Confidentiality Analysis of Linear Networked Control Systems
Time: Thu 2026-09-10 09.00
Location: Harry Nyquist, Malvinas Väg 10, floor 7
Video link: https://kth-se.zoom.us/j/66795132284
Language: English
Subject area: Electrical Engineering
Doctoral student: Enno Breukelman , Reglerteknik
Opponent: Prof. Dr.-Ing. Steven X. Ding, University of Duisburg-Essen, Duisburg, Germany
Supervisor: Professor Henrik Sandberg, Reglerteknik; Professor Karl H. Johansson, Reglerteknik
QC 20260715
Abstract
Advances in digitalization have transformed modern control systems by enabling the integration of physical processes with computation and networked communication, allowing for ever-increasing levels of automation. Systems with this tight integration of the physical and digital worlds are often referred to as Cyber-Physical Systems (CPSs), enabling remote operation and interconnection of distributed processes. In such systems, the physical process and the control unit communicate over a network, which introduces vulnerabilities to cyber-attacks. An adversary may interrupt communication, eavesdrop on exchanged information, or manipulate transmitted data, potentially causing remote damage to the physical system. As a result, the security of such systems has become an important research topic in the field of control theory.
In this thesis, we study attacks on networked control systems, such as CPSs, in which an adversary has gained unauthorized access to the communication between the controller and the controlled process, also called the plant. We focus on confidentiality attacks, where the adversary remains passive, without injecting data into the closed-loop process, and instead observes intercepted signals to infer private information from within the controller or the plant. In particular, we consider Linear Time-Invariant (LTI) models for the plant and the controller, where the plant is subject to stochastic disturbances. The thesis is divided into two parts. In the first part, we develop methods for state and unknown input estimation in stochastic systems, independent of the potential use in an adversarial attack. In the second part, we apply these methods to confidentiality attacks, where a passive adversary aims to reconstruct internal states or reference signals from intercepted data.
This thesis makes three main contributions. First, we develop a model-based estimation framework for stochastic LTI systems that yields unbiased, minimum-variance estimates of states and unknown inputs under explicit system-theoretic conditions, by exploiting delayed estimation. Second, we design a data-driven unknown input reconstruction algorithm for Multiple-Input Multiple-Output (MIMO) systems that computes estimates directly from measured data without requiring an explicit system model. Third, we analyze confidentiality attacks on closed-loop systems and derive system-theoretic conditions that characterize when such attacks are feasible. A central result is that the feasibility of both estimation and confidentiality attacks is fundamentally governed by system-theoretic properties such as invariant zeros and strong detectability. These results enable system designers to assess confidentiality risks and identify structural vulnerabilities in networked control systems.