Multiplicative Attacks with Essential Stealthiness in Sensor and Actuator Loops against Cyber-Physical Systems

Stealthy attacks in sensor and actuator loops are the research priorities in the security of cyber-physical systems. Existing attacks define the stealthiness conditions against the Chi-square or Kullback-Leibler divergence detectors and parameterize the attack model based on additive signals. Such conditions ignore the potential anomalies of the vulnerable outputs in the control layer, and the attack sequences need to be generated online, increasing the hardware and software costs. This paper investigates a type of multiplicative attack with essential stealthiness where the employed model is a novel form. The advantage is that the parameters can be designed in a constant form without having to be generated online. An essential stealthiness condition is proposed for the first time and complements the existing ones. Two sufficient conditions for the existence of constant attack matrices are given in the form of theorems, where two methods for decoupling the unknown variables are particularly considered. A quadruple-tank process, an experimental platform for attack and defense, is developed to verify the theoretical results. The experiments indicate that the proposed attack strategy can fulfill both the attack performance and stealthiness conditions.


Introduction
As the core and driving force of information technology in the past four decades, computers, communication, and control have caused a huge change in human social life. In this context, the concept of cyber-physical systems (CPSs) is proposed and widely valued. The CPSs involve most of the important industries that affect people's livelihoods, making it important to study their key technologies [1].
The high integration of computing, physical plants, and communication networks increases the flexibility, reliability, and productivity of CPSs. However, it also extends the information security issues from the network layer to the computational and physical layers, resulting in serious safety problems [2]. Since the Stuxnet event in 2010 [3], more and more security incidents involving CPSs have appeared in the limelight. For example, the Flame virus suffered by the oil industry in the Middle East in 2012 [4], the advanced persistent threat cyber-attacks on a German steel company in 2014 [5], the Triton attacks on Schneider Triconex security instruments in 2017 [6], and the Watering Hole attacks on a municipal water treatment company in America in 2021 [7] can be easily listed. To address the security threats to CPSs, researchers focus on both attack and defense strategies. These studies are categorized into four types: attack methods [8,9], prevention of attacks [10], resilient control [11,12], and detection of attacks [13,14].
for right-reversible and non-right-reversible systems, respectively. Furthermore, for the controlled CPSs, Ren et al. [9] investigate the stealthy KLD attacks operating in the sensor loop. The authors analyze the attack performance when the attack sequences satisfy the strict-and ε-stealthiness, as well as give the optimal solutions for the attack strategies.
It can be seen from the above that the existing attack strategies focus on the statistical properties of the state estimation residual z(k), and the attack sequences are in the form of time-varying additive signals generated online, whether for the χ 2 or the KLD stealthiness. The residual z(k) can be expressed as z(k) = y(k) − Cx(k), where y(k) denotes the output of the physical plant received by the control layer,x(k) stands for the estimation of the plant state x(k), and C refers to the output matrix of the physical plant. In practice, however, the process data supervision of CPSs is mainly dependent on the host PC's configuration screen in the control layer. The unbiased statistical properties of z(k) cannot enable the anomaly-free display of the compromised sensor data y(k). See, for example, refs. [16,17]. This fact implies that the anomalies occurring in y(k) can lead to an immediate exposure of the so-called stealthy attacks. Therefore, making the compromised y(k) remain stealthy should be a necessary condition for all of the stealthy attacks, and it is obvious that the existing results ignore this critical issue. Moreover, the attack strategies with forms y(k) = y p (k) + y a (k) and u p (k) = u(k) + u a (k) depend on specific hardware and software environments to implement the real-time computation and data injection of the attack sequences in the sensor and actuator loops. These will undoubtedly increase the attack costs and the exposure risks. In the two formulas above, y(k) and u(k) denote the physical layer output received by the control layer and the control input to be sent to the physical layer, y p (k) and u p (k) represent the actual output and the received control input of the physical layer, respectively. The subscript "p" denotes "plant". y a (k) and u a (k) refer to the attack signals injected by the attacker in the sensor and actuator loops, respectively, where the subscript "a" stands for "attack".
Motivated by the above two concerns, this paper investigates a novel class of stealthy attack strategies with multiplicative constant attack matrix parameters. Two sufficient conditions for the existence of the attack matrices are given in the form of theorems. One of them is dominated by the stealthiness condition, and the other takes into account both attack performance and stealthiness. The contributions of this paper are as follows.
(1) A novel attack model with multiplicative attack matrices is proposed, which models the cyber-attacks as changes in the parameters of the generalized system consisting of physical and network layers instead of tampering with process data as given in existing literature. (2) The proposed attack matrices can be designed in a constant form, which can avoid the online operation of the attack parameters, thus reducing the costs and exposure risks of the attacks. (3) A definition of essential stealthiness is presented as a complement for the existing χ 2 and KLD stealthiness conditions. Two sufficient conditions are given for the existence of constant attack matrices satisfying the essential stealthiness. (4) An attack and defense experimental platform is developed for CPSs, in which the physical plant is chosen as the classic quadruple-tank process. The platform can provide some experimental guidelines for related research in the field of CPSs security. The evaluations of the suggested strategies are performed in the form of hardware-inthe-loop experiments instead of simulations only, as in the existing work.
The subsequent sections of this paper are organized as follows. Section 2 introduces the basic model information of the CPS under consideration. Section 3 presents an attack model, gives a definition of essential stealthiness, and then analyzes the basic properties of the attack matrices. In Section 4, the methods for designing attack matrices are given in two theorems as the main results of this paper. In Section 5, the CPS attack and defense experimental platform are detailed, and the experimental results are analyzed, followed by conclusions and future work in Section 6.

Problem Formulation and Preliminaries
Consider the typical CPS illustrated in Figure 1, which consists of three parts: the control layer, the network layer, and the physical layer. The controlled plant lies in the physical layer, and its mathematical model can be represented as a discrete-time linear time-invariant (LTI) stochastic system: where x p (k) ∈ R n x , u p (k) ∈ R n u , and y p (k) ∈ R n y denote the system state, control input, and measurement output, respectively. The subscript 'p' denotes 'plant'. A, B, and C are known model parameters, w x (k) and w y (k) are process and measurement noise, respectively.
of the attack matrices. In Section 4, the methods for designing attack matrices are given in two theorems as the main results of this paper. In Section 5, the CPS attack and defense experimental platform are detailed, and the experimental results are analyzed, followed by conclusions and future work in Section 6.

Problem Formulation and Preliminaries
Consider the typical CPS illustrated in Figure 1, which consists of three parts: the control layer, the network layer, and the physical layer. The controlled plant lies in the physical layer, and its mathematical model can be represented as a discrete-time linear time-invariant (LTI) stochastic system: ( ) y k in e ( ) y k and ( ) u k in Equation (2) denote the physical layer output received in the control layer and the control input that is to be sent to the physical layer, respectively; see Assume that the inherent controller of the CPS is employed in the control layer and has a form of dynamic output feedback: where x c (k) is the controller's state, A c , B c , ..., F c are the known controller parameters, where the subscript 'c' means 'controller'. y e (k) := y(k) − y r (k) denotes the output error in the control layer, y r (k) ∈ R n y and y r0 denote the output reference trajectory and the desired output stabilized value, respectively. The output reference y r (k) is given by y(k) in y e (k) and u(k) in Equation (2) denote the physical layer output received in the control layer and the control input that is to be sent to the physical layer, respectively; see Figure 1. Note that the studied CPS is a tracking control system, and that in practice the desired output reference is not always at the modeling equilibrium point of the physical plant. Without loss of generality, we assume that the desired output stabilized value satisfies y r0 = 0. Attacks on CPSs may either occur in the physical layer or in the network layer. See, for example, refs. [1] and [29]. Since the attack sequences acting in the former can always be equivalently represented by the attack signals in the latter, Figure 1 simply gives the general form of the attack acting in the network layer. In particular, equations u(k) = u p (k) and y(k) = y p (k) hold under the assumption of an ideal communication network when the CPS is not under attack [20].

Modeling the Attacks
The attacker attempts to drive the state of the actual physical plant into the insecure regions by tampering with y p (k) and u(k) which are exposed to the communication network while satisfying the predefined stealthiness conditions. In this respect, existing stealthy attack strategies are mostly based on the two-channel FDI attack model [30] to implement the attack parameters design: where u a (k) and y a (k) are the attack sequences to be determined. Notice that the attack sequences are usually time-varying to satisfy the stealthiness condition. This implies that the attack strategies with the form of Equation (4) in practice need to rely on some hardware and software settings to enable the real-time computation and data injection of the attack parameters. The necessary computing environments and the frequent interaction of network data increase the costs of attacks and their exposure risks. To this end, a new attack model is considered below.
According to the assumption of the desired output steady state y r0 = 0 in the previous section, the physical layer process data satisfying u p (k) = 0 and y p (k) = 0. Then a novel attack model can be formulated as where A a (k) and A s (k) are the multiplicative attack matrices in the actuator and sensor loops, respectively. Compared with the FDI model (4), the advantage of Equation (5) is that A a (k) and A s (k) can be designed as constant matrices A a and A s to avoid the online computational requirements of the existing attack parameters. At the same time, the numerical degrees of freedom for the two matrices can satisfy the stealthy attack design. The attack strategies in the form of A a and A s will be detailed in the next section. Before that, we begin with the analysis of the basic properties of the attack matrices in Equation (5). Definition 1. (Essential stealthiness of attacks.) For a CPS consisting of Equations (1)-(3) and the compromised communication network, an attack is said to satisfy the essential stealthiness with parameter γ > 0, if its attack sequences make holds, where y e (k) refers to the output tracking error shown in the control layer, and ω(k) denotes the augmented disturbance in the closed-loop CPS affected by the attack sequences.
Under Definition 1, the attack matrices of a stealth attack strategy with the form of Equation (5) should fulfill the following proposition.

Proposition 1. (Non-singular properties of attack matrices.) For a CPS consisting of Equations
(1)-(3) and the compromised network, a necessary condition for any attack strategy represented by Equation (5) to satisfy the essential stealthiness is that the attack matrices A a (k) and A s (k) are full rank.
Proof of Proposition 1. Consider the contrapositive of Proposition 1. When A a (k) and A s (k) have at least one set of dissatisfied ranks, the output controllability of the generalized system consisting of Equations (1) and (5) is not guaranteed. Then, for any desired trajectory y r (k) and generalized system output y(k), we have the tracking error y e (k) → 0. At this point, the considered attack strategy does not satisfy the essential stealthiness. The proposition is proved.

Remark 1.
The essential stealthiness condition given in Definition 1 is a complement to the existing ones defined based on the χ 2 and the KLD detectors. The declared Equation (6) is founded on the fact that the operating data in the control layer should not be significantly abnormal when any attack is performed on the CPS; otherwise, it can be intuitively detected by the defender, making it difficult to achieve the intended attack purpose. The condition above is an essential requirement for a successful attack strategy and is therefore referred to as the essential stealthiness.
Attack performance refers to the extent of deviation that the actual output of the physical plant causes from the defender's desired reference trajectory. It can be defined as κ := y p − y r0 , where y p denotes the steady-state value of y p (k) in Equation (1). In particular, if the attack matrices are constant, κ can be expressed as κ = A −1 s y e + (A −1 s − I)y r0 , where y e denotes the steady-state value of y e (k) in Equation (6). For attacks with essential stealthiness, y e has a small value, and thus the attack performance κ is mainly determined by the attack matrix A s based on the assumption of y r0 = 0 in Equations (2) and (3).

Attack Matrices Design for Stealthy Attacks
Consider the attack model Equation (5) with its constant matrices A a and A s . This section gives two sufficient conditions for the existence of these matrices satisfying the essential stealthiness in a theoretical form. In particular, attackers aim to design the two matrices such that the compromised CPS fulfills both of the following two conditions. First, the physical plant state x p (k) deviates from its operation and causes the actual tracking error of the physical layer satisfying κ = y p − y r0 = 0. Second, the attack sequences meet the essential stealthiness with parameter γ > 0, i.e., Equation (6) holds.
For condition one, the attacker considers an auxiliary perturbation signal d on x p (k). It can be represented as wherex p (0) denotes the attacker's estimation of x p (k) before the attacks are initiated, i.e., in the instant k = 0. For the sake of exposition, we define the instant k ∈ (−∞, 0], similar to ref. [25], as the regular operation stage of the CPS and assume that the intended attack strategy is launched from the instant k = 1. Define x(k) := x p (k) + d and rewrite Equation (1) as where A d := I − A. The physical plant model (from u p (k) to y p (k)) in the attackers' perspective is obtained.

Remark 2.
Notice that the closed-loop CPS without attack is stable and satisfies a definite static-error-free tracking control performance, i.e., y(0) = y p (0) → y r0 holds. Hence, we have E[x(0)] = 0 when Equation (7) holds. It means that the auxiliary perturbation d gives Equation (8) a zero initial state in the statistical sense. This condition is easily neglected in the subsequent derivations.
To satisfy the stealthiness conditions, the attacker introduces the following control layer output reference model This model has the same structure as the inherent output reference Equation (3) of the CPS, but A r , B r , and C r are determined by the attacker with x r (0) = 0. x r0 needs to satisfy Sensors 2023, 23,1957 7 of 20 C r (I − A r ) −1 B r x r0 = y r0 to ensure that the steady output of Equation (9) is equal to y r0 . Here, y r0 = 0 denotes the desired output of the CPS before the instant of attack initiation (i.e., k = 0), and y r0 is constant around the attacks.
The following lemmas are introduced before giving our theorems. In the derivations of theoretical results based on the Lyapunov stability theory, the coupling of pending variables will lead to the corresponding matrices without the form of linear matrix inequalities. The following Lemma 1 is an important result of eliminating coupling terms, which will be used in the proof of Theorem 1.

Lemma 1. [31]
For matrices T, S, M, N with appropriate dimensions, and a non-zero scalar β, the inequality T + S M + MS < 0 holds if the following inequality is true.
The Schur's lemma can combine matrix polynomials into a global matrix for convenience in subsequent derivation, but this process will introduce matrix inverse terms. The following Lemma 2 is used to perform the reduction in the nonlinear matrix inverse terms, after the main matrix is left and right multiplied a full rank square matrix.

Lemma 2. [32]
For matrices X, Y, and J > 0 with appropriate dimensions, the following inequality is true.
Similar to Lemma 1, Lemma 3 below also deals with the coupling of the pending terms. Lemma 1 is more concise. However, Lemma 3 is a necessary and sufficient condition. It introduces an extra matrix F that can increase the degrees of freedom in solving linear matrix inequalities under some circumstances. Lemma 3 will be used in the subsequent derivation of Theorem 2.

Lemma 3. [33]
For matrices F, S, M, N, T with appropriate dimensions, and a non-zero scalar β, the following two inequalities are equivalent.
Theorem 1. For the CPS given by Equations (1) . . , 4, and a scalar β > 0, such that holds, the attack determined by (A a , A s , d, γ) satisfies the essential stealthiness with parameter γ, i.e., the Equation (6)  anomalies in the sensor measurements and causes the attack to be detected by the defender. The attacker has to take into account that the physical layer state should be driven to a new steady state, regardless of whether this steady state is technologically safe.
Remark 4. When the augmented system is stable from the attacker's perspective, one has A s y p (k) → y r0 , i.e., a new desired output y r0 = A −1 s y r0 holds. Therefore, the physical sense of the sensor attack matrix A s can be reinterpreted. The injected A s can indirectly tamper with the desired steady output of the physical plant (from y r0 to y r0 ), making it possible for the attacker to manipulate the actual output of the physical system by simulating the sensor dead zone faults.
In practice, attackers usually consider driving the output of the actual physical plant to a particular level while satisfying the essential stealthiness. The following theorem gives an implementation of this practical attack strategy. (1)-(3). For a given attack target y r0 = 0 for physical plant output y p (k) and a stealthiness parameter γ = y th e ω(k) −1 with k > 0, where y th e = sup( y e (k ) ), k ∈ (−∞, 0], if there exist matrices F, U, V, G i , P i = P i > 0, i = 1, . . . , 4, and a scalar β > 0, such that

Theorem 2. Consider a CPS given by Equations
holds, the attack determined by (A a , A s , d, γ) satisfies the essential stealthiness with parameter γ, where T 1 , T 2 , and T 3 are denoted as T 1 and T 2 have the same structure as T 1 and T 2 in Equation (14), respectively, except for the different symbolic representations of V, G i , and P i . A a and A s can be obtained by A a = U −1 V and A s = diag y r0 (1)/y r0 (1), . . . , y r0 (n y )/y r0 (n y ) , respectively.
Proof of Theorem 2. The proof can be followed by Lemma 3 and Theorem 1, so it is omitted here.
Remark 5. Different from Theorem 1, here the sensor attack matrix A s is a predefined diagonal matrix based on the attack target y r0 . Since the full-rank square matrix satisfying y r0 = A s y r0 is not unique, the predefined diagonal form reduces the degree of freedom for the results. Therefore, in the derivation of the decoupling terms, Theorem 2 considers the inequalities given by Lemma 3. The conservation of the result is reduced by introducing the new pending matrix F.

Hardware Experiments and Results Analysis
In this section, a CPS attack and defense experiment platform is developed by employing the classic quadruple-tank process as the physical plant. Furthermore, the effectiveness of the proposed attack strategy is verified and analyzed in a hardware-in-the-loop (HIL) experiment.

Configuration of the CPS Experiment Platform
The developed experimental platform is shown in Figure 2. The plant consists of four components: a quadruple-tank process (QTP) [34], a defender's industrial PC (IPC) equipped with a data acquisition board, an attacker's PC, and the private Ethernet communication network. loop (HIL) experiment.

Configuration of the CPS Experiment Platform
The developed experimental platform is shown in Figure 2. The plant consists of four components: a quadruple-tank process (QTP) [34], a defender's industrial PC (IPC) equipped with a data acquisition board, an attacker's PC, and the private Ethernet communication network. The QTP is a representative type of coupled system in the process industry, where the controlled outputs are the liquid levels of the two lower tanks ( 1 h and 2 h ), and the inputs are the control voltages acting on the two pump drive units ( 1 v and 2 v ). The modeling method of the QTP can be referred to in refs. [14,34], and the model parameters of our experimental platform are As the hardware component of the control layer in CPS, the defender's IPC is connected to the QTP through a data acquisition board and a wiring terminal board. The detailed hardware configuration of the platform is given in Table 1 for readers to replicate. Specifically, the controlled plant is composed of four cylindrical tanks in acrylic and six hoses in silicone. The two pumps and their drivers in Table 1 are the actuator part of the physical plant. They change the water flow in the hose in response to the received control signal. Two gas pressure sensors with model number HEYO-24V916PWM are chosen for real-time liquid level measurement. The readers can easily see such sensors in a blood pressure meter. The data acquisition board and the wiring terminal board are used together to transfer the collected liquid level signals to Simulink in real-time, while the latter's control signals are processed by digital-to-analog conversion and then the control voltage can be output to the pump drivers. The software components are based on the Real-Time Windows Target environment of the Matlab/Simulink to realize the HIL control of the QTP, as shown in Figure 3. The parameters of the employed dynamic output feedback controller (2)  The attacker uses the user datagram protocol (UDP) to tamper with the process data of the CPS through the private communication network to achieve the attack goal. Another typical protocol is the transmission control protocol (TCP), and a platform based on this protocol can be found in ref. [15]. To reduce the hardware investment, the input and output signal acquisition part of the physical layer of the experimental platform is designed on the IPC, while its software is separated from the controller. This idea is consistent with the basic principle of CPS and is able to meet the demand for attack data injection.
The software components are based on the Real-Time Windows Target environment of the Matlab/Simulink to realize the HIL control of the QTP, as shown in Figure 3. The parameters of the employed dynamic output feedback controller (2)     The attacker uses the user datagram protocol (UDP) to tamper with the process data

Experimental Results and Analysis
The attacker sets the attack target value of y p (k) as y r0 = [6, 8.3] , which corresponds to the actual levels 25.2 cm and 27.8 cm. The sensor attack matrix can be determined according to Theorem 2 as follows: In addition, the stealthiness parameter is set to γ = 0.0162, and the auxiliary perturbation d is: The parameters in the output reference (9) are set as follows: A feasible actuator attack matrix A a is obtained according to Theorem 2 as follows: A a = 1.127 0.667 0.206 0.893 .
The total running time of the experiment is set to 1000 s. The attacker implements the attack strategy with parameters (19) and (22)  The total running time of the experiment is set to 1, 000 s . The attacker implements the attack strategy with parameters (19) and (22) Figure 4 shows the variation curves of the actual output p ( ) y k in the physical layer for the CPS. It can be seen that the physical system operates in a static-error-free tracking mode before the attack is launched. Once the attack starts, the two liquid levels deviate from the previous output reference   The facts indicate that the attacker achieves the desired attack effect.
trol Layer Outputs (cm) The total running time of the experiment is set to 1, 000 s . The attacker implements the attack strategy with parameters (19) and (22) Figure 4 shows the variation curves of the actual output p ( ) y k in the physical layer for the CPS. It can be seen that the physical system operates in a static-error-free tracking mode before the attack is launched. Once the attack starts, the two liquid levels deviate from the previous output reference   3, 5  , and then stabilize at the attacker's targets 6 cm and 8.3 cm, respectively. Thus, the attack performance can be obtained as The facts indicate that the attacker achieves the desired attack effect.  It should be noted that the actual outputs of the physical plant under attack have larger steady-state errors compared with those not under attack. This is because the injection of the sensor attack matrix s A indirectly tampers with the input gains c B and c D in CPS's inherent controller Equation (2), resulting in a change in the dynamic relationship between the nominal output ( ) u k and input e ( ) y k in the control layer. Moreover, the actuator attack matrix a A can be considered as the tampering of the control gain for the physical plant in Equation (1), that is, B is altered to a B A . Almost all existing studies treat the attack process as the operating data being compromised. It is important to analyze both the attack and defense issues of CPSs from the perspective of model parameters under attack because the attack model essentially raises open questions.
In addition, Figures 5 and 6 give the curves displayed in the control layer before and after the attacks. They present the output ( ) y k , tracking error e ( ) y k (the norm form of e ( ) y k ), and the implicit metrics of tracking control performance ( ) γ ω k in the defender's perspective. It can be seen that although the actual output of the physical plant deviates from the predefined reference when the CPS is subjected to attacks (as shown in Figure 4), the received data in the control layer are not significantly abnormal and only present a phenomenon similar to a short-time exogenous perturbation. From the perspective of the process data received in the control layer, the Equation (6) holds after a limited tuning time (about 29.1 s ), which indicates that the designed attack matrices satisfy the desired stealthiness.

Discussions and Limitations
As we can see from the experiments in Section 5.2, the attacker can simply obtain the attack matrices in constant form by solving the linear matrix inequalities offline in a onetime process. Thanks to the constant form of the attack matrices, the attacker can, in practice, diagonalize the attack matrices and then implement the attack by adjusting the gain knobs of the sensors and actuators in the physical layer. This physical attack does not require any data injection in the communication network and is strictly stealthy for most anomaly detectors based on network traffic monitoring. In addition, the phenomenon, such as the short-time exogenous perturbation that appears in Figure 6, is essentially caused by the change in the potential desired trajectory due to the sensor attack matrix. This phenomenon can be weakened when the attacker tries to target the stepped desired trajectory as the attack goal.
It is important to note that the proposed attack strategies also have some limitations. On the one hand, we assume that the attacker has complete information on the CPS model. This assumption is common in the research of stealth attacks (e.g., in ref. [9,16,17]), but it is worth being concerned to weaken this assumption in order to further improve the practical value of the attack programs. This paper does not make a breakthrough in this regard. On the other hand, the two proposed theorems assume that the attacker tries to drive the Figure 6. The curves of y e (k) and γ ω(k) before and after the attacks. Figure 4 shows the variation curves of the actual output y p (k) in the physical layer for the CPS. It can be seen that the physical system operates in a static-error-free tracking mode before the attack is launched. Once the attack starts, the two liquid levels deviate from the previous output reference [3,5] , and then stabilize at the attacker's targets 6 cm and 8.3 cm, respectively. Thus, the attack performance can be obtained as The facts indicate that the attacker achieves the desired attack effect.
It should be noted that the actual outputs of the physical plant under attack have larger steady-state errors compared with those not under attack. This is because the injection of the sensor attack matrix A s indirectly tampers with the input gains B c and D c in CPS's inherent controller Equation (2), resulting in a change in the dynamic relationship between the nominal output u(k) and input y e (k) in the control layer. Moreover, the actuator attack matrix A a can be considered as the tampering of the control gain for the physical plant in Equation (1), that is, B is altered to BA a . Almost all existing studies treat the attack process as the operating data being compromised. It is important to analyze both the attack and defense issues of CPSs from the perspective of model parameters under attack because the attack model essentially raises open questions.
In addition, Figures 5 and 6 give the curves displayed in the control layer before and after the attacks. They present the output y(k), tracking error y e (k) (the norm form of y e (k)), and the implicit metrics of tracking control performance γ ω(k) in the defender's perspective. It can be seen that although the actual output of the physical plant deviates from the predefined reference when the CPS is subjected to attacks (as shown in Figure 4), the received data in the control layer are not significantly abnormal and only present a phenomenon similar to a short-time exogenous perturbation. From the perspective of the process data received in the control layer, the Equation (6) holds after a limited tuning time (about 29.1 s), which indicates that the designed attack matrices satisfy the desired stealthiness.

Discussions and Limitations
As we can see from the experiments in Section 5.2, the attacker can simply obtain the attack matrices in constant form by solving the linear matrix inequalities offline in a one-time process. Thanks to the constant form of the attack matrices, the attacker can, in practice, diagonalize the attack matrices and then implement the attack by adjusting the gain knobs of the sensors and actuators in the physical layer. This physical attack does not require any data injection in the communication network and is strictly stealthy for most anomaly detectors based on network traffic monitoring. In addition, the phenomenon, such as the short-time exogenous perturbation that appears in Figure 6, is essentially caused by the change in the potential desired trajectory due to the sensor attack matrix. This phenomenon can be weakened when the attacker tries to target the stepped desired trajectory as the attack goal.
It is important to note that the proposed attack strategies also have some limitations. On the one hand, we assume that the attacker has complete information on the CPS model. This assumption is common in the research of stealth attacks (e.g., in ref. [9,16,17]), but it is worth being concerned to weaken this assumption in order to further improve the practical value of the attack programs. This paper does not make a breakthrough in this regard. On the other hand, the two proposed theorems assume that the attacker tries to drive the output of the physical plant to an unsafe constant value. This linearized attack goal remains somewhat homogeneous due to the constraints of the stealthiness conditions. More flexible forms of attack targets should be considered in the future.

Conclusions and Future Work
In this paper, we studied a class of stealthy attack strategies in the form of multiplicative matrices against CPSs. Two theorems are given for designing attacks with constant matrices. The model of multiplicative attack matrices is proposed for the first time. The attack strategies based on this model transform the attack parameter designs into controller design issues, which may raise a new research trend in the field of stealthy attack strategies. Moreover, a CPS attack and defense experimental platform is developed. The platform has the characteristics of low cost and high openness, which promotes the practicalization of stealthy attack research.
In the future, our research will be extended to stealthy attack methods under the unknown model information. The emphasis should be on data-driven multiplicative stealthy attacks. In addition, the relationship between the proposed stealthiness conditions with the existing χ 2 and KLD ones should also be investigated.
According to the Schur complement lemma, Π < 0 is equivalent to the inequality −diag P 1 , P 2 , P 3 − I, P 4 , γ 2 I * Φ −diag P −1 1 , P −1 2 , P −1 3 , P −1 Left and right multiplication by diag{I, . . . , I, G 1 , G 2 , G 3 , G 4 } and its transposition for the matrix in inequality (A12) yield where L 11 = G 1 A, L 12 = G 1 BA a C c , L 13 = G 1 BA a D c , L 15 = G 1 A d , L 16 = G 1 BA a F c H r , L 17 = G 1 , L 22 = G 2 A c , L 23 = G 2 B c , L 26 = G 2 E c H r , L 31 = GCA, L 32 = GCBA a C c , L 33 = GCBA a D c , L 34 = −G 3 C r A r , L 35 = −GCA, L 36 = GCBA a F c H r − G 3 C r B r , L 37 = GC, L 38 = G, L 44 = G 4 A r , L 46 = G 4 B r , G = G 3 A s , G i =G i P −1 i G i , i = 1, . . . , 4. Notice that Π contains the inverse of the matrices to be determined (e.g., G i , i = 1, . . . , 4) and several coupled terms of the pending matrices (such as L 12 ). For the former, we can utilize Lemma 2. Let X = I in this lemma yields Y J −1 Y ≥Y + Y − J and use the resulting inequality to eliminate the matrix inverse terms. For the coupled pending matrices, we next use the full-rank decomposition combined with the decoupling method given in Lemma 1 to deal with them.
Considering the coupled terms in (A13), introduce the definition A a = U −1 V, where U is a pending invertible matrix. Thus, the coupled terms can be represented as Next, consider the inequality where Let N = diag{U, U}, T 2 = βM + NS, T 3 =−β(N + N ). According to Lemma 1, we have T 1 + MS + (MS) < 0 and thus Π < 0 when Equation (14) holds. The theorem is proved.