
IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 20, NO. 5, SEPTEMBER 2012

Design and Implementation of Secure Networked Predictive Control Systems Under Deception Attacks

Zhong-Hua Pang and Guo-Ping Liu, Fellow, IEEE

Abstract—This brief addresses the security issues of data transmitted in networked control systems (NCSs), especially confidentiality, integrity and authenticity. A secure networked predictive control system (SNPCS) architecture is presented, which integrates the Data Encryption Standard (DES) algorithm, Message Digest (MD5) algorithm, timestamp strategy, and recursive networked predictive control (RNPC) method. The former three parts are used to form a secure transmission mechanism between the controller side and the plant side, which is responsible for enforcing the data confidentiality and checking the data integrity and authenticity. To guarantee the control system performance when suffering from deception attacks, the RNPC method based on round-trip time delays is proposed to compensate for the adverse effects introduced by the deception attacks as well as the network communication constraints, such as time-varying network delay, packet disorder and packet dropout. A theoretical result using the switched system theory is obtained for the closed-loop stability of the RNPC system. Practical experiments are performed to demonstrate the effectiveness of the proposed SNPCS.

Index Terms—Communication constraints, data confidentiality, deception attacks, experiments, recursive networked predictive control (RNPC), secure networked control systems (SNCSs), stability.

I. INTRODUCTION

As an integration of sensors, controllers, actuators and networks, networked control systems (NCSs) show many distinct advantages such as flexible architectures, low installation and maintenance costs, and the fusion and sharing of global resources [1]. Consequently, NCSs have been finding applications in a vast range of areas such as traffic management [2], robot control [3], mobile sensor networks [4], remote surgery [5], unmanned aerial vehicles [6], and remote control [7], [8]. However, because of the open nature of a shared network, especially the Internet and wireless networks, the sensor and control data exchanged over networks in NCSs without security protection are confronted with the network security problem [9], [10]. For example, industrial spies remotely access confidential information of the key equipment. Malicious hackers intercept, tamper, forge, and retransmit the sensitive

Manuscript received October 19, 2010; revised January 27, 2011; accepted April 02, 2011. Manuscript received in final form June 20, 2011. Date of publication July 25, 2011; date of current version June 28, 2012. Recommended by Associate Editor L. Xie. This work was supported in part by the National Science Foundation of China under Grant 61028010 and Grant 60934006. Z.-H. Pang is with Qingdao Technological University, Qingdao 266033, China, and also with the Institute of Automation, Chinese Academy of Sciences, Beijing 100190, China (e-mail: [email protected]). G.-P. Liu is with the Faculty of Advanced Technology, University of Glamorgan, Pontypridd CF37 1DL, U.K., and also with CTGT Center, Harbin Institute of Technology, Harbin 150001, China (e-mail: [email protected]). Digital Object Identifier 10.1109/TCST.2011.2160543

data transmitted over networks. Especially for the NCSs of critical infrastructures, such as water, electrical, nuclear, and chemical plants, the disruption of any of them can result in severe consequences ranging from production losses to environmental damage, and even personal injury or loss of life [11]. These network attacks on NCSs are real and some security incidents have been reported [12].

However, only recently have engineers and researchers paid considerable attention to them. Dzung et al. [13] gave an overview of information security issues in industrial automation systems based on open communication networks. Yang et al. [14] surveyed the security threats and solutions in three typical wireless networks, i.e., wireless LANs, 3G cellular networks, and mobile ad hoc networks. Creery and Byres [15] presented assessment procedures and protective measures for the industrial control cybersecurity.

Information technology (IT) security can be described in terms of security objectives, such as confidentiality, integrity, authentication, availability, authorization, auditability, nonrepudiability, and third-party protection, of which the first four have the highest priority for the data transmitted in industrial NCSs [9], [13]. This brief is mainly concerned with confidentiality, integrity and authenticity of data security service, and data availability will be considered in the future work. Data confidentiality is to prevent disclosure of transmission data to attackers. Data integrity refers to ensuring that the data are received as sent, and are not changed during transmission over networks. Such attacks as data modification (tampering), data replay and data delay can lead to the violation of data integrity. Data authenticity is to ensure that data are from where they claim to be from, which defends against masquerade attacks.

Focusing on the confidentiality aspect of network security, Swaminathan et al. [16] described a secure field-bus protocol in which the Data Encryption Standard (DES) was performed for data protection. Gupta and Chow [17] applied encryption algorithms DES, 3DES, and Advanced Encryption Standard (AES) to protect the data transmitted in NCSs. However, the data encryption alone is not sufficient to secure data flows over the network. For example, data tampering attacks on the sensor and/or control data cannot be prevented by the data encryption, which can significantly impair the system performance or even lead to loss of control of NCSs. To ensure the security of sensor and control signals transmitted over the network, the confidentiality, integrity checking and authentication were implemented in hardware tools in [18] and [19]. Zhang et al. [20] introduced a 3-tier signature signing and key-evolving scheme to ensure that the exchanged information via mobile networks is authentic. Xu et al. [21]


PANG AND LIU: DESIGN AND IMPLEMENTATION OF SNPCSs UNDER DECEPTION ATTACKS

presented a secure architecture for the collaborative control of distributed device networks, in which the security problems of confidentiality, integrity, authenticity, and execution safety were addressed.

However, the aforementioned security schemes are just designed from the viewpoint of general IT security, which mainly focus on information protection. For instance, once the spurious data are detected, they are simply discarded or retransmitted, which are not sufficient or suitable for real-time industrial control systems. Apart from attack prevention and detection measures, the corresponding compensation strategies should be considered for the NCSs under attacks from the viewpoint of control.

In this brief, the security issues of data transmitted in NCSs, especially confidentiality, integrity and authenticity, are considered. A secure networked predictive control system (SNPCS) is designed for the data encryption as well as the detection and compensation of deception attacks (the attacks resulting in the violation of data integrity and/or authenticity). Data encryption is performed by the DES algorithm. Deception attacks are detected by the Message Digest (MD5) algorithm and the timestamp strategy under the DES cryptosystem. In order to guarantee the system performance at a satisfactory level when under deception attacks, a recursive networked predictive control (RNPC) method is proposed based on the round-trip time (RTT) delay. The performance of the SNPCS is then illustrated by practical experiments, showing that the proposed secure architecture is feasible, active and effective.

The remainder of this brief is organized as follows. A secure transmission mechanism is presented in Section II to fulfill the data encryption and to detect the typical deception attacks. In Section III, the SNPCS architecture is proposed, as well as the design and stability analysis of RNPC. Practical experiments are performed to illustrate the effectiveness of the SNPCS in Section IV. Section V concludes this brief.

II. SECURE TRANSMISSION MECHANISM

A. Implementation of Data Confidentiality

Data confidentiality can be achieved by encryption algorithms, which can be classified into two forms: symmetric ciphers and public-key ciphers. Compared with the public-key ciphers, the symmetric ciphers are faster by two to three orders of magnitude [22] and require much shorter keys to achieve the same level of security [23]. Typical symmetric ciphers are DES, 3DES, and AES, of which the first one is used in this brief because it is the fastest one of them and enough to guarantee the security of the data over NCSs [16]. The DES algorithm transforms a 64-bit plaintext into a 64-bit ciphertext using a 56-bit key. For the details of DES, refer to [22].

The implementation of DES involves hardware and software design/co-design [24]. Because DES only deals with substitution-permutation and table lookup operations, it is an ideal solution to implement DES via hardware, for instance field-programmable gate array (FPGA) [25], which offers the highest speed and most effective security. However, these merits cannot take full effect for shorter data chunks in NCSs, due to the periodical operations of the corresponding hardware. Software implementations provide ease of use, ease of upgrading, portability


Fig. 1. Scheme of data modification detection.

and flexibility [26]. Moreover, it can be used in both offline simulations and practical experiments. Therefore, the software implementation of DES using C-MEX S-Functions is chosen in this brief, which achieves a throughput of 7.2136 Mbit/s in a 180 MHz 32-bit ARM microprocessor with Linux 2.6.15 operating system (OS). For the same reasons, the software implementation of MD5 introduced in Section II-B is also adopted.

B. Detection of Deception Attacks

The compromise of data integrity and authenticity leads to deception attacks, which include data modification, deceptive sender identity, and data delay/replay. Since they relate to active attacks [27], detection and compensation measures should be considered rather than prevention methods. The detection measures are first described here, and the compensation measures will be addressed in Section III.

1) Data Modification Detection: Data modification can be detected by one-way hash functions, which accept a variable-size message as input and produce a fixed-size output, called hash code. A change to any bit or bits in the message results in a change to the hash code. The most widely used hash functions are MD5 and Secure Hash Algorithm (SHA, e.g., SHA-1/256/384/512), and the former is used in this brief due to its low computation. MD5 accepts a message input of various lengths and produces a 128-bit hash code. More details of MD5 can be seen in [22]. Although some collisions are found with MD5 [28], it is still recommended to apply in the scheme depicted in Fig. 1, in which MD5 is safe as long as the underlying DES cryptosystem is not broken. The speed of MD5 software implementation using C-MEX S-Functions is 16.19 Mbit/s in the 180 MHz 32-bit ARM microprocessor with Linux 2.6.15 OS.

As shown in Fig. 1, a sender provides a plaintext message as input to MD5 that generates a hash code. The hash code concatenated with the message is encrypted by DES and sent to the destination. In the destination, the incoming packet is first decrypted and treated as a message with an appended hash code. Then MD5 is applied again to the decrypted message to reproduce the hash code. If the calculated hash code is equal to the incoming one, the message will be considered authentic. Otherwise, the message will be regarded to be modified in transmission and then discarded.

2) Deceptive Sender Identity Detection: For the purpose of real-time control, the UDP/IP protocol is generally used in NCSs. The sender and receiver are specified as IP addresses. Thus, attackers may pretend to be legitimate senders and send false data to the receiver. The scheme in Fig. 1 can also be used to detect this kind of attack, because attackers without knowledge of the DES key are unable to create an authentic hash code for the forged data. The data with the deceptive sender identity will be detected and discarded by the legitimate receiver.


Fig. 2. Secure transmission mechanism.

3) Data Delay/Replay Detection: If a data packet is intercepted and delayed or replayed in NCSs, additional network delay and data disorder will be produced. The detection of data delay/replay requires that individual messages can be uniquely identified. The timestamp, indicating the time when the message is sent by the sender, can act as an identifier for the data packets in NCSs.

C. Secure Transmission Mechanism

To achieve data confidentiality and deception attack detection simultaneously, a secure transmission mechanism (STM) shown in Fig. 2 is designed, which is composed of two parts: a secure UDP sender and a secure UDP receiver. The sender appends a timestamp to the message, and a hash code is calculated from the entire block. The timestamp, message, and hash code as a whole are encrypted into one packet and sent to the receiver. After the encrypted packet arrives at the receiver, it will be first decrypted and then forwarded to verify the timestamp and hash code. Its timestamp will be compared with that of the receiver register. If the former is not larger than the latter, the packet will be rejected. Otherwise, MD5 is applied to the incoming timestamp and message to reproduce the hash code. If the calculated hash code is different from the incoming one, the packet will be discarded. Otherwise, the packet will be identified as in-order and genuine, and then replace the contents of the register, including the timestamp and message. The output of the receiver is the authentic message.

III. DESIGN OF SNPCSS

For practical applications, the secure networked control system (SNCS) can be designed based on the STM as shown in Fig. 3. Two toggle switches are used to model the deception attacks in the backward channel (i.e., the sensor-to-controller channel) and the forward channel (i.e., the controller-to-actuator channel), respectively. For instance, in the backward channel at each sampling time, the switch selects one of its two inputs, a sensor packet or an attack packet, to pass through to the output, while the unselected one is discarded. The same arrangement is made for the forward channel.

Under the STM in the backward and forward channels, deception attacks will produce additional time delay, packet disorder and packet dropout. As a result, it becomes much harder to design and implement NCSs. Without considering external attacks, the networked predictive control (NPC) has been proved to be an effective strategy to compensate for these negative effects [29]–[32]. However, the previous NPC methods in [29] and

Fig. 3. Structure of secure NCSs.

[30] have one disadvantage: the high computational complexity resulting from the solution of Diophantine equation and the calculation of matrix inverse, especially for the SNCSs under attacks, in which there exist the higher-order Diophantine equation and higher-dimensional matrix. In this brief, following the NPC methods in [31] and [32], a recursive networked predictive control (RNPC) approach based on the RTT delay is proposed for the SNCS. Compared with previous results, the output and control predictions for linear time-delay systems are calculated on the controller side and the network delay compensation is based on the RTT delay, which makes RNPC more feasible in practice. Whereas in [31], the output and control predictions were separately done in the sensor and controller, which is not generally allowed due to the limited computation capacity of the sensor. In addition, the delay compensation in [31] was based on the one-way time (OWT) delay in the backward and forward channels, which needs clock synchronization between the controller side and the plant side that is difficult to achieve, especially for long-distance networks. The NPC method in [32] does not consider time-delay systems. As a compensation measure for the SNCS under deception attacks, the RNPC can be used to deal with the adverse effects brought by both communication constraints and deception attacks, i.e., random delay, packet disorder and packet dropout. Thus, a secure networked predictive control system (SNPCS) can be designed as shown in Fig. 4. According to the functionality, the SNPCS can be divided into four parts: the plant and the sensor, the communication network with the STM, the controller, and the actuator. The sensor and actuator are time-driven with the same sampling period, and the controller is time-driven or event-driven. In this section, we present first the design details of RNPC and then the stability analysis of the closed-loop system.


Fig. 4. Structure of SNPCSs.

A. Design of RNPC

1) Control Prediction Generator: Without considering the network delay, a controller is designed as

As shown in Fig. 4, the RNPC consists of a buffer, a control prediction generator (CPG), and a network delay compensator (NDC). The buffer is established to hold the consecutive historical output and control input signals of the plant before they are transmitted to the controller, the length of which is determined by the model description of the plant and the selected control algorithm. The CPG is designed to generate a set of future control predictions based on the mathematical model of the plant. The NDC is used to compensate for the random delay, packet disorder, and packet dropout. The following assumptions are made for the RNPC design.

Assumption 1: The control prediction horizon is chosen to be not less than the upper bound of the network RTT delay (noted by ), i.e.,

(3) where the error between the future reference . output prediction polynomials as follows:

and

To simplify the formulation, the following operations are defined:

(1) Assumption 2: The deception attacks happen once every sampling interval in the backward and/or forward channels. Remark 1: In the SNPCS, disordered packets are discarded under the STM. Accordingly, the packet disorder can be treated as part of packet dropout. The lost packets are simply ignored, and the RTT delay in Assumption 1 is measured by the timestamp of those valid data packets received successfully by the actuator. Therefore, the packet disorder and packet dropout do not need to be specially treated but regarded as part of the RTT delay using the compensation strategy proposed in this brief. Consider the following single-input single-output linear timedelay plant in discrete time given by:

is and the are the

if if

(4) (5) (6)

represents and . where is an integer, Suppose that, at time , the sensor sends the following historical input/output data to the controller through the backward channel: (7) . where Thus, the historical data sequence from the secure UDP receiver in the controller at time can be described by

(2) and are the output and control input of the where and are the polyplant, is the time delay, and nomials as follows:

(8) is the delay in the backward channel at time . where Equation (8) shows that the historical input/output data seare available in the controller at time quence up to time


. Based on (2) and (8), the forward output predictions of the plant are

(9) for . Then, using (8), (9), and (3), the future output predictions and control predictions can be calculated recursively as shown in (10) and (11), respectively

controller does not know the real control signal applied to the plant. As a result, the consecutive historical control inputs are much harder to arrange for the controller. Therefore, a buffer is used to deal with these problems in this brief. The consecutive historical data (8) up to time are always available in the controller.

B. Stability of the Closed-Loop System

To analyze the stability, the reference input . Equation (11) and (10) can be rewritten as

(15) (10)

(16) where

(11) for . Clearly, (11) yields the following control prediction sequence:

(12) which is put into one packet together with the timestamp and sent to the actuator.

2) Network Delay Compensator: With the help of the timestamp comparison strategy of the STM in Section II-C, the control prediction sequence stored in the register of the secure UDP receiver in the actuator is always the latest one available at each instant of time, which can be described by and (13) where is the RTT delay at time is the delay for calculating the control predictions in the controller, and is the delay in the forward channel. The RTT delay can be accurately calculated in the actuator by subtracting the timestamp of from the current time. In order to compensate for the network delay, the NDC selects the proper control signal from according to the RTT delay. Therefore, the control input applied to the plant will be

is an zero matrix; identity matrix; , and . Substituting (15) into (16) gives

is an are

matrices;

(17) Combining (15) and (17) results in

(14) Remark 2: As discussed above, in order to identify the plant model on line and calculate the control predictions, the consecutive historical input/output data are required for the controller. However, in [29], only a single plant output is sent to the controller. Thus, the consecutive historical output data are hard to obtain for the controller due to the packet disorder and packet dropouts in the backward channel. On the other hand, in the NPC environment, the actuator only selects one from the control prediction sequence according to the random delay, and the

(18) where

From (18), the control signal applied to the plant at time is derived as

(19) where

Fig. 5. Internet-based DC motor speed control system.

Equation (19) can be rewritten as

(20) where

The output vector of the plant (2) can be described by (21) where

Combining (20) and (21) yields the following closed-loop system: (22) where

As the RTT delay changes randomly in the finite set , the system (22) is a linear switched system. According to the switched Lyapunov function (SLF) approach proposed in [33], the following stability condition is obtained.

Theorem 1: The closed-loop system (22) is globally asymptotically stable if there exist positive definite matrices for the following linear matrix inequalities (LMIs):

(23)

Proof: Let the switched Lyapunov function be (24) and then its increment is obtained as (25) which completes the proof.

Remark 3: Due to the application of the SLF approach, the condition for the closed-loop stability is less conservative than those in [30]–[32]. In addition, the result is obtained via the arbitrary switching value in a finite set. However, the network-induced delays of NCSs are practically governed by random processes (e.g., Markov chains). In this case, the conservativeness of the stabilization condition should be further reduced.

IV. PRACTICAL EXPERIMENTS

A. Internet-Based Control Test Rig

To validate the proposed SNPCS, a networked DC motor speed control test rig over the Internet has been built, as shown in Fig. 5. Besides the Internet, the test rig mainly consists of a networked controller board (NCB) with an IP address of 193.63.131.219, a networked implementation board (NIB) with an IP address of 159.226.20.79, and a DC motor system. The NCB is located in University of Glamorgan, Pontypridd, U.K. The NIB and the DC motor system are located in Chinese Academy of Sciences, Beijing, China. The NCB and NIB have the same hardware structure. The kernel chip of the embedded board is Atmel’s AT91RM9200, which is a cost-effective and high-performance 180 MHz 32-bit microcontroller. The DC motor system consists of a DC motor and a driver. The input voltage range of the driver is 0 to 10 V. The range of the motor speed is 0 to 2900 rpm, which is measured by the NIB.

B. Stability Analysis of Practical Closed-Loop System

According to the experimental results with the sampling period 0.05 s, the RTT delays between the controller and the plant vary from 5 to 8 steps (0.25–0.40 s), and the model of the plant under certain working condition is identified as (26)


The proportional-integral (PI) controller is designed to be

(27) Techniques such as the LMI toolbox are useful in the process of finding the positive definite matrices of a given system . For the practical system (26), the closed-loop system can be obtained from (22). Using the LMI toolbox in MATLAB, the matrices can be calculated by Theorem 1 so that the closed-loop system is globally asymptotically stable. Due to the time delay and the upper bound of the RTT delay , are 38 × 38 matrices, which are difficult to be put in the brief. Therefore, as an example, only the elements of the first 6 rows and 6 columns of are described as shown in the equation at the bottom of the page.

Fig. 6. RNPC experiment without attacks.

C. Internet-Based Control Experiments

In practical applications, the model accuracy significantly affects the performance of RNPC systems because the control predictions are based on the plant model. Therefore, a recursive least square method is used in this brief for the online estimation of the plant parameters. The control prediction horizon is chosen as 15. For comparison purposes, practical experiments are carried out for three cases:

1) RNPC Experiment Without Attacks: The sinusoidal response of the RNPC based on (27) without deception attacks is shown in the upper part of Fig. 6, which indicates that the RNPC performance is good with the random RTT delay of 5–6 steps shown in the lower part of Fig. 6.

2) RNPC Experiment With Attacks: To simulate data modification attacks, an attack simulation unit (ASU) is designed in the following form:

if otherwise (28)

where is the ASU output; is a uniform random number; is the preset constant corresponding to the attack level; and denote the valid packets (i.e., genuine packets) and the invalid packets (i.e., deception attack packets), respectively, which have the same length. At each sampling time, a random number generator produces a number . When is greater than , the valid packet is transmitted to the destination. Otherwise, the invalid packet is sent to the destination.

Fig. 7. RNPC experiment with attacks.
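The following Python sketch is an added example, not the authors' C-MEX code: it runs the receiver checks of Section II-C (timestamp register, then MD5 comparison) against the ASU described above and lets the actuator pick a control prediction by the resulting delay, falling back to the last element when the delay exceeds the horizon. Assumptions made here: the DES layer is omitted, so blocks are handled as they look after decryption; the network itself adds no delay; the packet layout and all names are hypothetical; and prediction i is taken to be the input for i steps after the timestamp.

```python
import hashlib
import hmac
import random
import struct

HORIZON = 15      # control prediction horizon used in the experiments
DIGEST_LEN = 16   # MD5 produces a 128-bit hash code


def build_block(timestamp, predictions):
    """Sender side: timestamp || message || MD5(timestamp || message).

    In the paper the whole block is then DES-encrypted. That layer is left
    out here (assumption), so this is the block as seen after decryption.
    """
    body = struct.pack(">I", timestamp)
    body += struct.pack(f">{len(predictions)}d", *predictions)
    return body + hashlib.md5(body).digest()


class SecureReceiver:
    """Receiver checks of the STM plus delay-based selection in the actuator."""

    def __init__(self):
        self.reg_timestamp = -1      # register: timestamp of last accepted packet
        self.reg_predictions = None  # register: its control prediction sequence

    def receive(self, block):
        """Classify one decrypted block as 'accepted', 'stale' or 'modified'."""
        if len(block) < 4 + DIGEST_LEN or (len(block) - 4 - DIGEST_LEN) % 8:
            return "modified"
        body, digest = block[:-DIGEST_LEN], block[-DIGEST_LEN:]
        (timestamp,) = struct.unpack(">I", body[:4])
        # Step 1: a timestamp not larger than the register's means the packet
        # is delayed, replayed or out of order, so it is rejected.
        if timestamp <= self.reg_timestamp:
            return "stale"
        # Step 2: recompute the hash over timestamp and message and compare.
        if not hmac.compare_digest(hashlib.md5(body).digest(), digest):
            return "modified"
        # In-order and genuine: replace the register contents.
        count = (len(body) - 4) // 8
        self.reg_timestamp = timestamp
        self.reg_predictions = struct.unpack(f">{count}d", body[4:])
        return "accepted"

    def control_input(self, now):
        """Return (delay, value): the prediction matching the current delay.

        The delay is the current time minus the registered timestamp. Beyond
        the horizon the last element of the latest valid sequence is used.
        """
        if not self.reg_predictions:
            raise RuntimeError("no valid packet received yet")
        delay = now - self.reg_timestamp
        index = min(delay, len(self.reg_predictions) - 1)
        return delay, self.reg_predictions[index]


def simulate(attack_level, steps, seed=1):
    """Forward channel with the ASU in front of the receiver.

    At each step the valid packet passes when a uniform random number is
    greater than attack_level; otherwise an invalid packet of the same
    length (one flipped bit, constructed here) is delivered instead.
    Returns a list of (step, status, delay, applied_value).
    """
    rng = random.Random(seed)
    receiver = SecureReceiver()
    log = []
    for k in range(steps):
        # Constructed controller output: prediction i is labelled k + i, so a
        # fully compensated actuator applies exactly the value k at step k.
        block = build_block(k, [float(k + i) for i in range(HORIZON)])
        if rng.random() <= attack_level:
            tampered = bytearray(block)
            tampered[10] ^= 0x01
            block = bytes(tampered)
        status = receiver.receive(block)
        if receiver.reg_predictions is not None:
            delay, value = receiver.control_input(k)
            log.append((k, status, delay, value))
    return log


if __name__ == "__main__":
    for level in (0.2, 0.8):
        run = simulate(level, 400)
        rejected = sum(1 for _, s, _, _ in run if s != "accepted")
        worst = max(d for _, _, d, _ in run)
        print(f"attack level {level}: rejected={rejected} max delay={worst}")
```

Every rejected packet leaves the register untouched, so a run of rejections shows up in the actuator only as a growing delay index into the last valid sequence.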

Fig. 7 displays the sinusoidal response of the RNPC with 20% data modification attacks in the forward channel, which confirms that the performance of the RNPC greatly degrades under deception attacks. Without the attack detection, whether legitimate or spurious, all packets are accepted by the actuator to be ultimately applied to the plant, resulting in the irregular actions of the DC motor. The RTT delays are similar to those in Fig. 6, which are not depicted in Fig. 7.

3) SNPCS Experiment With Attacks: When the STM is used to detect the deception attacks and RNPC is used to compensate for the RTT delays introduced by the Internet and attacks, the sinusoidal responses of the SNPCS with 20% and 80% data modification attacks in the forward channel are shown in Fig. 8. It is clear from Fig. 8(a) that the performance of the SNPCS with 20% attacks is similar to that without attacks shown in Fig. 6. Although the rejection of invalid packets leads to the sharp increase of the RTT delays shown in the lower part of Fig. 8(a), they are still within the control prediction horizon (15 steps), and the RNPC can completely compensate for them. As the attack level increases, the RTT delays also rise and may occasionally exceed the control prediction horizon. In this case, the following partial compensation strategy, instead of (14), can be adopted in the RNPC environment for the open-loop stable system:

if otherwise. (29)

When the RTT delays are greater than the control prediction horizon, the plant output is determined by the last element of the latest valid control prediction sequence in the actuator. As a result, the sinusoidal response of the SNPCS with 80% attacks shown in Fig. 8(b) is inferior to that with 20% attacks due to the incomplete compensation for the RTT delays. With the DES encryption, the original content cannot be seen from the encrypted output of the plant shown in the upper part of Fig. 8(a) and (b), which achieves the data confidentiality.

Fig. 8. SNPCS experiments with attacks. (a) 20% deception attacks. (b) 80% deception attacks.

V. CONCLUSION

This brief has presented a secure networked predictive control system architecture for the data security and control of networked systems. The SNPCS integrates the DES algorithm, MD5 algorithm, timestamp strategy, and the RNPC method, which can provide the data confidentiality service, and the detection and compensation of deception attacks. In the secure architecture, the adverse effects caused by deception attacks and communication constraints are ultimately treated as the network RTT delay, which is dealt with by the RNPC proposed in this brief. The stability theorem for the closed-loop RNPC system is obtained using the switched system theory. Practical experiments have also been done to illustrate the effectiveness of the SNPCS.

REFERENCES

[1] J. P. Hespanha, P. Naghshtabrizi, and Y. Xu, “A survey of recent results in networked control systems,” Proc. IEEE, vol. 95, no. 1, pp. 138–162, Jan. 2007.
[2] P. Belanovic, D. Valerio, A. Paier, T. Zemen, F. Ricciato, and C. F. Mecklenbrauker, “On wireless links for vehicle-to-infrastructure communications,” IEEE Trans. Veh. Technol., vol. 59, no. 1, pp. 269–282, Jan. 2010.
[3] R. C. Luo, K. L. Su, S. H. Shen, and K. H. Tsai, “Networked intelligent robots through the Internet: Issues and opportunities,” Proc. IEEE, vol. 91, no. 3, pp. 371–382, Mar. 2003.
[4] V. C. Gungor and G. P. Hancke, “Industrial wireless sensor networks: Challenges, design principles, and technical approaches,” IEEE Trans. Ind. Electron., vol. 56, no. 10, pp. 4258–4265, Oct. 2009.
[5] J. Arata, H. Takahashi, P. Pitakwatchara, S. Warisawa, K. Tanoue, K. Konishi, S. Ieiri, S. Shimizu, N. Nakashima, K. Okamura, Y. Fujino, Y. Ueda, P. Chotiwan, M. Mitsuishi, and M. Hashizume, “A remote surgery experiment between Japan and Thailand over Internet using a low latency CODEC system,” in Proc. IEEE Int. Conf. Rob. Autom., 2007, pp. 953–959.
[6] T. Samad, J. S. Bay, and D. Godbole, “Network-centric systems for military operations in urban terrain: The role of UAVs,” Proc. IEEE, vol. 95, no. 1, pp. 92–107, Jan. 2007.
[7] Y. Qiao, G. P. Liu, G. Zheng, and W. Hu, “NCSLab: A Web-based global-scale control laboratory with rich interactive features,” IEEE Trans. Ind. Electron., vol. 57, no. 10, pp. 3253–3265, Oct. 2010.
[8] H. Yu, Y. Liu, and M. S. Hasan, “Modelling and remote control of an excavator,” Int. J. Autom. Comput., vol. 7, no. 3, pp. 349–358, Aug. 2010.
[9] A. A. Cárdenas, S. Amin, and S. S. Sastry, “Secure control: Towards survivable cyber-physical systems,” in Proc. 28th Int. Conf. Distrib. Comput. Syst. Workshops, 2008, pp. 495–500.
[10] A. Teixeira, H. Sandberg, and K. H. Johansson, “Networked control systems under cyber attacks with applications to power networks,” in Proc. Amer. Control Conf., 2010, pp. 3690–3696.
[11] C. H. Tsang and S. Kwong, “Multi-agent intrusion detection system in industrial network using ant colony clustering approach and unsupervised feature extraction,” in Proc. IEEE Int. Conf. Ind. Technol., 2005, vol. 14–17, pp. 51–56.
[12] A. A. Cárdenas, S. Amin, and S. S. Sastry, “Research challenges for the security of control systems,” presented at the 3rd USENIX Workshop Hot Topics in Security, Jul. 2008, USENIX, Art. 6.
[13] D. Dzung, M. Naedele, T. P. Von Hoff, and M. Crevatin, “Security for industrial communication systems,” Proc. IEEE, vol. 93, no. 6, pp. 1152–1177, Jun. 2005.
[14] H. Yang, F. Ricciato, S. Lu, and L. Zhang, “Securing a wireless world,” Proc. IEEE, vol. 94, no. 2, pp. 442–454, Feb. 2006.
[15] A. A. Creery and E. J. Byres, “Industrial cybersecurity for a power system and SCADA networks—Be secure,” IEEE Ind. Appl. Mag., vol. 13, no. 4, pp. 49–55, Jul. 2007.
[16] P. Swaminathan, K. Padmanabhan, S. Ananthi, and R. Pradeep, “The secure field bus (SecFB) protocol—Network communication security for secure industrial process control,” in Proc. IEEE Region 10 Conf., 2006, pp. 1–4.
[17] R. A. Gupta and M.-Y. Chow, “Performance assessment and compensation for secure networked control systems,” in Proc. 34th IEEE Ind. Electron. Conf., 2008, pp. 2929–2934.
[18] H. Song, J. Lu, J. Lockwood, and J. Moscola, “Secure remote control of field-programmable network devices,” in Proc. 12th IEEE Symp. Field-Program. Custom Comput. Mach., 2004, pp. 334–335.
[19] J. Smit and G. P. Hancke, “The design and implementation of a general-purpose, secure, measurement and control network incorporating Internet-based access,” in Proc. 20th IEEE Instrum. Meas. Technol. Conf., 2003, vol. 2, pp. 1643–1647.
[20] Q. Zhang, C. H. Wu, and J. D. Irwin, “A coalition key-evolving signature scheme towards intrusion resilient mobile networks for industrial applications,” in Proc. 29th IEEE Ind. Electron. Conf., 2003, vol. 2, 2–6, pp. 1447–1452.
[21] Y. Xu, R. Song, L. Korba, L. H. Wang, W. M. Shen, and S. Lang, “Distributed device networks with security constraints,” IEEE Trans. Ind. Inf., vol. 1, no. 4, pp. 217–225, Nov. 2005.
[22] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd ed. New York: Wiley, 1996.
[23] S. Y. Wu, W. B. Li, and X. Y. Hu, “Study of digital signature with encryption based on combined symmetric key,” in Proc. Int. Conf. E-Bus. Inf. Syst.
Secur., 2009, pp. 1–4.

[24] M. McLoone and J. V. McCanny, “High-performance FPGA implementation of DES using a novel method for implementing the key schedule,” IEE Proc. -Circuits Devices Syst., vol. 150, no. 5, pp. 373–378, Oct. 2003. [25] K. Y. Yuan, J. Chen, G. P. Liu, and J. Sun, “Design and implementation of data encryption for networked control systems,” in Proc. IEEE Int. Conf. Syst. Man Cybern., 2009, pp. 2105–2109. [26] Embedded Crytographic Hardware: Methodologies and Architectures, N. Nedjah and L. de M. Mourelle, Eds., 1st ed. New York: Nova Science Publishers, 2004. [27] W. Stallings, Cryptography and Network Security: Principles and Practice, 4th ed. Englewood Cliffs, NJ: Pearson/Prentice-Hall, 2006. [28] X. Wang and H. Yu, “How to break MD5 and other Hash functions,” in Proc. Eurocrypt., 2005, vol. 3494, pp. 19–35. [29] G. P. Liu, J. X. Mu, D. Rees, and S. C. Chai, “Design and stability analysis of networked control systems with random communication time delay using the modified MPC,” Int. J. Control, vol. 79, no. 4, pp. 288–297, Apr. 2006. [30] W. S. Hu, G. P. Liu, and D. Rees, “Networked predictive control over the Internet using round-trip delay measurement,” IEEE Trans. Instru. Meas., vol. 57, no. 10, pp. 2231–2241, Oct. 2008. [31] S. H. Chai, G. P. Liu, D. Rees, and Y. Q. Xia, “Design and practical implementation of Internet-based predictive control of a servo system,” IEEE Trans. Control Syst. Technol., vol. 16, no. 1, pp. 158–168, Jan. 2008. [32] W. S. Hu, G. P. Liu, and D. Rees, “Event-driven networked predictive control,” IEEE Trans. Ind. Electron., vol. 54, no. 3, pp. 1603–1613, Jun. 2007. [33] J. Daafouz, P. Riedinger, and C. Iung, “Stability analysis and control synthesis for switched systems: A switched Lyapunov function approach,” IEEE Trans. Autom. Control, vol. 47, no. 11, pp. 1883–1887, Nov. 2002.