Abstract: The arrival of the Industrial 4.0 era, characterized by the deep integration of information technologies such as computing, communication, and control, has brought new opportunities and challenges to the research on security issues of networked control systems. The aim of research on networked control system security is to establish a complete system security defense system to ensure efficient and reliable operation. This article provides an overview of the latest domestic and international research achievements, current status, and challenges faced in the field of networked control system security, and points out and summarizes unresolved research issues that urgently need to be addressed.
Keywords: Networked Control; Attacks; System Security
1 Overview
The rapid development of information technology has led humanity into the Industrial 4.0 era, characterized by digitization, networking, and intelligence, giving rise to various new intelligent information systems such as smart factories, intelligent transportation, and smart grids, significantly improving and changing the way human society lives, produces, and manages. These new information systems achieve interconnection and deep integration of physical and information spaces through information perception, ubiquitous computing, and management control. The essence of these new information systems is networked control systems (Networked Control Systems, abbreviated as NCS), which consist of physical objects, sensors, estimators, controllers, actuators, and network media. Networked control is the key technical support for information systems to achieve real-time, stable, and optimized operation.
The high level of informatization and intelligence required by the Industrial 4.0 era for networked control directly leads to higher potential security threats for NCS. Recent major security incidents involving NCS include:
(1) In 2010, the “Stuxnet” virus exploited vulnerabilities in industrial control systems to infiltrate Iran’s Natanz nuclear plant, causing one-fifth of its centrifuges to fail and the reactor to remain inoperable for an extended period.
(2) In 2011, in the city water supply system of Illinois, USA, due to an intrusion into the data collection and monitoring system, many water pumps were destroyed.
(3) In 2012, the highly destructive “Flame” virus spread widely in the Middle East, significantly impacting the normal operation of critical control systems such as the oil industry.
(4) In 2014, security vendor F-Secure discovered the Havex virus, which was capable of disabling hydroelectric dams and overloading nuclear power plants by infiltrating industrial control software used in SCADA and industrial control systems, even allowing someone to shut down a country’s power grid with a keystroke.
(5) At the end of 2015, the control systems of substations in Ukraine were continuously subjected to cyberattacks, resulting in approximately 1.4 million residents losing power in at least three regions, leading to large-scale outages lasting 3-6 hours.
According to a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a global authority on industrial control information security, security incidents in industrial control systems rose from 197 in FY 2012 to 295 in FY 2015, showing a rapid upward trend. By June 2016, the China National Vulnerability Database (CNVD) had published a total of 840 industrial control system security vulnerabilities. This indicates that NCS, which is widely used in industries, military, transportation, energy, and other sectors crucial to national livelihood and key infrastructure, poses a significant threat to both economic loss and public safety if attacked. Therefore, the security of networked control systems has garnered widespread attention and in-depth research from scholars.
The deep integration of cyberspace and physical space brings many new research problems and challenges to NCS security. For example, how to characterize the relationship between attacks and system states, how to effectively detect malicious attacks, how to handle malicious attacks targeting closed-loop control, and how to counter malicious attacks aimed at physical processes. Existing computer security technologies still lack sufficient capability to ensure NCS security. Therefore, these new research problems present new theoretical challenges and technical demands for the secure operation of NCS systems, becoming significant research topics that urgently need to be addressed in modern industrial development and application.
2 Research Hotspots and Achievements
NCS security involves challenging problems that intersect control theory, network communication technology, and computer technology, and has become a scientific frontier issue in the field of information research. Researchers both domestically and internationally have conducted extensive related research and achieved certain research results.
2.1 Typical Attack Models
Typical attacks targeting NCS systems include Denial-of-Service attacks (DoS attacks), replay attacks, and data injection attacks.
DoS attacks aim to make the system unable to function normally by occupying a large amount of network and system resources through numerous legitimate or forged requests. Specific attack methods include congestion attacks at the physical layer, collision attacks at the link layer, erroneous indications and black hole attacks at the network layer, and flooding attacks at the transport layer. Based on the random packet loss patterns caused by DoS attacks, researchers typically describe this attack as a sequence of independent and identically distributed random variables.
Replay attacks involve the attacker recording communication data between system components over a period and then choosing to replay that data at another time. The notorious Stuxnet virus utilized the principle of replay attacks by playing back the normal data from sensors in the cascade protection system for 21 seconds, causing the centrifuges to operate abnormally and resulting in catastrophic damage to the nuclear power system. Based on the recorded communication data and the attack’s start time, an attack time series model can be established.
Data injection attacks occur when an attacker sends erroneous information to the corresponding receiver, compromising the integrity and accuracy of communication data. This erroneous information may include incorrect measurement values, erroneous sending times, or incorrect user IDs. If the attacker gains access to the communication keys between system components or infiltrates sensors or controllers, data injection attacks can be executed. By adding the variations caused by attacks to the system evolution equations under normal operating conditions, the system evolution equations under attack can be obtained. It is important to note that the variations caused by attacks may be constant values, random values, or bounded values.
2.2 The Intrinsic Relationship Between Attack Characteristics and System Performance
Characterizing the coupling relationship between attacks and the control performance of NCS systems plays a crucial role in security research. A deep understanding of this coupling relationship helps in designing accurate intrusion detection methods and constructing reliable security defense mechanisms.
Zhang et al. established the functional relationship between energy-constrained DoS attack strategies and system state estimation performance as well as optimal control performance, and provided a quantitative assessment of the impact of attacks on estimation and control performance. Amin et al. studied the impact of DoS attacks on the data transmission channels between sensors and estimators, and between controllers and actuators, using independent random sequence models to characterize the attack’s effects on data transmission, thus obtaining the correspondence between attack variable sequences and linear quadratic Gaussian control cost functions.
Mo et al. analyzed the changes in system state estimation and control performance when measurement data from estimators to controllers are subjected to replay attacks. Zhu et al. considered replay attacks on data transmitted from controllers to actuators and studied the impact of such attacks on system performance, subsequently designing a rolling control rate to mitigate the impact of attacks on system performance. Teixeira et al. conducted in-depth research on system control performance under resource-constrained data injection attacks, describing the impact of attacks on system performance through defined security sets and validating the correspondence between attack parameters and control performance on a four-tank control platform. Liu et al. analyzed the impact of data injection under attack capability constraints on power grid state estimation.
2.3 Attack Intrusion Detection Mechanisms
In response to different attacks, researchers have designed attack detection mechanisms. Zhang et al. pointed out that the Packet Reception Rate (PRR) is a conventional detection indicator reflecting whether communication between system components is affected by DoS attacks. Carl et al. summarized conventional detection methods for DoS attacks, which are very typical in sensor networks. The χ2-test is the most commonly used method for detecting replay attacks and data injection attacks. Pasqualetti et al. designed centralized and distributed filters for attack detection in linear time-invariant continuous systems, which can detect typical attacks such as replay attacks and data injection attacks. For the attack forms involving data injection on measurement and control values, Weerakkody et al. proposed a new intrusion detection method based on physical watermarking technology, achieving maximized detection rates by selecting appropriate watermark degree of freedom parameters.
2.4 System Defense Mechanisms
Research on system defense mechanisms includes aspects such as security versus system real-time performance, secure state estimation, and secure control.
The existence of malicious attacks significantly impacts the real-time control performance of NCS, while employing security defense mechanisms such as information encryption inevitably reduces system real-time control performance. In other words, security defense mechanisms and real-time control performance are contradictory. Gupta et al. considered the impact of NCS security on system performance based on the path tracking issue, demonstrating the trade-off relationship between system security characteristics and additional system delays. Zeng and Chow studied how to balance the level of information encryption with system real-time control performance, characterizing real-time control levels based on rapid tracking average errors and defining information encryption levels based on key lengths, thus constructing a performance-security trade-off model. By using a co-evolutionary algorithm to select optimal security and system parameters, performance-security collaborative optimization was achieved.
State estimation is a fundamental approach to understanding the operational status of NCS and is an important basis for designing system feedback control algorithms. For example, in power grid systems, it is necessary to estimate state information such as network topology and power flow distribution to grasp the operational status of the power grid system, while feedback control for UAVs is based on estimating state variables such as position and velocity. Various attack behaviors can significantly impact state estimation, and researchers have explored this from different angles, including resilient state estimation for general linear systems, secure state estimation for power grids, resilient state estimation for the cruising safety of unmanned ground vehicles, and resilient adaptive state estimation.
Secure control technology is key to ensuring the reliable operation of NCS systems under attack conditions. In the face of DoS attacks, Amin et al. constructed an optimal linear quadratic Gaussian control model under attack and obtained optimal secure control strategies using the optimal solution of semi-definite programming. Gupta et al. constructed a zero-sum game model between DoS attacks and controllers, obtaining the control equilibrium points and attack strategies in the game scenario. Zhu et al. designed a rolling time-domain control algorithm to resist replay attacks and analyzed the decline in system control performance. In another paper, Zhu et al. designed a distributed control algorithm allowing vehicular networks to maintain formation even under data injection attack conditions on control signals.
3 Open Problems and Challenges
The further deep integration of control, communication, and computing technologies will promote the formation of highly heterogeneous, topologically complex, and multi-dimensional open NCS, which poses new challenges and higher requirements for system security, mainly including the following aspects:
(1) The problem of modeling the correlation between high-dimensional heterogeneous systems and complex modal attacks. Currently, there is a lack of reasonable mathematical models to describe the interaction between the high-dimensional heterogeneous characteristics of NCS systems in industrial application scenarios and the continuously evolving complex modal attacks.
(2) The problem of optimizing defense for resource-constrained systems. Unlike traditional information systems with ample energy supply and strong computing and storage capabilities, NCS designs often need to consider limited resources such as energy, computation, and storage. Optimizing the allocation of limited resources to achieve system security defense goals is a highly challenging research topic.
(3) The problem of trust management for system components. System components, especially sensor nodes, are vulnerable to attack threats, leading to physical device failures, hijacking, etc., severely affecting reliable system operation. However, there is currently a significant lack of research on building security certification and trust management systems for NCS components.
(4) The problem of efficient and precise intrusion detection for complex modal attacks. The increasingly complex and variable nature of attack modes and the limited resources of the system pose significant challenges for designing efficient and precise intrusion detection mechanisms.
(5) The problem of measuring the security of large-scale systems. When constructing security measurement indicators, it is necessary to comprehensively consider the high real-time, high reliability, and high stability requirements of NCS, as well as factors such as system scale. In specific application scenarios, the mixed composition of discrete subsystems and continuous subsystems into a complete large system also complicates the construction of security measurement indicators.
(6) The problem of security control and optimization of systems. Based on existing NCS control mechanisms, combining the correlation modeling analysis of complex modal attacks and system operation, designing secure and reliable optimization control technologies remains a challenging core task.
4 Conclusion
Exploring and researching the security of networked control systems is an important topic related to national security, with significant practical significance and application value. This article summarizes the main research hotspots regarding control systems, highlighting important research results in areas such as attack modeling, the intrinsic relationship between attack characteristics and system performance, attack intrusion detection mechanisms, and attack defense mechanisms. Additionally, this article points out the challenges that this topic still faces and urgently needs to be resolved. In-depth research on the theory and key technology systems of networked control system security will undoubtedly enhance the system’s security defense capabilities, ensuring national and public safety.
Source: Communication of the Chinese Automation Society

