Diagnosability of Discrete Event Systems under Sensor Attacks

This paper considers fault diagnosis in discrete event systems modeled by finitestate automata, according to the theory of diagnosability, but it assumes that an attacker has compromised the communication channel from the system's sensors to the diagnostic engine. The attacker operates according to a general attack model that has been studied previously in the context of supervisory control, but not in the context of fault diagnosis. Specifically, the attacker is able to replace each occurrence of a compromised observable event with a string in an attack sublanguage; in particular, this general model embeds event insertion and deletion as well as static and dynamic attacks. The new notion of CA- diagnosability is defined in order to formally capture the ability of the diagnostic engine to still diagnose the occurrences of faults in the presence of the attacker, as captured by its attack model. This extends prior results on supervisory control under attack, where the corresponding properties of CA-controllability and CA-observability were introduced, to the realm of fault diagnosis. A testing procedure for CA-diagnosability is developed and its correctness is proved. Then, diagnosability theory is used to study conditions under which the presence of the attacker can be detected based on the corrupted observations. The results in the paper are illustrated using an example of a protection relay and a circuit breaker in a power system, where the faults are the failures of the protection relay or of the circuit breaker.