Security and Resilience in Cyber

Physical Systems Detection Estimation

and Control Masoud Abbaszadeh
Visit to download the full and correct content document:
https://ebookmeta.com/product/security-and-resilience-in-cyber-physical-systems-det
ection-estimation-and-control-masoud-abbaszadeh/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...

Security of Cyber Physical Systems State Estimation and

Control 1st Edition Chengwei Wu

https://ebookmeta.com/product/security-of-cyber-physical-systems-
state-estimation-and-control-1st-edition-chengwei-wu/

Security and Resilience of Cyber Physical Systems 1st

Edition Krishan Kumar

https://ebookmeta.com/product/security-and-resilience-of-cyber-
physical-systems-1st-edition-krishan-kumar/

Merging Optimization and Control in Power Systems :

Physical and Cyber Restrictions in Distributed
Frequency Control and Beyond 1st Edition Feng Liu

https://ebookmeta.com/product/merging-optimization-and-control-
in-power-systems-physical-and-cyber-restrictions-in-distributed-
frequency-control-and-beyond-1st-edition-feng-liu/

Cyber-physical Systems and Industry 4.0: Practical

Applications and Security Management 1st Edition Dinesh
Goyal (Editor)

https://ebookmeta.com/product/cyber-physical-systems-and-
industry-4-0-practical-applications-and-security-management-1st-
edition-dinesh-goyal-editor/
Networked and Event Triggered Control Approaches in
Cyber Physical Systems 1st Edition Jinhui Zhang
Yuanqing Xia Zhongqi Sun Duanduan Chen

https://ebookmeta.com/product/networked-and-event-triggered-
control-approaches-in-cyber-physical-systems-1st-edition-jinhui-
zhang-yuanqing-xia-zhongqi-sun-duanduan-chen/

Safety and Security of Cyber-Physical Systems:

Engineering dependable Software using Principle-based
Development Frank J. Furrer

https://ebookmeta.com/product/safety-and-security-of-cyber-
physical-systems-engineering-dependable-software-using-principle-
based-development-frank-j-furrer/

Cyber-Physical, IoT, and Autonomous Systems in Industry

4.0 1st Edition Vikram Bali

https://ebookmeta.com/product/cyber-physical-iot-and-autonomous-
systems-in-industry-4-0-1st-edition-vikram-bali/

Security Chaos Engineering: Sustaining Resilience in

Software and Systems 1st Edition Kelly Shortridge

https://ebookmeta.com/product/security-chaos-engineering-
sustaining-resilience-in-software-and-systems-1st-edition-kelly-
shortridge/

Diagnosis Fault Detection Tolerant Control Studies in

Systems Decision and Control Book 269 Nabil Derbel
Jawhar Ghommam Quanmin Zhu

https://ebookmeta.com/product/diagnosis-fault-detection-tolerant-
control-studies-in-systems-decision-and-control-book-269-nabil-
derbel-jawhar-ghommam-quanmin-zhu/
Editors
Masoud Abbaszadeh and Ali Zemouche

Security and Resilience in Cyber-

Physical Systems
Detection, Estimation and Control
Editors
Masoud Abbaszadeh
GE Research, New York, NY, USA

Ali Zemouche
CRAN, IUT Henri Poincaré de Longwy, Université de Lorraine, Cosnes-
et-Romain, France

ISBN 978-3-030-97165-6 e-ISBN 978-3-030-97166-3

https://doi.org/10.1007/978-3-030-97166-3

Mathematics Subject Classification (2010): 93B52, 93C15, 93E10,

93E35

© The Editor(s) (if applicable) and The Author(s), under exclusive

license to Springer Nature Switzerland AG 2022

MATLAB and Simulink are registered trademarks of The MathWorks,

Inc. See https://www.mathworks.com/trademarks for a list of
additional trademarks.

This work is subject to copyright. All rights are solely and exclusively
licensed by the Publisher, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of
illustrations, recitation, broadcasting, reproduction on microfilms or in
any other physical way, and transmission or information storage and
retrieval, electronic adaptation, computer software, or by similar or
dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks,

service marks, etc. in this publication does not imply, even in the
absence of a specific statement, that such names are exempt from the
relevant protective laws and regulations and therefore free for general
use.
The publisher, the authors, and the editors are safe to assume that the
advice and information in this book are believed to be true and accurate
at the date of publication. Neither the publisher nor the authors or the
editors give a warranty, expressed or implied, with respect to the
material contained herein or for any errors or omissions that may have
been made. The publisher remains neutral with regard to jurisdictional
claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer

Nature Switzerland AG
The registered company address is: Gewerbestrasse 11, 6330 Cham,
Switzerland
Preface
Cyber-physical systems enable interoperability of cyber and physical
worlds through control, computation, and communications. Control,
optimization, monitoring, and diagnostic schemes that operate cyber-
physical systems (e.g., power generation, transportation, oil & gas,
computing and communication systems, healthcare systems, etc.) are
increasingly connected via local networks or the Internet. As a result,
these control systems have been increasingly vulnerable to threats and
jamming, such as cyber-attacks (e.g., associated with a computer virus,
malicious software, etc.), that could disrupt their operation, damage
equipment, inflict malfunctions, etc. Many of current cybersecurity
methods primarily consider attack detection and mitigation in
Information Technology (“IT”, such as, computers that store, retrieve,
transmit, manipulate data) and Operational Technology (“OT”, such as
direct monitoring devices and communication bus interfaces) at the
network and communication layers. Cyber-attacks can still penetrate
through these protection layers and reach the physical “domain” as
seen in 2010 with the Stuxnet attack. Such attacks can negatively affect
the performance of a control system and may cause total shut down or
catastrophic damage to the system. Currently, fewer methods are
available to automatically detect, during a cyber-incident, attacks at the
physical domain layer (i.e. the process level) where sensors, controllers,
and actuators are located. In some cases, multiple attacks may occur
simultaneously (e.g., more than one actuator, sensor, or parameter
inside control system devices might be altered maliciously by an
unauthorized party at the same time). Furthermore, some subtle
consequences of cyber-attacks, such as stealthy attacks occurring at the
physical layer, might not be readily detectable (e.g., when only one
monitoring node, such as a sensor node, is used in a detection
algorithm). In addition, to maintain system availability and integrity
and to protect assets, attack resilience much be achieved through
resilient estimation and control methodologies, which are beyond
existing fault-tolerant control approaches. It may also be important to
determine and distinguish when a monitoring node is experiencing a
malicious attack (as opposed to a natural fault/failure) and, in some
cases, exactly what type of attack is occurring. Existing approaches to
protect an industrial control system, such as fault detection and
diagnostics technologies, may not adequately address these problems,
especially when multiple, simultaneous attacks occur, since multiple
faults/failure diagnostic technologies are not designed for detecting
stealthy attacks in an automatic manner. It would therefore be desirable
to research and develop new theories and technologies to protect
cyber-physical systems, including those in critical infrastructure, from
cyber-attacks in an automatic and accurate manner even when attacks
percolate through the IT and OT layers and directly harm the control
systems.
This book is intended to cover some of the latest research on cyber-
physical security and resilience and highlight active research directions
and solutions that are currently pursued in academia and industry. A
collection of book chapters are gathered from well-known experts in
the field with diverse technical backgrounds of controls, estimation,
machine learning, signal processing, and information theory, as well as
diverse geographical representation from North America, Europe, and
Asia. The book addresses a very important topic with a growing
attention from the research community and critical applications and
implications in industries and governments. The book chapters
comprise of a blend of new theoretical results on detection, resilient
estimation, and control combined with machine learning techniques, as
well as important application areas such as power generation, electric
power grid, autonomous systems, communication networks, and
chemical plants. In the recent years, there have been multiple books
published on cyber-security from various perspectives, including
vulnerability and impact analysis, safety, security, privacy, networks
intrusion detection and mitigation, etc. While there are synergies
between the current book and the previously published books, the book
complements previous publications by addressing cyber-physical
security at the physical sensing and control layer of cyber-physical
systems, and systems resilience under attack via resilient estimation
and control. The book is not solely based on control/estimation theory
but a combination of control theory and machine learning approaches
to cyber-physical security and resilience, by which several chapters are
taking a “Controls+AI” approach. The book is aimed for both
researchers and technology developers in the academia and industry.
This area is vast and rapidly growing, with crucial needs for additional
research and development. The editors hope that this book will be a
useful advancement in that front.
Finally, we deeply thank authors and reviewers for their
contributions. We also gratefully acknowledge support from Springer’s
editorial and production staff. A. Zemouche would like to thank the
ANR agency for the partial support of this work via the project ArtISMo
ANR-20-CE48-0015.
Masoud Abbaszadeh
Ali Zemouche
New York, USA
Grand Est, France
October 2021
Contents
1 Overview
Masoud Abbaszadeh and Ali Zemouche
2 Introduction to Cyber-Physical Security and Resilience
Masoud Abbaszadeh and Ali Zemouche
3 Fundamental Stealthiness–Distortion Trade-Offs in Cyber-
Physical Systems
Song Fang and Quanyan Zhu
4 Predictive Situation Awareness and Anomaly Forecasting in
Cyber-Physical Systems
Masoud Abbaszadeh, Weizhong Yan and Lalit K. Mestha
5 Resilient Observer Design for Cyber-Physical Systems with Data-
Driven Measurement Pruning
Yu Zheng and Olugbenga Moses Anubi
6 Framework for Detecting APTs Based on Steps Analysis and
Correlation
Hope Nkiruka Eke, Andrei Petrovski, Hatem Ahriz and M. Omar Al-
Kadri
7 Resilient State Estimation and Attack Mitigation in Cyber-
Physical Systems
Mohammad Khajenejad and Sze Zheng Yong
8 State and Attacks Estimation for Nonlinear Takagi–Sugeno
Multiple Model Systems with Delayed Measurements
Souad Bezzaoucha Rebai, Holger Voos and Mohamed Darouach
9 Secure Estimation Under Model Uncertainty
Saurabh Sihag and Ali Tajer
10 Resilient Control of Nonlinear Cyber-Physical Systems:​Higher-
Order Sliding Mode Differentiation and Sparse Recovery-Based
Approaches
Shamila Nateghi, Yuri Shtessel, Christopher Edwards and Jean-
Pierre Barbot
11 Resilient Cooperative Control of Input Constrained Networked
Cyber-Physical Systems
Junjie Fu, Guanghui Wen, Yongjun Xu, Ali Zemouche and Fan Zhang
12 Optimal Subsystem Decomposition and Resilient Distributed
State Estimation for Wastewater Treatment Plants
Langwen Zhang, Miaomiao Xie, Wei Xie and Bohui Wang
13 Cyber-Attack Detection for a Crude Oil Distillation Column
H. M. Sabbir Ahmad, Nader Meskin and Mohammad Noorizadeh
14 A Resilient Nonlinear Observer for Light-Emitting Diode Optical
Wireless Communication Under Actuator Fault and Noise Jamming
Ibrahima N’Doye, Ding Zhang, Ania Adil, Ali Zemouche,
Rajesh Rajamani and Taous-Meriem Laleg-Kirati
Index
Contributors
Masoud Abbaszadeh
GE Research, Niskayuna, NY, USA

Ania Adil
King Abdullah University of Science and Technology (KAUST), Thuwal,
Saudi Arabia

H. M. Sabbir Ahmad
Qatar University, Doha, Qatar

Hatem Ahriz
Robert Gordon University, Aberdeen, UK

M. Omar Al-Kadri
Birmingham City University, Birmingham, UK

Olugbenga Moses Anubi

FAMU-FSU College of Engineering, Tallahassee, FL, USA

Jean-Pierre Barbot
QUARTZ Laboratory, ENSEA, Cergy-Pontoise, France

Souad Bezzaoucha Rebai

EIGSI-La Rochelle, La Rochelle, France

Mohamed Darouach
Research Center for Automatic Control of Nancy (CRAN), Université de
Lorraine, IUT de Longwy, Cosnes et Romain, France

Christopher Edwards
The University of Exeter, Exeter, UK

Hope Nkiruka Eke

Robert Gordon University, Aberdeen, UK

Song Fang
New York University, New York, USA

Junjie Fu
School of Mathematics, Southeast University, Nanjing, People’s Republic
of China

Mohammad Khajenejad
Arizona State University, Tempe, AZ, USA

Taous-Meriem Laleg-Kirati
King Abdullah University of Science and Technology (KAUST), Thuwal,
Saudi Arabia

Nader Meskin
Qatar University, Doha, Qatar

Lalit K. Mestha
Genetic Innovations Inc. (work performed while at GE Research),
Honolulu, HI, USA

Shamila Nateghi
University of Alabama in Huntsville, Huntsville, AL, USA

Mohammad Noorizadeh
Qatar University, Doha, Qatar

Ibrahima N’Doye
King Abdullah University of Science and Technology (KAUST), Thuwal,
Saudi Arabia

Andrei Petrovski
Robert Gordon University, Aberdeen, UK

Rajesh Rajamani
Department of Mechanical Engineering, University of Minnesota,
Minneapolis, MN, USA

Yuri Shtessel
University of Alabama in Huntsville, Huntsville, AL, USA
Saurabh Sihag
University of Pennsylvania, Philadelphia, PA, USA

Ali Tajer
Rensselaer Polytechnic Institute, Troy, NY, USA

Holger Voos
Interdisciplinary Centre for Security, Reliability and Trust (SnT),
Automatic Control Research Group, University of Luxembourg,
Luxembourg, Luxembourg

Bohui Wang
School of Electrical and Electronic Engineering, Nanyang Technological
University, Singapore, Singapore

Guanghui Wen
School of Mathematics, Southeast University, Nanjing, People’s Republic
of China

Miaomiao Xie
College of Automation Science and Technology, South China University
of Technology, Guangzhou, China

Wei Xie
College of Automation Science and Technology, South China University
of Technology, Guangzhou, China

Yongjun Xu
Institute of Computing Technology, Chinese Academy of Sciences,
Beijing, China

Weizhong Yan
GE Research, Niskayuna, NY, USA

Sze Zheng Yong

Arizona State University, Tempe, AZ, USA

Ali Zemouche
CRAN CNR-UMR 7039, IUT Henri Poincaré de Longwy, Université de
Lorraine, Cosnes-et-Romain, France

Ding Zhang
Department of Electronic and Computer Engineering, The Hong Kong
University of Science and Technology, Clear Water Bay, Kowloon, Hong
Kong, China

Fan Zhang
School of Aeronautics and Astronautics (Shenzhen), Sun Yat-sen
University, Guangzhou, People’s Republic of China

Langwen Zhang
College of Automation Science and Technology, South China University
of Technology, Guangzhou, China

Yu Zheng
FAMU-FSU College of Engineering, Tallahassee, FL, USA

Quanyan Zhu
New York University, New York, USA
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022
M. Abbaszadeh, A. Zemouche (eds.), Security and Resilience in Cyber-Physical Systems
https://doi.org/10.1007/978-3-030-97166-3_1

1. Overview
Masoud Abbaszadeh1 and Ali Zemouche2
(1) GE Research, Niskayuna, NY, USA
(2) CRAN CNR-UMR 7039, IUT Henri Poincare Longwy, Universite
Lorraine, Cosnes-et-Romain, France

Masoud Abbaszadeh (Corresponding author)

Email: masoud@ualberta.net

Ali Zemouche
Email: ali.zemouche@univ-lorraine.fr

The increasing sophistication and severity of intelligently designed

cyber-attacks warrants new theoretical and technological
developments beyond current detection, estimation, and control
methodologies. On the other hand, cyber-physical systems are
dramatically changing, incorporating new elements such as the Internet
of Things (IoT) connectivity and distributed intelligence into the
perspective. This transformation further expands the digital footprint
of these systems, hence making them susceptible to cyber-attacks and
other safety and security issues. Advanced targeted attacks against
control systems have increased in the past years with evidence of high
risks related to zero-day and replay attacks. In order to tackle this
threat, we need advances in detection, feedback control, and estimation
with built-in resilience to cyber-attacks, to maintain system integrity
and reliability at all times, by providing uninterrupted, equipment-safe,
and controlled operation.
This book is intended to cover some of the latest theory and
technology advancements for detection and protection against cyber-
attacks in cyber-physical systems. This is a very important emerging
field and a very active multidisciplinary research and technology
development area. The book covers some of the latest problems and
research on cyber-physical security and resilience, and highlights active
research directions and solutions that are currently pursued in
academia and industry. The topics comprise of a blend of new
theoretical results on resilient estimation and control combined with
machine learning techniques, as well as important application areas
such as industrial control systems, power generation and distribution,
autonomous systems, wireless communication networks, and chemical
plants. The book comprises of a collection of chapters from well-known
researchers in academia, and industrial research labs providing a
comprehensive perspective of some of the latest advancements and
prospects of cyber-physical security and resilience.
The book is structured as follows. It starts with an introductory
chapter on cyber-physical security and resilience (Chap. 2), and
continues with chapters containing theoretical results on attack
detection and situational awareness, resilient estimation, and control,
with case studies on power generation, transmission and distribution,
sensor networks, cooperative tracking, and autonomous vehicles
(Chaps. 3–11). Then, it moves to application-oriented chapters on
wastewater treatment plants, oil refinery, and wireless communication
networks (Chaps. 12–14). A fundamental trade-off study of
stealthiness–distortion is offered in Chap. 3. This is an important topic
and sets foundations for future work in this emerging space. Chapter 4
is dedicated to predictive situational awareness in which an anomaly
detection and forecasting framework is proposed, combining elements
from estimation theory and machine learning. Chapter 5 provides a
resilient observer design solution using a concurrent learning
approach, while a framework for detection of advanced persistent
threats is presented in Chap. 6. Chapters 7–10 are focused on secure
and resilient estimation from different perspectives. Chapter 7
addresses the resilient state estimation and attack mitigation problems
for switched linear systems with stochastic and set-membership
uncertainties. Chapter 8 is on state and attack estimation for nonlinear
fuzzy systems with delayed measurements. Chapter 9 establishes the
notion of secure estimation under imperfect attack detection and
isolation decisions and studies the fundamental couplings between
those decisions and the estimation problem, characterizing closed-form
decision rules. Chapter 10, addresses cyber-attack reconstruction using
higher-order sliding mode observers and sparse recovery methods.
Chapter 11 is on resilient cooperative control over networks to achieve
consensus tracking under input constraints and communication
restraints. Chapter 12 is on resilient distributed estimation, addressing
the resilience of wastewater treatment plants against natural disasters.
A distributed attack detection algorithm is proposed in Chap. 13 for
crude oil distillation columns. Chapter 14 is on resilient estimation in
optical wireless communication networks for cooperative robot
autonomy under actuator faults and noise jamming. The titles and
abstracts of the chapters are in the following.
Chapter 2. Introduction to Cyber-Physical Security and
Resilience: This chapter describes the fundamentals of the cyber-
physical security and resilience approaches as well as some of the
current research directions, and provides a survey of latest results in
attack detection, isolation, resilient estimation and resilient control. It
also makes distinctions between cyber-physical security versus
adjoining and seemingly related applications such as fault detection,
and data communications and network security (a.k.a, cyber-security).
Chapter 3. Fundamental Stealthiness–Distortion Tradeoffs in
Cyber-Physical Systems: In this chapter, we analyze the fundamental
stealthiness–distortion trade-offs of linear Gaussian open-loop
dynamical systems and (closed-loop) feedback control systems under
data injection attacks using a power spectral analysis,, whereas the
Kullback–Leibler (KL) divergence is employed as the stealthiness
measure. Particularly, we obtain explicit formulas in terms of power
spectra that characterize analytically the stealthiness–distortion trade-
offs as well as the properties of the worst-case attacks. Furthermore, it
is seen in general that the attacker only needs to know the input–
output behaviors of the systems in order to carry out the worst-case
attacks.
Chapter 4. Predictive Situation Awareness and Anomaly
Forecasting in Cyber-Physical Systems: A new feature-based
situation awareness and forecasting framework is presented for rapid
detection and early warning of abnormalities in cyber-physical systems.
The abnormalities may refer to intelligent cyber-attacks or naturally
occurring faults and failures. Techniques presented here are aimed at
protecting against unauthorized intrusions as well as fault prevention.
Time series signals from system monitoring nodes are converted to
features using feature discovery techniques. The feature behavior for
each monitoring node is characterized in the form of decision
boundaries, separating normal and abnormal space with operating data
collected from the plant or by running virtual models of the plant. A set
of ensemble state-space models are constructed for representing
feature evolution in time domain, where the ensembles are selected
using Gaussian Mixture Model (GMM) clustering. The forecasted
outputs are anticipated time evolution of features, computed by
applying an adaptive Kalman predictor to each ensemble model. The
overall features forecast is then obtained through dynamic ensemble
averaging. This is done by projecting evolution of feature vector to
future times. This projection can be performed either in a receding
horizon or a committed horizon fashion. The feature forecasts are
compared to the decision boundary to estimate if/when the feature
vectors will cross the boundary. The decision boundary is a high-
dimensional manifold in the feature space learned by a neural network.
The training of the neural network is based on labeled data provided
either through simulation of the system digital twin or by capturing
historical field data. In this chapter, we also establish a framework for
situation awareness, discussing the different components to achieve full
situation awareness and showing the interactions between the attack
detection, isolation, and prediction modules at the system level.
Simulation results in a high-fidelity GE gas turbine platform show the
effectiveness of our approach for forecasting abnormalities, which can
be used for protecting physical assets from abnormalities due to cyber-
intrusion or natural faults.
Chapter 5. Resilient Observer Design for Cyber-Physical
Systems with Data-Driven Measurement Pruning: Resilient observer
design for Cyber-Physical Systems (CPS) in the presence of adversarial
false data injection attacks (FDIA) is an active area of research. Existing
state-of-the-art algorithms tend to break down as more and more
knowledge of the system is built into the attack model; also as the
percentage of attacked nodes increases. From the view of optimization
theory, the problem is often cast as a classical error correction problem
for which a theoretical limit of has been established as the
maximum percentage attacked nodes for which state recovery is
guaranteed. Beyond this limit, the performance of -minimization-
based schemes, for instance, deteriorates rapidly. Similar performance
degradation occurs for other types of resilient observers beyond
certain percentages of attacked nodes. In order to increase the
corresponding percentage of attacked nodes for which state recoveries
can be guaranteed, researchers have begun to incorporate prior
information into the underlying resilient observer design framework.
For the most pragmatic cases, this prior information is often obtained
through a data-driven machine learning process. Existing results have
shown a strong positive correlation between the maximum attacked
percentages that can be tolerated and the accuracy of the data-driven
model. Motivated by these results, this chapter examines the case for
pruning algorithms designed to improve the Positive Prediction Value
(PPV) of the resulting prior information, given stochastic uncertainty
characteristics of the underlying machine learning model. Theoretical
quantification of the achievable improvement is given. Simulation
results show that the pruning algorithm significantly increases the
maximum correctable percentage of attacked nodes, even for machine
learning model whose prediction power is comparable to the random
flip of a coin.
Chapter 6. Framework for Detecting APTs Based on Steps
Analysis and Correlation: An advanced persistent threat, (APT), is an
attack that uses multiple attack behavior to penetrate a system, to
achieve specifically targeted and highly valuable goals within a system.
This type of attack has presented an increasing concern for cyber-
security and business continuity. The resource availability, integrity,
and confidentiality of the operational cyber-physical systems’ (CPS)
state and control are highly impacted by the safety and security
measures adopted. In this study, we propose a framework based on
deep APT steps analysis and correlation, abbreviated as “APT-DASAC”,
for securing industrial control systems (ICSs) against APTs. This
approach takes into consideration the distributed and multi-level
nature of ICS architecture, and reflects on multi-step APT attack
lifecycle. We validated the framework with three case studies: (i)
network transactions between a remote terminal unit (RTU) and a
master control unit (MTU) within a supervisory control and data
acquisition (SCADA) gas pipeline control system, (ii) a case study of
command and response injection attacks, and (iii) a scenario based on
network traffic containing hybrid of the real modern normal and the
contemporary synthesized attack activities of the network traffic. Based
on the achieved result, we show that the proposed approach achieves a
significant attacks detection capability and demonstrates that attack
detection techniques that performed very well in one application
domain may not yield the same result in another. Hence, robustness
and resilience of operational CPS state or any system and performance
are determined by the security measures in place, which is specific to
the application system and domain.
Chapter 7. Resilient State Estimation and Attack Mitigation in
Cyber-Physical Systems: Smart and Cyber-Physical Systems (CPS), e.g.,
power and traffic networks and smart homes, are becoming
increasingly ubiquitous as they offer new opportunities for improved
performance and functionalities. However, these often safety-critical
systems have also recently become the target of cyber- or physical
attacks. This chapter contributes to the area of CPS security from the
perspective of leveraging the knowledge of physical system dynamics as
an additional “sensor” to mitigate the effects of false data injection
attacks on actuator and sensor signals as well as attacks on the
switching mechanisms, e.g., circuit breakers, on the state estimation
and control algorithms in these systems, in order to ensure continued
safety, reliability and integrity of systems despite attacks. Specifically,
we consider physical models with switched linear dynamics subject to
two classes of uncertainties: (a) stochastic uncertainty (aleatoric), i.e.,
with (unbounded) stochastic process and measurement noise signals
and (b) set-membership uncertainty (epistemic), i.e., with distribution-
free bounded-norm process and measurement disturbances. In both
settings, we model the system under attack as a hidden-mode switched
linear system with unknown inputs (attacks) and propose multiple-
model inference algorithms to perform attack-resilient state estimation
with stability and optimality guarantees. Moreover, we characterize
fundamental limitations to resilient state estimation (e.g., upper bound
on the number of tolerable signal attacks) and discuss the topics of
attack detection, identification, and mitigation under this framework.
Simulation examples of switching and false data injection attacks on a
benchmark system and an IEEE 68-bus test system show the efficacy of
our approach to recover resilient state estimates as well as to identify
and mitigate the attacks in the presence of stochastic and set-
membership uncertainties.
Chapter 8. State and Attacks Estimation for Nonlinear Takagi–
Sugeno Multiple Models Systems with Delayed Measurements: In
the following contribution, a state and attacks estimation for nonlinear
Takagi–Sugeno Systems with variable time-delay measurements is
proposed. Based on the sector nonlinearity approach, sufficient
conditions in term of Linear Matrix Inequalities (LMIs) formulation are
given for the observer design. It is demonstrated that, despite the
presence of cyber-attack (i.e., data deception attacks on both actuators
and sensors), and the delayed measurements, the proposed observer is
quite efficient and ensures the asymptotic convergence of the
estimation errors with an attenuation constraint.
Chapter 9. Secure Estimation under Model Uncertainty: The
increasing scale and widespread deployment of cyber-physical
systems for novel applications leave them vulnerable to malicious
intrusions and potential failures. Therefore, the performance of a
cyber-physical system hinges on both the successful detection and
elimination of malicious behavior. More importantly, the robustness of
inference algorithms in making high-quality inference decisions even
under active malicious behaviors is instrumental to making reliable
decisions. This chapter focuses on the robustness of state estimates in
complex networks . In such systems, state estimation is the key
inference task at the core of monitoring and decision-making. One key
challenge when facing malicious attacks is uncertainty in the true
underlying statistical model of the data collected. Such uncertainty can
be an outcome of a variety of adversarial behaviors, such as false data
injection attacks, denial of service (DoS) attacks, and causative attacks .
In all such scenarios, the estimation algorithms operate under a
distorted statistical model with respect to what they expect. Therefore,
forming estimates under malicious attacks involves an additional
decision pertinent to the presence of an attack and isolating the true
statistical model. This chapter introduces new notions of secure
estimation under the knowledge that imperfect detection and isolation
decisions induce a coupling between the desired estimation
performance and the auxiliary necessary detection and isolation
decisions. The fundamental interplay among the different decisions
involved is established and closed-form decision rules are provided.
Chapter 10. Resilient Control of Nonlinear Cyber-Physical
Systems: Higher-Order Sliding Mode Differentiation and Sparse
Recovery-based Approaches: In this chapter, we focus on a cyber-
attack reconstruction and secure state estimation to facilitate the
resilient control of nonlinear cyber-physical systems under sensor
and/or actuator attacks. The Sliding Mode
Observation/Differentiation (SMO/D) techniques, which can handle
systems of arbitrary relative degree perturbed by bounded attacks of
arbitrary shape, are used for online reconstruction of the attacks and
secure state estimation in CPSs under attacks. The Sparse Recovery
(SR) algorithm is also employed to reconstruct the stealth sensor
attacks to the unprotected sensors. Next, the corrupted measurements
and states are to be cleaned up online in order to prevent the attack
propagation to the CPS via the feedback control signal. The case study
based on the US Western Electricity Coordinating Council (WECC)
power network under attack is considered. The power network
performance degradation as a result of cyber-attacks to actuators
and/or sensors is observed. The proposed SMO/D and SR algorithms
and methodologies are applied to recover the performance of the
attacked WECC power network. Simulation results illustrate the
efficacy of the proposed approaches.
Chapter 11. Resilient Cooperative Control of Input Constrained
Networked Cyber-Physical Systems: This chapter mainly studies the
resilient cooperative control methods for Networked Cyber-Physical
Systems (NCPS) subject to input saturation constraints. First, input
constrained asymptotic consensus tracking problems for high-order
triangular form NCPS are investigated. Sliding mode control methods
are employed to achieve robust consensus tracking under input
saturation and bounded input disturbances. Both the cases of static
leader and dynamic leader are considered. Observer-based distributed
controllers are further designed to reduce the relative state
measurement requirement between the systems. Then, input
constrained robust finite-time consensus tracking problems for high-
order triangular form NCPS are studied. A switching control strategy is
proposed which is shown to achieve consensus tracking in finite time
under the input saturation constraint. Both the cases with relative state
measurement and only relative output measurement are handled. The
proposed control strategies are novel in that they are resilient to both
the control input constraints, the unknown external disturbances and
the possible digital communication restraints. Numerical simulation is
performed and an application to the vehicle platoon control problem is
given to illustrate the effectiveness of the proposed control strategies.
Chapter 12. Optimal Subsystem Decomposition and Resilient
Distributed State Estimation for Wastewater Treatment Plants: In
this work, an optimal subsystem decomposition algorithm is proposed
based on the community discovery algorithm with weighted network
graph and is applied to a benchmark wastewater treatment plants
(WWTP) system. With the obtained subsystems, a resilient distributed
state estimation method is further investigated to deal with the natural
disasters (storm and rain) and the unreliable communication networks.
The nodes of information graph theory are introduced to represent the
state, input and output variables of the WWTP system. By defining a
sensitivity of an edge, a weighted directed graph of WWTP system is
constructed. The nodes are connected by weighted edges with the
weight reflecting the strength of the connection between nodes. The
weighted network graph can reflect both the connectivity and
connection strength of the system. The community structure discovery
algorithm is used to divide all variables into subsystem groups, such
that the interaction between groups is strong. Then, the subsystem
decomposition of complex process system is obtained. The optimal
subsystem decomposition method is validated by designing a resilient
distributed state estimation for WWTP system with unreliable
communication networks. An information compensation strategy is
proposed to coordinate the sub-estimators. Comparative study is
carried out for the subsystem decomposition by physical structure and
unweighted network-based method. The results show that the
subsystem decomposition and distributed state estimation scheme
improves the resiliency of the system, compared to a centralized
scheme applied to the whole system.
 Chapter 13. Cyber-Attack Detection for a Crude Oil Distillation
Column: Industrial control systems are recently being interfaced to the
cyber-domain as computing, communication, and electronics
technologies continue to evolve giving rise to what is known as Cyber-
Physical Systems (CPSs). Integration of cyber-domain makes these
plants vulnerable to cyber-threats and hence it is indispensable to
address the cyber-security of these systems. The huge worldwide
demand for crude oil can make them a lucrative target for cyber-
intrusions. In this chapter, a continuous binary Distillation Column (DC)
plant is considered as a CPS and a distributed attack detection
algorithm is proposed to enhance its security. In order to demonstrate
the real-time performance of attack detection algorithm, a hybrid
Hardware-In-the-Loop (HIL) testbed is developed where the DC plant
is simulated in real time inside PC and the controllers as well as the
detection algorithms are implemented inside Siemens PLC. Finally, the
real-time performance of the developed attack detection algorithm is
validated through several attack scenarios.
Chapter 14. A Resilient Nonlinear Observer for Light-Emitting
Diode Optical Wireless Communication under Actuator Fault and
Noise Jamming: Optical wireless communication is emerging as a low-
power, low-cost, and high data rate alternative to acoustic and radio-
frequency communications in several short to medium-range
applications. However, it requires a close-to-line-of-sight link between
the transmitter and the receiver. Indeed, a severe misalignment can
lead to intolerable signal fades and can significantly degrade system
performance. Despite recent efforts to establish a line-of-sight (LOS)
between transmitter and receiver by improving system designs and
active alignment, maintaining a perfect LOS between the two sides
despite the robot’s mobility remain a challenging task for cooperative
autonomy. On the other hand, the optical wireless communication
system is often hampered by noise jamming on the optical
communication channel that reduces the system capacity of the
wireless optical mobile networks. Additionally, a situation of an
occurrence of actuator failures can occur due to malfunctions or high
instantaneous torques of the actuator mechanism flexible on the
receiver orientation. To address this problem, we propose a novel
extended state switched-gain discrete-time nonlinear observer to
simultaneously estimate the actuator fault and the optical
communication system’s state variables subject to noise jamming
attack. Furthermore, Lyapunov function-based analysis is used to
design the proposed unknown switched-gain input observer in each
piecewise monotonic region of the optical communication model
output functions and ensures global stability of the extended error
system. Numerical simulation results are then provided to demonstrate
the validity and effectiveness of the proposed extended switched-gain
state observer subject to noise jamming attack on the optical
communication link.
© The Author(s), under exclusive license to Springer Nature Switzerland AG 2022
M. Abbaszadeh, A. Zemouche (eds.), Security and Resilience in Cyber-Physical Systems
https://doi.org/10.1007/978-3-030-97166-3_2

2. Introduction to Cyber-Physical
Security and Resilience
Masoud Abbaszadeh1 and Ali Zemouche2
(1) GE Research, Niskayuna, NY, USA
(2) CRAN - Nancy Automatic Research Center IUT Henri Poincaré de
Longwy, University of Lorraine, Nancy, France

Masoud Abbaszadeh (Corresponding author)

Email: masoud@ualberta.net

Ali Zemouche
Email: ali.zemouche@univ-lorraine.fr

2.1 Introduction
Motivated by increasing demand for performance, availability,
efficiency, and resilience, several sectors including energy,
manufacturing, healthcare, and transportation have adopted latest
advances in controls, automation, communications, and monitoring in
the past decades, moving towards semi-autonomous or fully
autonomous systems in some cases. The resulting integration of
information, control, communication, and computation with physical
systems, demands new methodologies for detailed systematic and
modular analysis and synthesis of Cyber-Physical Systems (CPSs) as a
means to realize the desired performance metrics of efficiency,
sustainability, and safety (Dibaji et al. 2019). However, CPSs suffer from
extendable vulnerabilities that are beyond classical networked systems
due to the tight integration of cyber- and physical components.
Sophisticated and malicious cyber-attacks continue to emerge to
adversely impact CPS operation, resulting in performance degradation,
service interruption, and system failure. Cyber-physical security
provides a new line of defense at the physical domain layer (i.e., the
process level) in addition to the network Information Technology (IT)
and higher level Operational Technology (OT) solutions.
In the past few years, there has been tremendous research and
development efforts in cyber-physical security and resilience. The
forefront of these efforts is to develop theory and technology to detect
and localize cyber-attacks, identify attack types, estimate, and
reconstruct attacks, and to perform secure estimation and control
under attack. To this end, a variety of results have been proposed based
on both model-based and data-driven methodologies (Abbaszadeh
et al. 2018; Akowuah and Kong 2021; Alguttar et al. 2020; AlZubi et al.
2021; Ameli et al. 2018; An and Yang 2020; Ao et al. 2016; Azzam et al.
2021; Baniamerian et al. 2019; Brentan et al. 2017; Buason et al. 2019;
Cao et al. 2020; Chen et al. 2021, 2016; Có mbita et al. 2020; Dibaji et al.
2018; Ding et al. 2020a, b, 2021, 2018; Dutta et al. 2021; Fang et al.
2020; Farivar et al. 2019; Ferrari and Teixeira 2017; Fillatre et al. 2017;
Giraldo et al. 2018; Gu et al. 2020; Guan and Ge 2017; Han et al. 2021;
Hendrickx et al. 2014; Housh and Ohar 2018; Humayed and Luo 2015;
Humayed et al. 2017; Iwendi et al. 2021; Jahromi et al. 2021, 2019;
Junejo and Goh 2016; Khan et al. 2020; Kim et al. 2021; Kozik et al.
2018; Krishnamurthy et al. 2014; Kumar et al. 2022; Lee et al. 2014; Li
et al. 2021a, b, 2020; Loukas et al. 2019; Mestha et al. 2017; Narayanan
et al. 2021; Noorizadeh et al. 2021; Olowononi et al. 2020; Orumwense
and Abo-Al-Ez 2019; Paredes et al. 2021; Park et al. 2015, 2019;
Pasqualetti et al. 2013; Pirani et al. 2021; Roy and Dey 2021; Sahoo
et al. 2018; Semwal 2021; Shin et al. 2017; Su et al. 2020; Taheri et al.
2020; Tan et al. 2020; Teixeira et al. 2015; Tian et al. 2020; Tiwari et al.
2021; Tsiami and Makropoulos 2021; Valencia et al. 2019; Wang et al.
2021a, b, 2020; Wu et al. 2021; Xiong and Wu 2020; Yan et al. 2018,
2019; Ye et al. 2020; Zhang et al. 2021a, b, c, d, 2017; Zhang and Zhu
2020; Zhu et al. 2018).
Cyber-physical security technologies leverage dynamic models of
the closed-loop control systems through utilization of first-principle or
data-driven (e.g., system identification-based) modeling paradigms.
This, in addition to utilizing historical operational data, enables realistic
simulations of attack and fault scenarios, which, compared to normal
operation data, are usually rare in the field. This in turn, enables
utilization of both model-based and data-driven detectors, and in terms
of data-driven detectors, enables exploiting both supervised and
unsupervised machine learning approaches.

2.2 Cyber-Physical Security and Resilience

Functionality Overview
Cyber-physical security and resilience generally consists of the
following functionality modules:
Detection: Determines if an attack has happened.
Isolation: Determines what is under attack, in terms of sensor,
actuator, or control nodes. It may also provide foundations for early
warning generation at the system/subsystem/component level.
Identification: Determines severity and impact of the attack
(including attack type and magnitude), and backtracks the attack to
find its source through attack forensics. It may also separate the
source of the abnormality and distinguishes malicious attacks from
naturally occurring faults/failures.
Resilience: Maintains the integrity, operability, and availability of the
system by accommodating (mitigating) the attack through resilient
estimation and control, with/without a degraded performance (i.e.,
curtailment); or commands a controlled safe shutdown.
Figure 2.1 shows an example of a cyber-physical security system
functionality diagram with modules as described above. The detection
(and isolation) decisions may be made in one shot or in a two-step
process, in which a second decision algorithm resolves the gray zones
in the first decision. The system may be completely autonomous or
with a human in the loop, in which case the operator may be in the loop
for the whole process with the ability to override machine-made
decisions. The system may also provide visual and/or textual status
reports to the operator in real time through security user interfaces
such as a Security Information and Event Management (SIEM)
dashboard. Furthermore, to increase the decisions accuracy and speed,
the detection and isolation decisions may be taken in parallel and fused
with potential input from the operator.

Fig. 2.1 Cyber-physical security & resilience functionality diagram

Cyber-physical security goes beyond cyber-security, as it can
provide an additional layer of defence. Attack neutralization through
resilient estimation and control, helps providing the system with
capabilities to overcome damage and continue operation when sensors
or control signals are disrupted by adversarial threats.
Development of a cyber-physical security technology should follow
a design philosophy that includes three main aspects:
1. Scalability: This is itself two-fold (a) to be organically expandable
to large-scale systems, and (b) to be applicable to horizontal and
cross-domain applications with reasonable system
modeling/dataset generation, while the core algorithms and
architecture remaining domain-agnostic.
2. Robustness: Ability to perform in high performance (in terms of
requirements such as false positive and false negative rates, speed
of detection, etc.) in the presence of model uncertainty, data value
and label uncertainty, as well as system’s operational and
configuration/manufacturing variations.

3. Coherence: Having a unified architecture with modularity and

flexibility to identify essential and optional modules and to fit into
different application domains.

2.3 Cyber-Physical Security Versus Adjacent Fields

From the security perspective, cyber-physical security provides a new
layer of defence against cyber-attacks, complementing the existing
defence in the IT and higher level OT network security, and increasing
the overall security posture of systems via a defence-in-depth strategy
(Mosteiro-Sanchez et al. 2020). The focus of cyber-physical security is
on the impact of the attack on the physical behavior of the system as
opposed to monitoring data communications and network traffic.
Furthermore, the attack resilience capability maintains safe operation
and/or prevents system damage even at the presence of attacks which
may go stealthy and undetected by the IT/OT network-layer security
solutions. This increases the availability and integrity of the systems
under protection.

2.3.1 Cyber-Physical Security Versus Cyber-

Security
Although sounding similar, there are important distinctions between
cyber-security and cyber-physical security. The IT layer cyber-security
is concerned with data authenticity and integrity. Cyber-physical
security, on the other hand, addresses the availability and reliability, in
addition to the IT layer, and maintains system operability in an
operational technology (OT) environment, at the physical layer.
Therefore, mere access control, for example, does not help in the OT
layer, e.g., the industrial communication bus in Supervisory Control,
Data Acquisition (SCADA) systems or Distributed Control Systems
(DCS), and physical layers. For example, in a data-only IT layer, it is
possible to log out users or prevent their access to the network, but in
the OT layer, operators should never be log out of the system during an
emergency. Cyber-physical security complements IT and higher level
OT cyber-security. While cyber-security tries to prevent a cyber-attack
from happening at the first place, cyber-physical security comes into
play when an attacker has already bypassed the IT and higher level OT
layers, and thus, an attack has already happened. Furthermore, a cyber-
security solution detects an attack through anomalous activities in a
communication data network, while cyber-physical security detects an
attack by analyzing its impact on the physical behavior of the system.
Additionally, cyber-security detects network attacks only, while cyber-
physical security, due to its interaction with the physical world, can also
detect physical attacks. Finally, cyber-security is often based on static
analyses (in terms of system dynamics), while cyber-physical security is
essentially based on physical dynamics of the system.

2.3.2 Cyber-Physical Security Versus FDII

A fault is a natural cause, while a cyber-attack is a malicious cause,
often intelligently designed and targeted towards specific aspect(s) of a
system. A fault is due to a component/system natural malfunction.
Therefore, it is highly unlikely that multiple independent and unrelated
faults happen simultaneously. A multi-fault scenario is most often a
cascaded event started by a single fault. Fault Detection, Isolation, and
Identification (FDII) methods cannot detect and isolate multiple
simultaneous uncorrelated faults. A cyber-attack on the other hand, is
artificially designed and can target multiple places of a system or even
multiple systems as the same time without any system relations. Faults
usually happen in the sensors, actuators, or some other hardware
nodes, while a cyber-attack may happen in any hardware (e.g., sensor
or actuator) or software (e.g., inside controller) node. Software faults
are rare, especially in a certified code. For example, the probability of a
software fault in an airworthy code certified by DO-178 aviation
standard is less than (RTCA 2011). There is yet no certification
against a cyber-attack. FDI often works against a pre-determined set of
system faults, identified through tools such as fault tree analysis (FTA)
or Failure Mode and Effect Analysis (FMEA). A cyber-attack can very
much go beyond specified or even known system faults. A cyber-attack
can target or randomly activate a vulnerability even unknown to the
system designers. Furthermore, FDI cannot detect stealthy attacks that
keep the monitored signals within normal operational ranges.

2.3.3 Cyber-Physical Security Versus Prognostics

Prognostics concerns aspects like system ageing, estimation of the
remaining useful life (RUL), life optimization, condition monitoring, and
condition-based maintenance. These are all categorized under
industrial asset performance management (APM). Prognostics provides
a solution to the APM problem, which is quite different from what
cyber-physical security is all about. Due to its mission, prognostics
happens at time scales much slower than what is needed for cyber-
physical security. Fast response at the sampling rate of a real-time
controller, as needed in cyber-physical security and resilience, is simply
out of scope for prognostics. As a result, prognostics often uses steady-
state or quasi-steady-state models. Cyber-physical security, on the
other hand, often requires dynamic models of higher fidelity. In
summary, prognostics is often a tool for gaining more financial benefit
from an existing asset that would operate otherwise, anyway. However,
cyber-physical security and resilience is about maintaining system
operability at the first place, and therefore must enable the system to
withstand and respond to existential threats.

2.4 Attack Detection, Isolation, and Identification

In this section, we provide a survey of some of the main and latest
results on cyberattack detection, isolation, and identification for cyber-
physical systems.
A generic CPS architecture by considering the applications related
to secure industrial control system (ICS) to explain the cyber resilience
concepts is illustrated in Fig. 2.2, which is from the US DHS ICS-CERT
recommended practice for defense-in-depth strategies (Dakhnovich
et al. 2019; Homeland Security 2014), and based on the Purdue five-
level model (Dakhnovich et al. 2019). An ICS is a set of electronic
devices to monitor, control, and operate the behavior of interconnected
systems. ICSs receive data from remote sensors measuring process
variables, compare those values with desired values, and take
necessary actions to drive (through actuators) or control the system to
function at the required level of services (Galloway and Hancke 2013).
Industrial networks are composed of specialized components and
applications, such as programmable logic controllers (PLCs), SCADA
systems, and DCS. There are other components of ICS such as remote
terminal unit (RTU), intelligent electronic devices (IED), and phasor
measurement units (PMU). Those devices communicate with the
human–machine interface (HMI) located in the control network. With
the rise of 5G and industrial IoT, the ICS architecture is becoming even
more connected with lower level edge devices increasingly connected
to each other and to the cloud, hence, expanding the attack surface and
demanding for better cybersecurity solutions (Abosata et al. 2021).
This increased connectivity and reduced latency have also enabled
design of distributed architectures and distributed edge computing,
creating both cybersecurity opportunities and challenges.
Fig. 2.2 Secure ICS architecture.
Reproduced from (Dakhnovich et al. 2019), originally published under a CC BY
3.0 license, doi:​10.​1088/​1757-899X/​497/​1/​012006
 Cyber-attack detection is in general concerned with detecting a
malicious cyber-incident in a system, while cyber-attack isolation is
concerned with pinpointing specifics part(s) of the system that are
under attack, and trying to trace back the entry point(s), and the root
cause of the cyber-attack. Localizing the initial point(s) of cyber-
incident is both critical and hard, in the sense that the attack may cause
a series of cascaded events or propagate through the system, especially
in feedback control systems. For cyber-physical systems, attack
detection and isolation at the physical process level is based on
monitoring the process variables such as sensor measurements and
actuator commands in a control system. Several recent surveys on
attack detection and isolation are available, covering the space from
different perspectives and for different application domains including
for general CPS (Ding et al. 2018; Giraldo et al. 2018; Humayed et al.
2017; Li et al. 2020; Tan et al. 2020), ICS (Zhang et al. 2021d), smart
grid (Musleh et al. 2019; Peng et al. 2019), autonomous vehicles
(Chowdhury et al. 2020; Grigorescu et al. 2020; Loukas et al. 2019) and
energy systems (Orumwense and Abo-Al-Ez 2019).
Attack identification is concerned with providing additional insights
about the nature of the attack, identifying the type of the attack, impact
analysis and forensics (Long et al. 2005; Pasqualetti et al. 2013; Xuan
and Naghnaeian 2021). Another important aspect of attack
identification is to separate anomalies from novelties (e.g.,
environmental or operational changes) which can have process-level
impacts, and hence, may be detected by attack detectors, and to
distinguish cyber-attacks from naturally occurring faults or failures
(Anwar et al. 2015; Pan et al. 2015). Attack detection, isolation, and
identification (ADII) has similarities with FDII, but as mentioned
before, also has major differences, especially for detecting and locating
stealthy and coordinated attacks. Similar to other anomaly detection
paradigms, ADII algorithms face fundamental design trade-offs among
performance and robustness requirements such as false positive rate,
false negative rate, and speed of detection (Ding et al. 2018; Li et al.
2020; Zhang et al. 2021d). Many of ADII algorithms are passive in the
sense that they receive time-series data from sensors, actuators, and
controller, without altering the system. These methods may not be
effective against replay attacks. In a replay attack, the malware first
records healthy system data during the normal operation, then injects
malicious signals into sensors and/or actuators, while masking the
real-time data to be sent to the HMI and replaying the prerecorded
healthy data instead. Detection of replay attacks often requires active
methods. To address this, dynamic physical watermarking methods are
proposed (Porter et al. 2020; Satchidanandan and Kumar 2016, 2019).
In these methods, carefully designed watermark signals are injected
into the system on top of the control commands. The presence of the
expected watermark fingerprints in the outputs, determines whether
the system is uncompromised. These additional injections, however,
may affect the control performance or reduce the stability margins. So,
they need to be designed and implemented in a safe manner, through a
trade-off optimization between attack detectability and control
performance (Khazraei et al. 2017b, a).
The ADII algorithms may work stand-alone for monitoring and
alarm generation, or may work in conjunction with an automatic attack
mitigation and neutralization algorithm (Li et al. 2020; Mestha et al.
2017), or as part of a cyber-situational awareness system (Abbaszadeh
et al. 2018; Chang et al. 2017; Pö yhö nen et al. 2021. The ADII
techniques can be categorized into two main categories: (i) model-
based approaches and (ii) data-driven approaches. Next, we will
provide an overview of some of the latest results in each category.

2.4.1 Model-Based ADII

Model-Based ADII utilizes a system model in the detection, isolation,
and identification procedures. The model can be a simple encapsulation
of domain knowledge of the system operation such as in traditional
rule-based or expert systems, or can be a more formal dynamic system
model, such as a state space model, developed using first-principles or
system identification. Once such a model is available, an observer-
based method is often used for attack detection and isolation. The most
popular of such observers is the Kalman filter, providing an innovation
signal between the measured outputs and the predicted outputs by the
model. Detection and isolation procedures are mainly based on two
threshold mechanisms over the innovation signal: (i) the chi-square
distribution and (ii) the Cumulative Sum (CUSUM) (Ahmed et al. 2017;
Housh and Ohar 2018; Sridhar and Govindarasu 2014). The CUSUM
approach has the advantage to make a more robust decision based on a
weighted sequential sum of the innovation signal as opposed to its
instantaneous value, potentially reducing the false positives. However,
it may induce a time delay in detecting cyber-events. The attack
isolation is done mainly using two techniques, (i) a bank of observers
(such as Kalman filters) running in parallel, each designed to be
sensitive to a specific element of the innovation vector (Taheri et al.
2020; Ye et al. 2020; Zhang and Zhu 2020) and (ii) a hierarchical
approach in which a hierarchy of detectors is designed to zoom in from
the top system level into specific subsystems, components, or
sensors/actuaros in a top-down manner (Karimipour and Leung 2019;
Li et al. 2021a). Model-based attack identification mainly relies upon
modeling different attack types and scenarios, and exploiting those
attack models along with the system model (Azzam et al. 2021; Li et al.
2020; Park et al. 2019; Teixeira et al. 2015).

2.4.2 Data-Driven ADII

Many attacks detection algorithms available in the literature root back
to fault detection techniques. Indeed, from the physical process
perspective, cyber-attacks can be viewed as intelligent disturbances,
which can affect the system in a malicious manner. To solve complex
architectures of cyber-physical attacks, it is necessary to go beyond the
traditional methods resulting from fault diagnosis. Novel and intelligent
techniques are needed to deal with malicious attacks that appear
nonlinearly in mathematical models. To this end, to avoid the need of
conservative mathematical conditions, merging learning-based
algorithms with standard control theory based techniques is gaining a
lot of interest as a promising hybrid approach and a compelling
solution.
In recent years, machine learning and deep learning methods have
become popular in ADII Zhang et al. (2021c), Narayanan et al. (2021).
Recent results for ICS and CPS include classification using statistical
machine learning (Ameli et al. 2018; Lee et al. 2014), deep neural
networks (Jahromi et al. 2021, 2019; Lee et al. 2014; Yan et al. 2018;
Zhu et al. 2018), and pattern recognition (Brentan et al. 2017).
Distributed machine learning methods are also proposed for large-scale
systems including in IoT and edge computing (Guan and Ge 2017; Kozik
et al. 2018). A challenge for adopting AI/ML techniques for CPS ADII is
how to obtain the right training data sets, specially for supervised
learning methods, and in particular for two-class learning, in which
both normal and abnormal samples are required. To overcome this
challenge, some researchers have proposed unsupervised learning
methods, where no labeled data are required (Jahromi et al. 2019;
Tiwari et al. 2021). Unsupervised machine learning methods have also
been used in the past in anomaly and intrusion detection in
communication and computer networks. However, these approaches
need to go through an initial learning phase, often in-field, during which
they tend to have a large false alarm rate. Their final accuracy is also
often lower than those achieved by supervised learning methods. The
alternative approach is to generate synthetic training data using a
simulation platform of the system. To this end, digital twins have
become a powerful tools to conduct controlled simulations, and to
generate labeled data samples of both normal and abnormal classes,
both for training and validation of the machine learning models
(Abbaszadeh et al. 2018; Mestha et al. 2017; Yan et al. 2018). Digital
twin simulations can be used together with available historical field
data to address class imbalance (caused due to scarcity of abnormal
data in the field), and also to generate data for complete coverage of
normal operational and environmental conditions. Furthermore,
intelligently designed experiments for digital twin simulations can
reduce the need for large training datasets (Abbaszadeh et al. 2018; Yan
et al. 2019).
Machine learning algorithms used for ADII are themselves
susceptible to cyber-attacks, and hence, need to be secured via
hardware and software protections. Robust and adversarial machine
learning are active fields of research addressing the security and
resilience of machine learning algorithms. A survey on secure and
resilient machine learning for CPS security is given in (Olowononi et al.
2020). Besides, in order to be adopted in safety-critical and mission-
critical systems, machine learning algorithms must exhibit
trustworthiness, which includes certain level of explainability in a
human-readable fashion. The explainability can, for example, include
providing physical insights, outputting decision factors and their
contributions to the overall decision, and giving decision confidence
scores based on conformal prediction methods.

2.5 Attack Resilience

In this section, we provide an introduction to the notion of resilience,
and a survey of some of the main results. Then in Sects. 2.6 and 2.7, we
will cover some of the latest results on two major approaches towards
achieving resilience for cyber-physical systems, namely, resilient
estimation and resilient control.
Real-world attacks on control systems have in fact occurred in the
past decade and have in some cases caused significant damage to the
targeted physical processes. One of the most popular examples is the
attack on Maroochy Shire Council’s sewage control system in
Queensland, Australia, that happened in January 2000 Cardenas et al.
(2008), Slay and Miller (2007). In this incident, an attacker managed to
hack into some controllers that activate and deactivate valves causing
flooding of the grounds of a hotel, a park, and a river with a million
liters of sewage (Cardenas et al. 2008). Another well-known example of
an attack launched on physical systems is the Stuxnet virus that
targeted Siemens’ supervisory control on an Iranian uranium
enrichment plant targeting a commercially available PLC. Operating
under a narrow set of conditions, the attackers were able to ensure the
attack reached its intended recipient with limited fallout. They inserted
a malware which would lie dormant in the system and go
undetected (Falliere et al. 2018). This shows that even air-gapped
systems are susceptible to cyber-espionage and -attack.
Given that the end-goal of CPS is a reliable and safe functioning at all
times, cyber-physical resilience of CPS is a necessary requirement. It
corresponds to the ability to withstand high-impact disturbances,
which may occur due to either physical outages or cyber-causes, and to
continue to deliver acceptable performance even under attack.
The term resilience is being discussed increasingly in the context of
CPS lately, ranging from transportation (Ip and Wang 2011),
power (Albasrawi et al. 2014; Zhu and Basar 2011), control
systems (Rieger et al. 2009, 2013; Zhu and Basar 2011) as well as other
types of systems such as ecological (Holling 1996, 1973) and
biological (Kitano 2004). Resilience is often discussed concomitantly
with other system-oriented notions such as robustness, reliability, and
stability (Levin and Lubchenco 2008) and quite often used
interchangeably with the term robustness. We argue however that
these two terms are distinct. The reason is that resilience and
robustness characterize fundamentally different system properties. The
term robustness applies in the context of small bounded disturbances
while resilience, in the context of extreme high-impact disturbances.
Resilience of a CPS with respect to a class of extreme and high-impact
disturbances, is the property that characterizes its ability to withstand
and recover from this particular class of disturbances by being allowed
to temporarily transit to a state where its performance is significantly
degraded and returning within acceptable time to a state where certain
minimal but critical performance criteria are met (Baros et al. 2017).
The National Academy of Sciences (NAS) (Cutter et al. 2013) defined
resilience as the ability to prepare and plan for, absorb, recover from, or
more successfully adapt to actual or potential adverse events. The
authors in Linkov et al. (2013) used the resilience definition provided
by NAS to define a set of resilience metrics spread over four operational
domains: physical, information, cognitive, and social. In another
work (Linkov et al. 2013), the authors applied the previous resilience
framework by Linkov et al. (2013) to develop and organize useful
resilience metrics for cyber-systems. In Bruneau et al. (2003), the
authors have proposed a conceptual framework initially to define
seismic resilience, and later in Tierney and Bruneau (2007) the R4
framework for disaster resilience is introduced. It comprises
robustness (ability of systems to function under degraded
performance), redundancy (identification of substitute elements that
satisfy functional requirements in event of significant performance
degradation), resourcefulness (initiate solutions by identifying
resources based on prioritization of problems), and rapidity (ability to
restore functionality in timely fashion).
The design of control and estimation algorithms that are resilient
against faults and failures is certainly not a new problem. In fault-
detection and identification Massoumnia et al. (1989), Blanke et al.
(2006), the objective is to detect if one or more of the components of a
system has failed. Traditionally, this is done by comparing the
measurements of the sensors with an analytical model of the system
and by forming the so-called residual signal. This residual signal is then
analyzed (e.g., using signal processing techniques) in order to
determine if a fault has occurred, however, in such algorithms there is
in general one residual signal per failure mode and in some problems
formulations, the number of failure modes can be very large and one
cannot afford to generate and analyze a residual signal for each possible
failure mode Fawzi et al. (2014).
In another area, namely robust control (Zhou and Doyle 1998), one
seeks to design control methods that are robust against disturbances in
the model. However, these disturbances are mainly treated as natural
disturbances to the system and are assumed to be bounded. This does
not apply in the context of security since the disturbances will typically
be adversarial and therefore cannot be assumed bounded which is also
the case in stochastic control and estimation, where the disturbances
are assumed to follow a certain probabilistic model, which we cannot
adopt for CPSs.
Resilient or secure state estimation and control constitute effective
and promising means for addressing various security-related issues of
CPSs. The main objective is to keep an acceptable performance level of
the CPS by resorting to different security countermeasures, including
attack attenuation and mitigation, isolation, detection, and
compensation. When an attack occurs, the developed secure
estimation/control mechanisms possess certain capabilities to mitigate
or counteract attack effects, or prevent CPSs from severe performance
degradation and loss, or allow the system designers to make
corrections and recover the system from any unsafe operation (Ding
et al. 2020a).
Recently, there are several survey papers of security-oriented CPSs.
For example, the recent progress of secure communication and control
of smart grids under malicious cyber-attacks is reviewed in Peng et al.
(2019), where different attack models and effects as well as security
strategies are reviewed from IT protection and secure control-theoretic
perspectives. A summary of detection methods of false data injection
(FDI) attacks on smart grids is made in Musleh et al. (2019). The
existing FDI attack detection algorithms in smart grids are classified
into model-based types and data-driven types. From a systems and
control perspective, the CPS security issue is evaluated in Dibaji et al.
(2019), where some latest systems and control methods are reviewed
and classified into prevention, resilience, detection, and isolation. An
overview of security control and attack detection for industrial CPSs is
conducted in Ding et al. (2018). An intensive discussion of adversarial
attacks and their defenses is provided in Li et al. (2020) for sensor-
based CPSs in the field of computer vision. Emerging techniques
improving the safety and security of CPSs and IoT systems are surveyed
in Wolf and Serpanos (2017) from two aspects: (1) design time
techniques verifying properties of subsystems and (2) runtime
mechanisms helpful against both failures and attacks.

2.6 Resilient Estimation

This section is devoted to a general state of the art on available resilient
and secure estimation algorithms in cyber-physical systems. Before
recalling existing estimation methods, we give a general introduction to
emphasize the importance of resilient and secure estimation, and
explain what the software sensors have to face to ensure resilience and
security of the estimation. State estimation plays an important role in
better understanding the real-time dynamics of CPSs and executing
some specific control tasks. These states can be reconstructed based on
only measured yet possibly corrupted information from sensors.
Different from traditional control systems, the tight integration of
physical and cyber-components, and the occurrence of various
malicious attacks pose nontrivial challenges to the performance
analysis and the design of state estimators or filters. Vulnerability of
cyber-physical systems may come from two kind of malicious attacks,
namely cyber-attacks and physical attacks:
Cyber-attacks: Cyber-attacks occur on the cyber-variables of the
system. They may be due to a software virus or to a corruption in
communication channels. The well-known Stuxnet malware is one of
the relevant examples of cyber-attacks Mishra et al. (2016), Ferrari
and Teixeira (2021, Chap. 7). The attackers exploited vulnerabilities
of the system such as those running over SCADA devices (Fig. 2.2) to
for example, inject false data in the sensor measurements gathered
by the SCADA system.
 Physical attacks: Physical attacks (also called kinetic attacks) are
intentional offensive actions which aim to get unauthorised access to
physical assets such as infrastructure, hardware, or interconnection.
Sensors are among the devices most exposed to this type of attack.
This will have a direct and significant impact on any estimation
algorithm using measurements issued from such sensors because, in
addition to susceptible manipulations on the cyber-layer, sensor
readings rely on physical layer properties that can be
manipulated (Taormina et al. 2016). Examples of physical attacks
include manipulating gyroscopes used to stabilize drones during
formation flights, spoofing LiDAR sensors used in autonomous
driving, manually deactivating the pump to disconnect the network
from the reservoir in modern water distribution systems, and
spoofing magnetic sensors used in several applications, like anti-lock
braking systems in automotive.
In the following, we classify some existing secure state estimation
approaches according to performance indicators and defense strategies
against cyber-attacks.

2.6.1 State of the Art on Resilient and Secure

Estimation: A Glimpse on Existing Methods
This section is dedicated to a short but complete overview of existing
secure and resilient estimation methods. The overview is shared into
two categories (Ding et al. 2020a), namely statistical methods and
Lyapunov stability-based techniques.

2.6.1.1 Resilient Estimation Based on Statistical

Methods
The statistical-based state estimation aims to select appropriate gain
parameters to minimize estimation error variance, hence, the
structured information of cyber-attacks, such as statistical information
or boundedness information, is assumed to be known. Following this
idea, the main focus is then placed on disclosing or offsetting the
undesirable impact from compromised data generated by malicious
attacks (Ding et al. 2020a. In Ma et al. (2017), an algorithm of variance-
constrained filtering over sensor networks is proposed for discrete
time-varying stochastic systems and by resorting to the recursive linear
matrix inequality approach, a sufficient condition is established for the
existence of the desired filter satisfying the pre-specified requirements
on the estimation error variance. In the framework of Kalman filtering,
a distributed filter with double gains is designed in Ding et al. (2017)
which can be regarded as two weight matrices reflecting the different
confidence levels of the information from itself and from neighboring
nodes.
Estimators or filters can be integrated in some detection
mechanisms to remove the compromised data generated by malicious
attacks as much as possible. Benefiting from their favorable statistical
characteristics, detector and its variants are widely adopted. In light
of such a detection rule, a critical attack probability is analyzed in Yang
et al. (2019) where it is shown that when the considered probability is
bigger than some critical value, the steady-state solution of estimation
error covariance could exceed a preset value.
It is worth noting that the estimation performance can be properly
warranted if the corrupted sensor is accurately detected and effectively
isolated. For example, in Mishra et al. (2016) they have estimated the
state of a noisy linear dynamical system when an unknown subset of
sensors is arbitrarily corrupted by an adversary. They have proposed a
secure state estimation algorithm, and derived optimal bounds on the
achievable state estimation error given an upper bound on the number
of attacked sensors. The proposed state estimator involves Kalman
filters operating over subsets of sensors to search for a sensor subset
which is reliable for state estimation. When the attack subset is
properly identified, the performance of the developed algorithm does
not exceed the one by the worst-case Kalman estimation. The optimal
secure estimation is pursued in Shoukry et al. (2017) for attacks
without restrictions on their statistical properties, boundedness, and
time evolution in comparison with the sparse attacks. They have
presented a novel algorithm that uses a satisfiability modulo theory
approach to harness the complexity of secure state estimation.

2.6.1.2 Lyapunov Theory-Based Methods

Inspired by its mature approaches, an analysis of vulnerabilities of
cyber-physical systems in the face of unforeseen failures and external
attacks has received increasing attention in the recent years and some
preliminary results have been published in literature, see, for
instance, Ao et al. (2016), Pasqualetti et al. (2013). In Pasqualetti et al.
(2013), the authors have characterized fundamental monitoring
limitations from system-theoretic and graph-theoretic perspectives and
a Luenberger-type detection filter is designed. Similarly, detectability of
attacks is explored in Ao et al. (2016) in which detectability of attacks
based on linear system theory is explored and some sufficient
conditions of detecting state attacks and sensor attacks are established.
Then, two adaptive sliding mode observers with online parameter
estimation are designed to estimate state attacks and sensor attacks
with uniformly bounded errors. A co-estimation of system states and
attacks inspiration from fault-tolerant state reconstruction, as an
alternative scheme, is investigated in Amin et al. (2012), Shoukry and
Tabuada (2015). For instance, a scheme based on an unknown input
observer is developed in Amin et al. (2012) to estimate the states of
SCADA systems subject to stealthy deception attacks. In Fawzi et al.
(2014), the secure state estimation problem is transformed into the
solvability of an optimization issue and an optimization issue
in Liu et al. (2016), or the performance analysis problem of , , and
systems in Nakahira and Mo (2018) by virtue of the classical
robust control, and fault detection and isolation methods.
Employing some artificial saturation constraint on state estimators
is regarded as a promising security measure for constraining attacker
capability and mitigating the impulsive outlier-like effects of cyber-
attacks by attenuating the effects of these attack-incurred abnormal
measurements using estimators with some saturated output rejection.
For example, a saturated innovation update scheme is adopted in Chen
et al. (2018) for distributed state estimators with an adaptive threshold
of the saturation level, and in Sun et al. (2021) for stochastic nonlinear
systems with a sector bounded condition on the saturation constraint.
In Xie and Yang (2018), a saturated innovation scheme with an adaptive
gain coefficient and a mode switch mechanism is developed, where the
mismatched unknown inputs are suppressed by resorting to the well-
known -gain attenuation property. Dynamic saturations with an
adaptive rule are further developed in Alessandri and Zaccarian
(2018); Casadei et al. (2019). It is noted that dynamic saturations with
adaptive saturation levels enjoy more flexible attack attenuation
capability and less estimation performance degradation.

2.7 Resilient Control

Besides the resilient state estimation above, CPSs also need to mitigate
the threat from secret attackers via various control strategies.
Compared with other control applications, security control techniques
for CPSs are yet in their infancy, and few results can be found in
literature Ding et al. (2018). There are two main lines of research on
secure control for CPSs under cyber-attacks, which are categorized as
attack-tolerant control and attack-compensated control. The first
category focuses on the design of a suitable control policy/law to
tolerate unpredictable anomalies caused by attacks (Zhao et al. 2019).
In Zhao et al. (2019), a novel observer-based PID controller is
proposed and sufficient conditions are derived under which the
exponentially mean square input-to-state stability is guaranteed and
the desired security level is then achieved. An emphasis is then placed
on examining the prescribed tolerance capability or pursuing the
maximal tolerance capability for the controlled system, allowing further
intervention actions to be made from the system designers. The second
category deals with the design of preferable compensation schemes to
prevent the system performance and stability from severe deterioration
or even becoming unstable. For this purpose, it is essential to
implement appropriate attack detection mechanisms to identify and
locate the occurrence of cyber-attacks. With respect to networked
control systems subject to various cyber-attacks, some preliminary and
interesting results can be found in Dolk et al. (2016); Long et al. (2005);
Zhang et al. (2016) for DoS attacks, in Amin et al. (2012), Ding et al.
(2016a), Dolk et al. (2016), Ding et al. (2016b), Pang and Liu (2011),
Pang et al. (2016) for deception attacks, and in Lee et al. (2014); Zhu
and Martinez (2013) for replay attacks. The latest development of
secure control is evaluated from three aspects: (1) centralized secure
control; (2) distributed secure control; and (3) resource-aware secure
control.

2.7.1 Centralized Secure Control

Another random document with
no related content on Scribd:
by ministerial bounty. She still claimed the restoration of her name to
the Liturgy, and a revenue becoming her recognised rank as Queen-
consort.
In the meantime she publicly partook of the Holy Communion at
the parish church of Hammersmith, a proceeding which many
persons considered as a new protestation of her innocence. The
admirers of coincidences affected to have found a remarkable one in
the first lesson for the day, on this occasion (Isaiah lix.); and
particularly in the verse which declares that ‘Judgment is turned
away backward, and justice standeth afar off, for truth is fallen into
the street, and equity cannot enter.’ This was considered as
applicable to the Queen’s case, but, as its applicability presented
itself in a double sense, every one construed it as he thought best.
Caroline’s next step was to proceed to St. Paul’s in solemn,
public array, to return thanks for her escape from the meshes
constructed for her by her enemies. Due notice was given of her
Majesty’s intention and object to the Cathedral authorities, and the
day appointed by her was the 29th of November. The intimation
excited in those authorities neither admiration nor respect. Even the
dean, the mild and virtuous Van Mildert, seemed to think that it was
highly unbecoming in the Queen to be grateful for the dispensations
of Heaven. The whole chapter thought, or were taught to think, that
there was no greater nuisance upon earth than for this woman to
come to St. Paul’s and thank God that he had not allowed her
enemies to prevail over her. Those who may have any doubt as to
these being the capitular sentiments are referred to the ‘Life of Lord
Sidmouth,’ by Dean Pellew, who records with emphatic approval
what the good, but mistaken, Van Mildert very uncharitably said and
did upon the occasion.
The Corporation of London were anxious to facilitate the
Queen’s object; the Chapter of St. Paul’s, under pressure from very
high authority without, resolved to do all they could to impede it.
They determined that nothing should be changed in the ordinary
service; that the Queen’s presence or purpose should in no way be
recognised; that the doors should be thrown open to the rush of
Queen and canaille indiscriminately; and that the mayor and
corporation should be held responsible for the safety of the
Cathedral.
The chief magistrate and his council soon, however, brought the
chapter to a more proper sense of seemliness. The latter body
indeed would not yield on any really ecclesiastical point; but they
agreed that certain arrangements might be made by the mayor and
his corporate brothers for the better maintenance of the decorum,
dignity, and decency becoming so solemn an occasion.
The dean was satisfied that the unwashed artisans—the unclean
public generally—would make of the day a ‘saturnalia,’ a festival of
obscene desecration. The public, it is to be hoped, pleasingly
surprised him. It generally comports itself with propriety when it
descends in countless masses into the streets to form a portion of
the solemnity, partly actors, partly spectators, on great occasions.
The people never behaved with more decency than they did on this
day.
The circumstance was really solemn, but there were matters
about it that robbed it of some of its solemnity. It was solemn to see
a Queen proceeding alone, as it may be said, but through myriads of
people, to acknowledge publicly the mercies of Heaven. Lady Anne
Hamilton was her solitary female English attendant; but every
woman who witnessed her progress either praised or pitied her that
day. Her ‘procession’ was made up of very slender material, though
all her court followed her in the person of Mr. Vice-Chamberlain
Craven. This little company, however, was swollen by numerous
additions on the way; members of parliament, among others, Sir
Robert Wilson, Mr. Hume, and Mr. John Cam Hobhouse, lent some
dignity by their presence. Horsemen fell into the line, vehicles of
every degree took up their following, and the ‘trades’ marshalled
themselves, either in joining the march or drawing up to greet the
pious Queen as she passed upon her way. Among these, perhaps,
the solemnity most suffered. Some very ill-favoured individuals
shouted for her Majesty beneath banners which declared, ‘Thus shall
it be done to the woman whom the people delight to honour.’ The
braziers added a joke to the occasion by raising a flag over their
position at the end of Bridge Street, on which it was recorded that
‘The Queen’s Guards are Men of Metal.’
With the addition of the ordinary civic pomp the Queen arrived at
the Cathedral, where she was received with affectionate respect by
her friends, and with some show of courtesy by the ecclesiastical
authorities, who had wiled away the time previous to her arrival by
squabbling rather too loudly for the place and occasion with the
corporation present.
The usual service was then proceeded with, and again the
coincidence hunters sought for their favourite spoil. They found
abundance of what they desired in the hundred-and-fortieth and the
following psalms. But of these the phrases cut both ways, and
perhaps there was no passage more personally applicable to the
Queen, and some of those friends less in deed than in word, than
where it is written, ‘Oh let not my heart be inclined to any evil thing;
let me not be occupied in ungodly works with the men that work
wickedness, lest I eat such things as please them. Let the righteous
rather smite me friendly, and reprove me. But let not their precious
balsam break my head; yea, I will pray yet against their wickedness.’
No especial form of thanksgiving was made use of in her Majesty’s
name, but this was not needed. It was, however, imperative upon the
clergy officiating to read the parenthetical clause in the General
Thanksgiving prayer, which has immediate reference to the
individual who desires to make an offering of human gratitude to
God. This clause, however, was omitted! The Queen-consort of
England was upon her knees upon the floor of the Cathedral, but the
officiating minister virtually looked up to Him, and standing between
Caroline and her Creator, exclaimed, ‘Lord, she is not here!’ The
omission of the clause was tantamount to this. The people behaved
better than the priests on that day; and yet it was one on which the
priests might have found occasion to give valuable instruction to the
people. Those of St. Paul’s mistook their mission on the day in
question.
This spiritual matter ended, the temporal welfare of the Queen
had to be looked to. If she could have existed upon good wishes,
she would have been wealthy, for never did congratulatory
addresses pour in upon her as at the end of this year and the
beginning of that which followed. But she needed something more
substantial than good wishes, and the King himself acknowledged as
much in a speech from the throne, delivered on the re-opening of
parliament in January, 1821. His Majesty recommended that a
separate provision should be made for the Queen-consort. She
instantly declared her refusal of any provision that was not
accompanied by the restoration of her name in the Liturgy. The
condition was peremptorily declined by the government, and the
income of 50,000l. a year was then accepted by the Queen. In this
step she disappointed numberless friends, who would not have
contributed a farthing to her maintenance. But stern necessity broke
the pride of the poor lady, who was beginning to feel that a banker
without ‘effects’ for her use was a worse thing than a Liturgy without
her name. Her increased revenue enabled her to bear the expenses
of a town establishment, which she now formed at Cambridge
House, South Audley Street, but her favourite residence was still that
on the banks of the Thames.
Early in May, 1821, the ceremony of the King’s coronation began
to be spoken of as an event that was about to take place. Caroline
did not forget that she was Queen-consort. She immediately
addressed Lord Liverpool, claiming to take part in the ceremony. The
claim was made literally in these words:—‘The Queen, from
circumstances, being obliged to remain in England, she requests of
the King will be pleased to command those ladies of the first rank his
Majesty may think the most proper in the realm to attend the Queen
on the day of the Coronation, of which her Majesty is informed is
now fixed, and also to name such ladies which will be required to
bear her Majesty’s train on that day. The Queen, being particularly
anxious to submit to the good taste of his Majesty, most earnestly
entreats the King to inform the Queen in what dress the King wishes
the Queen to appear in on that day at the Coronation.’ The premier
replied that, as his Majesty had determined that the Queen should
form no part of the ceremonial of the coronation, it was his royal
pleasure that she should not even attend the ceremony itself. Ever
active when she could inflict annoyance on the King by claiming
what she very well knew he would never concede, she succeeded in
obtaining a hearing for her legal advisers in her behalf before the
Privy Council. They served her to the best of their ability, but in truth
they had no right upon their side, and the arguments which they
raised to prove what could not be demonstrated fell down as rapidly
as they were constructed. Mr. Brougham deduced a presumed right
from a curious fact, from a circumstance of a law being passed in the
year 784 excluding Queen Adelberga from the ceremony of being
crowned Queen of the West Saxons, because she had murdered a
former husband. The most early instance in which the title of Queen
is given to a wife of a King of Wessex in any contemporary
document occurs in the reign of Edmund, a.d. 945. The West
Saxons, it will be remembered, had well-nigh dethroned Ethelwolf for
crowning his wife Judith, on the ground that by so doing he had
violated the laws of the West Saxons, made by them on the death of
their King Bertric. ‘It has been supposed,’ says Lingard, in his History
of the Anglo-Saxon Church, ‘that Queens were crowned, because in
some MSS. the order for the coronation of a Queen follows that for
the coronation of a King; but this proves only that both orders were
contained in the original from which the copy was made.’ The same
writer also states that the little Queen Judith was so beloved that the
people ultimately acquiesced in her coronation without a murmur. Mr.
Brougham never pleaded a cause more unsuccessfully than on this
day. Mr. Denman, the Queen’s solicitor-general, was, if not more
successful, at least infinitely more reasonable. He grounded his
application upon the simple and incontrovertible fact, that the Queen
was in so unfortunate a position as to be unable to waive any right
she considered she possessed without being exposed to the most
injurious imputations. ‘He begged to impress upon their lordships, as
well as upon the country, that the claim of his illustrious client was
put forth in self-defence, because her Majesty could not forego that
claim without hazarding her reputation or sacrificing her honour,
which, to her, was dearer than life itself.’
The King’s attorney-general showed that, if claim there were, it
rested solely on usage, and that here the law of usage was without
application, as a coronation of a Queen-consort was not a right, but
a mere favour conferred by the King. The Queen, in short, could no
more demand her own coronation than she could that of the King.
The Privy Council made a report accordingly; it was approved by the
King, and a copy was transmitted to Viscount Hood. The purport of it
was—that, as the queens consort of this realm are not entitled of
right to be crowned at any time, it followed that her Majesty Queen
Caroline was not entitled as of right to be crowned at the time
specified in her Majesty’s memorial. The conclusion was
disagreeable, but it was inevitable. They who thought, however, that
it would silence the Queen for ever, were much mistaken. If she
could not form a part of the ceremony, she could mar it by her
presence; and this she resolved to effect. An announcement was
made to Lord Sidmouth of the Queen’s intention to be present at the
coronation on the 19th of July, and she demanded that a suitable
place might be appointed for her accordingly. The noble lord, in a
letter commencing ‘Madam,’ and terminating without the signature of
the writer, informs the Queen that it was not his Majesty’s intention to
comply with the application contained in her letter.
The Queen was none the less bent upon appearing in the Abbey,
and due notification of the fact was made to the Duke of Norfolk, as
earl marshal of England, with the request added that his grace would
order persons to be in attendance to conduct the Queen to her seat.
The earl marshal transmitted the letter containing the notification and
request to Lord Howard of Effingham, who was the ‘acting earl
marshal’ on the day in question, and that official ‘made his humble
representations to her Majesty of the impossibility, under existing
circumstances, of his having the honour of obeying her Majesty’s
commands.’ Her Majesty, however, was not so easily got rid of. She
now addressed a note to the Archbishop of Canterbury, informing
him of her desire to be crowned, some day after the King, and before
the arrangements for the previous ceremony had been done away
with. The lord primate humbly replied that he was the King’s servant,
and was ready to obey any commands that he might receive from his
royal master. Thus foiled once more, the Queen issued a protest
against the proceedings. This document was drawn up by the law-
advisers of her Majesty. It re-asserted that the Queen could claim as
of right to be crowned, and yet it admitted that there had been cases
in which the exercise of the right ‘was from necessity suspended, or
from motives of policy checked;’ and though perhaps not in the
sense in which it was understood by the Queen’s council, the King
now saw that there was a ‘necessity’ for the suspension of the right
claimed, and that there were ‘motives of policy,’ as well as of
personal feeling, for declining to authorise the exercise of it. The
protest was addressed to the King, from whom, says the royal
protester, ‘the Queen has experienced only the bitter disappointment
of every hope she had indulged;’ but—and it was in such phrases
she was made to represent the nation as hostile against the King
—‘in the attachment of the people she has found that powerful and
decided protection which has ever been her ready support and
unfailing consolation.’
Her Majesty’s legal advisers supposed, at least they hoped, that
she had now done enough for her dignity, and that with this protest
would end all further prosecution of a matter which could not be
carried further without much peril to that dignity and to her self-
respect. But even they did not know of what metal she was made.
On the coronation day she was up with the dawn, determined to
penetrate into the Abbey, or resolved to test the popular attachment,
the powerful and decided protection of the people, the ready support
of the public, of which she boasted in her last protest, and see if,
upon one or other of these visionary essences, she could not be
borne to the end which she ardently desired. Her health had already
begun to suffer from the effects of the unsettled and agitated career
through which she had passed, but her resolution was above all
thoughts of health. She was like the sick gladiator, determined to
stand in the arena, trusting to the chance of striking an effective blow
and yet almost assured that defeat was certain.
At six o’clock in the morning, the poor Queen, in a carriage
drawn by six horses, and with Lord and Lady Hood and Lady Anne
Hamilton in attendance upon her, proceeded down to Westminster.
The acclamations of the people hailed her on her way, and she
reached the front of Westminster Hall without obstruction. If many a
shout here welcomed her as she descended from her carriage, there
was something like fear, too, in many a breast, lest the incident,
peaceful as it seemed, should not end peacefully. After some
hesitation, Caroline, attended as above mentioned, advanced to the
doors of the Hall, amid much confusion, both of people and soldiery
—the first were eager to witness the result, the second were
uncertain how to act, and their leaders appeared as uncertain how to
direct them. The officer on guard respectfully declined allowing her to
pass, even though she were, as she said, Queen of England. He
could only obey his orders, and they were to this effect: to give
passage to no one whatever who was not the bearer of a ticket. The
Queen turned away, disappointed, proceeded on foot to other doors,
and encountered only similar results. It was a pitiable sight to see
her, hurrying along the platform by which her husband was presently
to march in gorgeous array, seeking for permission to pass the way
she would go, ejected alike wherever she made the application,
forced back in one direction by officers in authority, and turned off the
platform, not roughly, but yet turned off, by the common men; and
not an arm of the multitude, upon whose aid she reckoned, was
raised to help her to her end. They pitied her, perhaps, but as her
presence there promised to mar the splendour of which they hoped
to be spectators, they wished she were gone, and rather tolerated
than encouraged her.
Never was Queen cast so low as she, when, flurried, fevered,
now in tears and now hysterically laughing, she stood at the door of
the Abbey haggling with the official who acted as porter, and striving
to force or win her way into the interior. The chief of the ‘door-
keepers’ demanded to see her ticket, but Lord Hood claimed
exemption for her on account of her recognised rank: the door-
keeper would not recognise the claim. ‘This is your Queen!’ said
Lord Hood. ‘Yes, I am your Queen; will you admit me?’ The assertion
and the request were repeatedly made, but always with the same
effect. No passage could be given without the indispensable ticket.
Lord Hood possessed one, and the Queen appeared for a moment
inclined to pass in with that. But her heart failed her, and, half-
laughing, to hide perhaps what she could not conceal, her half-
crying, she declined to go in without her ladies. Finally, a superior
officer appeared, and respectfully intimated that no preparations
whatever had been made for the accommodation of her Majesty;
upon which, after looking around her, as if searching for suggestions
or help from the people, and finding no encouragement, she
assented to Lord Hood’s proposition, that it were better for her to
enter her carriage and return home.
She had dared the hazard of the die: the cast had been
unfortunate. She, for the first time, felt degraded, and she withdrew,
still, like the gladiator from the arena, conscious of bearing the
wound of which death must ultimately and speedily come.
Meanwhile, let us tarry for a moment at the Hall and the Abbey. It
is not likely that England will ever again behold such a scene of
coronation splendour as that of George IV., and it is quite certain that
England would not care to do so. The national taste does not merely
regulate itself by the national purse, but by general principle; and it is
an incontrovertible fact, that the outlay of millions for the crowning of
one man involves the violation of a principle which the nation desires
to see respected.
Never did sovereign labour as George IV. laboured to give éclat
to the entire ceremony. He passed days and nights with his familiar
friends in discussing questions of dress, colours, fashions, and
effects. His own costume was to him a subject of intense anxiety,
and when his costly habits were completed, so desirous was he to
witness their effect that, according to the gossip of the day, a court-
gossip which was not groundless, his Majesty had one of his own
servants attired in the royal garments, and the King contemplated
with considerable satisfaction the sight of a menial pacing up and
down the room in the monarch’s garb. The man did his office with as
much mock gravity as the dramatic King, Mr. Elliston, when he
showered tipsy benedictions upon the public as he crossed the
platform over the pit of Drury Lane.
But it is true in real things as it is in tragedies, that ‘the King’ is
not necessarily the principal character. Even in a ballet the sovereign
is less cared for than the chief dancer who cuts entrechats in his
presence. So at the coronation festival of George IV., although he
was first in rank and as princely as any in bearing, he was very far
from being the first in consequence or the foremost man in the
people’s love. This matter is admirably put by Mr. Rush, the
American ambassador to our court, who witnessed the ceremony,
and made a very nice distinction as to the true position of the
principal actors in it. In his account of the scene the amiable and
accomplished diplomatist remarks that the chief splendour of the
day, where all wore an air of joy and animation, was in the Hall. ‘The
table for the King’s banquet,’ he remarks, ‘was spread on the royal
platform; the foreign ambassadors and ministers had theirs in the
painted chamber of the house of lords, a communicating apartment
under the same roof—but we ran from it soon to come into the hall,
the centre of all attraction. The peeresses, peers, and others
associated with them had theirs in the body of the hall. Here six long
tables were laid, three on each side, leaving a vista, or aisle, open in
the middle, which directly fronted the royal platform. The platform
and all the seats were covered with crimson, which, with the
peeresses richly dressed, and the plate on the banqueting-tables,
and the company all seated, with the King at the head of his
sumptuous table, shaped as a crescent, so that he and a few seated
on his right and left faced the whole company, made the spectacle
extremely magnificent. The comptroller and clerk of the kitchen, and
purveyor of wines, had not, as may be imagined, overlooked their
duties. But when the Champion appeared at the opposite extremity
of the hall, directly in front of the King, nothing seen at first but tufts
of plumes waving from his horse’s head and his own helmet, startling
emotions arose in every bosom. Curiosity was breathless to see
what was coming. He was attended by Howard of Effingham, and by
Anglesea, and by another greater than all—the Duke of
Wellington; and as these, all on horseback, entered abreast, the
Champion heralding his challenge, and the horses seeming almost
in contact with the outward line of peeresses at the table, yet
obedient to the bit which they kept champing—as this equestrian
train slowly advanced in martial grace and strength up the aisle
towards the King, all eyes were seen turned upon one man in it. In
vain did the declining sun through the vast old Gothic edifice throw
beams upon the bright and heavy armour of the Champion; in vain
was it, when the horses reaching by slow, impatient steps the top of
the aisle, and proudly halting at the steps of the royal platform, that
the stout-clad Champion again put forth his challenge, threw down
his glove, received the cup from his sovereign, and drank to his
sovereign—in vain all this; the beauty and chivalry at the banqueting-
tables still looked at the Duke of Wellington; still kept their eyes on
the man whose person and horse recalled, not war in romance, but
its stern and recent realities. All were at gaze—fixed, silent. He was
habited only as a peer, had only his staff as Lord High Constable, yet
was he the observed of all. Nowhere was he more intently eyed than
from the box where sat the assembled ambassadors of the
potentates of Europe. Judging from opinion in that box, there was
nothing in the elaborate grandeur of the day to rival the scene. It was
the inherent pre-eminence of a great man exalting moral admiration
above the show of the whole kingdom.’ This was the imperative fact.
The King was the great figure of the hour, but the Duke was the
great hero of the age; and the truth was not lost sight of in the
gorgeous splendour of the spectacle.
To do the King justice, it must be confessed that he was among
the first to acknowledge the pre-eminence of the Duke as regarded
his services and merits. At the dinner given by the Duke of
Wellington, a few days after the coronation, in honour of the new
sovereign, and with that monarch as chief guest, this
acknowledgment was very gracefully made. At this splendid
banquet, after the noble host had proposed the health of his royal
guest—a toast that was drunk all standing and all silent, the King
himself merely rising to bow his thanks to the company—George IV.
in turn proposed, in a brief speech, the health of the Duke. ‘The
purport of his remarks,’ says Mr. Rush, who was present at this
interesting festival, was, ‘that, had it not been for the exertions of his
friend upon the left (it was so that he spoke of the Duke), he, the
King, might not have had the happiness of meeting those whom he
now saw around him at that table; it was, therefore, with particular
pleasure that he proposed his health. The King spoke his words with
emphasis and great apparent pleasure. The Duke made no reply, but
took in respectful silence what was said. The King continued sitting
while he spoke, as did the company, in profound silence under his
words.’
The silence of the host was true courtesy. It has not escaped Mr.
Rush’s discernment. ‘I thought,’ he says, ‘of Johnson, when George
III. complimented him: the innate dignity of great minds is the same.
In Johnson it was that of the rough, virtuous recluse—whose
greatness was that of the author. In Wellington it was externally
moulded into the will which armies and courts, and long association
with the élite of mankind, may be supposed to give. Johnson did not
bandy civilities with his Sovereign, whom he had never seen before;
nor did Wellington, who saw him every day!’ It is ever the same with
true gentlemen.
It would seem, however, that all the nobles who shone at the
coronation festivities of George IV. were not so perfect in politeness
as the warrior-duke. King George IV. gave a banquet to the
ambassadors specially sent to grace the high solemnity of the
coronation. To this banquet the foreign ministers generally and the
members of the cabinet were invited and were present. The
American Ambassador sat next to Lord Londonderry, and the two
discussed between themselves the power, pretensions, and infamy
of Russia, Lord Londonderry affecting to trust to the moderation of
the Muscovite—a moderation which has been more truly described
by Lord John Russell as more menacing than the ambition of other
powers. The conversation then fell upon English society; and while
on this theme Lord Londonderry remarked, ‘that the higher the rank
and education, the better bred, as a general rule, their people in
England—so he believed it was considered.’ Setting aside the fact
that this is only partially true, it was at the same time a most
uncourteous remark to be made by one who was high in rank and
education to a commoner. But the Stewart-Castlereaghs have ever
been unlucky in their civilities, and with their precious balsams they
have too often bruised the heads they would only have anointed.
Witness the fact of the banquet given by the late Marquis of
Londonderry to the ambassador of Louis Napoleon. Everything was
well done but one, and that one thing, ill done, marred all besides
that was well. The room in which the English host welcomed his
French guest was decorated with pierced and battered French
cuirasses, which had covered the breasts of gallant French enemies
at Waterloo. The man who is fortunate enough to kill an adversary in
a duel may, possibly, in after years, be reconciled with that
adversary’s brother, and perhaps entertain him at dinner; but he
would hardly think of hanging up the dead man’s clothes (purchased
as a trophy from his valet) in his dining-room.
The grand banquet at Carlton House was given on the 26th July.
The special and ordinary ambassadors and the ministers were
present. The monarch’s brothers were also among the guests—
always excepting the Duke of Sussex, whose sympathies for Queen
Caroline had been too markedly and publicly expressed.
‘We were invited,’ says Mr. Rush, ‘at seven o’clock. As my
carriage turned into Pall Mall from the foot of St. James’s Street, the
old clock at St. James’s struck seven, and before I reached Carlton
Palace all the carriages appeared to be entering or coming out
through the double gates of the Ionic screen in front of the palace.
Mine was among the last that drove up to the portico, and by a very
few minutes past seven all the guests, save one, were assembled in
the reception rooms. I had never before witnessed such punctuality
at any dinner in England.
‘The King entered a minute or two afterwards, and saluted his
guests generally, then went the rounds, speaking to each
individually. With the special ambassadors he paused longest. Time
had now run on to more than a quarter past seven, still one of the
guests had not yet arrived, and that one was the Duke of Wellington.
The man not apt to be behind time when his Majesty’s enemies were
to be met was, it seems, in meeting his friends. Five minutes more
went by, and still no Duke of Wellington; critical moments when each
one seemed to count two. At length, in one of the rooms at a
distance, the Duke was seen; he was dressed in the uniform of an
Austrian field-marshal, a plain round-about jacket of white cloth and
white under-dress to suit, relieved by scarcely anything but his
sword. The dress, being tight and simple, gave to his person a
thinner look than usual; and as he kept advancing with easy step,
quite alone, and a general silence prevailing, the King separated
himself from the group of ambassadors where he was standing, and
when he got near enough stepped forward to meet him. With both
hands he shook the Duke by both with great cordiality, saying
something which the company could not hear, but which, from the
manner, we took to be a good-natured rally upon his late arrival. The
Duke received it with placid composure, made no reply, but bowed.
When liberated from the friendly grasp of the King, he approached a
circle of which I happened to be one. One of the ministers
composing it said to him, “We hope you will forgive our little treason,
my Lord Duke, but we have just been determining that, as some one
of the company was to be too late, it was best to have fallen to your
Grace’s lot, who can so well bear it.” With a half whisper and an arch
smile, the Duke replied, “The King knows I could have been here
sooner but for attending to some of his Majesty’s business.” This,
considering the Duke as a cabinet minister and privy councillor, had
doubtless been sufficient to excuse his delinquency, and secure for
him the very cordial reception all had witnessed.... The entire dinner-
service was of gold. Each of the salt-cellars, as well as I could catch
the design, represented a small rock in dead gold, on which reclined
a sea-nymph holding in her hand a shell, which held the salt. One of
these was before every two guests; so it was, as to number, with the
gold coolers down the sides, containing wine. The whole table,
sideboard, and room had an air of chaste and solid grandeur, not,
however, interfering with the restrained enjoyments of a good dinner,
of which the King seemed desirous that his foreign guests should in
no wise be abridged, for we sat till past ten o’clock.’ Contrasting this
banquet with the one given by the Duke of Wellington, the same
writer and guest remarks that the Duke’s table-service was not only
brilliant, but that it lighted-up better than the King’s; for being entirely
of silver, and very profuse, the whole aspect was of pure, glittering
white, unlike the slightly-shaded tinges which candles seem to cast
from gold plate. The dessert-service at the Duke’s was of china, a
present from the King of Prussia, and made emblematical of the life
of the Duke, commencing with a view of Dangan Castle, the
(supposed) birth-place of Arthur Wellesley, and going through a
course of views of all the places rendered interesting by his
presence or remarkable by his deeds, down to the porcelained
pictorial representation of the crowning glory at Waterloo.
While all these matters were in progress, people who nursed
superstition were prophesying some calamity to come; and certainly,
among the incidents of the coronation of George IV., was one which
would have been counted ominous in earlier days. The gallant
Marquis of Anglesea was Lord High Steward on that occasion, and it
was part of his office to carry the crown up to the altar before the
Archbishop placed it on the King’s head. It was heavier than the
gallant Lord High Steward had reckoned upon, and the glittering
crown, ponderous with gold, diamonds, and other precious stones,
slipped from his hands. He dexterously recovered it, however, before
it reached the ground. Among the medallic records of the time one
was the work of an enemy of Caroline of Brunswick. A bronze medal
of the time is extant which has the Queen’s head, on the obverse,
with the inscription: ‘Caroline, D. G. Britt. Regina.’ On the reverse
is the head of Bergami, with the inscription: ‘Count B. Bergami.’
 CHAPTER XII.
A CROWN LOST, AND A GRAVE WON.

The Queen’s agitation—Her illness—Her sufferings—Desires her diary may

be destroyed—Her death—Sketch of her life—Her mother a foolish
woman—Every sense of justice outraged by the King—Inconsistency of
the Whigs—The Queen persecuted even after death—Disrespect shown
to her remains by the Government—Protest against a disgraceful haste to
remove her remains—Course of the funeral procession interrupted by the
people—Collision between the military and the populace—Effort to force a
way through the people ineffectual—The procession compelled to pass
through the City—The plate on the Queen’s coffin removed—The funeral
reaches Harwich—The Queen’s remains taken to Brunswick—Funeral
oration—Tombs of the illustrious dead there.

The coronation-day killed the Queen. The agitations and sufferings

of that eventful day called into deadly action the germs of the
disease under which she ultimately succumbed. Once only, between
that day and her death, did she appear in public, at Drury Lane
Theatre, and even then she may be said to have been dying.
On August the 2nd, the first bulletin issued from Brandenburgh
House, by ‘W. G. Maten, P. Warren, and H. Holland,’ announced that
her Majesty was suffering from internal inflammation and obstruction.
Her sufferings were considerable, but they were borne with
resignation; and she even expressed a cheerful readiness to be
gone from a world in which she had endured more than she had
enjoyed. Her own conviction, from the first, was that her malady
would prove fatal. No whisper of hope appeared to deceive or to
cheer her. She was determined, as it were, that she must die, and
she prepared for the worst. Her feelings were natural to a woman of
her disposition and character. She felt that, despite all solemn
protestation, notwithstanding all as solemn assertion, she had failed
in re-establishing the reputation which she enjoyed during the early
years of her residence in this country. The abandonment of the Bill of
Pains and Penalties had not rescued her from degradation; and the
people, who were ready to offer her consolation as a woman who
had been most deeply wronged and outraged, were by no means so
ready to espouse her cause further than this. She had herself
confessed to indiscretions, and when the confession applies to
constant repetition of the offence, the public judgment, even with
nothing more to warrant its exercise, will never be slow to hold her
who acknowledges so much as being guilty of more. In her position,
with a reputation so soiled, and torn, and trodden upon; which could
not be made bright by any declaration (poor indeed) that she was not
so debased as she was declared to be by her adversaries; for a
woman so placed, to die is the sole joy left her, if she has made the
peace with God which can never again exist between her and man.
Her few friends were accustomed to say that in after years her good
fame would be substantiated. After years—alas! Of what use to the
drowned sailor is the favourable wind after shipwreck? Assuredly,
her own character perished more by her own suicidal acts than by
the assaults made upon it by those who were interested in damning
it; just as ‘Tom Paine’ himself has said that a writer may destroy his
own reputation, which cannot be affected by the pens of other
writers.
To die then was now in the very fitness of things, and death
made but brief work with his new victim. Between the second and
the seventh of August the suffering never ceased sufficiently to
warrant serious hope of amelioration. During the intervening time
she continued to express her willingness to depart. She signed her
will, gave with calmness all necessary orders which she wished to be
observed, spoke charitably of all, and little of herself. Among her last
acts was one of sacrifice, and perhaps posterity will regret it. She
ordered the diary, which she had long kept, and in which she had
entered the characters of the most prominent persons with whom
she had come in contact, to be burned. This is said to have been
done in her presence; but so many things only seem to be done in a
dying presence that our successors may not despair, hereafter, of
becoming more intimate with Caroline, her thoughts and feelings,
than she ever permitted her contemporaries to be. The great chance
against posterity being allowed to read the scandalous chronicle or
the justifying confessions of Caroline lies in the fact that the series of
journals were burned by a foreign female servant, who knew nothing
of their value. Such, at least, was the accredited report.
After nearly five days of intense suffering, the Queen sank into a
stupor from which she never awoke. At half-past ten o’clock on the
morning of the seventh of August, 1821, ‘after an entire absence of
sense and faculty for more than two hours,’ Caroline Amelia
Elizabeth of Brunswick, Queen Consort of George IV., expired
almost without a struggle. In her supreme hour only her faithful
friends, Lord and Lady Hood and Lady Anne Hamilton, were with
her. Her legal and medical advisers, with Alderman Wood and one of
his sons, were also near her person. She had completed fifty-three
years and three months; of these she passed by far the happier and
the more innocent half—happier because the more innocent—in
Brunswick. Of the following nineteen years spent in England,
eighteen of them were passed in separation from, and most of them
in quarrelling with, her husband. For the first nine or ten years of this
period she lived without offence and free from suspicion; during the
remainder she was struggling to re-establish a fame which had been
wrongfully assailed; but this was accompanied by such eccentricity
and indiscretion that she seemed almost to justify the suspicion
under which she had suffered. Then came the half-dozen years of
her residence abroad, when she too often shaped her conduct as
though she had alacrity in furnishing matter condemnatory against
herself to the spies by whom she was surrounded. To say that they
exaggerated her offences does not, unfortunately, prove her guiltless
of great crime. Her return to England was a bold step, but it was one
she was compelled to take. It failed, however, in its great purpose.
She did not triumph. Justice, indeed, was not rendered her, for she
was condemned before she was tried; and though the trial was not
carried to its intended conclusion, he who would now stand forth as
the champion of Caroline of Brunswick would be necessarily
accounted of as possessing more generosity than judgment.
 Nevertheless, for this poor woman there is something to be said.
She was ill-educated; religiously educated, not at all; and never had
religious principles as expounded by any particular church. Her
mother was a foolish, frivolous woman, and her father, whom she
ardently loved, a brave, handsome, vicious man, who made his wife
and daughters sit down in company with his mistresses. With such
an example before her, what could be expected from an ardent,
spirited, idle, and careless girl? Much—if she had been blessed with
a husband of principle, a man who would have tempered the ardour
to useful ends, guided the spirit to profitable purpose, and taught the
careless girl to learn and love the cares, or duties, rather, which
belonged to her position. But by whom, and what, was that Princess
encountered in England, whither she had come to marry a Prince
who had condescended to have her inflicted on him, and bringing
with her the memories of pleasant communings with more courteous
wooers in Brunswick? She met a husband who consigned her to
companionship with women more infamous than ever she herself
became, and whose interest and business it was to render the wife
disgusting to the husband. They speedily accomplished the end they
had in view, and when they had driven the wife from the palace they
endeavoured to prove her to be guilty of vices which she had not
then, in common with themselves and her husband. If he ever justly
complained of wrong, he at least took infinite pains to merit all that
was inflicted on him. He outraged every sense of justice when,
steeped to the very lips in uncleanness, he demanded that his
consort should be rendered for ever infamous, for the alleged
commission of acts for which he claimed impunity on his own
account. She was not, perhaps, betrayed by the Whigs, but these
rather took up her cause for the reason that it served them politically
than put credence in its righteousness. They were, however, the
voluntary champions of her virtue. Lord Holland was among the first
of them, and yet in his contemporary Diary he says of her, ‘She was
at best a strange woman, and a very sorry and uninteresting heroine.
She had, they say, some talent, some pleasantry, some good-
humour, and great spirit and courage. But she was utterly destitute of
all female delicacy, and exhibited, in the whole course of the
transactions relating to herself, very little feeling for anybody, and
very little regard for honour and truth, or even for the interests of
those who were devoted to her, whether the people in the aggregate,
or the individuals who enthusiastically espoused her cause. She
avowed her dislike for many, scarcely concealed her contempt for all’
(no wonder); ‘in short, to speak plainly, if not mad, she was a very
worthless woman.’ So wrote one who had asserted directly the
contrary.
But it was the lot of this unhappy Queen to be persecuted even
after death. Her will, in which she bequeathed the little she had to
leave to William Austin, the protégé, who did not long survive her,
contained a clause to this effect: ‘I desire and direct that my body be
not opened, and that three days after my death it be carried to
Brunswick for interment, and that the inscription on my coffin be,
“Here lies Caroline of Brunswick, the injured Queen of England.”’
The government, acting under alleged orders from the King, but
influenced, no doubt, by a wish not to mar the festivities attendant
upon the visit of George IV. to Ireland, by allowing the Queen’s body
to remain longer than needful in England, announced their intention
to pay every sort of respect to the orders and wishes of her late
Majesty, and to despatch the body to Harwich at once, for
embarkation. The personal friends of Caroline protested against this
unseemly readiness, on the part of the ministers, to obey the wishes
of one who, when alive, never had a wish that was not thwarted.
Lady Hood addressed a letter to Lord Liverpool, not so much,
indeed, as she said to him, as to his heart. The letter pleaded for
delay, on the ground of the Queen’s ladies being unprepared; and it
expressly protested against the intended military escort, as being an
honour never allowed to the Queen when living, and one not
certainly desired by her, who was sufficiently guarded by the
people’s love. Reply was made that the arrangements already
resolved upon were irrevocable, and that, if the ladies were not
provided with the necessary mourning, there would be nothing
disrespectful in waiting behind till they had been furnished with what
was necessary, and then joining in the procession anywhere on its
route. There was a singular want of courtesy in all the
communications made by the ministry to the friends of the Queen.