Research Article | Open Access
Stackelberg Interdependent Security Game in Distributed and Hierarchical Cyber-Physical Systems
With the integration of physical plant and network, cyber-physical systems (CPSs) are increasingly vulnerable due to their distributed and hierarchical framework. Stackelberg interdependent security game (SISG) is proposed for characterizing the interdependent security in CPSs, that is, the interactions between individual CPSs, which are selfish but nonmalicious with the payoff function being formulated from a cross-layer perspective. The pure-strategy equilibria for two-player symmetric SISG are firstly analyzed with the strategy gap between individual and social optimum being characterized, which is known as negative externalities. Then, the results are further extended to the asymmetric and -player SISG. At last, a numerical case of practical experiment platform is analyzed for determining the comprehensively optimal security configuration for administrator.
Cyber-physical systems (CPSs), where modern computing, communication, and control technologies are deeply integrated, have been widely applied in various infrastructures including smart grid, reliable medical devices, and process control . Although CPSs can yield enormous benefits, their distributed and hierarchical framework (as shown in Figure 1) exposes a series of vulnerabilities, which can be directly exploited by an external attacker or, in most scenarios, by compromised neighbors. The corresponding accidents have been reported in various outlets [2–7], and the interdependent security of CPSs therefore urgently needs to be studied to prevent people’s lives and property, together with national security, from being threatened. In this paper, we approach the interdependent security of CPSs from a game-theoretic perspective, since game theory is already a mature tool for characterizing the interactions of strategic players.
1.1. Former Studies
From the former studies, we identify two branches of recent research concerning interdependent security, that is, internally and externally interdependent security.
In most research, the internally interdependent security is also expressed as cross-layer security, cascading security, or resilient control which is mainly focused on making a tradeoff between cyber cost and physical control performance.
Liu et al.  show how an attacker can manipulate the state estimation while avoiding bad-data alarms in the control center. Two security indices are further defined in  for quantifying the degree of difficulty of carrying out a successful stealth attack against particular measurements. In , by encrypting a certain number of measurement devices, a state estimator is protected from unobserved attacks. In , stealthy false-data attacks against the state estimators in power systems are studied. From the perspective of compromise in filter gain or controller gain, Elbsat and Yaz  firstly use finite time state-feedback stabilization for discrete-time nonlinear systems with conic-type nonlinearities, bounded feedback control gain perturbations, and additive disturbances.
As for cascading security and resilient control, in [13, 14], the authors consider a cyber-physical system consisting of mutually interdependent physical-resource and computational-resource networks, which is basically in accordance with the concept of a cross-layer framework. The issue of cascading failure occurring in such a system is then investigated, and a threshold on the proportion of faulty nodes is obtained for the collapse of the system.
Yuan et al.  use a unified game approach for resilient control of networked control system (NCS) under Denial-of-Service (DoS) attack. The packet dropout caused by attacker is considered in cyber layer, while, in physical layer, optimal control strategies with multitasking and central tasking structure are developed using game theory. In , resilient stabilization of a Multihop Control Network (MCN) is considered as a codesign problem of controller and communication protocol. In physical layer, a MIMO LTI system is considered, and the necessary and sufficient conditions that invalidate controllability and observability are characterized. In cyber layer, how to detect and isolate the compromised nodes is discussed.
Nevertheless, as for external interdependence security of CPS, it is worth mentioning that there is surprisingly little work on this topic. To the best of our knowledge, the most related works to ours are [17–19].
In , the interdependent security of identical networked control systems is studied. The problem of how to make security investment for each individual system operator is formulated as a two-stage noncooperative game, in the first stage of which a security investment should be decided to make or not, while, in the second stage, an LQG problem is then resolved for minimizing the average operational cost.
In , the authors present an analytical model based on the Kunreuther and Heal game-theoretic model of the interdependent security problem, in order to study the deployment of security features and protocols in the subnets with different network topologies. In , the Kunreuther and Heal game-theoretic model of the interdependent security problem is extended by applying empirically based social network, while theft of knowledge is considered as the major threat due to its impact on both economic and national security.
Nevertheless, the static game proposed in  is against the practical scenario that once security choices are made, they are observable to all the players connected by the common network. In addition, the amount of defense resources implemented on each individual is ignored since all the individuals are assumed to be identical, and the corresponding action space of each individual merely includes two choices, “invest” or “not invest.” Furthermore, in [18, 19], the researchers only discuss the security investment of cyber layer without taking any physical effect into account.
It is noted that there exist the papers and projects containing approaches of taking both cyber and physical aspects into consideration based on the methodology other than game theory, such as switch system-based research [20–22] and state estimation-based research [8, 9]. However, in these researches, the nature of rational cyber attackers and physical uncertainties is ignored. It is hard to capture the rational, intelligent, and uncertain dynamics of the distributed and hierarchical CPSs without game-theoretic methodology. Due to space limitations, we choose to go no further on detailed discussion. The researches [17–19] are analyzed since they are all studied from a game-theoretic perspective which is in accordance with the methodology of our paper.
The main contributions of this paper include the following.
(1) According to the practical scenario, a Stackelberg interdependent security game (SISG) is proposed for better capturing the interactions between individual CPSs sharing common network. Unlike the simultaneous moves in static game proposed in , the players would act in order.
(2) When formulating payoff function, we consider the internally interdependent security by taking factors of both cyber layer and physical layer into consideration. More specifically, in physical layer, an - optimal control problem is considered and control performance index is dependent on time-delay parameters which are determined by the cyber interactions. The security issues in cyber layer and optimal control problems in physical layer are then intertwined.
(3) The pure-strategy equilibria are analyzed for two-player symmetric SISG with the conditions under which these equilibria can take place being determined. Meanwhile, our results show that the individually optimal choices differ from socially optimal ones, which prove the existence of strategy gap and negative externalities. It indicates that the individual players tend to underinvest in security (relative to the social planner) due to the negative externalities introduced by common network.
(4) The result of two-player symmetric SISG is further extended to asymmetric and -player SISG. Specifically, we discuss the circumstance that the players are nonidentical, which we name as asymmetric SISG for distinguishing from the case that individuals are equipped with same defense resources and action space.
(5) A numerical case study of practical experiment platform is given, which indicates a possible way of solving interdependent security issues in practical engineering projects. It will help administrator make a comprehensively optimal configuration in distributed environment.
The rest of this paper is organized as follows. In Section 2, SISG is introduced and the cross-layer payoff function is defined. The security interdependence reflected in the payoff function is explained as well. In Sections 3 and 4, the pure-strategy equilibria for two-player symmetric SISG are first analyzed, and the results are extended to asymmetric and -player SISG. The conditions under which these equilibria can take place are given, and both individual and social optima are explored, with the gap between them being clearly distinguished. A numerical case of a practical experiment platform is analyzed in Section 5. Section 6 concludes this paper and introduces our future interests. The proofs of Theorems 3, 4, and 5 are supplied in Appendices A, B, and C, respectively.
2. Problem Setting
2.1. Stackelberg Interdependent Security Game
Firstly, the definition of interdependent security game is given as follows.
Definition 1 (interdependent security game). In an interdependent security game, the players are selfish but nonmalicious and are able to choose whether to invest in security or remain unprotected. Each player’s goal is to minimize his own risk, which depends on the investments of some or every other players who also aim to minimize their own costs.
We firstly consider the situation that all the players (individual CPSs) are identical and the corresponding Stackelberg interdependent security game (SISG) is therefore called symmetric SISG. The extensive form representation of two-player and -player symmetric SISG is as shown in Figures 2 and 3, respectively.
In two-player symmetric SISG as described in Figure 2, leader chooses to invest or not invest in security at first, and then follower makes an optimal response for minimizing his own payoff. In -player SISG as described in Figure 3, the players other than , who are assumed to act simultaneously, are regarded as leader. denotes the strategy of leader with representing the number of insecure individuals, that is, the players who do not make a security investment. Furthermore, is the total number of players. After the strategy of , , being determined, the follower, , chooses an optimal strategy for minimizing his own payoff. Based on Figures 2 and 3, it would be easy to extend the symmetric SISG to the situation that the amount of defense investment choices of all the players is more than two.
It is noted that, in the symmetric SISG given by Figures 2 and 3, all of the players (individual CPSs) are supposed to be identical. The action space defined for each CPS is the same and includes “invest” or “not invest” with the different defense resources implemented on each CPS being ignored. In practical security scenarios such as Stuxnet worm , Flame virus , and Water Plant Breach , the rational attackers are always familiar with the fingerprint characteristic of CPS, which indicates that they are capable of accurately parsing the command message and find the target devices even in the complicated hierarchical and distributed framework. Naturally, it is supposed that different attack strategy would be implemented for different target devices and thus each CPS is faced with different types of cyber attacks. Under this circumstance, the players (individual CPSs) of SISG should be considered as nonidentical.
The extensive form representations of asymmetric SISG for two-player and -player are given in Figures 4 and 5, respectively, where different types of defense investment are considered for each player. In Figure 4, and represent different types of defense investment of each player. In Figure 5, () indicates that the defense investment implemented by the th leader is .
2.2. Cross-Layer Payoff Function
For better characterizing the SISG, we formulate payoff function from a cross-layer perspective, that is, taking factors of both cyber layer and physical layer into consideration.
Each individual CPS is viewed as a player , where is the set of all players. Each player aims to minimize his own overall payoff for maintaining a relatively higher security level and better control performance.
In cyber layer, is able to decide whether to invest in security or not and is denoted as the security choice made by ,
The security choices made by all players can therefore be denoted as , and thus the cyber layer cost of is given by
The physical plant of each individual CPS is described by discrete-time model, which is assumed to be in the form as follows:
where is the system state, is the control input, is the controlled output, is the disturbance input belonging to , , , , and are known real matrices with appropriate dimensions.
The randomly varying communication delays are described by
where is the measured output and is the actual output. is the control signal generated by the controller and is the signal received by the actuator. and are both communication delays.
In practical engineering scenario, such as controlling the PWM inverter for an uninterrupted power system (UPS) through network, the output AC voltage data measured by sensor and then collected by PLC corresponds to , while the actual output AC voltage corresponds to . is the control command for the PWM inverter, while is the control signal received by the PWM inverter. (resp., ) can be interpreted as the communication delay on sensor-to-controller (resp., controller-to-actuator) channel as shown in Figure 6.
The stochastic variable is considered as Bernoulli distributed white sequence with
According to (4), it is noted that when (resp., ), (resp., ) indicates that the last sensor command is not received (or received) by the controller at , and when (resp., ), (resp., ) indicates that the last control command is not received (or received) by the actuator at . The influence that time-delay attacker exerts on system control can therefore be embodied by packet losses happened in the last step.
More specifically, taking typical time-delay attack, DoS attacks, into consideration, we can view both and as intensity-of-attack (IoA) on S-C and C-A communication channel, respectively. According to Xu et al. , DoS attacks can degrade the channel quality which leads to the packet losses and thus lowers package delivery rate (PDR). The corresponding -optimal control problem under DoS attacks should be able to address the issue of packet losses which is also common in traditional network control system (NCS) [24, 25].
Here we use the dynamic observer-based control scheme  for the system described by (3):
where is the estimated state, is the observer output, is the control signal generated by the controller, is the signal received by the actuator, and and are the observer gain and controller gain, respectively. The stochastic variable , mutually independent of , is also a Bernoulli distributed white sequence with expected value .
The parameters in physical layer, and , are defined as and for depicting the internally interdependent security, since communication delay in physical layer is influenced by the cyber interactions. Once and are determined, the -optimal controller can then be designed. If the initial condition is zero, the index satisfies inequality (7) and can be obtained through applying Theorem proposed in .
The physical layer cost in this paper is denoted as which is the minimum of index that satisfies inequality (8). It is noted that the aim of designing an -optimal controller is to minimize the closed-loop impact of a perturbation. For the attenuation rate of controlled output under the impact of disturbance input , optimal index, , represents and quantifies the control performance of physical plant. The lower the value of is, the better the control performance physical plant is. In addition, for reflecting the influence of cyber security investment, we further refine the expression of by
The cyber layer cost depends on the security choice made by players. Since denotes the security choice made by player , the cyber layer cost of can therefore be given as , where represents the cost of cyber countermeasure adopted and therefore quantifies the cyber security investment. For example, if the cyber layer is equipped with SCADA or IDS, can be further interpreted as the computing resource occupancy ratio of a specific packet filtering policy. When chooses to invest in security, the cyber layer cost would be ; otherwise it would be 0.
The overall payoff function of each individual player can therefore be obtained as (10). The security issues in cyber layer and optimal control problems in physical layer are intertwined, and the payoff of each individual is therefore formulated from a more comprehensive and accurate perspective.
We then show how to build the payoff matrix for SISG. Taking the two-player and -player symmetric SISG introduced in Figures 2 and 3 as an instance, the strategic form representation is given in Tables 1 and 2, respectively.
In Table 1, subscripts and indicate the leader and follower; for example, denotes that follower chooses to invest in security. In addition, since follower has two information sets and two available actions, four pure strategies for follower including , , , and can be implemented. indicates the response strategy that no matter what action leader takes, he will always choose to invest in security. In addition, the upper (resp., lower) one is the payoff function of leader (resp., follower), that is, (resp., ).
In Table 2, pure strategies for follower are listed. In addition, it is noted that although there actually exists pure strategies, implementing pure strategy has the same result with that of applying . For the convenience of denotation and analysis, only situations are listed. It is easy for us to extend the result to asymmetric situation according to Tables 1 and 2.
2.3. Security Interdependence
Let each individual CPS be subjected to time-delay attacks (such as DoS, DDoS). The communication delays and for are then modeled as follows:
where indicates the number of players (excluding ) who do not invest in security. is the discount parameter and is assumed as a strictly increasing function with maximum and minimum being set as and , where is the total number of players. Thus, reflects the indirect influence that insecure individual CPS has on via common network.
In (11), the first term reflects the direct delays caused by ’s decision on security investment, while the second one indicates the indirect delays from common network, which are caused by other insecure individuals.
Remark 2. Two reasonable explanations as follows indicate the soundness of (11) with respect to and .
(1) If makes a security investment against time-delay attack, part of delays can then be eliminated due to the unwillingness of rational attacker. However, it still cannot avoid the delays from common communication network caused by other individuals under attack, which corresponds to our definition in (11) that when , both and merely depend on the number of other insecure individuals.
(2) If one individual CPS invests in security, the overall security level of distributed CPS will therefore increase, which indicates that, with a higher number of secure individual CPSs, rational attackers will be less willing to implement time-delay attack, and then the expected value of stochastic delays will be relatively lower with both better security levels in cyber layer and control performance being obtained by each individual CPS. This is also reflected by (11), since for , when , both and will decrease, and meanwhile for , reduces with the decrement of the number of insecure individuals, .
3. Pure-Strategy Equilibria Analysis for Two-Player SISG
As the SISG we describe is game of complete information, pure-strategy equilibria always exist, and the pure-strategy equilibria for both two-player symmetric and asymmetric SISG are analyzed in this section, while that of -player SISG will also be discussed for both symmetric and asymmetric situation in the next section.
3.1. Pure-Strategy Equilibria for Two-Player Symmetric SISG
Theorem 3. In two-player symmetric SISG, pure-strategy subgame perfect Nash equilibria (SPNE) will always exist and are symmetric. Depending on different value of ,
(1) when , the SPNE is
(2) when , the SPNE is
where , , and .
In addition, we further explore the preference of administrator (social planner) seeking for social optimum, that is, minimizing overall payoff of the distributed CPSs. Since three SPNE are possibly reached, we derive social payoff under each strategy pair, as shown in Table 3.
Since is equal to , we firstly derive three critical points, , , and , at which we have , , and . According to Theorem 3, two situations for social optimum are discussed.
(1) When is satisfied, we have , and the socially optimum choices are as shown in Table 4. The relationship between socially and individually optimal choices is directly reflected in Figure 7, through which the strategic gap is clearly distinguished. It is noted that, in Figure 7(a), , while, in Figure 7(b), .
(2) When is satisfied, we have , and socially, individually optimal choices and their relationship are also as shown in Table 4 and Figure 7. It is noted that, in Figure 7(c), , while, in Figure 7(d), .
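As an added illustration (not code from the paper), the following Python sketch solves a two-player symmetric SISG by backward induction and compares the resulting outcome with the social planner's choice. The physical-layer cost table `GAMMA` and the investment costs are constructed numbers that do not reproduce the paper's equations (10) and (11), and all function names are hypothetical.

```python
from itertools import product

INVEST, SKIP = "I", "N"          # the two actions in each player's action space
ACTIONS = (INVEST, SKIP)         # ties are broken in favour of INVEST (listed first)

# Constructed physical-layer cost, keyed by (own action, number of insecure
# other players). Assumption: cost falls when the player invests and when
# fewer neighbours on the common network are insecure.
GAMMA = {
    (INVEST, 0): 1.0,
    (INVEST, 1): 1.6,
    (SKIP, 0): 2.0,
    (SKIP, 1): 2.6,
}


def payoff(own, other, cost):
    """Cross-layer payoff to minimise: physical cost plus cyber investment cost."""
    insecure_others = 1 if other == SKIP else 0
    cyber = cost if own == INVEST else 0.0
    return GAMMA[(own, insecure_others)] + cyber


def spne(cost):
    """Backward induction: follower's best reply at each information set,
    then the leader's best action given those replies."""
    reply = {lead: min(ACTIONS, key=lambda a: payoff(a, lead, cost))
             for lead in ACTIONS}
    leader = min(ACTIONS, key=lambda lead: payoff(lead, reply[lead], cost))
    return {"leader": leader, "follower_strategy": reply,
            "outcome": (leader, reply[leader])}


def social_optimum(cost):
    """Action pair minimising the sum of both players' payoffs."""
    def total(pair):
        return payoff(pair[0], pair[1], cost) + payoff(pair[1], pair[0], cost)
    best = min(product(ACTIONS, ACTIONS), key=total)
    return best, total(best)


def strategy_gap(cost):
    """True when selfish play differs from the social planner's choice."""
    return spne(cost)["outcome"] != social_optimum(cost)[0]


if __name__ == "__main__":
    for c in (0.5, 1.3, 2.0):    # constructed investment costs
        eq, (opt, tot) = spne(c), social_optimum(c)
        print(f"c={c}: SPNE outcome={eq['outcome']} "
              f"social optimum={opt} (total {tot:.1f}) gap={strategy_gap(c)}")
```

With these constructed values, the middle cost is the interesting case: neither player invests at equilibrium, while the social planner would have both invest, which is the underinvestment caused by negative externalities.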
3.2. Pure-Strategy Equilibria for Two-Player Asymmetric SISG
We then further analyze the pure-strategy equilibria for two-player asymmetric SISG as given in Figure 4. Similar to building the game matrix for two-player symmetric SISG, the strategic form representation of two-player asymmetric SISG is given in Table 5, where and are different types of security investment, the cost of which is and , respectively.
The following theorem concerning equilibria of two-player asymmetric SISG is put forward for obtaining the individually optimal choice, which is given in the form of the solution of SPNE.
Theorem 4. In two-player asymmetric SISG, pure-strategy subgame perfect Nash equilibria (SPNE) will always exist. Depending on different value of ,
(1) when , the SPNE is
(2) when , the SPNE is
where , , , , , and .
The conclusions made in Theorem 4 can be vividly reflected in the form of two-dimension figures as shown in Figures 8 and 9 where we can clearly distinguish the different SPNE with corresponding conditions.
The optimal choices for social planner in two-player asymmetric SISG are further explored. We derive social payoff under each strategy pair, as shown in Table 6.