Security of interdependent and identical networked control systems

This article studies the security decisions of identical plant-controller systems whose security is interdependent due to network-induced risks. Each plant is modeled as a discrete-time stochastic linear system, and the systems are controlled over a shared communication network. We formulate the security choices of the individual system operators (also called players) as a non-cooperative game. We consider a two-stage game: in the first stage, the players decide whether or not to invest in security; in the second stage, they apply control inputs to minimize the average operational costs. We characterize the equilibria of the game, which includes determining the individually optimal security levels. Next, we solve the problem of finding the socially optimal security levels. Interdependent security causes a negative externality, and the individual players tend to underinvest in security relative to the social optimum. This leads to a gap between the individually optimal and the socially optimal security levels for a wide range of security costs. Our results indicate that regulatory impositions to incentivize higher security investments are desirable.
