Detection of Covert Cyber-Attacks in Interconnected Systems: A Distributed Model-Based Approach

Distributed detection of covert attacks for linear large-scale interconnected systems is addressed in this article. Existing results consider the problem in centralized settings. This article focuses on large-scale systems subject to bounded process and measurement disturbances, where a single subsystem is under a covert attack. A detection methodology is proposed, where each subsystem can detect the presence of covert attacks in neighboring subsystems in a distributed manner. The detection strategy is based on the design of two model-based observers for each subsystem using only local information. An extensive detectability analysis is provided and simulation results on a power network benchmark are given, showing the effectiveness of the proposed methodology for the detection of covert cyber-attacks.

Large-scale interconnected systems are increasingly exposed to cyber-attacks. Security concerns related to these systems include both physical security and cyber-security, as well as combined cyber-physical threats. Indeed, in recent years, the security challenge has become a vital technological issue, especially after the occurrence of incidents involving industrial plants and critical infrastructures (see [1] and [2]).
Due to the complexity of these systems and to their computational and communication constraints, the development of distributed methodologies for the monitoring and detection of malicious cyber-attacks has become a necessity. Recently developed comprehensive techniques for distributed fault diagnosis (see, for instance, the recent works [3], [4] and the references cited therein) may not be fully effective in detecting cyber-attacks [5], as the latter are typically carried out by intelligent and active agents. This difficulty has inspired a large stream of research efforts (see, for example, the seminal works [6]-[11], the more recent ones [12]-[14], and the surveys [15], [16], as well as the references cited therein).
This article deals with a distributed methodology for the detection of a particularly harmful class of stealthy cyber-attacks, namely the so-called covert attacks [17]. The proposed approach is specifically designed for spatially distributed, networked, large-scale interconnected systems. In the remainder of this section, after providing a glimpse of the state of the art, the specific contributions are illustrated and the organization of the article is outlined.

A. Glimpse on the State of the Art
As mentioned before, the problem of detecting and isolating cyber-attacks plays a central role in secure control systems. In this respect, some approaches in the literature on the security of cyber-physical systems stem from prior research in the field of fault detection and isolation (FDI), a well-established research area whose aim is to detect (and possibly identify the source of) faulty modes of behavior of the monitored system. In this connection, several contributions proposing distributed FDI techniques are available (see, for instance, [18]-[25]), but, to the best of our knowledge, these approaches have not yet been extended to successfully detect a large class of malicious cyber-attacks. The main complexity stems from the fact that attacks affect the system behavior in a much different way than typical classes of faults and malfunctions do.
Differently from studies on cyber-security in the computer science community, most techniques in the control literature on attack detection and isolation take advantage of a dynamic model of the interconnected system to detect whether the information communicated in the control loop has been corrupted by malicious attacks [5]. As already anticipated, this article focuses on a model-based distributed attack-detection methodology, and only a limited number of related works can be found in the literature (see [26]-[30]). Specifically, in [26] and [27], a distributed methodology is presented to detect attacks on interconnected subsystems in which the communication infrastructure is assumed to be secure, whereas in [28] the knowledge of the model of the entire system is required. In the recent conference paper [29], only attacks on the communication network between controllers and monitoring units are considered, in a dc microgrid application scenario, whereas in [30] the performance of distributed and decentralized detectors is analyzed in a statistical framework.
The family of covert cyber-attacks considered in this article may have a detrimental impact on the physical layer: a covert agent injects undesired control actions into the networked actuation channels while "canceling" their effects on the measurements. In this way, under the assumption that the attacker has perfect knowledge of the system model, the state of the system can be arbitrarily driven along potentially unsafe trajectories without leaving any trace in the monitoring units. In fact, due to the attack, the sensing layer communicates measurements that are consistent with the normal behavior, thus making the attack undetectable.
A few works have considered this scenario: for instance, in [31], an intelligent type of covert attack is presented using system identification tools; in [32], the problem of covert attack detection in cyber-physical systems is investigated and a random modulation is introduced on the actuation side to cause errors in the attacker's model. In the very recent work [33], resilience against covert attacks is formulated as an H_2 optimal control problem. However, the literature in the area of detection and isolation of covert attacks is still limited, with many open research problems worth investigating. In particular, to the best of the authors' knowledge, the problem of distributed model-based detection of covert attacks on large-scale networked systems has not yet been addressed.

B. Objectives and Contributions
In this article,¹ a distributed covert attack detection architecture is proposed in which each locally controlled subsystem is equipped with two local state observers that use different information. The first observer is designed using a local model of its respective subsystem and exploits both the information provided by local sensors and the information communicated by neighboring subsystems (for this reason, this observer is called distributed). The second observer is an unknown-input one and uses only locally available information and measurements (hence, this observer is called decentralized). On the basis of the local estimates provided by the observers, an attack detection strategy is devised that, under suitable conditions, allows the detection of covert attacks that would not be detectable by a fully decentralized approach or by traditional distributed observation methods.

¹Early results for the disturbance-free case have been presented in [34].
The main specific contributions of this article are as follows.
1) Definition of a state-space characterization of the covert property of man-in-the-middle local attacks in the context of large-scale interconnected systems.
2) Design of a distributed observer-based estimation technique for detecting covert attacks.
3) Sufficient detectability conditions and convergence analysis in the case where the measurements and the process are affected by bounded disturbances.
4) Validation of the proposed distributed detection technique via simulation on a power network benchmark problem.

C. Main Notations
The following notation is used throughout the article. R denotes the set of real numbers. I is an identity matrix of compatible dimensions. v̂ is the estimated value of the variable v. L_2 is the space of signals with bounded energy. For a vector v, v^[l] denotes its lth component. ‖·‖_2 stands for the Euclidean norm of a vector or matrix. ‖·‖_{L_2} denotes the L_2 norm of a signal. χ(t) stands for the unit step function. ‖·‖_∞ stands for the H_∞ norm of a transfer function. diag(·) denotes a block-diagonal matrix composed of a set of matrices. We write M > 0 (or M < 0) if the matrix M is symmetric positive (negative) definite. We denote by |M| the entrywise absolute value of a matrix M. Moreover, we define a concatenation operation over a finite indexed family of matrices (M_i ∈ R^{p×*})_{i∈I}, with index set I = {i_1, i_2, ..., i_n}, as row_{i∈I}(M_i) = [M_{i_1} M_{i_2} ··· M_{i_n}].

D. Article Organization
The article is organized as follows. In the following section, the problem is formulated in detail, including the description of the covert attacks, the architecture of the estimation scheme, and the detection decision strategy. Section III illustrates the design of the two local observers and provides the convergence analysis, while Section IV presents the attack detection methodology and the related detectability analysis. Section V reports extensive simulation results on a power network benchmark problem, and concluding remarks are given in Section VI.

II. PROBLEM STATEMENT
Consider a large-scale system (LSS) composed of N interconnected subsystems, with the ith subsystem S_i described as

ẋ_i(t) = A_i x_i(t) + B_i ũ_i(t) + Σ_{j∈N_i} A_ij x_j(t) + w_i(t)
y_i(t) = C_i x_i(t) + v_i(t)    (1)

where x_i ∈ R^{n_i} is the subsystem state vector, ũ_i ∈ R^{m_i} is the control input vector, y_i ∈ R^{p_i} is the output vector, and w_i ∈ R^{n_i} and v_i ∈ R^{p_i} denote the external disturbance vectors. The set N_i of neighbors of S_i is defined as the index set of those subsystems S_j whose states x_j appear as an argument in the state equation of S_i.

Fig. 1. Top-down architecture of the considered system. From left to right: the general layout, with the separation of the physical and cyber layers; in the middle, the diagram of the attacked subsystem equipped with a local unit LU_i; on the right, the detection architecture further specialized into the two observers and the detection logic block D_i.
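As a concrete illustration, a subsystem of the form (1) can be simulated with a simple forward-Euler step as sketched below; all matrices, neighbor sets, and numerical values are illustrative placeholders, not taken from the power network benchmark:

```python
import numpy as np

def subsystem_step(x, u, x_neighbors, A, B, A_ij_list, w, dt=1e-3):
    """One Euler step of subsystem i:
    dx/dt = A x + B u + sum_j A_ij x_j + w  (cf. the state equation in (1))."""
    coupling = sum(Aij @ xj for Aij, xj in zip(A_ij_list, x_neighbors))
    return x + dt * (A @ x + B @ u + coupling + w)

def measure(x, C, v):
    """Output equation y = C x + v (cf. (1))."""
    return C @ x + v

# Two coupled scalar subsystems (illustrative values)
A1, B1, C1 = np.array([[-1.0]]), np.array([[1.0]]), np.array([[1.0]])
A12 = np.array([[0.2]])                       # interconnection matrix
x1, x2 = np.array([1.0]), np.array([0.5])
x1 = subsystem_step(x1, np.zeros(1), [x2], A1, B1, [A12], np.zeros(1))
y1 = measure(x1, C1, np.zeros(1))
```

The decomposition into a local term and a neighbor coupling term mirrors the role of the index set N_i in (1).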
Remark 1: The dynamic interconnection characterized by the index set N_i and the constant interconnection matrices A_ij does not change over time and typically has a precise physical meaning, i.e., the interconnected state variables could be, for instance, currents, forces, flows, etc., depending on the type of system being modeled.
Assumption 2: ∀i ∈ {1, ..., N} and ∀t, there exist known positive constants w̄_i and v̄_i such that ‖w_i(t)‖ < w̄_i and ‖v_i(t)‖ < v̄_i.
The proposed detection architecture is shown in Fig. 1. Each subsystem is equipped with a local unit LU_i composed of a given controller C_i and a detector D_i. The local measurements available to LU_i are represented by ỹ_i ∈ R^{p_i}, whereas the control input computed by C_i is u_i.
By "local" we mean that each unit does not need any information about the overall topology of the LSS, but only exploits the model information and variables appearing in (1).
The variable ỹ_i denotes the measurement received by LU_i via a possibly vulnerable link (see Fig. 1). Due to the action of the attacker, ỹ_i can differ from y_i. Because of this possible discrepancy, we refer to u_i and y_i as the legitimate or transmitted signals, and to ũ_i and ỹ_i as the attacked or received ones, respectively.
If i denotes the index of the subsystem under attack, we assume that the attacker A_i performs a man-in-the-middle attack and injects the undesirable signals γ_i and η_i into the tapped links between the plant and the local unit, so that

ũ_i(t) = u_i(t) + η_i(t),   ỹ_i(t) = y_i(t) − γ_i(t).    (2)

The main difficulty in detecting such cyber-attacks is that γ_i and η_i can be designed by the attacker so that the attack effect is covert and not distinguishable from the nominal behavior. This important aspect is explained in more detail in the following sections.

A. Covert Attack Model
In this section, we present a state-space model for a covert attacker along the lines of [17].
Definition 1 (Covert agent): The malicious agent A_i is covert to subsystem S_i if the attacked measurement output ỹ_i is indistinguishable from the legitimate subsystem response y_i.
An attacker is covert if it can hide its effect on the system such that the measured output is compatible with an attack-free behavior (we sometimes refer to this as the covertness property). In this respect, we point out that covert attacks are stealthy by design: since, by Definition 1, the attacked measurements are indistinguishable from the nominal response, any residual signal relying on them necessarily satisfies the stealthiness condition in [9, Definition 2].
A covert strategy can be fulfilled by replicating the dynamics of the targeted system. Hence, the malicious agent A_i is modeled as a dynamical system S̃_i of the form

S̃_i : x̃̇_i = Ã_i x̃_i + B̃_i η_i,   γ_i = C̃_i x̃_i    (3)

where x̃_i denotes the attacker's internal state. In particular, η_i is a signal chosen by the attacker to steer the system toward some undesired trajectory. Because such a signal is arbitrary, its characteristics are in general unknown to a defender. As a result, the model (3) is in principle sufficient for describing a covert agent. In addition, the attacker may need to implement its own controller C̃_i in order to achieve some desired dynamics as

C̃_i : ξ̇_i = A_Ci ξ_i + K_Ci x̃_i + R_Ci ρ_i + Υ_i u_i,   η_i = C_Ci ξ_i    (4)

where ξ_i ∈ R^{ν_i} is the controller's state and ρ_i ∈ R^{r_i} is used to determine the controller's reference. By choosing ρ_i, the attacker can more easily control the system to achieve its own objective, for instance, causing instability or tracking a reference different from the nominal one. Moreover, A_Ci, Υ_i, R_Ci, and C_Ci are matrices of compatible dimensions, K_Ci provides a feedback from the state of S̃_i, and Υ_i represents the disclosure resources (as in [9], from which we borrow the jargon of this section), identifying the information accessible to the attacker.
Using (3) and (4), the attacker can be represented in compact form by introducing the vector ζ_i := [x̃_i^T ξ_i^T]^T ∈ R^{n_i+ν_i}, leading to the model (5), where Γ_i plays the role of the disruption resources, as it defines which actuation and measurement channels the attacker can compromise with malicious signals. With this description, the attacker A_i on S_i is completely characterized by its model knowledge (Ã_i, B̃_i, C̃_i), its infiltration resources Υ_i and Γ_i, and its attack strategy defined by C̃_i and ρ_i.
For example, ρ_i can be a reference signal leading to an unsafe or disruptive operating point of some equipment. By designing C̃_i, the attacker can inject η_i such that S_i is driven to that point, and can compensate for the resulting misbehavior using γ_i as in (2). We also note that, depending on Υ_i, the attacker could account for the unknown reference (see [17] for more detail on this issue), as it would know the values of u_i. Model (5) by itself does not satisfy the covertness property: to do so, S̃_i needs to be a realization of the same transfer function realized by S_i. This can be easily achieved if the following assumption holds.
Assumption 3: The attacker has perfect knowledge of the local model (A_i, B_i, C_i) of subsystem S_i, whereas it has no knowledge of the dynamic interconnection with the neighboring subsystems.
Remark 2: By considering an omniscient local attacker via Assumption 3, our analysis addresses the worst-case scenario, in which the attacker is the most difficult to detect. In fact, as shown later on, in this case the local residuals are not influenced by the attacker, which is consistent with the results in [17]. By proving that the proposed detection strategy works in the perfect-knowledge case, we also cover less demanding cases: an attacker with incomplete information is not fully covert and is therefore easier to reveal by residual analysis. Assumption 3 holds in practice when model information can be obtained via some form of intelligence, either because the components used in a plant are known (as in the case of the Stuxnet worm [35]) or because such information is leaked. In addition, it is fair to assume that an attacker who can write on some channels can also read from them, and therefore the model can be identified by eavesdropping on the measurement and actuation signals [36].
As far as its resources are concerned, the attacker must be able to disrupt all the measurement and actuation channels of a single subsystem, while no disclosure resources are needed.
Let T_ai ≥ 0 be the time instant at which the attack occurs (i.e., γ_i = η_i = 0 for t < T_ai). We now present sufficient conditions for an attacker to be covert. Covertness can be seen as an asymptotic property if we focus on the steady-state response; here, however, we also address the transient behavior, given that our analysis is carried out in the time domain.
Proposition 1: Under Assumption 3, there exists a γ_i such that the attack is covert.

Proof: Before the occurrence of the attack, i.e., for 0 ≤ t < T_ai, ỹ_i = y_i. Let us analyze the covert property for t ≥ T_ai. By considering (1)-(4), the attacked subsystem's output can be written as in (6). In this condition, given a choice of η_i, the effect of γ_i can be computed as in (7); by using (2) and Assumption 3, one obtains (8). From (8), it follows that, for t → ∞, ỹ_i will be the same as the output of the attack-free subsystem (the legitimate output). In other words, by considering (6)-(8), for t → ∞, ỹ_i will be identical to the output y_i obtained when η_i = 0 (no attack), provided that the first exponential term vanishes. Moreover, if the attacker sets the initial conditions of (3) as x̃_i(T_ai) = 0, then ỹ_i is equal to the attack-free output y_i for all t, since the first exponential term is identically zero.
Remark 3: Note that in Proposition 1, the attacker is covert without any knowledge about the neighbors or their interconnection. In fact, a purely local model (3) is used along with Assumption 3; this is sufficient to successfully carry out a covert attack on the subsystem.
It is worth noting that the results stated in Proposition 1 are related to the ones given in [17] for the centralized case in the frequency domain but are more general in that we consider a distributed framework and the transient behaviors due to unknown initial conditions are taken into account.
Finally, we emphasize that both the definition of covert attacks and the results of Proposition 1 can equivalently be restated in terms of detection residuals, as will be discussed later.
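To make the covertness property concrete, the following numerical sketch (illustrative scalar values, disturbance-free case, forward-Euler integration) implements the masking mechanism described above: the attacker runs a replica of the local dynamics driven only by its injected input η_i, with zero initial condition at the attack time, and subtracts the replica's output γ_i from the transmitted measurement:

```python
import numpy as np

# Disturbance-free scalar subsystem; attacker replica per (3), masking per (2).
A, B, C = -0.5, 1.0, 1.0
dt, steps, T_a = 1e-3, 2000, 500       # attack starts at step T_a
x_nom = x_att = 1.0                    # nominal and attacked plant states
x_rep = 0.0                            # attacker replica state, zero at T_a
u = 0.3                                # constant legitimate control input
y_nom_hist, y_tilde_hist = [], []

for k in range(steps):
    eta = 0.8 if k >= T_a else 0.0             # attacker's injected input
    x_nom += dt * (A * x_nom + B * u)          # attack-free plant
    x_att += dt * (A * x_att + B * (u + eta))  # plant under attack
    x_rep += dt * (A * x_rep + B * eta)        # replica driven by eta only
    gamma = C * x_rep                          # attack effect on the output
    y_nom_hist.append(C * x_nom)
    y_tilde_hist.append(C * x_att - gamma)     # received measurement y~ = y - gamma

max_dev = max(abs(a - b) for a, b in zip(y_nom_hist, y_tilde_hist))
```

By linearity, the attacked state equals the nominal state plus the replica state, so the subtraction cancels the attack's signature: `max_dev` remains at floating-point noise level even though the physical state is being driven away from its nominal trajectory.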

B. Detector Architecture
We describe in more detail the design principles of the detector shown in Fig. 1. The proposed architecture is based on two observers for each local unit LU_i: a decentralized observer O^d_i (described in Section III-A) and a distributed one, O^c_i (described in Section III-B). More specifically, O^d_i is designed such that its state estimate x̂^d_i is decoupled from the neighboring subsystems S_j, ∀j ∈ N_i, whereas O^c_i computes a state estimate x̂^c_i that depends on the communicated neighboring estimates x̂^d_j, j ∈ N_i. By exploiting the cooperation between a decentralized decoupled estimation strategy and a distributed one, the observers can reveal possible inconsistencies in the measurements from neighboring subsystems. In this way, a perfectly covert attack in N_i can be revealed by the detectors in all neighboring LU_j.
For every subsystem S_i, we design a residual signal r̃^c_i and a time-varying threshold r̄_i, whose definitions and properties will be discussed later. In order to reveal stealthy attacks, the following distributed detection logic is implemented by the diagnoser D_i in Fig. 1.
1) If the residual r̃^c_i exceeds the threshold r̄_i, the unit LU_i sets its alarm signal a_i = 1 and transmits it to all neighbors j ∈ N_i. 2) Conversely, it also receives a set of signals a_j, j ∈ N_i, from the neighbors. 3) If a_j = 1, ∀j ∈ N_i, then detector D_i decides that S_i is under attack.
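One step of this distributed logic can be sketched as follows; the function name and signature are illustrative conveniences, not part of the proposed architecture:

```python
def detector_step(r_tilde, r_bar, received_alarms):
    """One step of the distributed detection logic of D_i (sketch).

    r_tilde         : current value of the local residual norm
    r_bar           : current value of the time-varying threshold
    received_alarms : list of alarms a_j in {0, 1} from the neighbors N_i
    Returns (a_i, attack_on_self):
      a_i            -- alarm transmitted to the neighbors (step 1)
      attack_on_self -- True iff every neighbor raised its alarm (step 3),
                        i.e. D_i decides that S_i itself is under attack.
    """
    a_i = 1 if r_tilde > r_bar else 0
    attack_on_self = len(received_alarms) > 0 and all(a == 1 for a in received_alarms)
    return a_i, attack_on_self

# S_i has a quiet local residual, but all three neighbors raised alarms:
result = detector_step(0.1, 0.5, [1, 1, 1])
```

Note the asymmetry that makes covert attacks detectable here: the attacked subsystem's own residual stays quiet, while every neighbor's residual fires, so the verdict about S_i is reached from the alarms of N_i.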

III. OBSERVER DESIGN
According to the definitions of x̂^d_i and x̂^c_i in the previous section, the output and state estimation errors for the decentralized and distributed observers are defined as follows:

r^d_i = y_i − C_i x̂^d_i,   ε^d_i = x_i − x̂^d_i
r^c_i = y_i − C_i x̂^c_i,   ε^c_i = x_i − x̂^c_i    (9)

It should be noted that ε^d_i and ε^c_i represent the difference between the actual state of S_i and the state estimates of the corresponding observers. We refer to these quantities as the true errors; they cannot be computed in practice, since the actual state of a subsystem is not directly accessible. However, the related residuals can be computed in the attack-free scenario according to the relations in the left part of (9).
On the other hand, when S_i is under attack (and if C̃_i = C_i, see Assumption 3), since ỹ_i ≠ y_i, the residuals computed by the subsystem are as follows:

r̃^d_i = ỹ_i − C_i x̂^d_i,   r̃^c_i = ỹ_i − C_i x̂^c_i    (10)

Similar to the conventions introduced in Section II, we refer to the quantities in (10) as the received or attacked output and state errors. Also note that, when no attack is underway, (9) and (10) coincide.
Design details are presented in the following subsections. First, the decentralized observation strategy is introduced and then the distributed observer based on coupling among the subsystems is proposed.
Finally, we introduce the following assumption that will be instrumental to the design of the observers as illustrated in the following two sections.
Assumption 4: Only the local dynamics' matrices A i , B i , C i , and the interconnection matrices A ij , ∀j ∈ N i , are available to each LU i .

A. Decentralized Observation Strategy
In order to obtain a state estimatex d i , which is independent of the states of the neighboring subsystems, we implement an unknown input observer (UIO) [37] for each subsystem i, where the interconnection among the subsystems is considered as an unknown input. It should be noted that the use of UIOs for distributed detection of anomalies is not new (for instance, see [24] and [29]). However, in this article, we combine it for the first time (to the best of the authors' knowledge) with a distributed observer, and derive conditions under which covert attacks in neighboring systems can be revealed.
Based on a UIO, the estimate x̂^d_i can be obtained from the following dynamical system:

ż_i = F_i z_i + T_i B_i ũ_i + K_i ỹ_i,   x̂^d_i = z_i + H_i ỹ_i    (11)

where F_i, T_i, K_i, and H_i are matrices with compatible dimensions, designed later. First, let us define Ξ_i := row_{j∈N_i}(A_ij) and x̄_i as the column concatenation of the neighboring states x_j, j ∈ N_i, implying that, for the ith subsystem, the effect of the neighbors' interconnection can be restated in vector form as Σ_{j∈N_i} A_ij x_j = Ξ_i x̄_i. Based on these definitions, the following conditions on the observer (11) are required [37]:

(H_i C_i − I) Ξ_i = 0    (12a)
T_i = I − H_i C_i    (12b)
F_i = T_i A_i − K^(1)_i C_i, with F_i Hurwitz    (12c)
K_i = K^(1)_i + K^(2)_i,   K^(2)_i = F_i H_i    (12d)

together with a) rank(C_i Ξ_i) = rank(Ξ_i) and b) detectability of the pair (C_i, T_i A_i). Under these conditions, by decomposing K_i as in (12d), under condition a) we can compute the matrix H_i = Ξ_i [(C_i Ξ_i)^T (C_i Ξ_i)]^{−1} (C_i Ξ_i)^T, which decouples the unknown inputs, whereas condition b) implies that a gain K^(1)_i rendering F_i Hurwitz can be obtained from (12c). By considering (11) and (12), we can derive the dynamical equations (13) of the estimation error ε^d_i. From (13) and the fact that F_i is Hurwitz, it follows that, for a disturbance-free subsystem, the estimation error ε^d_i converges to zero; for a subsystem with bounded disturbances, the estimation error remains bounded. It should be noted that (13) holds when the subsystem is not under attack, i.e., when the actuation and measurement channels are not corrupted.
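A minimal numerical sketch of the standard UIO construction of [37] is given below; the unknown input enters through a generic distribution matrix `E` (playing the role of Ξ_i), `K1` is a design gain assumed to render F Hurwitz, and all numerical values are illustrative:

```python
import numpy as np

def uio_matrices(A, C, E, K1):
    """Sketch of the UIO construction in [37]: decouple the unknown-input
    channel E from the estimation error.  K1 is assumed to be chosen so
    that F = T A - K1 C is Hurwitz (e.g. by pole placement)."""
    CE = C @ E
    # UIO existence condition a): rank(C E) = rank(E)
    assert np.linalg.matrix_rank(CE) == np.linalg.matrix_rank(E)
    H = E @ np.linalg.pinv(CE)       # solves (H C - I) E = 0
    T = np.eye(A.shape[0]) - H @ C
    F = T @ A - K1 @ C
    K = K1 + F @ H                   # K = K^(1) + K^(2), with K^(2) = F H
    return F, T, K, H

# Unknown-input decoupling check on a small random example
rng = np.random.default_rng(0)
A = rng.standard_normal((3, 3))
C = np.eye(3)
E = np.array([[1.0], [0.0], [0.0]])
F, T, K, H = uio_matrices(A, C, E, K1=2 * np.eye(3))
```

The decisive property is `T @ E = 0`: the unknown input (here, the interconnection term) no longer enters the error dynamics, which is exactly what makes the decentralized estimate insensitive to the neighbors.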
Proposition 2: Let the ith subsystem be under the attack modeled in (5) and (2), and let Assumption 3 hold. Under the UIO conditions (12), the true estimation error dynamics for the observer (11) become (14), whereas the received (attacked) estimation error ε̃^d_i evolves according to (15). Furthermore, the attack is covert for the observer (11).
Proof: See the Appendix.

Remark 4: Proposition 2 shows that, under the proposed covert attack, the received error ε̃^d_i has the same dynamics as the attack-free one ε^d_i, and, by using (10), we can state the following:

By using the triangle inequality, this leads to
As a result, a covert attacker can maliciously increase the lower bound on the true error of the attacked subsystem by increasing the norm of its own internal state.

B. Distributed Observation Strategy
By considering the interconnection model and by using the information received from neighboring subsystems, a distributed observation strategy is developed for each subsystem to estimate the value of its own state vector.
Assumption 5: We assume ideal communication between the subsystems; as such, the exchanged estimates x̂^d_j, j ∈ N_i, are not corrupted during communication.
By considering the subsystem dynamical equations given in (1), the distributed state observer O^c_i is described by

x̂̇^c_i = A_i x̂^c_i + B_i ũ_i + Σ_{j∈N_i} A_ij x̂^d_j + L_i (ỹ_i − y^c_i)    (16)

where L_i ∈ R^{n_i×p_i} is the observer gain to be designed later and y^c_i = C_i x̂^c_i.

Remark 5: It should be noted that, in (16), we have used A_ij x̂^d_j instead of A_ij x̂^c_j, because the value of x̂^d_j is not affected by attacks in the neighboring subsystems k, k ∈ N_j. This property lays the basis for our detection strategy in the following section.
To design the observer gain L_i, an H_∞ optimization approach is employed. The gain L_i is designed such that the effect of the exogenous signal vector ω_i, collecting w_i, v_i, and the neighboring error terms A_ij ε^d_j, j ∈ N_i, is attenuated on the observer error ε^c_i. To achieve this goal, the L_2-induced gain from ω_i to ε^c_i is bounded as

‖ε^c_i‖_{L_2} ≤ λ_i ‖ω_i‖_{L_2}    (17)

and λ_i > 0 is minimized. It should be noted that Hurwitz stability of the decentralized observer O^d_i, introduced in the previous section, guarantees the L_2-boundedness of ε^d_j; thus, ε^d_j can be considered as an exogenous signal in ω_i.
Before presenting the main results, let us introduce the following lemma.

Lemma 1 ([38]): The H_∞ performance (17) is achieved if there exists a positive definite function V_i such that J_i := V̇_i + (ε^c_i)^T ε^c_i − λ_i^2 ω_i^T ω_i < 0.

Theorem 1: Consider the LSS described in (1) and the observer introduced in (16). The estimation errors ε^c_i, i ∈ {1, 2, ..., N}, converge to zero in the disturbance-free case and the H_∞ performance (17) is achieved if, for each i, L_i satisfies the linear matrix inequality (LMI) (18) for some P_i and S_i, where P_i ∈ R^{n_i×n_i} is a symmetric positive definite matrix and S_i = P_i L_i.

Proof: By considering (1) and since ε^c_i = x_i − x̂^c_i, the error dynamics of the observer (16) can be written as (19). Since y_i = C_i x_i + v_i, after some manipulation, (19) leads to the error dynamics (20). According to Lemma 1, to guarantee the desired H_∞ performance we must have J_i < 0. By defining V_i = (ε^c_i)^T P_i ε^c_i and by computing the time derivative of V_i along (20), J_i can be evaluated explicitly. Letting S_i = P_i L_i, J_i simplifies so that J_i < 0 holds whenever the LMI (18) is satisfied.

Remark 6: Note that, since the pair (A_i, C_i) is observable, for any symmetric positive definite Q_i ∈ R^{n_i×n_i} there exists an L_i such that the corresponding Lyapunov equation has a solution P̄_i, implying that the LMI Π_i < 0 always admits solutions S̄_i and P̄_i. As a result, the Schur complement of the block Π_i of the matrix W_i is negative definite for some λ_i (see [39] for the theory of the Schur complement), and therefore W_i < 0 always admits a solution.
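In practice, the LMI (18) can be handed to any SDP solver. As a lightweight alternative sketch (not the LMI design of Theorem 1), the following code picks L_i by pole placement on the dual pair, which is possible whenever (A_i, C_i) is observable, and then verifies that A_i − L_i C_i is Hurwitz; the matrices and pole locations are illustrative:

```python
import numpy as np
from scipy.signal import place_poles

# Illustrative observable pair (A_i, C_i)
A = np.array([[0.0, 1.0],
              [-2.0, -0.5]])
C = np.array([[1.0, 0.0]])

# Observer design by pole placement on the dual pair (A^T, C^T):
# the eigenvalues of A - L C equal the placed poles.
res = place_poles(A.T, C.T, [-3.0, -4.0])
L = res.gain_matrix.T

err_dyn = A - L @ C   # error dynamics matrix of the distributed observer
```

Unlike the LMI approach, this sketch only enforces stability of the error dynamics and provides no guaranteed attenuation level λ_i; it is meant as a quick sanity check of the observer structure.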

Remark 7:
The H_∞ optimization technique proposed in Theorem 1 is also useful to design K^(1)_i for the decentralized observer (11), such that the effect of the corresponding exogenous signal vector is attenuated on the observer error ε^d_i. Therefore, following a logic similar to the proof of Theorem 1, K^(1)_i can be obtained from an analogous optimization problem.

Proposition 3: Let the ith subsystem be under the attack modeled in (5) and (2), and let Assumption 3 hold. The actual estimation error dynamics for the observer (16) are given by (21), whereas the computed (attacked) estimation error evolves according to (22). Furthermore, the attack is covert for the observer (16).

Proof: The proof is readily obtained by combining the observer formulation (16) with the attacker model in (2) and (3). Since (22) and (20) are identical, the attack is covert.

IV. ATTACK DETECTION SCHEME
As anticipated in Section II-B, we monitor the behavior of the residual r̃^c_i defined in (10) to trigger an attack alarm when the residual crosses a suitable threshold, to be defined so as to take the disturbances into account. It follows directly from Proposition 3 that the received error ε̃^c_i (and hence r̃^c_i) is sensitive to the true error of the neighbors.

A. Observers' Errors in Attack-Free Conditions
Since we are considering the possible presence of measurement and process disturbances, the proposed strategy requires the design of an appropriate threshold for the detection residuals, such that the alarm binary variable is triggered while avoiding false alarms. The threshold can be obtained by considering the received errors in attack-free conditions.
Before proceeding with the analysis, we assume the following in order to rule out the more complex situation where two attackers in the same neighborhood may cooperate to compensate each other.
Assumption 6: For any subsystem S i , there is only one attacker in its neighborhood N i . Assumption 6 is in place only for the sake of analyzing the detectability property of the proposed scheme and it is not needed in general, i.e., there might be cases where detection is still possible with multiple attackers although the analysis becomes more complex. From a practical point of view, if the overall system is spread over a large area, it may be difficult for an attacker to target vast sections of it, especially since local control loops are targeted.
In order to simplify the equations, we make use of the logarithmic norm μ(M) of a matrix M. This notion is relevant when deriving bounds, as it can be shown that (see [40]) μ(M) = min{α : ‖e^{Mt}‖ ≤ e^{αt}, ∀t ≥ 0}.
Throughout this section, we will use the following inequality:

‖e^{Mt}‖ ≤ e^{μ(M)t},   t ≥ 0.    (23)

In the following result, we derive an upper bound for the estimation error of the decentralized observer.
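For the 2-norm, the logarithmic norm admits the explicit expression μ(M) = λ_max((M + M^T)/2), which makes the inequality above easy to check numerically; the matrix below is illustrative:

```python
import numpy as np
from scipy.linalg import expm

def log_norm_2(M):
    """Logarithmic norm induced by the 2-norm:
    mu(M) = largest eigenvalue of the symmetric part (M + M^T)/2."""
    return np.linalg.eigvalsh((M + M.T) / 2).max()

M = np.array([[-1.0, 2.0],
              [0.0, -3.0]])
mu = log_norm_2(M)

# Check the defining bound ||e^{M t}|| <= e^{mu t} on a grid of times
for t in np.linspace(0.0, 2.0, 21):
    assert np.linalg.norm(expm(M * t), 2) <= np.exp(mu * t) + 1e-12
```

Note that μ(M) can be negative (as here), in which case the bound certifies exponential decay of ‖e^{Mt}‖; unlike the spectral abscissa, μ(M) also controls the transient, which is why it is convenient for deriving time-varying thresholds.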

Proposition 4:
In attack-free conditions, the norm of the UIO error ε^d_i is bounded by a positive function ε̄^d_i(t), depending on μ(F_i) and on the bounds v̄_i and w̄_i defined in Assumption 2.
Proof: Along the lines of [29], we integrate (13), obtaining (24), which can be bounded as in (25).

Remark 8: The derivation of (25) is correct only if μ(F_i) ≠ 0. Conditions under which this holds can be found in [40]; in particular, they easily hold for Hurwitz matrices.
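As a hedged sketch of how a bound of the type (25) can be evaluated, consider the generic first-order comparison bound for error dynamics ε̇ = Fε + δ(t) with ‖δ(t)‖ ≤ δ̄ and μ(F) < 0; the specific constants of (25) are those derived in the proof, whereas the expression below is the standard template:

```python
import numpy as np

def uio_error_bound(t, mu_F, eps0_norm, delta_bar):
    """Template bound for d/dt eps = F eps + delta(t), ||delta(t)|| <= delta_bar:
    ||eps(t)|| <= e^{mu(F) t} ||eps(0)|| + delta_bar (1 - e^{mu(F) t}) / (-mu(F)).
    Requires mu(F) < 0 (cf. Remark 8)."""
    assert mu_F < 0, "bound requires a negative logarithmic norm"
    decay = np.exp(mu_F * t)
    return decay * eps0_norm + delta_bar * (1.0 - decay) / (-mu_F)

# Illustrative values: the bound decays from ||eps(0)|| = 1
# toward the steady-state value delta_bar / (-mu(F)) = 0.2
b0 = uio_error_bound(0.0, -2.0, 1.0, 0.4)
b_inf = uio_error_bound(50.0, -2.0, 1.0, 0.4)
```

Such a function, evaluated online, directly yields a time-varying detection threshold that starts at the initial-condition uncertainty and tightens to the disturbance-induced steady-state level.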
In the following proposition, we derive a threshold for the distributed detection residual r̃^c_i.

Proposition 5: In attack-free conditions, if μ(F^c_i) < 0, the received residual is bounded as in (28) and (29).

Proof: By considering (23) and integrating (22), we obtain (30). We can recognize (26) and (27) as the first and third terms of (30), respectively. After expanding ‖ε^d_j(s)‖ as per Proposition 4, the solution of the second integral yields ε̄_{k,i} in (28). The thesis follows from norm properties. The special case (29) is obtained by expanding ‖ε^d_j(s)‖, which cancels the outer exponential and leads to the integration of a constant.
Remark 9: The considerations made in Remark 8 also apply to the computations in this proposition; in the limit case when μ(F^c_i) = 0, the corresponding bounds can be obtained by taking the limit of (28) and (29).

B. Detectability Analysis
In this section, we obtain some important results about attack detectability and detection time with the proposed distributed detection methodology. We consider a generic S i and a single covert attack in one of its neighbors k ∈ N i , according to Assumption 6.
Theorem 2 (Detectability): A covert attack starting at time T_ak in a neighboring subsystem S_k, k ∈ N_i, is detected by the unit LU_i if condition (31) holds.

Proof: To account for the attack effect, we integrate (13) and (14) before and after time T_ak, respectively, obtaining (32). The first two terms constitute the attack-free error ε^d_k, which coincides with the received error ε̃^d_k by virtue of Proposition 2; notice also that this error expression was expanded in (24) in Proposition 4. We can conveniently rewrite (32) as (33), where again the first three terms correspond to the attack-free received error ε̃^c_{i,af}, and the last term is the attack contribution, which for brevity we denote by φ_{i,k}.
By applying the inverse triangle inequality and the bounds of Proposition 5, we obtain a condition that holds for all t; by negating it, we finally obtain (31).

Remark 10: In [34], it is pointed out that reachability of the pair (F^c_i, A_ik) is a necessary condition for attack detectability. This condition is implied by (31). This highlights the importance of the interconnections for the attack detectability properties.
Corollary 1: A covert attack starting at time T_ak in a neighboring subsystem S_k, k ∈ N_i, is detected by LU_i if condition (34) holds.

Proof: Equation (34) is obtained from the definition of the residuals in (10) and (9), and by following the same steps as in the proof of Theorem 2, the last of which is an application of the inverse triangle inequality. The thesis follows by negating the resulting condition.
Remark 11: Note that Assumption 6 ensures that the summation of integrals in (33) contains the attack signal η_j only once. This serves only to rule out pathological cases in which a particularly resourceful attacker designs multiple attacks such that their dynamic effects mutually cancel in the dynamics (22). Such a strategy, however, requires a considerable amount of resources, nonlocal model knowledge, and timing. We stress that the analysis of the observer errors under attack does not rely on this assumption, which is effectively used only when deriving the bounds on (33).

C. Componentwise Bounds
Using the same arguments as in Section IV-A, it is possible to obtain componentwise bounds for the local residual vector, leading to less conservative detection thresholds than the norm-based one. Unfortunately, considering entrywise absolute values does not allow us to obtain closed-form expressions such as those shown in the previous subsections. In the following, we present the componentwise counterparts of Propositions 4 and 5 and of Corollary 1.
Lemma 2: In attack-free conditions, the UIO error is bounded component-by-component as in (35).

Proposition 6: In attack-free conditions, the received residual is bounded componentwise as in (36).
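The motivation for componentwise thresholds can be illustrated with a small numerical sketch (values are illustrative, not the benchmark's): when state components differ by orders of magnitude, a single norm-based threshold masks deviations in the small components, whereas per-entry thresholds do not.

```python
import numpy as np

# Components on very different scales, as in the power benchmark.
x = np.array([1.0, 1e-3])

# Norm-based detection: one scalar threshold on ||x||.
norm_threshold = np.linalg.norm(x) * 1.1
# Componentwise detection: one threshold per entry.
comp_thresholds = np.abs(x) * 1.1

# A small attack-induced deviation on the second (small) component:
x_attacked = x + np.array([0.0, 5e-3])

print(np.linalg.norm(x_attacked) > norm_threshold)    # False: masked by the norm
print(np.any(np.abs(x_attacked) > comp_thresholds))   # True: caught componentwise
```

The deviation is five times the magnitude of the second component, yet it barely changes the norm, which is dominated by the first component.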

Theorem 3 (Componentwise detectability): A covert attack starting at time T_{a_i} is detected componentwise if condition (37) holds.

Remark 12: Equations (34) and (37) provide an implicit characterization of the attack signals η_i that are surely detected. The conditions in Theorems 2 and 3 are only sufficient, i.e., they provide a guaranteed detection threshold, but nothing can be said if such a threshold is not crossed.

D. Settling Time
We complement the results of this section by briefly discussing the convergence properties of the obtained bounds. The scalar bounds introduced in Section IV-A may be quite conservative when the state vector (or the disturbances) is not normalized, i.e., when its components have magnitudes on different scales. On the other hand, all the exponentials presented in this section are related to transients in the state estimates, and not to transients in attack detection. Since for any vector x ∈ R^n it always holds that ‖x‖ ≥ |x^[i]| for all i ∈ {1, …, n}, we can argue that if the residual norm has converged within a certain tolerance level, then so has each of its components. Therefore, if the computation of (35)-(37) is problematic, the respective steady-state values can be computed offline and a constant threshold can be employed. In that case, a lower bound T̄_i on the convergence time of the detection residuals is needed, in order to activate the detection logic only afterward. It is possible to use (26)-(28) to obtain such a lower bound for a given tolerance level δ̄_i.
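The last step can be sketched in closed form: for a transient bound of the form c·e^{−λt}, the time at which it drops below a tolerance δ̄ follows from taking logarithms. The constants below are illustrative, not taken from the article:

```python
import math

def settling_time_lower_bound(c, lam, delta):
    """Smallest t such that c * exp(-lam * t) <= delta, i.e. the
    transient part of the residual bound has decayed below the
    tolerance delta. Requires lam > 0 (stable error dynamics)."""
    return math.log(c / delta) / lam

T = settling_time_lower_bound(c=2.0, lam=0.5, delta=0.01)
print(T)  # ≈ 10.6 s for these illustrative constants
assert 2.0 * math.exp(-0.5 * T) <= 0.01 + 1e-12
```

After T̄_i, the constant (steady-state) threshold is valid and the detection logic can be safely activated.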

Proposition 7: A lower bound T̄_i on the convergence time of the detection residuals, for a given tolerance level δ̄_i, is given by (38).
Proof: Equation (38) can be obtained by grouping the exponential parts of (26) and (27), whereas for (28) we wish to remove the dependence on e^{μ(F_j)t}. This can be done by suitably bounding that term. Therefore, we can choose δ̄_i and find a solution to (38), where we have explicitly used the fact that the logarithmic norm of the Hurwitz matrices involved is negative.

V. SIMULATION RESULTS
In order to show the effectiveness of the proposed methodology, we address a covert attack scenario in the context of the power network system benchmark proposed in [41]. To emphasize the independence of our detector from the controller design, we use a predesigned distributed model-predictive controller from the PnPMPC toolbox [42], on top of which we implement the proposed detection architecture.
The scheme of the considered interconnected system is shown in Fig. 2, where each subsystem Σ_[i] represents a different power generation area interconnected through a tie line. Each distributed controller, accounting for the desired input and state constraints, is in charge of the automatic generation control layer in its respective zone, with the aim of keeping the subsystem around its nominal values. We refer the reader to [42] for further details on the system's model, choice of parameters, and control algorithm. For the reader's convenience, however, we recall that the power system is linearized around its operating point, and therefore all quantities should be regarded as deviations from a desired equilibrium. The state of each subsystem is defined as x_[i] = [Δθ_i, Δω_i, ΔP_{m_i}, ΔP_{v_i}]^⊤, where Δθ_i and Δω_i are the deviations of the rotor's angular displacement and speed, ΔP_{m_i} is the deviation from the nominal mechanical power, and ΔP_{v_i} represents the deviation of the steam valve position from its nominal value.
In the simulation scenario considered in this article, we refer to a regulation task rather than the original set-point tracking one, since in this way we avoid discrepancies between our problem formulation and that of the benchmark, which also includes exogenous load references. No generality is lost in doing this, as we still employ the same controller to achieve a meaningful and realistic control objective. Furthermore, only for the control task, we adopt the assumption of a fully accessible state, in order to guarantee its analytical convergence properties. For the diagnosers, instead, we consider a sensor channel with bounded disturbances.
For each component of each subsystem S_i, the disturbances are independent random variables, uniformly distributed in the interval given in (39). To design the detector, a set of stabilizing matrices L_i is obtained by solving the LMI presented in Theorem 1. Regarding the threshold, we opt for the componentwise bounds briefly presented in Section IV-C, mainly because the state variables of the subsystems differ by orders of magnitude, so the norm-based bounds may not be particularly sensitive to deviations in some of the smaller components. We simulate the system for a total time span of 40 s. At T_{a_4} = 20 s, a malicious agent covertly attacks subsystem S_4 and tries to force a deviation on ΔP_{m_4}. The attack reference signal is designed such that this deviation amounts to approximately 0.6 p.u. (per unit). We consider the case where the attacker's objective is to introduce some form of deviation from a desired state, rather than controlling it along a certain trajectory or set point.
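A minimal attack-free sketch of the setup just described — uniformly distributed bounded disturbances feeding a Luenberger-type observer whose residual stays small — can be written as follows. All numerical values (system matrices, gain, bounds) are illustrative placeholders, not the benchmark's:

```python
import numpy as np

rng = np.random.default_rng(0)

# Illustrative discrete-time subsystem: x+ = A x + B u + w, y = x + v,
# with componentwise-bounded uniform disturbances w, v.
A = np.array([[0.95, 0.10],
              [0.00, 0.90]])
B = np.array([[0.0], [0.1]])
L = 0.5 * np.eye(2)          # an illustrative stabilizing observer gain
w_bar, v_bar = 1e-3, 1e-3    # disturbance bounds

x = np.zeros(2)
xhat = np.zeros(2)
for _ in range(100):
    u = np.array([0.1])
    w = rng.uniform(-w_bar, w_bar, 2)
    v = rng.uniform(-v_bar, v_bar, 2)
    y = x + v
    r = y - xhat                      # detection residual
    xhat = A @ xhat + B @ u + L @ r   # observer update
    x = A @ x + B @ u + w             # plant update

print(np.all(np.abs(r) < 0.05))  # attack-free residual stays small
```

In attack-free conditions the residual remains within a bound determined by w̄ and v̄, which is precisely what the componentwise thresholds encode.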
First of all, we show that indeed the attack is covert for local estimators. In particular, in Fig. 4 we plot the errors received by each subsystem: as expected from (15), they do not show any visible trace of the attack, hence they cannot be used for the purpose of detection. This justifies the use of the architecture presented in the article.
The results of the simulation are shown in Fig. 5. As presented in the previous sections, the residual signal r̃^c_i (r_i for brevity in the figures) is sensitive to attacks in the neighborhood of its corresponding subsystem. This is evident from Fig. 5(c) (Subsystem 3 being the only neighbor of Subsystem 4, according to the layout in Fig. 2), where the threshold is crossed for the second component of the state at approximately t = 26 s, triggering the signal a_3. According to the detection strategy summarized in Section II-B, the detector broadcasts this signal to S_2 and S_4. Since S_2 receives {a_1 = 0, a_3 = 1}, the local decision of being under attack is not made. Conversely, S_4 receives {a_3 = 1} from its only neighbor, and therefore it decides that it is under attack.
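The decision rule just described can be sketched in a few lines of Python (the helper name and alarm encoding are ours, not the article's): a subsystem declares itself under attack only when all of its neighbors raise their alarms.

```python
def under_attack(received_alarms):
    """Local decision rule: a subsystem decides it is under attack
    only if *all* of its neighbors have raised their alarm (a_k = 1),
    since a covert attack on S_i is visible to every neighbor's
    distributed observer, while an attack elsewhere triggers only
    some of them."""
    return len(received_alarms) > 0 and all(received_alarms.values())

# S_2 receives a_1 = 0 and a_3 = 1 from its two neighbors:
print(under_attack({"a1": 0, "a3": 1}))  # False: not under attack
# S_4 receives a_3 = 1 from its only neighbor:
print(under_attack({"a3": 1}))           # True: under attack
```

This reproduces the scenario above: only S_4, whose entire neighborhood is alarmed, makes the local decision of being under attack.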
Since the considered system is weakly coupled (‖A_ij‖ ≈ 10^{-1}) and the state variables are in the per-unit system, the influence of d̃_4 on r̃^c_3 is small [e.g., ∼4 · 10^{-3} for the second state component in Fig. 5(c)]. As a result, this specific system with the proposed detection architecture cannot tolerate high levels of disturbance while maintaining acceptable effectiveness. We note, however, that the bounds (39) are of the same order as, or larger than, those used in other instances of the considered benchmark [43]. Furthermore, since the state components are in the per-unit system, the bounds (39) have to be considered relative to the equipment's rated values and not in absolute terms.

VI. CONCLUDING REMARKS
In this article, we propose a distributed method for the detection of covert attacks in interconnected large-scale LTI systems subject to bounded disturbances. We design a novel local detection scheme based on pairs of decentralized and distributed observers, in order to reveal local covert attacks. A rigorous analysis is provided, dealing with estimation errors, detectability conditions, and detection-time upper bounds, and extensive simulation results are given using a widely used power systems benchmark.
Future research efforts will be devoted to considering cooperating attackers, the effects of imperfect model knowledge, the generalization to the case of distributed nonlinear systems, and resilient control.

APPENDIX PROOF OF PROPOSITION 2
Proof: To prove the proposition, note that the actual subsystem is driven by the control input ũ_i, whereas the observer estimates are computed using u_i and ỹ_i. For notational simplicity, we omit the subscript i in the following, and (14) is obtained. To prove (15), the same steps can be repeated using (10). Finally, since the error dynamics under attack (15) are the same as in the attack-free case (13), we conclude that the attack is covert.

Thomas Parisini (Fellow, IEEE) received the Ph.D. degree in electronic engineering and computer science from the University of Genoa, Genoa, Italy, in 1993.
He was with the Politecnico di Milano, and since 2010 he has held the Chair of Industrial Control and has been the Director of Research at Imperial College London, London, U.K. He is the Deputy Director of the KIOS Research and Innovation Centre of Excellence, University of Cyprus, Nicosia, Cyprus. Since 2001, he has also been the Danieli Endowed Chair of Automation Engineering with the University of Trieste, Trieste, Italy. From 2009 to 2012, he was a Deputy Rector of the University of Trieste. He has authored or coauthored more than 320 research papers in archival journals, book chapters, and international conference proceedings. His research interests include neural-network approximations for optimal control problems, distributed methods for cyber-attack detection and cyber-secure control of large-scale systems, fault diagnosis for nonlinear and distributed systems, nonlinear model predictive control systems, and nonlinear estimation.
Dr. Parisini is a co-recipient of the IFAC Best Application Paper Prize of the Journal of Process Control, Elsevier, for the three-year period