Robustness of Cyber-Physical Systems against Simultaneous , Sequential and Composite Attack

Pengshuai Cui 1, Peidong Zhu 1,2,*, Peng Xun 1 and Chengcheng Shao 1 1 College of Computer, National University of Defense Technology, Changsha 410073, China; cuipengshuai@nudt.edu.cn (P.C.); p.xun@outlook.com (P.X.); chch.shao@outlook.com (C.S.) 2 Department of Electronic Information and Electrical Engineering, Changsha University, Changsha 410022, China * Correspondence: pd.zhu@outlook.com; Tel.: +86-155-0748-6081


Introduction
Physical systems cover the majority of Critical Infrastructures (CIs), which are the cornerstone of social prosperity and development.The typical physical systems include power grids, transportation networks, water supply systems, medical systems, etc.The safe operation of physical systems matters a lot to the safety and stability of the society.However, system failures and malicious attacks often occur in physical systems, and it is inevitable that some components of the systems would be broken down.Robustness, which is defined as the survivability under failure or attack, is one of the most important properties of a system.In the meantime, robustness is a relative term, a system may be robust under an attack strategy but vulnerable under another attack strategy.Thus, understanding how attackers would attack the system is of great importance.
Many researchers focus on the robustness and attack strategy of physical systems, especially on the power grid.Simultaneous attack on a power grid is studied in [1], and the loss of generation power and time to reach steady-state are used to evaluate the damage to the power grid.Sequential attack on a power grid is studied in [2][3][4][5], which shows that sequential attack brings new vulnerability to the power grid.More generally, there are also researchers trying to build a universal model to describe the robustness of physical systems but not limited to the power grid, and a complex network model is used [6][7][8].However, the research in [6][7][8] only considers the simultaneous attack but neglects the sequential attack.
In recent years, information systems are coupled with the physical systems to achieve real time monitoring and controlling.The physical systems and the information system form the Cyber-Physical Systems (CPS), which have attracted extensive attention recently [9,10].The coupling process makes it possible to damage the physical systems through cyber systems [11][12][13][14][15][16][17] and makes the physical systems more vulnerable.Currently, it is difficult for both IT people and people from physical systems to understand the risk.For the former, they know little about the physical process and for the latter, they are not skilled in cyber security [18].When we design the robustness model for the CPS, the characteristics of the cyber system and the process of physical system must be included.The existing model mainly applies to the power grid [19][20][21], and the universal model such as interdependent networks [22,23] can not grasp the characteristics of either cyber systems or physical systems.Thus, a new model should be built to describe the coupling CPS, which will appear in Section 2.
Meanwhile, there is little research about sequential attack on interdependent Cyber-Physical networks, which should be further studied.In addition, there are other forms of attacks that are different from simultaneous and sequential ones and we call them composite attacks.We will study the attack effect of simultaneous attack, sequential attack and composite attack, and evaluate whether the composite attack would bring new vulnerability.
The rest of the paper is organized as follows: the failure model, attack model and problem definition are given in Section 2. In Section 3, numerical simulations are conducted.At the end of the paper, the discussions and conclusions are given.

The Model
In this section, we propose a Cyber-Physical failure model, in which the measurement of robustness, and the cascading failure process are introduced.Then, target set, attack unit, attack tuple and attack sequence are defined.

The Failure Model of Interdependent Cyber-Physical Systems
The interdependent Cyber-Physical system containing N nodes can be divided into cyber sub-network and physical sub-network.Without loss of generality, we set that there are N/2 nodes in the cyber sub-network and N/2 nodes in the physical subnetwork, denoted by N C and N P .We use the one-to-one correspondence [22] to build the dependence between cyber sub-network and physical sub-network.The nodes from cyber sub-network and physical subnetwork come in pairs.For example, node c i from a cyber sub-network and node p i from a physical sub-network are a pair.Then, if c i stops functioning, node p i would stop functioning too and, if node p i stops functioning, node c i would fail too.In the cyber sub-network, to maintain a functional, a cyber node must (i) belong to the giant component of the cyber sub-network and (ii) meet the requirement that its support node from a physical sub-network is survival.We use the load-induced model [24] to describe the physical sub-network.The initial load L i (0) of node i is defined as: In Equation ( 1), k i is the intra-degree of node i, and α is a tunable parameter.The capacity C i of node i is proportional to its initial load: In Equation (2), λ is also a tunable parameter that represents the tolerance of the physical sub-network against attack or failure.Larger λ brings more robustness to the physical sub-network; however, larger λ also means that it will cost more when building the physical sub-network.After state s, if node i fails, its load would be redistributed to its neighbor nodes.Then, in state s + 1, the load of its neighbor node j would become: In Equation (3), Γ i represents the set of neighbor nodes of node i.To maintain functioning, a physical node i must meet the following conditions: (i) its load is not larger than its capacity, which means L i ≤ C i ; and (ii) its support node from cyber sub-network is still survival.
The attack on a Cyber-Physical system is represented by removing a fraction of nodes (how to remove the nodes will be described in Section 2.2).Generally, the physical nodes are well protected, so we assume that the removing part is all from the cyber sub-network.The ration of survival nodes to initial nodes is used to measure the robustness against attack sequence AS i , denoted by R AS i : In Equation ( 4), N C and N P are the survival nodes in the cyber sub-network and physical sub-network after being attacked.A specific example of the model is shown in Figure 1.In Figure 1, there are 14 nodes in the Cyber-Physical network, and N C = N P = 7.The values of α and λ are 1 and 0.5, respectively.In stage 0, attackers attack node C2, and C2 fails.In stage 1, node P2 fails because its support node C2 has been failed in stage 0. In stage 2, the load of P2 has been redistributed to node P1 and P3; the load of P1 has been changed to 5/3 and exceeds its capacity 3/2, so node P1 fails; the load of P3 has been changed to 10/3 and exceeds its capacity 3, so node P3 fails; then, the load of P3 has been redistributed to node P7, and the load of P7 has been changed to 13/3 and exceeds its capacity 3/2, so node P7 fails.In Stage 3, nodes C1, C3 and C7 fail because their support nodes P1, P3 and P7 have failed in stage 2. Finally, the interdependent Cyber-Physical sub-network reaches the stable state.Each node in the cyber sub-network belongs to the giant component and has a support node from the physical sub-network, and each node in the physical sub-network is not overloaded and has a support node from the cyber sub-network.

Attack Model
To describe our attack model clearly, the following definitions are given.Definition 1. Target set, denoted by T, T is a set of nodes that the attackers have the ability to attack, and all nodes in the attack set would be removed by attackers.The number of nodes in target set is denoted by T n .Definition 2. Attack unit a is the basic unit the attackers can attack, which means a specific node could be attacked and removed by attackers, and we have a ∈ T.

Definition 3. Attack set, denoted by
is a set of attack units that attackers would attack simultaneously, and A ⊂ T. |A| represents the number of elements of the attack set.The attack set has the following characteristics: (i) certainty, which means for any attack unit a, either a ∈ A or a / ∈ A; (ii) exclusion, which means for any two attack units a i and a j in an attack sets, a i = a j ; (iii) disorder, for example, [a 1 , a 2 , The attack strength of an attack sequence, denoted by |AS|, decides how many nodes would be removed from the network, obviously, Given a specific attack sequence, the attack process is as follows (see Algorithm 1).

Algorithm 1
The attack process in interdependent load-induced Cyber-Physical systems.
end for end for 14: if node c l is survival & its support node has been failed then 16: Step 1: Fail all the nodes in attack set A i , and set Step 2: Find the giant components of a cyber sub-network, check all the nodes in the cyber-subnetwork, and fail the nodes that do not belong to the giant component.When one node is removed, set N C = N C − 1; Step 3: Check all nodes in the cyber-subnetwork, and fail the nodes whose support nodes have failed.When one node fails, set N P = N P − 1; Step 4: Check all the nodes in the physical sub-network, fail all the nodes whose loads exceed their capacities, and redistribute the loads according to Equation (3).When one node is removed, set N P = N P − 1; Step 5: Check all nodes' physical-subnetworks, and fail the nodes whose support nodes have been failed.When one node fails, set N P = N P − 1; Step 6: If there have been any nodes that failed in Step 2-Step 5, go to Step 2.
Step 7: i = i + 1; if i <= n, go to Step 1; Step 8: Evaluate the robustness, return R AS = (N C + N P )/(N C + N P ).

Problem Definition
Given a specific target set, if attacking simultaneously brings large damage to the network, these nodes in the target set would be considered as critical nodes and well protected.However, for some target sets [2], the network is robust under simultaneous attack but vulnerable under sequential attack in the power grid, so the defender should also consider these nodes that are removed sequentially as critical ones.In this paper, we try to answer the following questions: (1) whether the sequential attack would cause larger damage with some target sets in a more universal model, for example, load-induced model; (2) whether the sequential attack causes new vulnerability in an interdependent Cyber-Physical network when the attack can be only on a cyber subnetwork; (3) whether the following attack sequences exist, which are not sequential attacks and simultaneous attacks but would cause more damage.If these attack sequences exist, it means that some critical nodes are ignored, which should be realized by the defenders.First, we define the conception of simultaneous attack and sequential attack; in fact, they are only two special attack sequences: Definition 5. Simultaneous attack, denoted by AS si in an attack sequence, there is only one attack set, such as Definition 6. Sequential attack, denoted by AS se in an attack sequence, in each set, there is only one attack unit, such as For a given target set who has n attack units, there are f (n) kinds of attack sequences, and we have: Thus, for a given n, there are many kinds of attack sequences.For example, f (4) = 81 and f (5) = 541.There are many other attack sequences besides the sequential attack and simultaneous attack.The question 3 can be expressed as:

Numerical Simulations and Analysis
This section is divided into three parts: first, we check whether the sequential attack can cause more damage than simultaneous attack in a load-induced network; then, whether the sequential attack can bring more damage than a simultaneous attack in an interdependent Cyber-Physical network is evaluated; finally, we find new vulnerability in some attack sequences, which are neither sequential attack nor simultaneous attack.

Sequential Attack against Single Physical Networks
To check the attack effect of a sequential attack on single physical networks, we use the IEEE-39 bus [25] to do the simulations.Each bus is treated as a node and each transmission line is treated as a link.The structure of IEEE-39 bus network is shown in Figure 2. In the simulations, λ = 0.6 and α = 1.The attack process on a single physical network is shown in Figure 3.The results are shown in Tables 1 and 2. With the target sets in Table 1, a simultaneous attack would cause more damage.For example, if the attackers use attack sequence { [12,11]}, none of the nodes would survive against the attack; however, if the attackers use the attack sequence { [12], [11]}, 37 nodes would survive against the attack.The results shown in Table 1 meet most people's expectations: it would cost more to attack simultaneously, so it can surely cause more damage.With the situation that attack sequence { [12,11]} causes more damage, node 11 and node 12 will be considered as critical nodes and well protected.
Table 2 shows the target sets with whom the sequential attack would cause more damage.For example, with attack sequence { [7,8]}, there are 37 nodes surviving the attack; however, with attack sequence { [7], [8]}, none would survive.These attack sequences bring new vulnerability.Only taking simultaneous attacks into account, node 7 and node 8 are not critical nodes and won't be well protected, but attackers can attack them sequentially and cause dramatic damage.
We should notice that the target sets in Table 1 or Table 2 are only small parts of all target sets.There are 39 nodes in the network, so there are C 2 39 = 741 different kinds of target sets.In total, the former comprises 1.75% and the latter comprises 3.64%.We also do simulations with BA networks that are randomly generated, and the results imply that in these networks there also exist target sets with which sequential attack would cause more damage.
with n = 100 is constructed, and the cyber subnetwork and physical subnetwork have the same size(N C = N P = 50).The two subnetworks are generated by the algorithm proposed by Barabasi et al. [26], so the two subnetworks are scale-free and follow power-law distribution P(k) = 2m 2 k −s .In the simulations, s = 3 and we set m = 2.There are two targets in the attack sets, so T n = 2, and there are C 2 50 = 1225 different target sets.Two attack sequences-sequential attack and simultaneous attack-are tested.
First, we construct a single physical network, set λ = 0.5 and α = 1, and record the subnetwork's structure and initial state.The robustness of the single physical subnetwork under simultaneous attack and sequential attack is shown in Figure 4a.Then, we build an interdependent Cyber-Physical network, and the structure of the physical subnetwork is the same as the structure of a single physical network we build before, and we also set λ = 0.5 and α = 1.The robustness of the interdependent Cyber-Physical network is shown in Figure 4b.We could see from the two figures that the results are similar but also have differences.In the single physical network, sequential attacks would cause more damage with 19 target sets and simultaneous attack could cause more damage with 35 target sets.While in interdependent Cyber-Physical systems, sequential attacks would cause more damage with 28 target sets and simultaneous attack would cause more damage with 28 target sets.We could find, with the coupling process, that the number of target sets for which a sequential attack would cause more damage is increasing, while the number of the target sets for which a simultaneous attack would cause more damage is decreasing.
We make a brief analysis here for the phenomenon.During the above case, we could find 39 target sets in interdependent Cyber-Physical systems with which a sequential attack would cause more damage, and we could find 18 of them that are the correspondence of the target sets in single physical systems.For example, in interdependent Cyber-Physical systems, attack sequence { [26],[31]} causes more damage than attack sequence { [26,31]}.While in single physical systems, the attack sequence { [13], [21]} causes more damage than attack sequence { [13,21]}.Node 26 in the cyber subnetwork and node 13 in the physical subnetwork are a pair and node 31 in the cyber subnetwork and node 21 in the physical subnetwork are a pair.

Discussions
Our model cannot apply to all Cyber-Physical systems and there are limitations for the systems: first, the cyber system and physical system should depend on each other; second, the physical system is load-induced, and the load would be redistributed after a physical node's failures; third, the attack targets are cyber nodes, while in some cases, attackers may prefer attacking physical edges; finally, the number of survival nodes should be used to measure the robustness of systems.A Cyber-Physical system meeting all the limitations can use our model to simulate its robustness, and all we need to do is just adjust the parameters in our model.
We suggest that the following changes may be needed while building the model for other types of systems: first, the dependency relation may be changed; second, the physical process in physical systems may be changed; third, the attack targets may be changed; finally, the measurement of robustness may be changed.
In our model, with some target sets, the sequential attack causes more damage than simultaneous attack, and with some target sets, composite attack causes more damage than both sequential attack and simultaneous attack.However, how to find these target sets is still a research field that needs to be researched.In Section 3.1, we find that most nodes in target sets with which sequential attack causes more damage are neighbors; in Section 3.1, we find half of the target sets are the correspondence of target sets in single physical systems; these may be a clue to find the target sets with which sequential attack would cause more damage in interdependent Cyber-Physical networks and could be verified later.However, there are no clues on how to find target sets with which composite attack would cause more damage than both simultaneous attack and sequential attack.
In Section 3.1, there are only 3.64% target sets with which sequential attack would cause more damage in a single physical network; in Section 3.2, there are only 2.29% target sets with which sequential attack would cause more damage in interdependent Cyber-Physical network; in Section 3.3, the target sets with which the composite attack effect are better than both sequential attack and simultaneous attack are more rare.In some cases, these target sets do not even exist.However, we still suggest that the defenders consider the sequential attack and composite attack when selecting the critical nodes.It is very dangerous when the attackers find an attack sequence with which they can bring vast damage on the network, while the defenders ignore these nodes because their simultaneous failure can only bring limited damages.
We also suggest that the defenders take the composite attack as a priority, not because composite attack is more advanced than sequential attack or simultaneous attack.In fact, it is hard to tell which is better.For some target sets, one kind of attack sequence may cause more damage.For other target sets, another attack sequence may cause more damage.We suggest the composite attack as priority, because it comprises the majority of all attack sequences.If there are four nodes in target sets, this means T n = 4.Then, there are f (4) = 81 kinds of attack sequences, and one of them is simultaneous attack and 24 of them are sequential attacks, so there are 56 kinds of composite attacks.When T n = 5, 420 attack sequences of 521 total attack sequences are composite attacks.Thus, with T n increasing, the composite attack takes more of a part in all attack sequences.

Conclusions
In this paper, we propose the interdependent Cyber-Physical model, and the definitions of target set, attack unit, attack set, attack sequence are given to describe the model more clearly.The attack model is also proposed to present the attack process, and we divide the attack sequence into three kinds: simultaneous attack, sequential attack and composite attack.Through numerical simulations, we find: (1) with some target sets, sequential attack can cause more damage than simultaneous attack in a single load-induced physical network; (2) in an interdependent Cyber-Physical network, sequential attack can also lead to a better attack effect with some target sets, and half of them are the correspondence of the target sets in single load-induced physical networks; (3) composite attack may cause much more damage than both sequential attack and simultaneous attack.Thus, we suggest that the defenders should take simultaneous attack, sequential attack and composite attack into account when they try to select the critical nodes.
There are manifold Cyber-Physical systems, and different models can be built to simulate their robustness under different attacks.In future work, we would build more models with different types of systems.

Figure 1 .
Figure 1.A specific example of the Cyber-Physical network failure model.

Figure 4 .
Figure 4. Robustness under simultaneous attack and sequential attack.Each point is the robustness under simultaneous attack and sequential attack with the same target set.AS2 represents the sequential attack and AS1 represents the simultaneous attack.Figure 4a shows the robustness of a single physical network under different attack sequences; Figure 4b shows the robustness of interdependent Cyber-Physical network under different attack sequences.

Figure 5 .
Figure 5. Robustness of an interdependent Cyber-Physical network under different attack sequences with the same target sets.AS1 represents the simultaneous attack.AS2-AS7 represent sequential attacks.AS7-AS13 are composite attacks.

Figure 6 .
Figure 6.Robustness of interdependent Cyber-Physical network under different attack sequences with same target sets.R AS8 represents the robustness under attack sequence AS8, R AS11 represents the robustness under attack sequence AS11, and R AS2 represents the robustness under attack sequence AS2.
is a series of ordered attack sets.It represents the attack strategy of attackers.It has the following characteristics: (i) the most important characteristic is orderly organized, for example, {A 1 , A 2 } = {A 2 , A 1 }; (ii) any two attack sets in an attack sequence have no intersection, which means A i ∩ A j = ∅; and (iii) an attack sequence includes all the attack units in a target set, which means T