Arrival of a global optimal solution for a Cyber-Physical System (CPS) seems to share many commonalities with distributed decision making strategies taught in the business world. Information flows in a bi-directional fashion gaining in abstraction as it moves upwards in the chain and specificity as it moves downward. The end goal of distributed decision making is to set intent and move forward to the ultimate goal. In the case of CPS, it is easy to see how a centralized control system (the CEO, if you will) uses probabilistic methods to detect abnormalities in system state or attacks. In the distributed control system, the detection is distributed among the coordinated controllers which provide feedback down the reverse routing paths. This appears to be much like a team-of-teams approach where each team, dependent on one another, serves as a check for other teams. In this fashion, each controller ends up with knowledge about the other controllers, the perceived system state and the ideal system state.

More sensors means more variables from which the controller must conclude state. Andersson et al [1] provides a method for interpolating sensor data in space by enabling the sensors to determine what the collective answer is by monitoring the communication medium and chiming in only when they have a “better” answer. In this scenario, it may be possible for compromised sensors to continuously have the “better” answer to represent the space-adjacent sensors and thus obscure the truth of the situation. According to [1], the time to transmit the data is the time to content for the medium thereby reducing the overhead from sensor to controller, an outcome desirable to a distributed CPS. Additional capabilities may be added at the controller to throw out sensor failures if there is no physical way for the values to be accurate either over time or space. However, this seems to enable escape from plausibility as the “best” answer wins by adoption.

So, for example, a co-located collection of temperature sensors in an equipment room will send the maximum temperature to the controller. The controller in turn may then turn on the A/C in response. A compromised sensor may continuously report 100deg F, thereby keeping the A/C running at financial cost to the company. Similar to how the minimum temperature reported turns the heat on and possibly overheating the expensive equipment. All in all, this sounds like the co-located sensors reduce down to one answer. Malicious actors would need to understand the topology, leading to topology poisoning attacks, possible packet scheduling attacks, bias injection and false data attacks. Packet scheduling attacks might be mitigated if the controller had a suitable model for calculating next state and if the delayed packets resulted in obvious violations against the physics of the system (e.g., temperature change in delayed packets isn’t plausible based on other sensor information).

[1] appears to be a implementation that works with homogeneous devices, leaving opportunity for research with heterogeneous devices. As mentioned in [2], how might a controller turn various data types into information to be passed upwards to a cooperative controller? The software on the controller would need to be customized to make sense of the type of data received. Denial of Service, packet scheduling and topology poisoning attacks may disrupt the next-state determination of the controller, based on the weight given to each sensor input.