Abstract-An architecture and supporting methods are presented for the implementation of a resilient condition assessment monitoring system that can adaptively accommodate both cyber and physical anomalies in a monitored system under observation. In particular, the architecture includes three layers: information, assessment, and sensor selection. The information layer estimates probability distributions of process variables based on sensor measurements and assessments of the quality of sensor data. Based on these estimates, the assessment layer then employs probabilistic reasoning methods to assess the plant health. The sensor selection layer selects sensors so that assessments of the plant condition can be made within desired time periods. Resilient features of the developed system are then illustrated by simulations of a simplified power plant model in which a large portion of the sensors are under attack.

Index Terms-Resilient systems, resilient monitoring, cyber-physical attacks, cyber/physical condition assessments, rational controllers, graceful degradation, measure of resiliency.
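The information and assessment layers described in the abstract, as a toy added example in Python that is not code from the paper. It assumes a two-state process variable (Normal/High), a logistic likelihood around a threshold, a quality-weighted (tempered) likelihood as the fusion rule, and independence between process variables in the assessment layer; the sensor names, readings, threshold and quality scores are constructed. The scenario shows the point the abstract makes: when one sensor reports a falsified value, fusion that trusts all sensors equally is left undecided, whereas fusion that honours a data-quality assessment still reaches a confident estimate.

```python
import math
from dataclasses import dataclass


@dataclass
class SensorReading:
    """One sensor's report: its value plus an assumed data-quality score."""
    name: str
    value: float
    quality: float  # in [0, 1]; 1.0 = fully trusted, 0.0 = ignored (assumed scale)


def state_likelihood(value: float, threshold: float, spread: float) -> dict:
    """P(reading | state) for a two-state variable, Normal vs High.

    A logistic curve centred on the threshold gives a soft assignment: a
    reading far above the threshold strongly favours High (assumed model).
    """
    z = (value - threshold) / spread
    p_high = 1.0 / (1.0 + math.exp(-z))
    return {"Normal": 1.0 - p_high, "High": p_high}


def estimate_process_variable(readings, threshold, spread, prior=None) -> dict:
    """Information layer: fuse readings into a pmf over {Normal, High}.

    Each sensor's log-likelihood is multiplied by its quality score, so a
    sensor judged untrustworthy (quality near 0) barely moves the estimate.
    """
    prior = prior or {"Normal": 0.5, "High": 0.5}
    log_post = {s: math.log(p) for s, p in prior.items()}
    for r in readings:
        lik = state_likelihood(r.value, threshold, spread)
        for s, p in lik.items():
            log_post[s] += r.quality * math.log(max(p, 1e-300))
    # Normalise in log space to avoid underflow.
    m = max(log_post.values())
    w = {s: math.exp(v - m) for s, v in log_post.items()}
    total = sum(w.values())
    return {s: v / total for s, v in w.items()}


def assess_plant_health(variable_beliefs: dict) -> dict:
    """Assessment layer: the plant is Normal only if every variable is Normal.

    Variables are treated as independent, so P(plant Normal) is the product
    of the per-variable P(Normal) (assumed, deliberately simple rule).
    """
    p_ok = 1.0
    for pmf in variable_beliefs.values():
        p_ok *= pmf["Normal"]
    return {"Normal": p_ok, "Anomalous": 1.0 - p_ok}


# Constructed scenario: three temperature sensors, threshold 350 (units
# arbitrary). T1 and T2 are genuine; T3 has been made to report a false
# high reading. TEMP_SPREAD sets how sharply readings map onto states.
TEMP_THRESHOLD, TEMP_SPREAD = 350.0, 25.0
RAW = [
    SensorReading("T1", 300.0, 1.0),
    SensorReading("T2", 300.0, 1.0),
    SensorReading("T3", 450.0, 1.0),  # falsified, but not yet flagged
]
# The same readings after the data-quality assessment has down-weighted T3.
FLAGGED = [SensorReading("T3", 450.0, 0.1) if r.name == "T3" else r for r in RAW]


def naive_temperature_belief() -> dict:
    """Fusion that trusts every sensor equally."""
    return estimate_process_variable(RAW, TEMP_THRESHOLD, TEMP_SPREAD)


def quality_weighted_temperature_belief() -> dict:
    """Fusion that honours the quality assessment."""
    return estimate_process_variable(FLAGGED, TEMP_THRESHOLD, TEMP_SPREAD)


if __name__ == "__main__":
    print("naive    :", naive_temperature_belief())
    print("weighted :", quality_weighted_temperature_belief())
    print("plant    :", assess_plant_health(
        {"temperature": quality_weighted_temperature_belief()}))
```

With a logistic likelihood the posterior odds of High over Normal reduce to exp(sum of quality_i * z_i): for the constructed readings the genuine sensors contribute z = -2 each and the falsified one z = +4, so equal trust gives odds of exactly 1 (a 50/50 estimate, which is the confusion the attack aims for), while a quality score of 0.1 on the flagged sensor gives odds of exp(-3.6), about 0.027, and P(Normal) above 0.97.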
I. INTRODUCTION

A. Motivation

Complex engineering systems need to be reliably monitored in order to ensure safety and proper operation. To this end, sensors are typically deployed within the monitored facility to observe the behavior of key process variables and assess system conditions. Monitoring challenges include efficient processing of information and correct assessment of facility health despite possible natural or malicious disturbances. While natural disturbances can often be characterized reasonably well, malicious disturbances are ill-characterized. Regarding the latter, a significantly damaging disturbance to design against is the cyber-physical coordinated attack. In such an attack, an attacker may cause physical damage to the monitored facility and, in a coordinated manner, compromise the information layer via a cyber attack (e.g., by causing sensors to provide false readings of process variables) so as to confuse the operator about the actual plant health conditions. As intended by the attacker, a potential result is that the operator, due to this confusion, makes a wrong decision, such as shutting down the monitored process or switching the plant to an inappropriate operating mode, when he/she could otherwise have gracefully maintained operations in a degraded mode, for example. Here, coordinated means that attacks occur at different locations of the monitoring system, while cyber-physical means that there are not only physical but also cyber attacks. A resilient monitoring system, which meets the above challenges, should possess the following properties:

• exhibit graceful degradation in performance, as opposed to sudden collapse, under severe disturbances;