#### Abstract

With the integration of physical plant and network, cyber-physical systems (CPSs) are increasingly vulnerable due to their distributed and hierarchical framework. Stackelberg interdependent security game (SISG) is proposed for characterizing the interdependent security in CPSs, that is, the interactions between individual CPSs, which are selfish but nonmalicious with the payoff function being formulated from a cross-layer perspective. The pure-strategy equilibria for two-player symmetric SISG are firstly analyzed with the strategy gap between individual and social optimum being characterized, which is known as negative externalities. Then, the results are further extended to the asymmetric and -player SISG. At last, a numerical case of practical experiment platform is analyzed for determining the comprehensively optimal security configuration for administrator.

#### 1. Introduction

Cyber-physical systems (CPSs), where modern computing, communication, and control technologies are deeply integrated, have been widely applied in various infrastructures including smart grid, reliable medical devices, and process control [1]. Although CPS can yield enormous benefits for us, its distributed and hierarchical framework (as shown in Figure 1) leads to the exposure of a series of vulnerabilities, which can be directly exploited by external attacker or, in most scenarios, by the compromised neighbors. The corresponding accidents have been reported in various outlets [2–7] and interdependent security of CPS therefore needs urgently to be studied for preventing people’s life and property together with national security from being threatened. In this paper, we approach the interdependent security of CPS from a game-theoretic perspective since game theory has already been a mature tool for characterizing the interactions of strategic players.

##### 1.1. Former Studies

According to the former studies, we conclude two branches of recent research concerning interdependent security, that is, internally and externally interdependent security.

In most research, the internally interdependent security is also expressed as cross-layer security, cascading security, or resilient control which is mainly focused on making a tradeoff between cyber cost and physical control performance.

In the literature on cross-layer security of CPS, researchers have proposed several control-theoretic approaches [8–12].

Liu et al. [8] show how an attacker can manipulate the state estimation while avoiding bad-data alarms in the control center. Two security indices are further defined in [9] for quantifying the degree of difficulty of carrying out a successful stealth attack against particular measurements. In [10], by encrypting a certain number of measurement devices, a state estimator is protected from unobserved attacks. In [11], stealthy false-data attacks against the state estimators in power systems are studied. From the perspective of compromise in filter gain or controller gain, Elbsat and Yaz [12] firstly use finite time state-feedback stabilization for discrete-time nonlinear systems with conic-type nonlinearities, bounded feedback control gain perturbations, and additive disturbances.

As for cascading security and resilient control, in [13, 14], the authors consider a cyber-physical system consisting of mutually interdependent physical-resource and computational-resource networks, which is basically in accordance with the concept of a cross-layer framework. Cascading failure in such a system is then investigated, and a threshold on the proportion of faulty nodes that causes the system to collapse is obtained.

Yuan et al. [15] use a unified game approach for resilient control of networked control system (NCS) under Denial-of-Service (DoS) attack. The packet dropout caused by attacker is considered in cyber layer, while, in physical layer, optimal control strategies with multitasking and central tasking structure are developed using game theory. In [16], resilient stabilization of a Multihop Control Network (MCN) is considered as a codesign problem of controller and communication protocol. In physical layer, a MIMO LTI system is considered, and the necessary and sufficient conditions that invalidate controllability and observability are characterized. In cyber layer, how to detect and isolate the compromised nodes is discussed.

Nevertheless, as for external interdependence security of CPS, it is worth mentioning that there is surprisingly little work on this topic. To the best of our knowledge, the most related works to ours are [17–19].

In [17], the interdependent security of identical networked control systems is studied. The problem of how to make security investment for each individual system operator is formulated as a two-stage noncooperative game, in the first stage of which a security investment should be decided to make or not, while, in the second stage, an LQG problem is then resolved for minimizing the average operational cost.

In [18], the authors present an analytical model based on the Kunreuther and Heal game-theoretic model of the interdependent security problem, in order to study the deployment of security features and protocols in the subnets with different network topologies. In [19], the Kunreuther and Heal game-theoretic model of the interdependent security problem is extended by applying empirically based social network, while theft of knowledge is considered as the major threat due to its impact on both economic and national security.

##### 1.2. Contributions

Nevertheless, the static game proposed in [17] is against the practical scenario that once security choices are made, they are observable to all the players connected by the common network. In addition, the amount of defense resources implemented on each individual is ignored since all the individuals are assumed to be identical, and the corresponding action space of each individual merely includes two choices, “invest” or “not invest.” Furthermore, in [18, 19], the researchers only discuss the security investment of cyber layer without taking any physical effect into account.

It is noted that there exist papers and projects that take both cyber and physical aspects into consideration using methodologies other than game theory, such as switch system-based research [20–22] and state estimation-based research [8, 9]. However, these studies ignore the nature of rational cyber attackers and physical uncertainties. It is hard to capture the rational, intelligent, and uncertain dynamics of the distributed and hierarchical CPSs without game-theoretic methodology. Due to space limitations, we choose to go no further on detailed discussion. The studies [17–19] are analyzed since they all take a game-theoretic perspective, which is in accordance with the methodology of our paper.

The main contributions of this paper include the following.

(1) According to the practical scenario, a Stackelberg interdependent security game (SISG) is proposed for better capturing the interactions between individual CPSs sharing common network. Unlike the simultaneous moves in static game proposed in [17], the players would act in order.

(2) When formulating payoff function, we consider the internally interdependent security by taking factors of both cyber layer and physical layer into consideration. More specifically, in physical layer, an - optimal control problem is considered and control performance index is dependent on time-delay parameters which are determined by the cyber interactions. The security issues in cyber layer and optimal control problems in physical layer are then intertwined.

(3) The pure-strategy equilibria are analyzed for two-player symmetric SISG with the conditions under which these equilibria can take place being determined. Meanwhile, our results show that the individually optimal choices differ from socially optimal ones, which proves the existence of strategy gap and negative externalities. It indicates that the individual players tend to underinvest in security (relative to the social planner) due to the negative externalities introduced by common network.

(4) The result of two-player symmetric SISG is further extended to asymmetric and -player SISG. Specifically, we discuss the circumstance that the players are nonidentical, which we name as asymmetric SISG for distinguishing from the case that individuals are equipped with same defense resources and action space.

(5) A numerical case study of practical experiment platform is given, which indicates a possible way of solving interdependent security issues in practical engineering projects. It will help administrator make a comprehensively optimal configuration in distributed environment.

##### 1.3. Organization

The rest of this paper is organized as follows. In Section 2, SISG is introduced with cross-layer payoff function being defined. Moreover, the security interdependence reflected in payoff function is explained as well. In Sections 3 and 4, the pure-strategy equilibria for two-player symmetric SISG are firstly analyzed and the results are extended to asymmetric and -player SISG. The condition under which these equilibria can take place is given, and meanwhile both individual and social optima are explored, with the gap between them being clearly distinguished. A numerical case of practical experiment platform is analyzed in Section 5. Section 6 concludes this paper and introduces our future interests. The proofs of Theorems 3, 4, and 5 are supplied in Appendices A, B, and C, respectively.

#### 2. Problem Setting

##### 2.1. Stackelberg Interdependent Security Game

Firstly, the definition of interdependent security game is given as follows.

*Definition 1 (interdependent security game).* In an interdependent security game, the players are selfish but nonmalicious and are able to choose whether to invest in security or remain unprotected. Each player’s goal is to minimize his own risk, which depends on the investments of some or all of the other players, who also aim to minimize their own costs.

We firstly consider the situation that all the players (individual CPSs) are identical and the corresponding Stackelberg interdependent security game (SISG) is therefore called symmetric SISG. The extensive form representation of two-player and -player symmetric SISG is as shown in Figures 2 and 3, respectively.

In two-player symmetric SISG as described in Figure 2, leader chooses to invest or not invest in security at first, and then follower makes an optimal response for minimizing his own payoff. In -player SISG as described in Figure 3, the players other than , who are assumed to act simultaneously, are regarded as leader. denotes the strategy of leader with representing the number of insecure individuals, that is, the players who do not make a security investment. Furthermore, is the total number of players. After the strategy of , , being determined, the follower, , chooses an optimal strategy for minimizing his own payoff. Based on Figures 2 and 3, it would be easy to extend the symmetric SISG to the situation that the amount of defense investment choices of all the players is more than two.

It is noted that, in the symmetric SISG given by Figures 2 and 3, all of the players (individual CPSs) are supposed to be identical. The action space defined for each CPS is the same and includes “invest” or “not invest” with the different defense resources implemented on each CPS being ignored. In practical security scenarios such as Stuxnet worm [2], Flame virus [4], and Water Plant Breach [5], the rational attackers are always familiar with the fingerprint characteristic of CPS, which indicates that they are capable of accurately parsing the command message and find the target devices even in the complicated hierarchical and distributed framework. Naturally, it is supposed that different attack strategy would be implemented for different target devices and thus each CPS is faced with different types of cyber attacks. Under this circumstance, the players (individual CPSs) of SISG should be considered as nonidentical.

The extensive form representations of asymmetric SISG for two-player and -player are given in Figures 4 and 5, respectively, where different types of defense investment are considered for each player. In Figure 4, and represent different types of defense investment of each player. In Figure 5, () indicates that the defense investment implemented by the th leader is .

Based on Figures 4 and 5, it is easy to extend the situations to more complicated ones, such as the situation that amount of defense investment choices of each player is more than two.

##### 2.2. Cross-Layer Payoff Function

For better characterizing the SISG, we formulate payoff function from a cross-layer perspective, that is, taking factors of both cyber layer and physical layer into consideration.

Each individual CPS is viewed as a player , where is the set of all players. Each player aims to minimize his own overall payoff for maintaining a relatively higher security level and better control performance.

In cyber layer, is able to decide whether to invest in security or not and is denoted as the security choice made by ,

The security choices made by all players can therefore be denoted as , and thus the cyber layer cost of is given by

The physical plant of each individual CPS is described by discrete-time model, which is assumed to be in the form as follows:

where is the system state, is the control input, is the controlled output, is the disturbance input belonging to , , , , and are known real matrices with appropriate dimensions.

The randomly varying communication delays are described by

where is the measured output and is the actual output. is the control signal generated by the controller and is the signal received by the actuator. and are both communication delays.

In practical engineering scenario, such as controlling the PWM inverter for an uninterrupted power system (UPS) through network, the output AC voltage data measured by sensor and then collected by PLC corresponds to , while the actual output AC voltage corresponds to . is the control command for the PWM inverter, while is the control signal received by the PWM inverter. (resp., ) can be interpreted as the communication delay on sensor-to-controller (resp., controller-to-actuator) channel as shown in Figure 6.

The stochastic variable is considered as Bernoulli distributed white sequence with

According to (4), it is noted that when (resp., ), (resp., ) indicates that the last sensor command is not received (or received) by the controller at , and when (resp., ), (resp., ) indicates that the last control command is not received (or received) by the actuator at . The influence that time-delay attacker exerts on system control can therefore be embodied by packet losses happened in the last step.

More specifically, taking typical time-delay attack, DoS attacks, into consideration, we can view both and as intensity-of-attack (IoA) on S-C and C-A communication channel, respectively. According to Xu et al. [23], DoS attacks can degrade the channel quality which leads to the packet losses and thus lowers package delivery rate (PDR). The corresponding -optimal control problem under DoS attacks should be able to address the issue of packet losses which is also common in traditional network control system (NCS) [24, 25].

Here we use the dynamic observer-based control scheme [26] for the system described by (3):

where is the estimated state, is the observer output, is the control signal generated by the controller, is the signal received by the actuator, and and are the observer gain and controller gain, respectively. The stochastic variable , mutually independent of , is also a Bernoulli distributed white sequence with expected value .

The parameters in physical layer, and , are defined as and for depicting the internally interdependent security, since communication delay in physical layer is influenced by the cyber interactions. Once and are determined, the -optimal controller can then be designed. If the initial condition is zero, the index satisfies inequality (7) and can be obtained through applying Theorem proposed in [26].

The physical layer cost in this paper is denoted as which is the minimum of index that satisfies inequality (8). It is noted that the aim of designing an -optimal controller is to minimize the closed-loop impact of a perturbation. For the attenuation rate of controlled output under the impact of disturbance input , optimal index, , represents and quantifies the control performance of physical plant. The lower the value of is, the better the control performance physical plant is. In addition, for reflecting the influence of cyber security investment, we further refine the expression of by

The cyber layer cost depends on the security choice made by players. Since denotes the security choice made by player , the cyber layer cost of can therefore be given as , where represents the cost of cyber countermeasure adopted and therefore quantifies the cyber security investment. For example, if the cyber layer is equipped with SCADA or IDS, can be further interpreted as the computing resource occupancy ratio of a specific packet filtering policy. When chooses to invest in security, the cyber layer cost would be ; otherwise it would be 0.

The overall payoff function of each individual player can therefore be obtained as (10). The security issues in cyber layer and optimal control problems in physical layer are intertwined, and the payoff of each individual is therefore formulated from a more comprehensive and accurate perspective.

We then show how to build payoff matrix for SISG. Take the two-player and -player symmetric SISG introduced in Figures 2 and 3 as instance, the strategic form representation of which is given as shown in Tables 1 and 2, respectively.

In Table 1, subscripts and indicate the leader and follower; for example, denotes that follower chooses to invest in security. In addition, since follower has two information sets and two available actions, four pure strategies for follower including , , , and can be implemented. indicates the response strategy that no matter what action leader takes, he will always choose to invest in security. In addition, the upper (resp., lower) one is the payoff function of leader (resp., follower), that is, (resp., ).

In Table 2, pure strategies for follower are listed. In addition, it is noted that although there actually exists pure strategies, implementing pure strategy has the same result with that of applying . For the convenience of denotation and analysis, only situations are listed. It is easy for us to extend the result to asymmetric situation according to Tables 1 and 2.

##### 2.3. Security Interdependence

Let each individual CPS be subjected to time-delay attacks (such as DoS, DDoS). The communication delays and for are then modeled as follows:

where indicates the number of players (excluding ) who do not invest in security. is the discount parameter and is assumed as a strictly increasing function with maximum and minimum being set as and , where is the total number of players. Thus, reflects the indirect influence that insecure individual CPS has on via common network.

In (11), the first term reflects the direct delays caused by ’s decision on security investment, while the second one indicates the indirect delays from common network, which are caused by other insecure individuals.

*Remark 2.* Two reasonable explanations as follows indicate the soundness of (11) with respect to and .

(1) If makes a security investment against time-delay attack, part of delays can then be eliminated due to the unwillingness of rational attacker. However, it still cannot avoid the delays from common communication network caused by other individuals under attack, which corresponds to our definition in (11) that when , both and merely depend on the number of other insecure individuals.

(2) If one individual CPS invests in security, the overall security level of distributed CPS will therefore increase, which indicates that, with a higher number of secure individual CPSs, rational attackers will be less willing to implement time-delay attack, and then the expected value of stochastic delays will be relatively lower with both better security levels in cyber layer and control performance being obtained by each individual CPS. This is also reflected by (11), since for , when , both and will decrease, and meanwhile for , reduces with the decrement of the number of insecure individuals, .

#### 3. Pure-Strategy Equilibria Analysis for Two-Player SISG

As the SISG we describe is game of complete information, pure-strategy equilibria always exist, and the pure-strategy equilibria for both two-player symmetric and asymmetric SISG are analyzed in this section, while that of -player SISG will also be discussed for both symmetric and asymmetric situation in the next section.

##### 3.1. Pure-Strategy Equilibria for Two-Player Symmetric SISG

Theorem 3. *In two-player symmetric SISG, pure-strategy subgame perfect Nash equilibria (SPNE) will always exist and are symmetric. Depending on different value of ,*(1)*when , the SPNE is*(2)*when , the SPNE is**where , , and .*

In addition, we further explore the preference of administrator (social planner) seeking for social optimum, that is, minimizing overall payoff of the distributed CPSs. Since three SPNE are possibly reached, we derive social payoff under each strategy pair, as shown in Table 3.

Since is equal to , we firstly derive three critical points, , , and , at which we have , , and . According to Theorem 3, two situations for social optimum are discussed.

(1) When is satisfied, we have , and the socially optimum choices are as shown in Table 4. The relationship between socially and individually optimal choices is directly reflected in Figure 7, through which the strategic gap is clearly distinguished. It is noted that, in Figure 7(a), , while, in Figure 7(b), .

(2) When is satisfied, we have , and socially, individually optimal choices and their relationship are also as shown in Table 4 and Figure 7. It is noted that, in Figure 7(c), , while, in Figure 7(d), .
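The leader-follower reasoning and the comparison with the social planner described in this section can be traced with a small backward-induction solver. This is an added example, not code from the paper: the physical-layer cost table and all function names are constructed assumptions, and the thresholds it produces belong to those constructed numbers, not to Theorem 3.

```python
"""Backward induction for a two-player symmetric invest / not-invest
Stackelberg game with a cross-layer payoff (physical cost + cyber cost)."""

INVEST, SKIP = 1, 0
ACTIONS = (INVEST, SKIP)  # INVEST is listed first, so exact ties resolve to investing

# Constructed physical-layer costs (assumption, not the paper's measurements),
# keyed by (own action, number of insecure *other* players). The cost falls
# when the player invests and rises with every insecure neighbour on the
# common network, which is the interdependence the payoff is meant to capture.
PHYSICAL_COST = {
    (INVEST, 0): 0.20,
    (INVEST, 1): 0.30,
    (SKIP, 0): 0.32,
    (SKIP, 1): 0.38,
}


def payoff(own, other, cyber_cost):
    """Overall cost of one player: physical-layer cost plus cyber-layer cost."""
    insecure_others = 1 - other
    return PHYSICAL_COST[(own, insecure_others)] + cyber_cost * own


def follower_best_response(leader_action, cyber_cost):
    """Follower observes the leader's choice and minimizes his own cost."""
    return min(ACTIONS, key=lambda a: payoff(a, leader_action, cyber_cost))


def solve_spne(cyber_cost):
    """Return (leader action, follower plan).

    The plan maps each leader action to the follower's reply, i.e. one of
    the follower's four pure strategies (one entry per information set).
    """
    plan = {a: follower_best_response(a, cyber_cost) for a in ACTIONS}
    leader = min(ACTIONS, key=lambda a: payoff(a, plan[a], cyber_cost))
    return leader, plan


def equilibrium_outcome(cyber_cost):
    """Actions actually played on the equilibrium path: (leader, follower)."""
    leader, plan = solve_spne(cyber_cost)
    return leader, plan[leader]


def social_optimum(cyber_cost):
    """Profile a social planner would pick: minimum of the summed costs."""
    profiles = [(INVEST, INVEST), (INVEST, SKIP), (SKIP, INVEST), (SKIP, SKIP)]
    return min(
        profiles,
        key=lambda p: payoff(p[0], p[1], cyber_cost) + payoff(p[1], p[0], cyber_cost),
    )


def strategy_gap(cyber_cost):
    """True when the individually optimal outcome differs from the social one."""
    return equilibrium_outcome(cyber_cost) != social_optimum(cyber_cost)


def sweep(cyber_costs):
    """Tabulate equilibrium outcome, social optimum and gap for each cost."""
    return [
        (c, equilibrium_outcome(c), social_optimum(c), strategy_gap(c))
        for c in cyber_costs
    ]


if __name__ == "__main__":
    label = {INVEST: "invest", SKIP: "skip"}
    for c, eq, so, gap in sweep([i / 100 for i in range(1, 26, 4)]):
        print(
            f"cyber cost {c:.2f}: "
            f"SPNE ({label[eq[0]]}, {label[eq[1]]})  "
            f"social ({label[so[0]]}, {label[so[1]]})  "
            f"{'GAP (underinvestment)' if gap else 'coincide'}"
        )
```

With these constructed costs there is a band of cyber costs in which both players skip the investment although the planner would have both invest, which is the underinvestment caused by negative externalities.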

##### 3.2. Pure-Strategy Equilibria for Two-Player Asymmetric SISG

We then further analyze the pure-strategy equilibria for two-player asymmetric SISG as given in Figure 4. Similar to building the game matrix for two-player symmetric SISG, the strategic form representation of two-player asymmetric SISG is given in Table 5 where and are different types of security investment, the cost of which is and , respectively.

The following theorem concerning equilibria of two-player asymmetric SISG is put forward for obtaining the individually optimal choice, which is given in the form of the solution of SPNE.

Theorem 4. *In two-player asymmetric SISG, pure-strategy subgame perfect Nash equilibria (SPNE) will always exist. Depending on different value of ,*(1)*when , the SPNE is *(2)*when , the SPNE is**where , , , , , and .*

The conclusions made in Theorem 4 can be vividly reflected in the form of two-dimension figures as shown in Figures 8 and 9 where we can clearly distinguish the different SPNE with corresponding conditions.

The optimal choices for social planner in two-player asymmetric SISG are further explored. We derive social payoff under each strategy pair, as shown in Table 6.

According to Theorem 4, two situations are discussed.

(1) When is satisfied, the socially optimum choices are as shown in Table 7. The relationship between socially and individually optimal choices is directly reflected in Figure 10 where the coincident strategy area is highlighted by red blocks and the rest area denotes the strategy gap between individual and social players.

(2) When is satisfied, the socially optimum choices are as shown in Table 8. The relationship between socially and individually optimal choices is directly reflected in Figure 11 where the coincident strategy area is highlighted by red blocks and the rest area denotes the strategy gap between individual and social players.

#### 4. Pure-Strategy Equilibria Analysis for -Player SISG

In this section, we show how to extend the theorems concerning pure-strategy equilibria to the situation of -player SISG. Firstly, in the -player () symmetric SISG, the SPNE is proved to exist with the corresponding analytical solutions being obtained. Moreover, the socially optimal choices are discussed, and at last the relationship between socially and individually optimal choices is studied with the strategy gap being characterized. According to Figure 5, the theorem concerning -player symmetric SISG can be easily extended to the asymmetric.

Thus, we consider -player () symmetric SISG that all the players excluding act simultaneously, and then according to the strategy chosen by , decides his own optimal strategy.

is used for denoting the number of insecure players excluding , while characterizes the strategy of .

Theorem 5. *In -player SISG, a pure-strategy subgame perfect Nash equilibrium (SPNE) will always exist. Depending on different value of ,*(1)*when , the SPNE is*(2)*when , the SPNE is **where , , , and , .*

We then further discuss the socially optimal choices for -player symmetric SISG. The payoff function of administrator is denoted in (18). Analogous to the analysis of individually optimal choice, two situations are considered.

where is the total number of players making investment in security.

*Situation 1.* One has .

*Case 1.* One has , .

In accordance with inequality (19), is the minimum of social cost, and thus is the optimal choice for administrator if .

*Case 2.* One has , .

In Case 2, is an increasing (resp., decreasing) function when (resp., ) with the minimum being determined as (resp., ). By comparing the value of , , and under different magnitude of , the socially minimal cost is derived as follows: where and .

*Case 3.* One has , .

According to inequality (21), (resp., ) is the minimal cost when (resp., ). When , both and are socially minimal cost.

*Situation 2.* One has .

*Case 1.* One has , .

Similar to Case 3 of Situation , (resp., ) is the minimal cost when (resp., ). When , both and are socially minimal cost.

*Case 2.* One has , .

In Case 2, is an increasing (resp., decreasing) function when (resp., ) with the minimum being determined as (resp., ). According to (22), (resp., ) is the minimum when (resp., ). When , both and are socially minimal cost.

*Case 3.* One has , .

According to inequality (19), is the socially minimal cost when . Both and are the minimum of cost when .

The relationship between socially and individually optimal choices in -player SISG is characterized in Figure 12, where Figure 12(a) is for Situation , while Figure 12(b) is for Situation .

In the conflict area as denoted in Figures 7, 10, 11, and 12, we can clearly distinguish that the individually optimal choices differ from socially optimal ones, and the tendency of individual player’s underinvestment reflects the existence of negative externalities and is in accordance with the strategy gap between individual and social players proposed in [27].

#### 5. Numerical Case Studies

In this section, we refer to the simulation example given in [28, 29] and then build our experimental platform for numerical case studies. The distributed and hierarchical framework of our experiment platform is shown in Figure 13, and more details of the plant devices are provided in Figure 14. In both Figures 13 and 14, two individual CPSs can be clearly distinguished, each consisting of an engineer station as the cyber component and an inverter together with a motor as the physical component.

The objective of the administrator in the chief engineer station is to choose a coincident and optimal defense strategy (configuration of security countermeasures) for individual player and social planner under external attacks. The man-in-the-middle (MIM) attack is considered, and meanwhile encryption algorithms including AES and DES are regarded as security countermeasures.

Due to its high threats and low possibility of being detected, MIM attack against time synchronization is considered. Once the vulnerability of time synchronization protocol is exploited by MIM attacker, the main-clock device will be completely spoofed while the slave-clock devices will be fully manipulated. The attacker is capable of mastering the real-time clock of slave-clock devices by sending bogus command messages without being detected by main-clock device. In our case, when CPS is compromised by MIM attacker, all the devices will then be synchronized by attacker with S-C delay, , and C-A delay, , being manipulated. For more details about man-in-the-middle (MIM) attack against time synchronization, the reader can refer to [30].

The experiment is carried out according to the following procedures.

*Step 1 (determination of security configuration).* The security configuration is determined by chief engineer station acting as a social planner, according to which each individual CPS is equipped with a certain security countermeasure, AES or DES.

*Step 2 (introduction of MIM attack).* MIM attack launched by external host computers is introduced into CPSs via common network. The victimized devices will be tricked into accepting synchronization command messages with false timestamps and then lose synchronization with the other devices in the same network. The delays in physical plant are therefore produced by this loss of synchronization.

*Step 3 (realization of -optimal control under MIM attack and quantification of cyber cost).* PLC together with individual engineer station equipped with security countermeasure will deal with the control problems under MIM attack by sending control command messages to plant devices, inverter, and motor. In addition, the individual engineer station is realized as an embedded platform (ATM91SAM9XE512QU, MCU 32 bits, 180 MHz) for running the encryption process and quantifying the cost of security countermeasure in cyber layer. It is noted that we refer to [31–33] for realizing -optimal control through PLC and meanwhile the feedback macrocycle time of motors in physical plant is set to be 5 seconds.

We quantify the value of for each defense strategy based on the test data for executing time of encrypting/decrypting sensor or control command of plaintext as shown in Table 9, since the longer time that MCU spends on encryption, the more computational resources of defender will be occupied and thus the more cost defender should pay.

The mapping function for and is defined as , where is the weighing parameter and given as 0.1 in our case. In addition, we consider the situation that the length of both sensor and control command is configured as 1040 and thus and are obtained as 0.0411 and 0.0589, respectively.

*Step 4 (quantification of physical cost).* The data of output AC voltage returned from inverter is used for quantifying the performance of controlled plant.

*Step 5 (repeated experiments with different security configuration).* Different security configuration is implemented by chief engineer station and the corresponding overall cost in physical layer and cyber layer can be obtained similarly through Steps 1–4.

Since the feedback macrocycle time of physical signal is 5 seconds and meanwhile the maximum of encryption executing time in the closed-loop communication channel is 1.24 seconds, there is enough time left for the individuals' security decision-making and for processing the -optimal control algorithm. Additionally, the bandwidth in our case is 1 Gbps and thus the delays on communication channel are microsecond level or even nanosecond level. As a consequence, the feasibility and performance of proposed algorithm are ensured.

The discrete-time model at half-load operating point can be found in [28, 29]:

As being manipulated by MIM attacker, S-C delay and C-A delay of CPS equipped with either AES or DES are given by the same matrix and the corresponding cost in physical layer under different cyber strategy pairs is obtained as follows:

We will then have . According to Theorem 3, when and (resp., ) are satisfied, the SPNE would be (resp., ) as listed in Table 10.

Furthermore, in accordance with the analysis in Section 3.2, the socially optimal choices for different magnitude of are obtained in Table 11 with , , and being computed as 0.0826, 0.0568, and 0.0697, respectively. Additionally, the magnitude of for each encryption algorithm ( for AES, for DES) is quantified based on the test of occupying rate of the hardware resource, with and being determined as 0.0391 and 0.061, respectively.

The relationship between socially and individually optimal choices can then be depicted in Figure 15, where we can clearly distinguish the coincident and conflict area and meanwhile recognize the fact that, by setting the security configuration of applying AES on each individual CPS, the social planner can achieve both individual and social optimum. As a consequence, in this case, the security configuration of both individuals being equipped with AES is optimal.

It is easy to extend our example to -player situation following the theorem we propose in Section 4, and there would be boundaries in Figure 15 for distinguishing the gap between individually and socially optimal choices under different value of .

#### 6. Concluding Remarks

In this article, we explore the interdependent security of CPS with distributed and hierarchical framework. SISG is proposed for characterizing the interactions between individual CPSs, which are selfish but nonmalicious, and meanwhile the payoff function is formulated from a cross-layer perspective. The pure-strategy equilibria for two-player symmetric SISG are firstly analyzed with the strategy gap between individual and social optimum being distinguished. The result is further extended to asymmetric and -player SISG. At last, a numerical case study is analyzed by applying the proposed theorems in order to obtain the comprehensively optimal security decision for administrator.

As future work, we are interested in investigating the game with incomplete information due to the fact that the information on common network might not be fully trustable and cannot accurately reflect the actual security choices of other players either. Since we have already discussed the different cyber cost function, another interesting extension of our work would be to consider the CPSs of different physical plants where more types of control model (such as time-delay system, stochastic system) would be taken into account. In addition, when applying the proposed theorems in solving the practical security decision-making problems in -player scenarios, the state space explosion problem caused by the geometric increase of payoff matrix dimension will complicate the analysis and corresponding results, and it would be further discussed in our following work.

#### Appendix

#### A. Proof of Theorem 3

In the second stage of SISG described in Figure 2, there are two subgames, and the follower has four pure strategies, , , , and . According to the payoff function given in Table 1, the following four inequalities and two equations can be derived for determining the optimal strategy for the individual player.

We then discuss existence of SPNE in the following situations.

*Situation 1*. When inequalities (A.1) and (A.4) are satisfied, optimal strategy for the follower would be , which is denoted as red branch in Figure 16(a); that is, in both subgames 1 and 2, not investing in security would be the optimal choice for follower. For leader, two possible gaming paths, and , can then be procured, in which the payoff of leader is and , respectively. Since inequality (A.4) is satisfied and is equal to , we will have

Hence, is proved to be the optimal path (as denoted in Figure 16(b)) and also SPNE in Situation , if inequality (A.7) is satisfied. Then inequality (A.8) is obtained.

*Situation 2*. When inequalities (A.1) and (A.6) are satisfied, optimal strategy for the follower would be . Analogous to the analysis of Situation , two possible gaming paths for leader are and , in which the payoff of leader is and . Since is equal to , we will have

Hence, is proved to be the optimal path and also SPNE in Situation , if inequality (A.10) is satisfied.

*Situation 3*. When inequalities (A.3) and (A.4) are satisfied, optimal strategy for the follower would be . Analogous to the analysis of Situation , two possible gaming paths for leader are and , in which the payoff of leader is and . According to and inequalities (A.3) and (A.4), we will have

Hence, is proved to be the optimal path and also SPNE in Situation , if inequality (A.12) is satisfied.

*Situation 4*. When inequalities (A.3) and (A.6) are satisfied, optimal strategy for the follower would be . Analogous to the analysis of Situation , two possible gaming paths for leader are and , in which the payoff of leader is and . According to inequalities (A.3) and (A.4), we then have

Hence, is proved to be the optimal path and also SPNE in Situation , if inequality (A.14) is satisfied.

*Situation 5*. When (A.2) or (A.5) is satisfied, two cases are discussed.

*Case 1* (). In this case, when (A.2) is satisfied, we have . For follower, both and are optimal pure strategies since and are satisfied. Furthermore, for leader, is satisfied. is therefore obtained as SPNE.

When (A.5) is satisfied, we have . For follower, both and are optimal pure strategies. Furthermore, for leader, is satisfied. and are then obtained as SPNE.

*Case 2* (). In this case, when (A.2) is satisfied, we have . For follower, both and are optimal pure strategies, while, for leader, and are both satisfied. Thus, is obtained as SPNE.

When (A.5) is satisfied, we have . For follower, both and are optimal pure strategies, while, for leader, is satisfied. Thus, is obtained as SPNE.
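The backward induction that this proof walks through, together with the comparison against the social optimum drawn in the case study, can be run on a small two-player game; this is an added example and not the paper's code. The cost tables are constructed stand-ins for Table 1, and the action labels `N`/`S`, the cyber cost `c`, and all function names are assumptions.

```python
from itertools import product

ACTIONS = ("N", "S")   # N = do not invest in security, S = invest (labels assumed)
EPS = 1e-9             # tolerance so boundary (indifference) cases are kept as ties

# Constructed physical cost of one player: PHYS[(own action, neighbour's action)].
PHYS = {("N", "N"): 0.10, ("N", "S"): 0.07, ("S", "N"): 0.06, ("S", "S"): 0.02}

def costs(c):
    """Cross-layer cost tables keyed by (leader action, follower action);
    c is the constructed cyber cost paid by a player who invests."""
    pairs = list(product(ACTIONS, repeat=2))
    leader = {(l, f): PHYS[(l, f)] + c * (l == "S") for l, f in pairs}
    follower = {(l, f): PHYS[(f, l)] + c * (f == "S") for l, f in pairs}
    return leader, follower

def argmin(table):
    """All keys whose cost is within EPS of the minimum (ties are returned)."""
    best = min(table.values())
    return [k for k, v in table.items() if v - best < EPS]

def spne(leader, follower):
    """Backward induction. Returns (leader action, follower plan) pairs, where the
    plan is (reply in the subgame after N, reply in the subgame after S)."""
    replies = {l: argmin({f: follower[(l, f)] for f in ACTIONS}) for l in ACTIONS}
    found = []
    for plan in product(replies["N"], replies["S"]):   # one of the four pure plans
        reply = dict(zip(ACTIONS, plan))
        for l in argmin({a: leader[(a, reply[a])] for a in ACTIONS}):
            found.append((l, plan))
    return found

def outcomes(leader, follower):
    """Realised (leader, follower) action pairs on the equilibrium paths."""
    return sorted({(l, plan[ACTIONS.index(l)]) for l, plan in spne(leader, follower)})

def social_optimum(leader, follower):
    """Action pairs minimising the sum of both players' costs."""
    return argmin({p: leader[p] + follower[p] for p in leader})

if __name__ == "__main__":
    for c in (0.040, 0.045, 0.055):   # boundary, coincident, and conflicting cases
        tables = costs(c)
        print(c, spne(*tables), outcomes(*tables), social_optimum(*tables))
```

With these constructed numbers, `c = 0.040` puts the follower on an indifference boundary and yields two equilibria with the same realised path, while `c = 0.055` gives an equilibrium in which nobody invests although joint investment minimises the total cost.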

#### B. Proof of Theorem 4

Similar to the proof line of symmetric SISG, different situations will be discussed separately based on inequalities (B.1), (B.3), (B.4), and (B.6) and equations (B.2) and (B.5) in order to determine the SPNE.

*Situation 1*. When inequalities (B.1) and (B.4) are satisfied, optimal strategy for the follower would be , which is denoted as red branch in Figure 17; that is, in both subgames 1 and 2, not investing in security would be the optimal choice for follower. As for leader, two possible gaming paths, and , can then be procured, in which the payoff of leader is and , respectively. The value of determines the optimal choice of the leader. When (resp., ), the optimal path for leader would be (resp., ), and thus the SPNE will be obtained as (resp., ), which is as shown in Figure 17(b) (resp., Figure 17(c)).

The result can be extended to the situation that inequalities (B.1) and (B.6), inequalities (B.3) and (B.4), and (B.3) and (B.6) are satisfied.

Then we discuss the boundary of game, that is, when (B.2) or (B.3) is satisfied.

*Situation 2*. When (B.2) is satisfied, and the following two cases will be considered.

*Case 1* (). In this case, there exist three possible optimal paths for leader, , , and , the leader’s cost of which is , , and