False data injection attacks detection method based on super-twisting extended state observer algorithm

Abstract

Industrial control systems (ICSs) face escalating risks from network-layer cyberattacks. False data injection attacks (FDIAs) undermine operational security by manipulating data transmitted through communication networks, leading the controller to receive compromised state information and subsequently make erroneous decisions. This paper proposes a novel detection framework for FDIAs based on a super-twisting extended state observer (STESO). First, we design a third-order STESO and rigorously prove its finite-time stability through Lyapunov function analysis, enabling rapid and accurate estimation of system states and disturbances. Second, the FDIA detection mechanism is established by constructing a reference model based on disturbance estimate, where deviations between the reference system states and the observed states under steady-state conditions serve as detection indicator. The proposed mechanism effectively avoids false alarms caused by disturbances. In addition, the introduction of the observer reduces the detection system’s reliance on real states, making it more suitable for ICS where state information is often unavailable. Finally, numerical simulations validated the effectiveness of the proposed detection method and insensitivity to disturbances.

Keywords

Industrial control systems FDIA detection extended state observer finite-time stability

Introduction

Industrial control system (ICS), functioning as the cyber-physical backbone of critical infrastructure, orchestrates production processes through the integration of real-time control architectures, industrial automation technologies, and interconnected edge devices such as sensors, actuators, and embedded controllers. The evolution of information and communication technologies (ICTs) has transformed ICS from isolated automated systems to interconnected intelligent systems (Gupta and Chow, 2009; Lu and Xu, 2019). These systems support vital sectors such as power generation, manufacturing, healthcare, and transportation and are critical for maintaining economic stability and national security (Xu et al., 2018).

However, their strategic significance and growing connectivity have made ICS prime targets for cyber-physical attacks with catastrophic consequences. The digital transformation of ICS, driven by the widespread adoption of Industrial Internet of Things (IIoT) devices and networked microprocessors, has introduced unprecedented vulnerabilities (Zhang et al., 2016). Traditional ICS components frequently operate on outdated, unpatched software, while the convergence of IT and OT networks further expands the attack surface (Anton et al., 2021; Xue et al., 2024). ICS security vulnerabilities fall into three categories: policy/procedural vulnerabilities (e.g. inadequate security documentation), platform vulnerabilities (e.g. hardware/software defects or misconfigurations), and network vulnerabilities (e.g. communication protocol weaknesses susceptible to data tampering). This study focuses specifically on network vulnerabilities.

Network attacks in ICS threaten production stability, highlighting the need for extensive research on attack detection methods. This work focuses on control-relevant cyberattacks, excluding pure information security threats. Network control system attacks generally fall into two categories: non-disruptive attacks (e.g. eavesdropping, which enables subsequent attacks such as replay attacks (An et al., 2022; Langner, 2011)) and disruptive attacks (e.g. physical attacks, denial-of-service (DoS) attacks (Wu et al., 2024; Yao et al., 2023), and deception attacks such as false data injection, replay, zero-dynamics, and bias injection attacks (Bessa et al., 2022; Liang et al., 2016)).

Unlike traditional cyberattacks targeting information security (e.g. man-in-the-middle attacks (Cao et al., 2025; Xu et al., 2024; Yuan et al., 2024)) and routing attacks, FDIAs subvert control logic by mimicking legitimate behavior, presenting significant detection challenges. FDIAs typically inject malicious data into sensor measurements to mislead operators or controllers (Lu et al., 2023; Suo et al., 2024) or directly manipulate actuator commands (Zhang et al., 2023). Sophisticated adversaries may exploit system model knowledge to design stealthy attacks, whereas less informed attackers may use trial-and-error methods.

Model-based detection methods have gained attention in ICS security due to their interpretability and system compatibility. These methods use state estimation techniques such as least squares estimation (Deng et al., 2015; Huang et al., 2014), although their detection robustness is limited (Hug and Giampapa, 2012). Observer-based methods using the Luenberger observers (Pasqualetti et al., 2013), high-gain observers (Gallo et al., 2018), and KFs (Cardenas et al., 2008) demonstrate improved performance. Notable advancements include distributed observer frameworks for cyber-physical system (CPS) attack detection (Gallo et al., 2018), multi-sensor resilient detection with error correction (Kim et al., 2018), and model-based schemes that combine Kalman filters (KFs) with noise reduction (Manandhar et al., 2014). Optimal attack strategies under Linear Quadratic Gaussian LQG control with KF estimation (Chen et al., 2017) and extended Kalman filter (EKF) applications for nonlinear systems (Liu et al., 2016) have further advanced this field.

While existing detection methods can sensitively identify attacks, prevailing techniques primarily focus on intrusion detection under measurement noise (Soltani et al., 2017) and largely ignore inherent process disturbances in industrial operations. This oversight is critical because mechanical vibrations, sensor drift, and environmental fluctuations often have statistical characteristics indistinguishable from those of FDIAs. Consequently, conventional detection frameworks—such as residual-based chi-square tests and adaptive thresholds—often misclassify disturbances as attacks, leading to excessive false positives.

To address this critical problem, we propose a novel extended state observer (ESO)-based detection architecture that explicitly resolves it. Our work makes three key contributions:

We design a super-twisting extended state observer (STESO) with enhanced robustness, fast response, and precision and prove the finite-time stability of the closed-loop observer system using the Lyapunov-based methods.

Existing FDIA detection methods often neglect the impact of inherent process disturbances in ICS, and disturbance effects may trigger false alarms. Using the STESO, we construct a disturbance-attack decoupling framework to isolate disturbances from FDIAs, thereby eliminating disturbance-induced false alarms.

The proposed detection mechanism does not rely on real system states, making it more suitable for scenarios where most ICS states are unavailable or partially available.

This paper is organized as follows: section “Problem description and preliminaries” presents system modeling and preliminaries; section “Main results” presents the main results and related theoretical analysis; section “Simulation results” provides the simulation validations; section “Conclusion” concludes this paper.

Problem description and preliminaries

System description

In industrial systems, many complex systems can often be simplified to first-order or second-order models. Without loss of generality, this paper considers the following simplified disturbed second-order system model:

\begin{matrix} ẋ_{1} = x_{2}, \\ ẋ_{2} = u + d, \\ y = x_{1} . \end{matrix}

(1)

where $x_{1}, x_{2}$ are the system states, y is the measurable system output, u is the control input, and d represents the external disturbance that is continuous and differentiable, and its derivative is bounded, that is, $| ḋ | < d^{*}$ , where $d^{*} > 0$ is a positive constant.

Remark 1. Studying the second-order system (1) holds significant theoretical and practical importance. From the perspective of engineering applications, the dynamical equations of most mechanical motion systems are second-order. Therefore, numerous ICSs can be modeled in the form of system (1), such as elastic actuator systems, robotic arm systems, and UAV position/attitude systems.

A typical ICS model is shown in Figure 1. The industrial field layer and the control layer of the system are connected via a wireless communication network. The system state data measured by the sensors in the industrial field layer are transmitted through the communication network to the control layer. Based on the received state information, the control layer generates control commands, which are then transmitted back through the communication network to the actuators in the industrial field layer.

Figure 1.

Industrial control system model diagram.

However, the open network communication environment is vulnerable to FDIAs. Next, three common forms of FDIAs will be introduced.

1. Surge Attack

x_{a} (t) = {\begin{matrix} x (t), & t \neq t_{a}, \\ x (t) + ρ_{s}, & t = t_{a}, \end{matrix}

(2)

where $ρ_{s}$ is a relatively large attack amplitude, which is superimposed on $x (t)$ at time $t_{a}$ .

2. Bias Attack

x_{a} (t) = {\begin{matrix} x (t), & t \notin (t_{a}, t_{b}), \\ x (t) + ρ_{b}, & t \in (t_{a}, t_{b}), \end{matrix}

(3)

where $ρ_{b}$ is a relatively small attack amplitude that is continuously superimposed onto $x (t)$ during the time interval from $(t_{a}, t_{b})$ .

3. Geometric Attack

x_{a} (t) = {\begin{matrix} x (t), & t \notin (t_{a}, t_{b}), \\ x (t) + ρ_{g}, & t \in (t_{a}, t_{b}), \end{matrix}

(4)

where $ρ_{g} = k β^{t - t_{a}}$ , $t_{a}$ denotes the attack initiation time, and k and β are the constant parameters in the attack formulation.

To ensure the stable operation of the system, it is essential to design a real-time attack detection mechanism. The traditional FDIA detection method is illustrated in Figure 2. In the presence of both attacks and disturbances, state information transmitted through the communication network to the control layer may be simultaneously subjected to disturbances and potential FDIAs. It is evident that traditional detectors are unable to distinguish the combined effects of disturbances and attacks. Consequently, the system may misidentify disturbances as attacks, leading to false alarms, which could negatively impact system operation. In the research on false data injection attack (FDIA) detection, avoiding false alarms induced by external disturbances remains a critical challenge that has yet to be addressed.

Figure 2.

The block diagram of the traditional detection system for the industrial field layer to control layer under FDIAs.

Remark 2. In ICS, information transmission between sensor nodes and controller node, as well as between controller nodes and actuator node, relies on the communication network. Therefore, FDIAs may occur simultaneously in both of these channels. However, this paper only considers the scenario in which the data communication between the sensor node and the controller node is subject to FDIAs.

Related definitions and lemmas

Definition 1. Define ${sig}^{α} (β) = | β |^{α} sign (β)$ , where $sign (\cdot)$ is a sign function, $α \geq 0$ .

Lemma 1. For $t \in (0, 1)$ , the following inequality holds

\begin{matrix} | r^{t} - s^{t} | \leq 2^{1 - t} | r - s |^{t}, \end{matrix}

(5)

where $r, s \in ℝ$ .

Lemma 2. For $r, s \in ℝ$ , and positive constants α, β, and ψ, the following inequality is valid

\begin{matrix} | r |^{α} | s |^{β} \leq \frac{α}{α + β} ψ | r |^{α + β} + \frac{β}{α + β} ψ^{- α ∕ β} | s |^{α + β} . \end{matrix}

(6)

Lemma 3. For any $r_{1}, r_{2}, \dots, r_{m} \in ℝ$ and $0 < α \leq 1$ , the following inequality is satisfied

\begin{matrix} {(| r_{1} | + | r_{2} | + \dots + | r_{m} |)}^{α} \leq | r_{1} |^{α} + | r_{2} |^{α} + \dots + | r_{m} |^{α} . \end{matrix}

(7)

Lemma 4. Let $r, s \in ℝ$ and $t = t_{1} ∕ t_{2} > 1$ with $t_{1}$ and $t_{2}$ being the irreducible positive odd integers. Then, the following inequalities hold

\begin{matrix} 1) | r^{t} - s^{t} | \geq 2^{1 - t} | r - s |^{t}, \\ 2) | r^{t} - s^{t} | \leq t (2^{t - 2} + 2) | r - s |^{t} + t (2^{t - 2} + 2) | r - s | | s |^{t - 1} . \end{matrix}

Main results

To address the false alarm issues caused by disturbances, this paper considers the design of an STESO to estimate both the system states and the disturbances. Using the obtained disturbance estimation, a reference system with the same parameters as the real system is constructed. The first level of attack detection is then established at the control layer by comparing the discrepancies between the reference system and the real system states.

Design of the STESO

It is evident that the accuracy of attack detection is constrained by the real-time performance and precision of the observer. If the observer’s accuracy is low, this means that there will be a small discrepancy between the reference model and the real model. In such cases, a larger alarm threshold must be set to avoid false alarms caused by steady-state differences due to parameter discrepancies. Meanwhile, to improve the real-time performance of the detection, the convergence speed of the observer is also a key factor in enhancing the rapidity of the attack detection method. Therefore, designing an ESO with high precision and fast response time is crucial for implementing FDIA detection method based on disturbance estimation. Sliding mode observers, due to their robustness, simple structure, and practicality, are favored by researchers. In this paper, a third-order super-twisting sliding mode ESO is designed.

For the original system (1), with the extended state defined as $x_{3} = d$ (where d is the external disturbance of the original system), the augmented system (a state-expanded form of the original system) is given by

\begin{matrix} ẋ_{1} = x_{2}, \\ ẋ_{2} = u + x_{3}, \\ ẋ_{3} = ḋ . \end{matrix}

(8)

This augmented system retains inherent equivalence with the original system (1) in terms of core state values, while incorporating disturbance-related information into the state space.

Theorem 1. For the augmented system (8), the STESO is designed to estimate its states (including the disturbance-related $x_{3}$ ) as follows:

\begin{matrix} {\begin{matrix} {\overset{\cdot}{\hat{x}}}_{1} & = {\hat{x}}_{2} + q_{1} {sig}^{\frac{2}{3}} (y - {\hat{x}}_{1}), \\ {\overset{\cdot}{\hat{x}}}_{2} & = {\hat{x}}_{3} + u + q_{2} {sig}^{\frac{1}{3}} (y - {\hat{x}}_{1}), \\ {\overset{\cdot}{\hat{x}}}_{3} & = q_{3} sign (y - {\hat{x}}_{1}), \end{matrix} \end{matrix}

(9)

where ${\hat{x}}_{i}$ ( $i = 1, 2, 3$ ) denote the estimated states of $x_{i}$ in the augmented system (8), with $q_{1}$ , $q_{2}$ , and $q_{3}$ being the positive observer gains satisfying stability conditions. This design enables the observer (9) to achieve finite-time exact reconstruction of the augmented system’s states, thereby realizing estimation of the original system’s states and disturbance.

Proof. Let the error between real states value and observer states value be defined as

\begin{matrix} ς_{1} = x_{1} - {\hat{x}}_{1}, ς_{2} = x_{2} - {\hat{x}}_{2}, ς_{3} = x_{3} - {\hat{x}}_{3}, \end{matrix}

(10)

which leads to the following error system dynamics:

\begin{matrix} {\begin{matrix} {\overset{\cdot}{ς}}_{1} & = ς_{2} - q_{1} {sig}^{\frac{2}{3}} ς_{1}, \\ {\overset{\cdot}{ς}}_{2} & = ς_{3} - q_{2} {sig}^{\frac{1}{3}} ς_{1}, \\ {\overset{\cdot}{ς}}_{3} & = ḋ - q_{3} sign ς_{1} . \end{matrix} \end{matrix}

(11)

Introducing the new states as follows:

\begin{matrix} ζ_{1} = ς_{1}, ζ_{2} = \frac{ς_{2}}{q_{1}}, ζ_{3} = \frac{ς_{3}}{q_{2}}, ϑ = \frac{ḋ}{q_{3}}, \end{matrix}

(12)

the error dynamics can be rewritten as

\begin{matrix} {\begin{matrix} {\overset{\cdot}{ζ}}_{1} & = p_{1} (ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1}), \\ {\overset{\cdot}{ζ}}_{2} & = p_{2} (ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1}), \\ {\overset{\cdot}{ζ}}_{3} & = p_{3} (ϑ - sign ζ_{1}), \end{matrix} \end{matrix}

(13)

where $p_{1} = q_{1}$ , $p_{2} = \frac{q_{2}}{q_{1}}$ , $p_{3} = \frac{q_{3}}{q_{2}}$ , $q_{3} > d^{*}$ , and $ϑ < 1$ .

Then, the Lyapunov function is selected as follows:

\begin{matrix} V = V_{α} + V_{β} + V_{γ}, \end{matrix}

(14)

where

\begin{matrix} V_{α} = \int_{{sig}^{\frac{3}{2}} ζ_{2}}^{ζ_{1}} (m - {sig}^{\frac{3}{2}} ζ_{2}) d m, \\ V_{β} = \int_{{sig}^{2} ζ_{3}}^{ζ_{2}} ({sig}^{2} m - {sig}^{4} ζ_{3}) d m, \\ V_{γ} = \frac{1}{6} | ζ_{3} |^{6} . \end{matrix}

(15)

Step 1. By differentiating $V_{α}$ with respect to time and substituting ${\overset{\cdot}{ζ}}_{1}$ and ${\overset{\cdot}{ζ}}_{2}$ , we obtain

\begin{matrix} {\overset{\cdot}{V}}_{α} \leq & p_{1} (ζ_{1} - {sig}^{\frac{3}{2}} ζ_{2}) (ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1}) \\ + \frac{3}{2} p_{2} | ζ_{2} |^{\frac{1}{2}} (| ζ_{1} - {sig}^{\frac{3}{2}} ζ_{2} |) (| ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1} |) . \end{matrix}

(16)

First, the following equality holds:

\begin{matrix} p_{1} (ζ_{1} - {sig}^{\frac{3}{2}} ζ_{2}) (ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1}) \\ = - p_{1} | {sig}^{\frac{3}{2}} ζ_{2} - ζ_{1} | | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} | . \end{matrix}

(17)

Based on Lemma 4, the following inequality can be derived:

\begin{matrix} | {sig}^{\frac{3}{2}} ζ_{2} - ζ_{1} | = | {sig}^{\frac{3}{2}} ζ_{2} - {({sig}^{\frac{2}{3}} ζ_{1})}^{\frac{3}{2}} | \geq 2^{- \frac{1}{2}} {| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |}^{\frac{3}{2}} . \end{matrix}

(18)

Then, by employing Lemma 4, the following results are obtained:

\begin{matrix} | {sig}^{\frac{3}{2}} ζ_{2} - ζ_{1} | & \leq l_{1} ({| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |}^{\frac{3}{2}} + | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} | | ζ_{2} |^{\frac{1}{2}}) \\ \leq \frac{9}{2} ({| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |}^{\frac{3}{2}} + | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} | | ζ_{2} |^{\frac{1}{2}}), \end{matrix}

(19)

and

\begin{matrix} | ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1} | & = | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} + {sig}^{\frac{1}{2}} ζ_{2} - {sig}^{\frac{1}{3}} ζ_{1} | \\ \leq | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | + 2^{\frac{1}{2}} {| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |}^{\frac{1}{2}}, \end{matrix}

(20)

where $l_{1} = \frac{3}{2} \cdot (2^{- \frac{1}{2}} + 2)$ .

Moreover,

\begin{matrix} | ζ_{2} |^{\frac{1}{2}} = | | ζ_{2} |^{\frac{1}{2}} - ζ_{3} + ζ_{3} | \leq | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | + | ζ_{3} | . \end{matrix}

(21)

Combining (19), (20), (21) and Lemma 2, we can deduce that

\begin{matrix} \frac{3}{2} p_{2} | ζ_{2} |^{\frac{1}{2}} (| ζ_{1} - {sig}^{\frac{3}{2}} ζ_{2} |) (| ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1} |) \\ \leq p_{4} {| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |}^{\frac{5}{2}} + c_{1} {| ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |}^{5} + c_{2} | ζ_{3} |^{5}, \end{matrix}

(22)

where $p_{4}$ is a positive constant associated with $p_{2}$ , and $c_{1}$ and $c_{2}$ are the positive constants.

Finally, by integrating (17), (18), and (22), we conclude that

\begin{matrix} {\overset{\cdot}{V}}_{α} \leq & (- 2^{\frac{1}{2}} p_{1} + p_{4}) (| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}}) \\ + c_{1} (| ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5}) + c_{2} | ζ_{3} |^{5} . \end{matrix}

(23)

Step 2. By differentiating $V_{β}$ with respect to time and substituting ${\overset{\cdot}{ζ}}_{2}$ and ${\overset{\cdot}{ζ}}_{3}$ , we obtain

\begin{matrix} {\overset{\cdot}{V}}_{β} = & ({sig}^{2} ζ_{2} - {sig}^{4} ζ_{3}) (p_{2} (ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1})) \\ + 4 p_{3} | ζ_{3} |^{3} (| ζ_{2} - {sig}^{2} ζ_{3} |) (ϑ - sign ζ_{1}) . \end{matrix}

(24)

where $(ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1}) \leq | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | + 2^{\frac{1}{2}} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{1}{2}}$ .

For the first term, the following relationship can be established:

\begin{matrix} p_{2} ({sig}^{2} ζ_{2} - {sig}^{4} ζ_{3}) (ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2}) \\ = - p_{2} | {sig}^{4} ζ_{3} - {sig}^{2} ζ_{2} | | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | . \end{matrix}

(25)

Applying Lemma 4, we derive that

\begin{matrix} | {sig}^{4} ζ_{3} - {sig}^{2} ζ_{2} | & = | {sig}^{4} ζ_{3} - {({sig}^{\frac{1}{2}} ζ_{2})}^{4} | \\ \geq \frac{1}{8} {| ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |}^{4} . \end{matrix}

(26)

For the second term, based on Lemma 4, the following inequality holds:

\begin{matrix} | {sig}^{2} ζ_{2} - {sig}^{4} ζ_{3} | \leq 24 (| ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | | ζ_{3} |^{3} + | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{4}) . \end{matrix}

(27)

Similar to (22), it follows that

\begin{matrix} | {sig}^{2} ζ_{2} - {sig}^{4} ζ_{3} | (p_{2} 2^{\frac{1}{2}} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{1}{2}}) \\ \leq p_{5} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} + c_{3} | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} + c_{4} | ζ_{3} |^{5}, \end{matrix}

(28)

where $p_{5}$ is a positive constant associated with $p_{2}$ , and $c_{3}$ and $c_{4}$ are the positive constants.

In addition, it is known that

\begin{matrix} ϑ - sign ζ_{1} \leq 1 + ρ . \end{matrix}

(29)

Following the approach in (27) and leveraging Lemmas 1 and 2, we derive that

\begin{matrix} 4 p_{3} (ϑ - sign ζ_{1}) | ζ_{3} |^{3} (| ζ_{2} - {sig}^{2} ζ_{3} |) \\ \leq 16 p_{3} (1 + ρ) | ζ_{3} |^{3} (| ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{2} + | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | | ζ_{3} |) \\ \leq p_{6} | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} + c_{5} | ζ_{3} |^{5}, \end{matrix}

(30)

where $c_{5}$ is a positive constant, and $p_{6}$ is a positive constant associated with $p_{3}$ . Finally, by combining (26), (28), and (30), one has

\begin{matrix} {\overset{\cdot}{V}}_{β} \leq & (- \frac{p_{2}}{8} + p_{6} + c_{3}) | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} \\ + (c_{4} + c_{5}) | ζ_{3} |^{5} + p_{5} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} . \end{matrix}

(31)

Step 3. The time derivative of the function $V_{γ}$ along the system dynamics (13) can be expressed as

\begin{matrix} {\overset{\cdot}{V}}_{γ} & = {sig}^{5} ζ_{3} p_{3} (ϑ - sign ζ_{1}) \\ \leq - p_{3} | ζ_{3} |^{5} (1 - ρ) + p_{3} | ζ_{3} |^{5} (| sign ζ_{3} - sign ζ_{1} |) . \end{matrix}

(32)

For the second term in (32), we focus on the scenario where $ζ_{1} ζ_{3} \leq 0$ (if $ζ_{1} ζ_{3} > 0$ , the second term vanishes, and no further analysis is required).

When $ζ_{1} ζ_{3} \leq 0$ , it follows that $| sign ζ_{3} - sign ζ_{1} | \leq 2$ , and

\begin{matrix} | ζ_{3} | & \leq | ζ_{3} - {sig}^{\frac{1}{3}} ζ_{1} | \\ = | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} + {sig}^{\frac{1}{2}} ζ_{2} - {sig}^{\frac{1}{3}} ζ_{1} | \\ \leq | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} | + | {sig}^{\frac{1}{2}} ζ_{2} - {sig}^{\frac{1}{3}} ζ_{1} | . \end{matrix}

(33)

Applying Lemma 4, we obtain

\begin{matrix} p_{3} | ζ_{3} |^{5} (| sign ζ_{3} - sign ζ_{1} |) \\ \leq p_{7} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} + p_{8} | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5}, \end{matrix}

(34)

where $p_{7}$ and $p_{8}$ are the positive constants associated with $p_{3}$ . Substituting (34) into (32) yields

\begin{matrix} {\overset{\cdot}{V}}_{γ} \leq & - p_{3} | ζ_{3} |^{5} (1 - ρ) + p_{7} | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} \\ + p_{8} | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} . \end{matrix}

(35)

Combining (23), (31), and (35), we derive

\begin{matrix} \overset{\cdot}{V} & = {\overset{\cdot}{V}}_{α} + {\overset{\cdot}{V}}_{β} + {\overset{\cdot}{V}}_{γ} \\ \leq - (p_{3} (1 - ρ) - c_{2} - c_{4} - c_{5}) | ζ_{3} |^{5} \\ - (2^{- \frac{1}{2}} p_{1} - p_{4} - p_{5} - p_{7}) | ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} \\ - (\frac{p_{2}}{8} - p_{6} - p_{8} - c_{1} - c_{3}) | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} . \end{matrix}

(36)

By suitably choosing $p_{1}, p_{2}, p_{3}$ , Lemma 3 guarantees the existence of a constant $λ_{1}$ such that

\begin{matrix} \overset{\cdot}{V} & \leq - λ_{1} (| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{\frac{5}{2}} + | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{5} + | ζ_{3} |^{5}) \\ \leq - λ_{1} {(| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{3} + | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{6} + | ζ_{3} |^{6})}^{\frac{5}{6}} . \end{matrix}

(37)

In addition, it is important to note that

\begin{matrix} V & = V_{α} + V_{β} + V_{γ} \\ \leq λ_{2} (| ζ_{2} - {sig}^{\frac{2}{3}} ζ_{1} |^{3} + | ζ_{3} - {sig}^{\frac{1}{2}} ζ_{2} |^{6} + | ζ_{3} |^{6}), \end{matrix}

(38)

where $λ_{2} > 0$ is a positive constant.

Combining (38) with (37), we can conclude that

\begin{matrix} \overset{\cdot}{V} \leq - Φ_{1} V^{\frac{5}{6}}, \end{matrix}

(39)

where $Φ_{1} = λ_{1} ∕ {(λ_{2})}^{5 ∕ 6} > 0$ is a positive constant. This ensures that the variables $ζ_{1}$ , $ζ_{2}$ , and $ζ_{3}$ converge to zero in finite time.

Design of the FDIA detection method based on STESO

In this section, to address the issue of false alarms caused by disturbances, a new detection method is designed based on the proposed ESO. The detection scheme is illustrated in Figure 3.

Figure 3.

Block diagram of the ESO-based FDIA detection system.

As is shown, during system operation, the ESO receives the real control signals and system outputs measured by the sensors. Then, the ESO generates estimations of both system states and external disturbances. These data are subsequently transmitted to the control layer via the communication network. However, the transmission process may be vulnerable to FDIAs. Define $a (t) \in ℝ$ as the attack signal injected into the transmitted data packets through the communication network. The compromised data received by the controller and reference model can be expressed as

\begin{matrix} {\begin{matrix} {\hat{x}}_{1 a} & = {\hat{x}}_{1} + a, \\ {\hat{x}}_{2 a} & = {\hat{x}}_{2} + a, \\ {\hat{d}}_{a} & = \hat{d} + a . \end{matrix} \end{matrix}

(40)

Considering the second-order model in the form of system (1), the control input is designed as

\begin{matrix} u = u_{real} = - K_{1} {\hat{x}}_{1 a} - K_{2} {\hat{x}}_{2 a} . \end{matrix}

(41)

The reference system takes the following form:

\begin{matrix} {\begin{matrix} ṅ_{1} & = n_{2}, \\ ṅ_{2} & = u_{n} + {\hat{d}}_{a}, \end{matrix} \end{matrix}

(42)

where control input of the reference system is denoted as $u_{n} = - K_{1} n_{1} - K_{2} n_{2}$ .

Attack detection is conducted in the control room. The ESO is employed to estimate the states and disturbance of the real system, and these estimated states are transmitted to the control room. If the disturbance estimation is sufficiently accurate and remain free from FDIAs during transmission, a reference system (differing from the real system only in initial conditions) can be constructed in the control room. By designing stable controllers with identical parameters, the steady-state values of both the reference and real systems should theoretically align. However, if the transmitted data are compromised by FDIAs, the steady-state values of the two systems will diverge. The attack detector receives the estimated states of the real system transmitted through the communication network and the states of the reference system, using the lumped error e between those states under steady-state conditions as the detection indicator, we have

\begin{matrix} e = \sum_{i = 1}^{2} | x_{i} - n_{i} | . \end{matrix}

(43)

The alarm threshold is defined as $e_{th}$ . When the detection indicator surpasses this predetermined threshold, the system is deemed to be under attack, thereby triggering an alarm. We subsequently analyze two distinct scenarios:

Case 1: Communication network is not subjected to FDIAs

In this case, we have

\begin{matrix} {\begin{matrix} {\hat{x}}_{1 a} & = {\hat{x}}_{1}, \\ {\hat{x}}_{2 a} & = {\hat{x}}_{2}, \\ {\hat{d}}_{a} & = \hat{d} . \end{matrix} \end{matrix}

(44)

Since the disturbance observation error converges to zero within finite time, the reference system and real system exhibit complete dynamical equivalence, differing only in the initial conditions. This property ensures convergence to identical steady-state values. Consequently, the following result holds within finite time:

\begin{matrix} e = \sum_{i = 1}^{2} | x_{i} - n_{i} | = 0 < e_{th} . \end{matrix}

(45)

At this point, the detection indicator should be zero, and the attack detector will not trigger an alarm. This is consistent with the expected detection result in the absence of FDIAs.

Case 2: Communication network is subjected to FDIAs

\begin{matrix} {\begin{matrix} {\hat{x}}_{1 a} & = {\hat{x}}_{1} + a, \\ {\hat{x}}_{2 a} & = {\hat{x}}_{2} + a, \\ {\hat{d}}_{a} & = \hat{d} + a . \end{matrix} \end{matrix}

(46)

When the communication network is subjected to FDIAs, the transmitted observation data become corrupted, causing deviations between disturbance estimate and the true value. This corrupted estimation subsequently induces dynamic mismatch between the reference system and the real system, manifested through discrepancies in their respective steady-state values. This indicates that

\begin{matrix} e = \sum_{i = 1}^{2} | x_{i} - n_{i} | > 0 . \end{matrix}

(47)

If $e \geq e_{th}$ , the attack detector will trigger an alarm. This is consistent with the expected detection result in the presence of FDIAs.

The implementation steps of the proposed attack detection method based on the ESO are as follows:

Step 1: Based on the measurable system output and control signals, utilize the third-order super-twisting sliding mode ESO to estimate $\hat{x}$ and $\hat{d}$ .

Step 2: Transmit the packaged estimation values $\hat{x}$ and $\hat{d}$ to the control room via the communication network.

Step 3: Establish the reference system of the real system based on the disturbance observation value $\hat{d}$ in the control room and calculate the control signal based on the state observation value.

Step 4: Transmit the state information of the reference system and the state observation values of the real system to the attack detector.

Step 5: Calculate the detection indicator e under steady-state conditions. If the detection indicator e surpasses the threshold $e_{th}$ , the system is deemed to be under FDIAs, prompting the attack detector to activate an alarm signal. Conversely, if e remains below this critical threshold, the detector maintains its normal silent state.

Step 6: If no attack is detected, return to Step 1 to continue the attack detection process. The detailed implementation steps of the proposed detection method are illustrated in Figure 4.

Figure 4.

Flowchart of ESO-based FDIA detection implementation.

Simulation results

This section validates the detection method proposed in this paper through numerical simulations to illustrate the effectiveness of the proposed approach. The state-space equation of the simulation system is as follows:

\begin{matrix} {\begin{matrix} ẋ_{1} = x_{2}, \\ ẋ_{2} = u + d, \\ y = x_{1} . \end{matrix} \end{matrix}

(48)

To validate the effectiveness of the proposed attack detection method and its detection robustness under disturbance effects, we consider a scenario where the system is subjected to: (i) a sudden external disturbance of form $d (t) = 3 + 1.5 \sin 5 (t - 8)$ for $t \geq 5 seconds$ and (ii) three types of FDIAs for $t \geq 8 seconds$ :

Surge Attack

x_{a} (t) = {\begin{matrix} x (t), & t \neq 8 seconds, \\ x (t) + a (t) = x (t) + 3, & t = 8 seconds . \end{matrix}

(49)

Bias Attack

x_{a} (t) = {\begin{matrix} x (t), & t \notin (0, 8), \\ x (t) + a (t) = x (t) + 1.5, & t \in (8, 15) . \end{matrix}

(50)

Geometric Attack

x_{a} (t) = {\begin{matrix} x (t), & t \notin (0, 8), \\ x (t) + a (t) = x (t) + 3^{0.2 (t - 8)}, & t \in (8, 15) . \end{matrix}

(51)

The ESO for system (48) is designed as

\begin{matrix} {\begin{matrix} ż_{1} & = z_{2} + q_{1} {sig}^{\frac{2}{3}} (y - z_{1}), \\ ż_{2} & = z_{3} + u + q_{2} {sig}^{\frac{1}{3}} (y - z_{1}), \\ ż_{3} & = q_{3} sign (y - z_{1}), \end{matrix} \end{matrix}

(52)

where the parameters are chosen as $q_{1} = 20, q_{2} = 100, q_{3} = 200$ , and the controller is designed as

\begin{matrix} u = - 10 {\hat{x}}_{1} - 10 {\hat{x}}_{2} . \end{matrix}

(53)

The response curves of state and disturbance estimation are shown in Figure 5. The results demonstrate that the designed ESO can estimate both states and time-varying disturbances, with estimation errors achieving finite-time convergence to zero.

Figure 5.

Response curves of the states and disturbance estimation: (a) first state $x_{1}$ , (b) second state $x_{2}$ , and (c) extended state (disturbances) $x_{3}$ .

In Figure 6, it can be observed that before the attack was introduced at the 8 seconds, the detection indicators remained near zero, indicating no attack detection as expected. However, the addition of disturbance at the 5 seconds caused minor fluctuations in the detection indicators. The fluctuation amplitude was far below the alarm threshold and quickly returned to zero, thus not triggering any alarm. This verifies that the proposed method can effectively avoid false alarms caused by disturbances. After introducing the attack at the 8 seconds: the surge attack simulation results in Figure 6 show an instantaneous threshold-exceeding mutation in the detection indicators, identifying the attack as a surge attack. Figure 7 demonstrates the bias attack scenario, where the detected attack signal exceeds the threshold for a period and stabilizes at a specific amplitude, consistent with the characteristics of bias attacks. Figure 8 presents the geometric attack scenario, where the detection indicator amplitude continuously increases over time after exceeding the threshold, confirming it as a geometric attack. These simulation results validate the effectiveness of the STESO-based attack identification method proposed in this paper for detecting and identifying FDIAs.

Figure 6.

Surge attack signal and detection curves: (a) disturbance d, (b) surge attack signal a, (c) detection indicator e.

Figure 7.

Bias attack signal and detection curves: (a) disturbance d, (b) bias attack signal a, (c) detection indicator e.

Figure 8.

Geometric attack signal and detection curves: (a) disturbance d, (b) geometric attack signal a, (c) detection indicator e.

Conclusion

This paper addresses the attack detection problem in ICS under FDIAs, focusing on achieving real-time and accurate attack identification while avoiding false alarms caused by disturbances. The attack detection method based on STESO is proposed for conventional FDIAs. First, the STESO is introduced at the industrial field layer to enable rapid and accurate estimation of system states and disturbances. Then, a reference model incorporating disturbance information is established at the control layer. The detection indicator is defined as the error between the reference system state and the real system states estimation under steady-state condition, enabling accurate detection of different types of FDIAs. The simulation results demonstrate that the proposed attack detection method can accurately differentiate between the effects of disturbances and attacks, effectively reducing false alarms induced by disturbances while achieving precise attack detection.

Footnotes

Declaration of conflicting interests

The authors declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Funding

The authors received no financial support for the research, authorship, and/or publication of this article.

ORCID iDs

Shenshen Li

Shihua Li

Data availability statement

Data sharing is not applicable to this article, as no data sets were generated or analyzed during the current study.

References

Zhang

Yang

, et al. (2022) Data integrity attack in dynamic state estimation of smart grid: Attack model and countermeasures. IEEE Transactions on Automation Science and Engineering 19(3): 1631–1644.

Anton

SDD

Fraunholz

Krohmer

, et al. (2021) The global state of security in industrial control systems: An empirical analysis of vulnerabilities around the world. IEEE Internet of Things Journal 8(24): 17525–17540.

Bessa

Trapiello

Puig

, et al. (2022) Dual-rate control framework with safe watermarking against deception attacks. IEEE Transactions on Systems, Man, and Cybernetics: Systems 52(12): 7494–7506.

Cao

, et al. (2025) Attack detection and location using state forecasting in multivariate time series of ICS. IEEE Transactions on Network Science and Engineering 12(4): 2989–3001.

Cardenas

Amin

Sastry

(2008) Secure control: Towards survivable cyber-physical systems. In: Proceedings of the 2008 the 28th international conference on distributed computing systems workshops, Beijing, China, 17–20 June, pp. 495–500. New York: IEEE.

Chen

Kar

Moura

(2017) Optimal attack strategies subject to detection constraints against cyber-physical systems. IEEE Transactions on Control of Network Systems 5(3): 1157–1168.

Deng

Xiao

(2015) Defending against false data injection attacks on power system state estimation. IEEE Transactions on Industrial Informatics 13(1): 198–207.

Gallo

Turan

Nahata

, et al. (2018) Distributed cyber-attack detection in the secondary control of DC microgrids. In: Proceedings of the 2018 European control conference (ECC), Limassol, Cyprus, 12–15 June, pp. 344–349. New York: IEEE.

Gupta

Chow

(2009) Networked control system: Overview and research trends. IEEE Transactions on Industrial Electronics 57(7): 2527–2535.

10.

Huang

Tang

Cheng

, et al. (2014) Real-time detection of false data injection in smart grid networks: An adaptive CUSUM method and analysis. IEEE Systems Journal 10(2): 532–543.

11.

Hug

Giampapa

(2012) Vulnerability assessment of AC state estimation with respect to false data injection cyber-attacks. IEEE Transactions on Smart Grid 3(3): 1362–1370.

12.

Kim

Lee

Shim

, et al. (2018) Detection of sensor attack and resilient state estimation for uniformly observable nonlinear systems having redundant sensors. IEEE Transactions on Automatic Control 64(3): 1162–1169.

13.

Langner

(2011) Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy 9(3): 49–51.

14.

Liang

Zhao

Luo

, et al. (2016) A review of false data injection attacks against modern power systems. IEEE Transactions on Smart Grid 8(4): 1630–1638.

15.

Liu

Wei

Song

, et al. (2016) Extended Kalman filtering for stochastic nonlinear systems with randomly occurring cyber attacks. Neurocomputing 207: 708–716.

16.

Liu

Lin

, et al. (2023) Concurrent cyber deception attack detection of consensus control in isolated AC microgrids. IEEE Transactions on Industry Applications 59(6): 7584–7596.

17.

(2019) Internet of things (IoT) cybersecurity research: A review of current research topics. IEEE Internet of Things Journal 6(2): 2103–2115.

18.

Manandhar

Cao

, et al. (2014) Detection of faults and attacks including false data injection attack in smart grid using Kalman filter. IEEE Transactions on Control of Network Systems 1(4): 370–379.

19.

Pasqualetti

Dörfler

Bullo

(2013) Attack detection and identification in cyber-physical systems. IEEE Transactions on Automatic Control 58(11): 2715–2729.

20.

Soltani

Kordestani

Aghaee

, et al. (2017) Improved estimation for well-logging problems based on fusion of four types of Kalman filters. IEEE Transactions on Geoscience and Remote Sensing 56(2): 647–654.

21.

Suo

Chai

, et al. (2024) Attack detection and secure state estimation of collectively observable cyber-physical systems under false data injection attacks. IEEE Transactions on Automatic Control 69(3): 2067–2074.

22.

Zhao

, et al. (2024) Periodic and dynamic periodic event-triggered control for nonlinear cyber-physical systems under DoS attacks via a hybrid system approach. IEEE Transactions on Control of Network Systems 11(1): 221–232.

23.

Jin

Zhou

, et al. (2024) Active fault diagnosis based on dual-observer for leakage detection and estimation with adaptive auxiliary signal mechanism in industrial gas networks. IEEE Transactions on Instrumentation and Measurement 73: 1–11.

24.

Griffith

, et al. (2018) A survey on industrial internet of things: A cyber-physical systems perspective. IEEE Access 6: 78238–78259.

25.

Xue

Pan

Geng

, et al. (2024) Real-time intrusion detection based on decision fusion in industrial control systems. IEEE Transactions on Industrial Cyber-Physical Systems 2: 143–153.

26.

Yao

Wang

, et al. (2023) Cyber-resilient control of an islanded microgrid under latency attacks and random DoS attacks. IEEE Transactions on Industrial Informatics 19(4): 5858–5869.

27.

Yuan

Cai

Chen

, et al. (2024) Efficient detection of cooperative external attacks in wireless localization systems. IEEE Transactions on Wireless Communications 23(11): 16666–16682.

28.

Zhang

Zhao

Wang

, et al. (2023) Improved event-triggered dynamic output feedback control for networked T–S fuzzy systems with actuator failure and deception attacks. IEEE Transactions on Cybernetics 53(12): 7989–7999.

29.

Zhang

Zhou

Xiong

, et al. (2016) Multimodel-based incident prediction and risk assessment in dynamic cybersecurity protection for industrial control systems. IEEE Transactions on Systems, Man, and Cybernetics: Systems 46(10): 1429–1444.