1334 IEEE TRANSACTIONS ON CONTROL SYSTEMS TECHNOLOGY, VOL. 20, NO. 5, SEPTEMBER 2012

Design and Implementation of Secure Networked Predictive Control Systems Under Deception Attacks

Zhong-Hua Pang and Guo-Ping Liu, Fellow, IEEE

Abstract—This brief addresses the security of data transmitted in networked control systems (NCSs), especially confidentiality, integrity and authenticity. A secure networked predictive control system (SNPCS) architecture is presented, which integrates the Data Encryption Standard (DES) algorithm, the Message Digest (MD5) algorithm, a timestamp strategy, and a recursive networked predictive control (RNPC) method. The first three form a secure transmission mechanism between the controller side and the plant side, which is responsible for enforcing data confidentiality and checking data integrity and authenticity. To guarantee control system performance under deception attacks, the RNPC method based on round-trip time delays is proposed to compensate for the adverse effects introduced by the deception attacks as well as by network communication constraints such as time-varying network delay, packet disorder and packet dropout. A theoretical result using switched system theory is obtained for the closed-loop stability of the RNPC system. Practical experiments are performed to demonstrate the effectiveness of the proposed SNPCS.

Index Terms—Communication constraints, data confidentiality, deception attacks, experiments, recursive networked predictive control (RNPC), secure networked control systems (SNCSs), stability.

I. INTRODUCTION

As an integration of sensors, controllers, actuators and networks, networked control systems (NCSs) show many distinct advantages such as flexible architectures, low installation and maintenance costs, and the fusion and sharing of global resources [1].
Consequently, NCSs have been finding applications in a vast range of areas such as traffic management [2], robot control [3], mobile sensor networks [4], remote surgery [5], unmanned aerial vehicles [6], and remote control [7], [8]. However, because shared networks, especially the Internet and wireless networks, are open, the sensor and control data exchanged over them in NCSs without security protection are exposed to network security problems [9], [10]. For example, industrial spies may remotely access confidential information about key equipment, and malicious hackers may intercept, tamper with, forge, and retransmit the sensitive data transmitted over networks. Especially for the NCSs of critical infrastructures, such as water, electrical, nuclear, and chemical plants, the disruption of any of them can result in severe consequences ranging from production losses to environmental damage, and even personal injury or loss of life [11]. These network attacks on NCSs are real, and some security incidents have been reported [12].

Manuscript received October 19, 2010; revised January 27, 2011; accepted April 02, 2011. Manuscript received in final form June 20, 2011. Date of publication July 25, 2011; date of current version June 28, 2012. Recommended by Associate Editor L. Xie. This work was supported in part by the National Science Foundation of China under Grant 61028010 and Grant 60934006.
Z.-H. Pang is with Qingdao Technological University, Qingdao 266033, China, and also with the Institute of Automation, Chinese Academy of Sciences, Beijing 100190, China (e-mail: zhonghua.pang@ia.ac.cn).
G.-P. Liu is with the Faculty of Advanced Technology, University of Glamorgan, Pontypridd CF37 1DL, U.K., and also with CTGT Center, Harbin Institute of Technology, Harbin 150001, China (e-mail: gpliu@glam.ac.uk).
Digital Object Identifier 10.1109/TCST.2011.2160543
However, only recently have engineers and researchers paid considerable attention to them. Dzung et al. [13] gave an overview of information security issues in industrial automation systems based on open communication networks. Yang et al. [14] surveyed the security threats and solutions in three typical wireless networks, i.e., wireless LANs, 3G cellular networks, and mobile ad hoc networks. Creery and Byres [15] presented assessment procedures and protective measures for industrial control cybersecurity.

Information technology (IT) security can be described in terms of security objectives, such as confidentiality, integrity, authentication, availability, authorization, auditability, non-repudiation, and third-party protection, of which the first four have the highest priority for the data transmitted in industrial NCSs [9], [13]. This brief is mainly concerned with the confidentiality, integrity and authenticity of the data security service; data availability will be considered in future work. Data confidentiality prevents disclosure of transmitted data to attackers. Data integrity ensures that data are received as sent and are not changed during transmission over networks; attacks such as data modification (tampering), data replay and data delay violate data integrity. Data authenticity ensures that data come from where they claim to come from, which defends against masquerade attacks.

Focusing on the confidentiality aspect of network security, Swaminathan et al. [16] described a secure field-bus protocol in which the Data Encryption Standard (DES) was used for data protection. Gupta and Chow [17] applied the encryption algorithms DES, 3DES, and the Advanced Encryption Standard (AES) to protect the data transmitted in NCSs. However, data encryption alone is not sufficient to secure data flows over the network.
For example, data tampering attacks on the sensor and/or control data cannot be prevented by data encryption, and such attacks can significantly impair system performance or even lead to loss of control of the NCS. To ensure the security of sensor and control signals transmitted over the network, confidentiality, integrity checking and authentication were implemented in hardware in [18] and [19]. Zhang et al. [20] introduced a 3-tier signature signing and key-evolving scheme to ensure that the information exchanged via mobile networks is authentic. Xu et al. [21]

1063-6536/$26.00 © 2011 IEEE
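The point made above, that encryption alone leaves the sensor and control data open to tampering while a keyed integrity check plus a timestamp closes the tampering and replay holes, can be seen in a few lines of Python. The following is an added example, not the authors' SNPCS implementation: since the Python standard library carries no DES, a toy counter-mode keystream cipher (HMAC-SHA256 as the PRF) stands in for DES, and an HMAC tag replaces the bare MD5 digest so that authenticity does not depend on how the digest is combined with the cipher. The packet layout, the two demo keys, the sequence-number rule and the 200 ms freshness window are constructed for the example and are not taken from the brief.

```python
import hashlib
import hmac
import struct

# Constructed demo keys; a real deployment derives separate keys per purpose.
KEY_ENC = b"enc-key-16-bytes"
KEY_MAC = b"mac-key-16-bytes"

# Constructed packet layout, plant side -> controller side, big-endian:
#   timestamp (uint64, ms) | sequence (uint32) | sensor value (float64)
HDR = ">QId"
VALUE_OFFSET = struct.calcsize(">QI")   # 12: byte offset of the float64
NONCE_LEN = struct.calcsize(">QI")      # 12: nonce = timestamp || sequence
TAG_LEN = 32                            # HMAC-SHA256 output


def _keystream(key, nonce, length):
    """Toy counter-mode keystream (HMAC-SHA256 as PRF), standing in for DES.
    Like DES-CBC or any other unauthenticated mode, it hides the payload but
    does nothing to stop an attacker changing it."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def xor_crypt(key, nonce, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    ks = _keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_only(ts, seq, value):
    """Confidentiality only: nonce || ciphertext. The nonce travels in clear
    and must be unique per packet (the sequence number guarantees that)."""
    nonce = struct.pack(">QI", ts, seq)
    return nonce + xor_crypt(KEY_ENC, nonce, struct.pack(HDR, ts, seq, value))


def decrypt_only(pkt):
    nonce, ct = pkt[:NONCE_LEN], pkt[NONCE_LEN:]
    return struct.unpack(HDR, xor_crypt(KEY_ENC, nonce, ct))


def flip_sign_bit(pkt):
    """Deception attack on the wire: the attacker never learns the key, but a
    single bit flip in the ciphertext flips the same bit of the plaintext.
    Flipping the top bit of the float64 negates the sensor value."""
    mod = bytearray(pkt)
    mod[NONCE_LEN + VALUE_OFFSET] ^= 0x80
    return bytes(mod)


def seal(ts, seq, value):
    """Confidentiality + integrity + authenticity: nonce || ct || tag, with the
    tag computed over nonce and ciphertext (encrypt-then-MAC)."""
    body = encrypt_only(ts, seq, value)
    return body + hmac.new(KEY_MAC, body, hashlib.sha256).digest()


class Receiver:
    """Controller-side check: tag first, then freshness, then ordering."""

    def __init__(self, window_ms=200):
        self.window_ms = window_ms   # constructed freshness window
        self.last_seq = -1

    def open(self, pkt, now_ms):
        body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(KEY_MAC, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return ("reject", "bad tag")     # tampered or forged packet
        ts, seq, value = decrypt_only(body)
        if abs(now_ms - ts) > self.window_ms:
            return ("reject", "stale")       # delayed, or replay of an old packet
        if seq <= self.last_seq:
            return ("reject", "replay")      # duplicate inside the window
        self.last_seq = seq
        return ("accept", value)


def demo():
    """Returns: honest value, value after a blind sign flip under encryption
    only, then the receiver's verdicts on genuine, tampered, replayed and
    stale packets once the tag and timestamp checks are in place."""
    pkt = encrypt_only(1_000, 1, 42.5)
    honest = decrypt_only(pkt)[2]
    forged = decrypt_only(flip_sign_bit(pkt))[2]
    rx = Receiver()
    ok = rx.open(seal(1_000, 1, 42.5), now_ms=1_050)
    tampered = rx.open(flip_sign_bit(seal(1_000, 2, 42.5)), now_ms=1_050)
    replayed = rx.open(seal(1_000, 1, 42.5), now_ms=1_050)
    stale = rx.open(seal(1_000, 3, 42.5), now_ms=5_000)
    return honest, forged, ok, tampered, replayed, stale


if __name__ == "__main__":
    print(demo())
```

Running the block, `demo()` returns the honest reading, the negated reading the controller would act on after a blind sign-bit flip (the cipher hid the payload but did not stop the change), and then the verdicts of the receiver on a genuine, a tampered, a replayed and a stale packet. Only the keyed tag catches the tamper, and only the timestamp and sequence checks catch delay and replay, which is why the brief pairs the cipher with both a digest and a timestamp rather than relying on encryption alone.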