
arxiv: 2309.11965 · v4 · pith:PVSUZTBDnew · submitted 2023-09-21 · 📡 eess.SY · cs.SY

Coordination Control of Discrete Event Systems under Cyber Attacks

Pith reviewed 2026-05-24 07:17 UTC · model grok-4.3

classification 📡 eess.SY cs.SY
keywords: discrete event systems · coordination control · cyber attacks · sensor attacks · actuator attacks · supervisory control · conditional decomposability · CA-controllability

The pith

Local supervisors for discrete event systems maintain safety under joint sensor and actuator attacks when conditional decomposability, CA-controllability, and CA-observability hold.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This paper develops coordination control for discrete event systems under joint sensor and actuator cyber attacks. It uses a proposed ALTER model to describe sensor attacks via attack languages. Necessary and sufficient conditions for local supervisors to ensure safety are derived using conditional decomposability, CA-controllability, and CA-observability. Methods for state estimation under attacks and supervisor design are also developed for systems satisfying these properties or only decomposability.

Core claim

The central claim is that local supervisors exist to enforce safety in discrete event systems under cyber attacks modeled by the ALTER attack languages if and only if the system and specification satisfy conditional decomposability, CA-controllability, and CA-observability. The paper provides methods to calculate local state estimates and to design the supervisors accordingly, working for stealthy and non-stealthy attacks.

What carries the argument

The ALTER model, which defines the attack languages, together with the three properties (conditional decomposability, CA-controllability, and CA-observability) that decide whether local supervisors exist.

If this is right

  • Local state estimates under sensor attacks can be computed.
  • Supervisors can be designed when all three conditions hold.
  • Supervisors can be designed when only conditional decomposability holds.
  • The method applies to both stealthy and non-stealthy attacks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The conditions could be verified using existing discrete event system algorithms.
  • The framework may extend to systems with more complex attack models.
  • Results could apply to security in other cyber-physical discrete event models.

Load-bearing premise

The assumption that all sensor attacks fall within the attack languages defined by the ALTER model.

What would settle it

Finding a sensor attack not representable in the ALTER model that leads to unsafe behavior despite the conditions being satisfied.

Figures

Figures reproduced from arXiv: 2309.11965 by Fei Wang, Feng Lin, Jan Komenda.

Figure 1: Discrete event system G of Example 1. Assume that event b is unobservable and event d is attackable, that is, Σ_o = {c, d} and Σ_o^a = {d}. The attacks are dynamic and are implemented by the automaton M in …

Figure 2: The automaton M implementing the dynamic attack.

Figure 5: The synchronous product Ĝ = G∥M of Example 1.

Figure 6: The extended automaton Ĝ^a of Example 1. … mapping S : Φ^a(L(G)) → 2^Σ. The control command S(w) issued by the supervisor after observing w ∈ Φ^a(L(G)) may be altered by an attacker. We use S^a(w) to denote the set of all possible control commands that may be received by the plant under actuator attacks, that is, S^a(w) = Δ(S(w)). We denote the supervised system under cyber attacks as S^a/G, whose schemat…

Figure 7: Supervised system under cyber attacks. … is given by the synchronous product G = G1∥…∥Gn. Since in general a coordinator is needed to deal with global (indecomposable) specification languages K ⊆ Σ*, our approach is based on so called coordination control [7]. 3.1 Coordination control of modular DES. Without loss of generality, we assume that n = 2. We consider a modular DES G = G1∥G2. In coordinati…

Figure 8: Five islands connected by five bridges and divided into two regions.

Figure 9: Automata Ga (top) and Gb (bottom). Automaton Gb is similarly defined. The overall system is obtained by taking the synchronous product of Ga and Gb: G = Ga∥Gb. G is shown in …

Figure 10: Automaton G of the system. To avoid conflicts between two vehicles, we would like to control the bridges so that two vehicles will never be on the same island at the same time. Therefore, the safety specification described by automaton H shown in …

Figure 11: The specification automaton H. … choose the corresponding event sets such that the region border crossing events, namely a23, a32, b23, and b32, are added to events in both regions 1 and 2. Therefore, Σ1 = {a12, a21, a23, a32, b12, b21, b23, b32}, Σ2 = {a23, a32, a34, a43, a45, a54, a35, a53, b23, b32, b34, b43, b45, b54, b35, b53}.

Figure 12: Automaton H1 for P1(K) (top) and automaton H2 for P2(K) (bottom). Let us check if K is conditionally decomposable with respect to Σ1 and Σ2. Automaton H1 for P1(K) and automaton H2 for P2(K) are calculated as shown in …

Figure 13: Automaton G1. Since K is conditionally decomposable, by Proposition 1, we have L^a((S_1^{↑,a} ∧ S_2^{↑,a})/G) ⊆ K. Such supervisors can be designed using Theorem 6 as follows. We first obtain H_1^↑ = (Q_{H,1}^↑, Σ1, δ_{H,1}^↑, q_{1,o}) by removing states 3 and 7 in H1, because b21 ∈ Σ_c^a can take G from state 3 to illegal state 6 and a21 ∈ Σ_c^a can take G from state 7 to illegal state 6. The resulting automaton is…

Figure 14: Automaton H_1^↑ = (Q_{H,1}^↑, Σ1, δ_{H,1}^↑, q_{1,o}). Since all events are observable and the attacker can attack the sensors on the bridge between Island 2 and Island 3, we can obtain CA-observer H_{1,obs}^{↑,a} as shown in …

Figure 15: CA-observer H_{1,obs}^{↑,a} = (X_1^↑, Σ_{1,o}, ξ_1^↑, x_{1,o}, X_{1,m}^↑). … supervisors to address this challenge. In a future work we plan to develop hierarchical supervisory control under cyber attacks and to study equality between closed-loop achieved by the monolithic supervisor and the closed-loop achieved by the joint action of modular/coordination supervisors in the case, where CA-controllability and CA-observa…
Original abstract

In this paper, coordination control of discrete event systems under joint sensor and actuator attacks is investigated. Sensor attacks are described by a set of attack languages using a proposed ALTER model. Several local supervisors are used to control the system. The goal is to design local supervisors to ensure safety of the system even under cyber attacks (CA). The necessary and sufficient conditions for the existence of such supervisors are derived in terms of conditional decomposability, CA-controllability and CA-observability. A method is developed to calculate local state estimates under sensor attacks. Two methods are also developed to design local supervisors, one for discrete event systems satisfying conditional decomposability, CA-controllability and CA-observability, and one for discrete event systems satisfying conditional decomposability only. The approach works for both stealthy and non-stealthy attacks. A practical example is given to illustrate the results.
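The abstract describes two of the paper's building blocks in words: the plant is a synchronous product of local components, and a local state estimate under sensor attacks is what the supervisor acts on. The following script is an added example written for this page, not code from the paper, and it does not reproduce the ALTER model or the CA-observer construction. It builds the island-and-bridge plant from the paper's example (two vehicles a and b, five islands, bridges 1-2, 2-3, 3-4, 4-5, 3-5) with the standard synchronous composition, then computes a conservative state estimate under the assumption that an attacker can delete sensor reports for crossings of the 2-3 bridge, and finally derives which events a safety supervisor must disable so that the two vehicles never share an island. Starting islands (a on island 1, b on island 5), the deletion-only attack model and the observed string are constructed assumptions.

```python
"""Added example: synchronous product and conservative state estimation
for a small DES under a sensor-deletion attack.

Illustrative code, not the paper's ALTER model or CA-observer. Plant: two
vehicles (a, b) move among five islands joined by five bridges
(1-2, 2-3, 3-4, 4-5, 3-5). Event 'a23' means vehicle a crosses from
island 2 to island 3. Starting islands and the attack model are assumed.
"""

BRIDGES = [(1, 2), (2, 3), (3, 4), (4, 5), (3, 5)]

# Assumption: the attacker can hide (delete) reports of 2-3 bridge crossings.
ATTACKABLE = {"a23", "a32", "b23", "b32"}


def vehicle_automaton(name, start):
    """Automaton for one vehicle: states are islands, events are crossings."""
    delta = {}
    for i, j in BRIDGES:
        delta[(i, f"{name}{i}{j}")] = j
        delta[(j, f"{name}{j}{i}")] = i
    return {"init": start, "delta": delta}


def sync_product(g1, g2):
    """Standard synchronous composition G1 || G2 restricted to reachable
    states: shared events synchronise, private events interleave."""
    ev1 = {e for _, e in g1["delta"]}
    ev2 = {e for _, e in g2["delta"]}
    init = (g1["init"], g2["init"])
    states, delta, stack = {init}, {}, [init]
    while stack:
        q = stack.pop()
        q1, q2 = q
        for e in ev1 | ev2:
            n1, n2 = g1["delta"].get((q1, e)), g2["delta"].get((q2, e))
            if e in ev1 and e in ev2:          # shared: both must move
                if n1 is None or n2 is None:
                    continue
                nxt = (n1, n2)
            elif e in ev1:                      # private to G1
                if n1 is None:
                    continue
                nxt = (n1, q2)
            else:                               # private to G2
                if n2 is None:
                    continue
                nxt = (q1, n2)
            delta[(q, e)] = nxt
            if nxt not in states:
                states.add(nxt)
                stack.append(nxt)
    return {"init": init, "states": states, "delta": delta}


def silent_reach(g, states, silent):
    """States reachable from `states` through events the estimator cannot
    rely on seeing (unobservable, or deletable by the attacker)."""
    reach, stack = set(states), list(states)
    while stack:
        q = stack.pop()
        for (p, e), n in g["delta"].items():
            if p == q and e in silent and n not in reach:
                reach.add(n)
                stack.append(n)
    return reach


def estimate(g, observed, silent):
    """Plant states consistent with an observed string when events in
    `silent` may have been deleted from the sensor channel."""
    est = silent_reach(g, {g["init"]}, silent)
    for e in observed:
        est = {g["delta"][(q, e)] for q in est if (q, e) in g["delta"]}
        est = silent_reach(g, est, silent)
    return est


def unsafe(q):
    """Specification: the two vehicles must never share an island."""
    return q[0] == q[1]


def events_to_disable(g, est):
    """Supervisor decision: disable every event that takes some state in
    the current estimate to an unsafe state."""
    return {e for (q, e), n in g["delta"].items() if q in est and unsafe(n)}


if __name__ == "__main__":
    g = sync_product(vehicle_automaton("a", 1), vehicle_automaton("b", 5))
    print(len(g["states"]), "states,", len(g["delta"]), "transitions")
    obs = ["a12"]  # constructed observation: vehicle a crossed 1 -> 2
    naive = estimate(g, obs, set())
    robust = estimate(g, obs, ATTACKABLE)
    print("attack-unaware:", naive, "disable:", events_to_disable(g, naive))
    print("attack-aware:  ", robust, "disable:", events_to_disable(g, robust))
```

With vehicle a observed crossing 1 to 2, an attack-unaware estimator believes the state is exactly (2, 5) and disables nothing; the attack-aware estimator also admits (3, 5), because the crossing a23 could have been deleted, and therefore disables a35 and b53, the two events that could put both vehicles on the same island. This models deletion attacks only; insertion or replacement of sensor readings would need the richer attack languages the paper introduces.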

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The paper investigates coordination control of discrete event systems under joint sensor and actuator cyber attacks. It introduces an ALTER model to capture sensor attacks via sets of attack languages. Local supervisors are designed to maintain system safety under attacks. Necessary and sufficient conditions for supervisor existence are stated in terms of conditional decomposability, CA-controllability, and CA-observability. Methods are given for computing local state estimates under sensor attacks and for synthesizing supervisors (one using all three properties, one using only conditional decomposability). The approach is claimed to apply to both stealthy and non-stealthy attacks and is illustrated by a practical example.

Significance. If the derivations are correct and the ALTER model is shown to be sufficiently general, the work would extend decentralized DES supervisory control theory to explicitly handle cyber attacks while preserving safety. The provision of state-estimation methods under attack and dual synthesis procedures (one weaker than the full N&S conditions) could be useful for practical implementation in networked control systems. Credit is due for addressing both stealthy and non-stealthy attacks within a single framework.

major comments (3)
  1. [Abstract] Abstract: The manuscript states that necessary and sufficient conditions are derived in terms of conditional decomposability, CA-controllability and CA-observability, yet the provided text contains no derivation steps, proofs, or verification of these conditions. This absence is load-bearing for the central claim.
  2. [Modeling of sensor attacks] Modeling section (ALTER model): The sensor-attack languages are defined via the proposed ALTER model, but no argument is supplied that every plausible sensor attack (including those outside the defined family) can be expressed inside the model. If an attack language lies outside ALTER, the CA-controllability and CA-observability predicates become inapplicable and the safety guarantee does not hold.
  3. [Supervisor design methods] Supervisor synthesis section: The two design methods are presented without explicit verification that the resulting supervisors indeed enforce the claimed safety property under the modeled attacks; no closed-loop language inclusion or invariance proof is visible.
minor comments (2)
  1. Notation for attack languages and the ALTER model should be introduced with a clear table or diagram showing the relationship between plant language, attack language, and observed language.
  2. The practical example would benefit from explicit listing of the attack languages used and the resulting local supervisors to allow reproducibility.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback on our manuscript. We address each major comment below and indicate planned revisions where appropriate.

Point-by-point responses
  1. Referee: [Abstract] Abstract: The manuscript states that necessary and sufficient conditions are derived in terms of conditional decomposability, CA-controllability and CA-observability, yet the provided text contains no derivation steps, proofs, or verification of these conditions. This absence is load-bearing for the central claim.

    Authors: The necessary and sufficient conditions appear as Theorem 1 in Section IV, expressed via the three properties. However, the full proof details were condensed in the initial submission. We will expand Section IV with complete derivation steps and verification arguments in the revised version. revision: yes

  2. Referee: [Modeling of sensor attacks] Modeling section (ALTER model): The sensor-attack languages are defined via the proposed ALTER model, but no argument is supplied that every plausible sensor attack (including those outside the defined family) can be expressed inside the model. If an attack language lies outside ALTER, the CA-controllability and CA-observability predicates become inapplicable and the safety guarantee does not hold.

    Authors: The ALTER model is introduced to represent sensor attacks through attack languages in a manner compatible with the DES framework. We agree that an explicit discussion of its scope and coverage of common attack types would clarify applicability. A new subsection will be added to argue the model's generality for the attacks considered in the paper. revision: yes

  3. Referee: [Supervisor design methods] Supervisor synthesis section: The two design methods are presented without explicit verification that the resulting supervisors indeed enforce the claimed safety property under the modeled attacks; no closed-loop language inclusion or invariance proof is visible.

    Authors: The synthesis procedures in Section V are constructed to satisfy the stated conditions, which by definition ensure safety. We acknowledge the absence of an explicit closed-loop invariance argument. The revised manuscript will include a dedicated lemma and proof establishing language inclusion under attacks for both design methods. revision: yes

Circularity Check

0 steps flagged

No significant circularity in the derivation chain

full rationale

The paper introduces an ALTER model to capture sensor attacks as attack languages, then defines CA-controllability and CA-observability relative to those languages and states N&S conditions for supervisor existence in terms of conditional decomposability plus the two new properties. This is a standard definitional framework in supervisory control theory; the conditions are derived within the model rather than reducing to the inputs by construction, with no fitted parameters renamed as predictions, no self-referential equations, and no load-bearing self-citations evident. The derivation remains self-contained against external benchmarks once the modeling assumptions are granted.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 1 invented entity

The central claim rests on standard discrete-event language properties plus the newly introduced ALTER attack model; no numerical free parameters are introduced.

axioms (1)
  • domain assumption Discrete event systems are modeled by languages and automata possessing standard controllability and observability properties from supervisory control theory.
    Implicit foundation for all supervisor existence results in the abstract.
invented entities (1)
  • ALTER model (no independent evidence)
    purpose: To represent sensor attacks as sets of attack languages.
    Newly proposed in the paper; no independent evidence supplied.

pith-pipeline@v0.9.0 · 5677 in / 1297 out tokens · 32205 ms · 2026-05-24T07:17:42.217630+00:00 · methodology


Reference graph

Works this paper leans on

29 extracted references · 29 canonical work pages

  1. [1] Michel R. C. Alves, Patrícia N. Pena, and Karen Rudie. Discrete-event systems subject to unknown sensor attacks. Discrete Event Dynamic Systems, 32(1):143–158, 2022.
  2. [2] Lilian K. Carvalho, Yi-Chin Wu, Raymond Kwong, and Stéphane Lafortune. Detection and prevention of actuator enablement attacks in supervisory control systems. In 2016 13th International Workshop on Discrete Event Systems (WODES), pages 298–305, 2016.
  3. [3] Christos G. Cassandras and Stéphane Lafortune. Introduction to Discrete Event Systems. Springer Nature, 3rd edition, 2021.
  4. [4] Raphael Fritz and Ping Zhang. Modeling and detection of cyber attacks on discrete event systems. IFAC-PapersOnLine, 51(7):285–290, 2018.
  5. [5] Jan Komenda, Tomáš Masopust, and Jan H. van Schuppen. On conditional decomposability. Systems & Control Letters, 61(12):1260–1268, 2012.
  6. [6] Jan Komenda, Tomáš Masopust, and Jan H. van Schuppen. Supervisory control synthesis of discrete-event systems using a coordination scheme. Automatica, 48(2):247–254, 2012.
  7. [7] Jan Komenda, Tomáš Masopust, and Jan H. van Schuppen. Coordination control of discrete-event systems revisited. Discrete Event Dynamic Systems, 25:65–94, 2015.
  8. [8] Jan Komenda, Tomáš Masopust, and Jan H. van Schuppen. On a distributed computation of supervisors in modular supervisory control. In 2015 International Conference on Complex Systems Engineering (ICCSE), pages 1–6, 2015.
  9. [9] Jan Komenda and Jan H. van Schuppen. Coordination control of discrete-event systems. In 2008 9th International Workshop on Discrete Event Systems, pages 9–15, 2008.
  10. [10] Públio M. Lima, Marcos V. S. Alves, Lilian K. Carvalho, and Marcos V. Moreira. Security of cyber-physical systems: Design of a security supervisor to thwart attacks. IEEE Transactions on Automation Science and Engineering, 19(3):2030–2041, 2021.
  11. [11] Feng Lin and W. Murray Wonham. On observability of discrete-event systems. Information Sciences, 44(3):173–198, 1988.
  12. [12] Ziyue Ma and Kai Cai. On resilient supervisory control against indefinite actuator attacks in discrete-event systems. IEEE Control Systems Letters, 6:2942–2947, 2022.
  13. [13] Rômulo Meira-Góes and Stéphane Lafortune. Moving target defense based on switched supervisory control: A new technique for mitigating sensor deception attacks. IFAC-PapersOnLine, 53(4):317–323, 2020.
  14. [14] Patricia N. Pena, José E. R. Cury, and Stéphane Lafortune. Polynomial-time verification of the observer property in abstractions. In 2008 American Control Conference (ACC), pages 465–470, 2008.
  15. [15] Max H. De Queiroz and José E. R. Cury. Modular supervisory control of large scale discrete event systems. In Discrete Event Systems, pages 103–110. Springer, 2000.
  16. [16] Peter J. Ramadge and W. Murray Wonham. Supervisory control of a class of discrete event processes. SIAM Journal on Control and Optimization, 25(1):206–230, 1987.
  17. [17] Aida Rashidinejad, Bart Wetzels, Michel Reniers, Liyong Lin, Yuting Zhu, and Rong Su. Supervisory control of discrete-event systems under attacks: An overview and outlook. In 2019 18th European Control Conference (ECC), pages 1732–1739, 2019.
  18. [18] Karen Rudie and W. Murray Wonham. Think globally, act locally: decentralized supervisory control. IEEE Transactions on Automatic Control, 37(11):1692–1708, 1992.
  19. [19] Ruochen Tai, Liyong Lin, Yuting Zhu, and Rong Su. Synthesis of distributed covert sensor-actuator attackers. IEEE Transactions on Automatic Control, 69(8):4942–4957, 2024.
  20. [20] Masashi Wakaiki, Paulo Tabuada, and João P. Hespanha. Supervisory control of discrete-event systems under attacks. Dynamic Games and Applications, 9(4):965–983, 2019.
  21. [21] Yu Wang and Miroslav Pajic. Supervisory control of discrete event systems in the presence of sensor and actuator attacks. In 2019 IEEE 58th Conference on Decision and Control (CDC), pages 5350–5355, 2019.
  22. [22] Ze Y. Wang, Rômulo Meira-Góes, Stéphane Lafortune, and Raymond H. Kwong. Mitigation of classes of attacks using a probabilistic discrete event system framework. IFAC-PapersOnLine, 53(4):35–41, 2020.
  23. [23] Kai C. Wong and W. Murray Wonham. Hierarchical control of discrete-event systems. Discrete Event Dynamic Systems, 6(3):241–273, 1996.
  24. [24] Kai C. Wong and W. Murray Wonham. Modular control and coordination of discrete-event systems. Discrete Event Dynamic Systems, 8(3):247–297, 1998.
  25. [25] W. Murray Wonham and Kai Cai. Supervisory Control of Discrete-Event Systems. Springer, 2019.
  26. [26] Qi Zhang, Zhiwu Li, Carla Seatzu, and Alessandro Giua. Stealthy attacks for partially-observed discrete event systems. In 2018 IEEE 23rd International Conference on Emerging Technologies and Factory Automation (ETFA), volume 1, pages 1161–1164, 2018.
  27. [27] Qi Zhang, Carla Seatzu, Zhiwu Li, and Alessandro Giua. Joint state estimation under attack of discrete event systems. IEEE Access, 9:168068–168079, 2021.
  28. [28] Shengbao Zheng, Shaolong Shu, and Feng Lin. Modeling and control of discrete event systems under joint sensor-actuator cyber attacks. In 2021 6th International Conference on Automation, Control and Robotics Engineering (CACRE), pages 1–8, 2021.
  29. [29] Shengbao Zheng, Shaolong Shu, and Feng Lin. Modeling and control of discrete event systems under joint sensor-actuator cyber attacks. IEEE Transactions on Control of Network Systems, 11(2):782–794, 2024.