Experimental Validation of the Attack-Detection Capability of Encrypted Control Systems Using Man-in-the-Middle Attacks

In this study, the effectiveness of encrypted control systems in detecting attacks is experimentally demonstrated using a networked control system testbed that allows for man-in-the-middle (MITM) attacks. The developed testbed is a networked position control system for an industrial-use linear stage. Generally, an attacker can reroute and modify packet data via a wireless router, harnessing the address-resolution-protocol-spoofing technique, which allows for the execution of MITM attacks, such as falsification and replay attacks. The deployed MITM-attack-detection method is grounded on a threshold-based method that monitors control inputs. The demonstration examines falsification- and replay-attack scenarios across unencrypted, static-key, and key-updatable encrypted control systems. The results confirm that encrypted control systems are both effective and apt in detecting attacks in real time. Furthermore, the potential for developing alternative attack-detection schemes based on variations in processing times is discussed.


I. INTRODUCTION
The networked control system (NCS) has emerged as a pivotal technology, bolstering computer scalability and enhancing management flexibility [1].Advancements in communication technologies have facilitated the integration of NCS into an array of systems.These range from small-scale systems, such as unmanned aerial vehicles [2], and remote control over mobile networks [3], to expansive industrial control systems integral to various sectors, including oil and gas production, power, transportation, and manufacturing [4], [5], [6].This proliferation in networking has amplified the capabilities of control systems, enabling the incorporation of a relatively broad spectrum of software components.These components are The associate editor coordinating the review of this manuscript and approving it for publication was Hosam El-Ocla .adept at intricate computations, encompassing equipment configuration, manufacturing-process optimization, cloudbased data processing, and robot-operation orchestration from distant locations.
Concurrently, there are some concerns regarding the vulnerability of systems that are essential for equipment provisioning, service delivery, and safety maintenance.These systems are susceptible to potential cyberattacks, given their partial integration with cyberspace.Notable instances of cyberattacks on control systems include the Stuxnet malware that targeted uranium-enrichment centrifuges at an Iranian nuclear facility [7], [8].It demonstrated that the manipulation of information in cyberspace leads to the physical destruction of the controlled plant; the Industroyer malware, which disrupted a Ukrainian power facility, leading to an extensive power blackout [9]; the Triton malware that attacked a safety instrumented system based on reverse-engineered protocols, ultimately shutting down the plant [10]; and the Maroochy Water Services attack, where remote manipulation of sewage pumping stations caused the release of untreated sewage into local waterways for a three-month period [11].
Several defensive measures against various attack schemes, such as denial-of-service attacks [12], [13], [14], false data injection attacks [15], [16], [17], [18], zerodynamics attacks [19], [20], [21], [22], covert attacks [23], [24], and replay attacks [25], [26], [27], [28], [29], have been actively proposed.Some of these studies consider the situation where the attacker knows about the target control system prior to conducting a sophisticated attack on it.Moreover, in exploring reactive measures against cyberattacks, attack detection plays a crucial role in bolstering security.The detection method presented in [15] uses the χ 2 -detector based on Kalman filters; however, the detection performance is limited by the model's uncertainties, and there is a detection delay.The threshold-based detection method in [26] can detect replay attacks; however, it does not operate in real time.These studies focusing on approaches based on state estimation and statistics have drawbacks that require solutions.
Meanwhile, as a preventive and reactive measure against cyberattacks, encrypted control is a promising and innovative methodology that ensures the secure implementation of controllers [30], [31], [32], [33].This approach encrypts control parameters and/or communications using homomorphic encryption [34], [35], [36], [37], which allows operations on encrypted data to be performed.Further, it has been applied to enhance the security of a linear control [38], [39], a model predictive control [40], [41], a cooperative control and consensus [42], [43], [44], [45], and a nonlinear control [46], [47].Moreover, encrypted control systems are apt for integrating threshold-based attack detection.This suitability arises from the fact that when encrypted data and parameters are inappropriately overwritten due to a cyberattack, the correctness is compromised.This typically results in a conspicuous noise leakage during the decryption process.Indeed, several studies [48], [49], [50] have assessed the efficacy of encrypted control systems equipped with attack-detection mechanisms.
However, these studies were conducted from a theoretical perspective, typically involving the simulation of idealized cyberattacks programmatically within control system simulations or testbeds.Additionally, a demo abstract [51] conveys that the encrypted control framework significantly reduces false detections in an industrial control-system testbed, although it does not provide specifics.Based on a theoretical property of control systems regarding attack detection, the practical demonstration of an actual cyberattack on control devices and communication systems, which is capable of overwriting parameters and packet data, is crucial for developing secure control technologies.Such demonstrations can help clarify both the challenges and feasibility of launching these attacks, shedding light on the technical intricacies.Furthermore, these demonstrations will provide insights that could facilitate the discovery of novel detection methods.
The objective of this study is to demonstrate the effectiveness of encrypted control systems in attack detection using an NCS testbed that allows for man-in-the-middle (MITM) attacks.The encrypted control is grounded in multiplicatively homomorphic encryption schemes, such as static-key and key-updatable ElGamal-based encryption [30], [52].These schemes preserve the confidentiality of control parameters during operations and ensure a relatively lightweight computational load.The testbed developed for this study is a networked PID position control system for an industrial-use linear stage.In the system, wireless communications between the plant and controller sides are achieved via a wireless router.An attacker can reroute and modify packet data from the router, leveraging the address resolution protocol (ARP)-spoofing technique, which allows for the execution of falsification and replay attacks.For attack detection, this study uses the threshold-based method presented in [49], which monitors the control inputs, and also reveals that the employed detector results in detecting the attacks as a theorem.The theorem provides a novel result, which is the main difference from the previous studies using the threshold-based detector [48], [49].The demonstration examines three attack scenarios.In the first, involving a falsification attack, a portion of the packet data is modified with inappropriate values, whereas in the second, also involving a falsification attack, the packet data are overwritten using proper ciphertexts through a public key.In the third scenario, involving a replay attack, the current packet data are replaced with previously recorded data.This study confirms that the key-updatable encrypted control system is effective and appropriate in the sense that the attack can be detected, in contrast with the static-key encrypted and unencrypted control systems, which support the theorem.Moreover, using the experimental results, we discuss the potential of developing a different attack-detection scheme, considering variations in processing time.

A. CONTRIBUTIONS
This study offers both practical and theoretical contributions.The practical contribution involves the development of key-updatable encrypted control systems involving the threshold-based detector, which address MITM attacks by leveraging practical network protocols to enhance cybersecurity.Implementing real-world attack scenarios provides insights into practical attack detection and defense strategies.Although similar results have been presented in previous studies, e.g., [48] and [49], which explored simulated attacks within control algorithms, this study marks the beginning of experimental demonstrations.The theoretical contribution involves revealing analytical features of encrypted control systems with the detector as a theorem.This theorem discusses the probability of detecting falsification or replay attacks, supported by experimental results on the attack detection of encrypted control systems.

B. ORGANIZATION OF THIS PAPER
This paper is organized as follows.Section II provides preliminary information on the encrypted control methodology.In Section III, the positioning-control-system testbed developed using the industrial-use linear stage is detailed.Section IV describes the cyberattack environment and elaborates on the execution of falsification and replay attacks.Section V demonstrates the effectiveness of the attack-detection mechanism in the encrypted control systems.Section VI discusses the potential of developing a different attack-detection method based on variations in the processing times.Finally, Section VII concludes this paper.

II. PRELIMINARIES A. NOTATION
The sets of real numbers, rational numbers, integers, primes, security parameters, key pairs, public keys, secret keys, plaintexts, and ciphertexts are denoted by R, Q, Z, S, K, K p , K s , M, and C, respectively.We define sets R The set of vectors whose sizes are n is denoted by R n , and the set of matrices whose sizes are m × n is denoted by R m×n .The ith element of vector v and the (i, j)th entry of matrix M are denoted by v i and M ij , respectively.

B. DYNAMIC ELGAMAL ENCRYPTION
The ElGamal encryption is a public-key cryptosystem with multiplicative homomorphism.A key-updatable ElGamal cryptosystem is defined as E := (Gen, Enc, Dec, T K , T C ).These transition maps are defined as follows [52]: : (pk, sk) → ((p, q, g, hg s ′ mod p), s + s ′ mod q), where Gen is a key-generation algorithm, Enc is an encryption algorithm, Dec is a decryption algorithm, T K is the mapping that updates the key, and T C is the mapping that updates the ciphertext of the control parameter.pk is a public key, sk is a secret key, λ is a security parameter, q is a λ-bit prime, and p = 2q + 1 is a safe prime.Parameter g represents a generator of a cyclic group G := {g i mod p | i ∈ Z q } such that g q mod p = 1, h = g s mod p, and C = G 2 .r and s are random numbers in Z q , s ′ and r ′ are random numbers in Z q generated by T K and T C respectively; and h is pk before updating by T K .For m, m ′ ∈ M, the ElGamal encryption satisfies the following homomorphism: where * is the Hadamard product.In a dynamic key scheme, the key-update operation is added after each f operation.For any k ∈ K, m ∈ M and c = Enc(k, m) ∈ C, the encryption scheme E and the mapping T K , T C at time step t ∈ Z + satisfy the following homomorphism: In addition, if s ′ and r ′ are set to zero in the encryption scheme E, the keys and ciphertexts do not change over time.In this case, E is identical to the static-key encryption scheme E s := (Gen, Enc, Dec) used in [30].

III. NETWORKED CONTROL SYSTEM
This section introduces the developed NCS testbed and its specifications.

A. THE DEVELOPED TESTBED
The testbed system developed in this study embodies a position control system for an industrial-use linear stage.The system features wireless communication between the stage and the controller via a router.Fig. 1 provides the whole view of the developed NCS, where the red and white arrows represent wired and wireless communications, respectively.The control system comprises a motorized linear stage, a plant-side PC, a controller-side PC, a wireless router, and  the attacker's computer.Their respective specifications are detailed in Table 1.
The motorized stage, illustrated in Fig. 2, consists of a handle fixed on a stage, a ball screw, an AC servo motor as an actuator, and an encoder attached to the motor as a sensor.With power supplied by a servo amplifier, the motor generates torque to rotate the ball screw.The ball screw mechanism then converts between rotational and linear motion, and the stage moves in the linear direction.The encoder measures the stage position and communicates this information to the plant-side PC via the amplifier.
The plant-side PC, in turn, transmits the received control input from the controller-side PC to the amplifier and communicates the received stage position from the amplifier to the controller-side PC.Due to the functionality of the ARCS6 C++ library,1 these processes on the plant-side PC can be executed in real time.For the controller-side PC, it runs a control algorithm written in C++ that calculates a control input using the control parameters and the received stage position.The computed control input is subsequently dispatched to the plant-side PC.Furthermore, signal communication between the two PCs occurs wirelessly via the router.TCP/IP was chosen as the protocol for the wireless communication to ensure reliable signal exchange, given its widely recognized functions, such as data interpolation and data-order maintenance.
The third PC is for the attacker and is wired to the router.The attacker uses the Scapy library2 in Python, a packet manipulation tool for computer networks, to perform the cyberattacks on the position control system.The details of how the cyberattacks are performed will be explained in Section IV.
In this study, the control period, denoted as T s , was set to 0.5 s to establish a real-time NCS, considering the transmission time between the plant-side and controller-side PCs via the attacker's PC, as well as the computation time required to perform the cyberattacks.These computation times will be discussed further in Section V.
The discussion in this subsection is limited to an unencrypted configuration of the NCS and does not include explanations of any encryption and decryption processes related to the encrypted control system.In subsequent subsections, we will introduce encrypted control and revise the explanation to accommodate the configuration in the context of an encrypted control system.

B. NETWORKED CONTROL SYSTEM
The control objective of the NCS is to track the stage position to a given reference; therefore, we designed a discrete-time PID controller in a state-space representation, with  position; e is a feedback (tracking) error between r and y, i.e., e := r − y; and w is a state of the integral compensator, i.e., w(t + 1) := t k=0 T s e(τ ) = w(t) + T s e(t).Now, we consider the PID controller with n = 2, m = 1, and l = 2.The system coefficient ∈ R 3×4 consists of , where K P , K I , and K D are proportional, integral, and derivative gains, respectively.By trial and error, we determined the gains: K P = 1.2 × 10 −3 , K I = 6.0 × 10 −3 , and The block diagram of the unencrypted NCS is shown in Fig. 3.In this configuration, the communication signals are transmitted as plain text, and the operation (3) is performed over plain text.In the following subsection, we describe the reconstruction of the configuration to incorporate a key-updatable encryption scheme to enhance the control system's cybersecurity.

C. KEY-UPDATABLE ENCRYPTED CONTROL SYSTEM
This section introduces the key-updatable encrypted controller presented in [52].Based on the controller encryption technique [30], the linear operation ( 3) is divided into multiplication and addition.That is, The division enables us to incorporate the multiplicative homomorphism of the ElGamal encryption into the control system to conceal the coefficient and signals.
Definition 1 [52]: Let us assume that an unencrypted controller, f , is in (3), and that E is modified to , where E γ and D γ are an encoder and a decoder, respectively: where a scaling parameter γ ∈ R is given by key length λ, ⌈•⌋ is a function that rounds to the nearest element in M, p is a modulo parameter used in operations of ElGamal encryption, and Dec + := f + • Dec. Let C , C ξ , and C be ciphertexts corresponding to , ξ , and , respectively.Thus, an encrypted controller f × E ⋆ with dynamic keys is defined as follows: with the following update rules using ( 1) and ( 2): where the initial keys are given by (pk(0), sk(0)) = Gen(k), and C =: The encrypted controller sends computed ciphertext C (t) to the plant side.Additionally, E γ and D γ operate as quantizers; accordingly, the operation causes quantization errors, which decrease as the λ increases.
From Definition 1, it is confirmed that under (4a), the equations T C (C (t)) = Enc(E γ c ( ), pk(t + 1)) and T C (C ξ (t)) = Enc(E γ p (ξ (t +1)), pk(t +1)) hold, where γ c and γ p are scaling parameters for and ξ , respectively.Thereby, the control input is extracted on the plant side by where there exists δ ∈ R m at step t such that u(t) = ǔ(t) + δ(t) holds, corresponding to the total quantization errors.The errors impact the stability of the encrypted control system, which will be discussed Remark 1.Moreover, Definition 1 does not use the property of the multiplication of the controller f × , defined in Section III-B, for constructing the encrypted control system.Therefore, the (unencrypted) controller can be designed independently of the controller encryption process.
The definition implies that and ξ on the controller side are encrypted during the operation of the control system, as shown in Fig. 4. On examining the plant side in the figure, we see that a measured position by the sensor, y, and a reference to the stage position, r, are encrypted and sent to the controller via the router.On the controller side, the encrypted signal, C ξ , and the encrypted coefficients, C , perform the homomorphic operation.The resulting C , corresponding to the control input, is sent to the plant side, and the decrypted signal, ǔ, is inputted to the plant.Furthermore, there is a key-updatable mechanism in the control system.A randomnumber generator for s ′ is required on both the controller and plant sides, which assumes the same seed and time synchronization.To update (4a), a random number s ′ is required, which is also used in (4b) and (4c).Moreover, another random-number generator for r ′ is required on the controller side to update the encrypted system matrix C with (4b).These generators provide random numbers periodically and offer them to T C and T K .Additionally, for example, the encrypted coefficients with λ = 64 and γ c = 10 8 are as shown at the bottom of the page, where the elements are displayed as hexadecimal numbers.Meanwhile, when considering a static-key encrypted controller, r ′ and s ′ are set to zero for any step, and in this case, the configuration is simplified, as shown in Fig. 4(b).
Remark 1: The presented encrypted control system incorporates the ElGamal-encryption scheme through the encoder and decoder, introducing quantization errors induced by these components.These errors may compromise the system's stability.To ensure stability in the encrypted control system, it is necessary to implement methods such as dynamic quantizers [53] and the design of controllers with integer coefficients [54], [55], [56], [57].Moreover, when the impact of quantization errors is significant on tracking performance, increasing the key length becomes necessary.

IV. MITM ATTACKS
This section provides a detailed methodology for executing the MITM attacks, such as falsification and replay attacks, against the developed control system.

A. ARP SPOOFING
The ARP is a vital tool for mapping an IP address to its corresponding physical machine address within a local area network, such as a media access control (MAC) address.ARP identifies and registers MAC addresses associated with specific IP addresses.Once an IP-MAC address pair is established, this mapping is cached within the ARP table to expedite future communications.However, a critical area of concern is that this table, which maintains MAC-IP correspondences, lacks security measures, such as authentication or encryption during updates.Attackers can exploit this vulnerability by deploying ARP requests to extract the MAC address of a node associated with a specific target IP address.Thereafter, they utilize ARP replies to masquerade as a MAC address in the ARP response directed back to the attacker.This action overwrites the cached ARP information.Consequently, when the poisoned cache is employed for data transmission, the packets are misdirected, compromising the network's integrity.
This study uses ARP cache poisoning to alter the MAC address, as demonstrated in Table 2.This manipulation reroutes the communication path between the controller and the plant, directing it toward the attacker.Initially, the attacker connects a computer directly to the router.Leveraging ARP, the attacker can transmit the overwritten cache to every controller, router, and plant-side computer, thereby replacing their original ARP caches with the contaminated ones.Consequently, even though the plant-side computer intends to transmit the packet to the controller, the information inadvertently passes through the attacker's computer.Considering the poisoned ARP cache, the NCS is depicted schematically in Fig. 6.
Throughout the ARP-spoofing process, the source and destination MAC addresses of the received packet are overwritten.This alteration allows for the interception and forgery of the packet without alerting legitimate system operators.Consequently, the attacker can monitor and modify the packet data, as illustrated in Fig. 5, using the Python Scapy module.The subsequent section explains the methodology and specifics concerning the overwriting of the packet data.
Authorized licensed use limited to the terms of the applicable license agreement with IEEE.Restrictions apply.

B. FALSIFICATION ATTACK
In the falsification attack scenario, the attackers overwrite the communication data sent from the controller to the plant for N steps from t a : where u a is the overwritten signal, t a is the step when overwriting begins, and N > 0 is the duration of the overwriting process.The determination of u a refers to the following demonstration section.Furthermore, while the communication data sent from the plant to the controller is not falsified, the attackers overwrite certain packet information to ensure the packet passes through the attacker's computer.The parts of the data packet to be overwritten are indicated in the red areas in Fig. 5.If the data size changes when overwriting the data, the acknowledgment (ACK) and sequential (SEQ) numbers on the TCP packet layer in the gray areas in Fig. 5 must be overwritten to maintain communications during payload replacement.These are the total sequence numbers of the bidirectional communication data.At the attacker's computer, packets such as or C are overwritten at every step based on the following procedure: i) the source and destination Ethernet addresses (MAC addresses) on the Ethernet frame are overwritten; ii) the payload data on the TCP packet layer are overwritten; iii) the checksum and header checksum on the TCP and IP packet layers are recalculated and overwritten.The details of overwriting or replacing the payload data will be explained in Section V-A.Packets such as ξ or C ξ are allowed to pass through without falsification of the payload data based on the following procedure: i) the source and destination Ethernet addresses on the Ethernet frame are overwritten; ii) the header checksum on the IP packet layer is recalculated and overwritten.Additionally, checksums are required to be deleted and recalculated before data transmission because any changes in the packet would be detected by the structural corruption or fraud-detection mechanism, and the packet would not be received correctly.

C. REPLAY ATTACK
In the replay attack scenario, the attackers record the communication data sent from the controller to the plant and replace the current data with the recorded ones.The recording starts at step t r and ends at step t r +N , where N is the duration of the recording process, and the replacement persists for N steps from t a : where t a is the step when the replacement begins.The payload size of encrypted signals varies depending on the step, as a multiple-precision integer library is used to express a ciphertext as an integer.To maintain communications during payload replacement, the attacker must overwrite the ACK and SEQ numbers on the TCP packet layer for all packets.
During the recording phase, the attacker's computer saves the payload data, such as and C , based on the following procedure: i) the source and destination Ethernet addresses on the Ethernet frame are overwritten; ii) the payload data on the TCP packet layer are saved; iii) the header checksum on the IP packet layer is recalculated and overwritten.During the replacement phase, the attacker's computer replaces the payload data, such as and C , with the previously saved data based on the following procedure: i) the source and destination Ethernet addresses on the Ethernet frame are overwritten; ii) the payload data are overwritten by the recorded data; iii) the ACK and SEQ numbers on the TCP packet layer are overwritten; iv) The checksum and header checksum on the IP and TCP packet layers are recalculated and overwritten.Packets such as ξ or C ξ are allowed to pass through without replacement based on the following procedure: i) the source and destination Ethernet addresses on the Ethernet frame are overwritten; ii) the ACK and SEQ numbers on the TCP packet layer are overwritten; iii) the checksum on the IP packet layer is recalculated and overwritten.

V. DEMONSTRATION
This section demonstrates the effectiveness of the encrypted control system in detecting MITM attacks, such as falsification and replay attacks, through experiments using our developed testbed control system.For detecting the attacks, the threshold-based method presented in [49] was employed to run on the plant side, as follows: where u and ǔ are actual and decoded control inputs, respectively.If |ǔ(t)| ≥ δ is satisfied, we say that a cyberattack has been detected.This study reveals that the threshold-based detector (7) theoretically results in detecting the attacks.Theorem 1: For key-updatable encrypted control systems as described in Definition 1, if a threshold δ is chosen such that E γ (δ) ≪ p, then the probability of the detector (7) detecting falsification attack (5) or replay attack (6) during N steps from step t a is approximately one.Furthermore, if the attacker continues the attack indefinitely, i.e., N → ∞, then the detector (7) can detect the attack with probability one.
Proof: The order of the plaintext space G is q, i.e., |G| = q, and the maximum component of G is approximately p. Let G δ be a subset of the plaintext space G, consisting of elements up to E γ (δ).Because the attacker does not know the current encryption keys, the probability of the plaintext, corresponding to the injected signal, being included in G δ at a step is |G δ |/q, which represents the probability of a false negative for the detector.The probability of N consecutive false negatives is given by (|G δ |/q) N .Therefore, the probability of detecting the attack during N steps is expressed as 1−(|G δ |/q) N =: P δ,N .Since E γ (δ) ≪ p implies |G δ | ≪ q, |G δ |/q is close to zero.Consequently, under several steps N , (|G δ |/q) N approaches zero, so P δ,N ≈ 1.As N → ∞, it follows that P δ,N → 1.
Corollary 1: For static-key encrypted control systems as described in Definition 1, the falsification attack (5) or replay attack (6) can be stealthy for the detector (7).Furthermore, if the attacker does not know a public key and a threshold δ such that E γ (δ) ≪ p, then the probability of the detector (7) detecting the falsification attack (5) during N steps is approximately one.Proof: (5), an attacker with access to the public key can prepare a specific ciphertext corresponding to a plaintext belonging to G δ .For (6), the use of the recorded ciphertext results in normal operation due to the time-invariant keys.In these cases, When the attacker cannot access the public key, the proof follows similarly to that of Theorem 1.
Throughout the experiments, threshold δ was set to 6 A, five times the rated current of the AC servo motor.Additionally, when considering the unencrypted control system, ǔ was replaced by u because of the lack of encryption and decryption processes.The parameters related to the encryption scheme were set to λ = 64 and γ p = γ c = 10 8 , and q changed every experiment.The detection results are summarized in Table 3, which support Theorem 1 and Corollary 1 and will be discussed in detail in the following section.
Remark 2: The determination of threshold δ can be discussed as follows.The threshold must be set to a larger value than the upper limit of an input constraint to maintain the original control performance.Meanwhile, the change in the threshold does not impact the detection rate because q is sufficiently large.In the experimental setup, the probability introduced in the proof of Theorem 1 is computed as |G δ |/q = 1.3 × 10 −9 , using δ, γ p , and q = 9223372036854777359 ≈ 9.2 × 10 18 .If the threshold is multiplied by 10, i.e., δ ′ = 10δ, then the probability is updated to |G δ ′ |/q = 1.3 × 10 −8 , which is approximately equal to |G δ |/q, i.e., P δ,N ≈ P δ ′ ,N .
Remark 3: Because the proofs of Theorem 1 and Corollary 1 do not rely on the information about the controller and plant dynamics, we can generalize the considered control system in Definition 1.The presented ElGamal-based controller encryption can be applied to linear and polynomialtype controllers.Identifying a class of admissible nonlinear controllers needs more rigorous analysis, so it will be in future work.

A. BEHAVIOR IN THE FALSIFICATION-ATTACK SCENARIO
This study considers two falsification attack scenarios.In the first scenario, the attacker understands the data format in the payload and the dimensions of input and output in the plant.The last two digits of the payload of packets related to control inputs between 12 s and 17 s.This implies that t a and N are set to 24 and 10, respectively.For example, the encrypted payload data at step 15, C 1 31 (15) = 179ba73be04fae1fc, would be overwritten by 179ba73be04fae101.In the  second scenario, the attacker understands the data format in the payload and the input and output dimensions in the plant.It also presumes that the attacker is aware of the employed encryption scheme and its public key at the initial step, pk(0).They overwrite the packets associated with control inputs with either -0.12A or their corresponding ciphertexts (556869e0024e6b5d, 3c94b5f38f7b030f).
The experimental results of the unencrypted, statickey, and key-updatable encrypted control systems with the detector (7)  Figs. 7, 8, and 9 confirm that the control input zeros out and that the stage remains motionless during the attacks.This occurs because the decoded control input exceeds the detector's threshold, as defined in (7).Once the attacks end, the control system operation routinely resumes.12 confirms that the falsification attack could be detected.The attackers never know the updated keys and the correctness of the encryption scheme is not compromised.Thus, the decryption at the current step fails unless the attackers can identify the latest private key within the sampling period.Through the demonstration, consequently, we confirmed that the key-updatable encrypted control system serves as a cybersecurity measure to detect falsification attacks as long as the attackers never know the latest public keys.

B. BEHAVIOR IN THE REPLAY-ATTACK SCENARIO
This study considers a scenario of replay attacks to validate the attack-detection capability of the key-updatable encrypted control system.The attacker does not have any information about the plant and controller and are assumed to record packets regarding control inputs between 2 s and 7 s and inject the recorded packets between 12 s and 17 s.Accordingly, t r , t a , and N were set to 4, 24, and 10, respectively.The resulting time responses of the unencrypted, statickey, and key-updatable encrypted control systems with the detector are shown in Figs. 13, 14, and 15, respectively.The meanings of the subfigures are the same as those in Figs. 7, 8, and 9.
Fig. 13(a) confirms that the stage position deviates significantly from the reference during the injection when the injected control input shown in Fig. 13(b) is not adequate to control the current stage position.In this case, cyberattack detection becomes difficult to achieve because the injected control input is an actual signal generated in the controller and, thus, remains within the detection threshold.Moreover, Fig. 14(a) also reveals the significant deviation in the stage This occurs because the key is updated at every sampling period, and the recorded keys differ from the ones relevant to the current control inputs, which causes the decryption to fail and enables replay-attack detection.Consequently, through the experimental demonstration, we conclude that the key-updatable encrypted control system more effectively serves as a cybersecurity countermeasure than unencrypted and static-key encrypted control systems.

VI. DISCUSSION
This section examines the total processing times for each step to confirm the real-time capabilities of the control systems and discuss the potential of detecting attacks from the perspective of computational cost.The processing times for the unencrypted, static-key, key-updatable encrypted control are listed Table 4.The processing time spans the period from the sensor output is measured to when the control command is sent to the servo amplifier, including the encryption, decryption, control computation, and transmission delays.In an attack scenario, the processing time also includes delays in communicating with the router from the attacker's PC and overwriting the data.Table 4 displays the minimum, maximum, and average processing times across 100 steps for each attack scenario and encryption scheme used.The far-right column presents the ratio of the computation time in an attack relative to that in a noattack scenario.For example, the computation times of the three control systems in the replay attack and no-attack scenarios are plotted in Figs.16 and 17, respectively.The blue and red lines represent the total processing time and the processing time for overwriting the data from the attacker's PC, respectively.
As can be observed in Table 4, all values are less than the 500 ms sampling period, which confirms the real-time nature of the control systems.Moreover, the processing time in each control system increases because of the attack.The attackinduced time increases in the encrypted control systems tend to be greater than those in the unencrypted control system.For example, when considering the replay attack scenario, the time increases in the static-key and key-updatable encrypted control systems are 380.6 % and 294.6 %, respectively, whereas the increase in the unencrypted control system is 198.4 %.The tendency is illustrated by comparing Figs.16(b)(c) with Fig. 16(a), where Fig. 17 shows the similar computation load among the three control systems.The reasons for the time increases are as follows.One is that the reconstruction of the ciphertext data packet to be sent and received is time-consuming compared with the millisecond-order sampling period.The other is that the attacker has to falsify the packets two times to maintain continuous communication in a TCP protocol, which means that the ACK/SEQ numbers in the packet are overwritten in both directions of communication.
Consequently, the attack tests demonstrate that the use of an encrypted control system enhances cybersecurity since more processing time is required for the attackers to successfully implement MITM attacks.This knowledge would provide insights for the development of another attack-detection method involving the monitoring of any significant changes in processing time during operation.However, for this detection approach, control system designs that consider the occurrence of time-varying communication delays and losses must be explored.This area will be addressed in future works.

VII. CONCLUSION
This study experimentally demonstrated the effectiveness of key-updatable encrypted control systems against MITM attacks, such as falsification and replay attacks, using the industrial-grade linear stage.Encrypted and unencrypted control experimental environments were established, in which control and sensor signals were wirelessly communicated between the plant and the controller PCs.The attack processes, executed on an attacker's PC connected to the wireless router, could overwrite the communicated packets in real time using the ARP-spoofing technique.Furthermore, this study revealed the theoretical and practical features that the threshold-based detector monitoring the control input enables attack detection, and it confirmed that the experimental results support the features.Therefore, this study concludes that the key-updatable encrypted control systems outperform the static-key encrypted and unencrypted control systems in cyberattack detection.Additionally, this study offered guidance of how to determine the detector's threshold in Remark 2.
In future works, the authors will explore timestamp-based attack-detection methods to enhance cybersecurity against several cyberattacks, and they will develop a cybersecure industrial-use control technology enhancing real-time attack detection based on communication protocols such as UDP and EtherCAT, in the developed environment to ascertain the effectiveness of the encrypted control systems.

FIGURE 1 .
FIGURE 1. Whole view of the developed networked control system that allows the execution of man-in-the-middle attacks.

FIGURE 2 .
FIGURE 2. Side view of the linear stage schematic diagram.
is a constant coefficient with α := n + m and β := n+l; r is a reference to a stage position; y is a measured

FIGURE 3 .
FIGURE 3. Block diagram of the unencrypted networked control system.

FIGURE 4 .
FIGURE 4. Configurations of two types of encrypted control systems in terms of key management.

FIGURE 5 .TABLE 2 .
FIGURE 5. Structure of the Ethernet frame with the red sections indicating areas targeted for tampering in the experiments.

FIGURE 6 .
FIGURE 6. Rerouting communication paths in the networked control system using poisoned ARP cache.

FIGURE 7 .
FIGURE 7. Time responses of the unencrypted control system in the first case of the falsification attack between 12 s and 17 s.

FIGURE 8 .
FIGURE 8. Experimental time responses of the static-key encrypted control system in the first case of the falsification attack between 12 s and 17 s.
for the first falsification-attack scenario are shown in Figs. 7, 8, and 9, respectively.The results for the second falsification-attack scenario are illustrated in Figs. 10, 11, and 12, respectively.Subfigures (a) and (b) in these figures show the time responses of the measured stage position and the control input to the motor, respectively.Subfigures (c) and (d) in Figs. 8, 9, 11, and 12 depict the time responses of the encrypted component 31 .Subfigures (e) and (f) in Figs. 8, 9, and 12 show the time responses of the decoded control input and a comprehensive view of (e), respectively.The red area indicates the duration of the falsification attack.

FIGURE 9 .
FIGURE 9. Time responses of the key-updatable encrypted control system in the first case of the falsification attack between 12 and 17 s.

FIGURE 10 .
FIGURE 10.Time responses of the unencrypted control system in the second case of the falsification attack between 12 s and 17 s.

FIGURE 11 .
FIGURE 11.Experimental time responses of the static-key encrypted control system in the second case of the falsification attack between 12 s and 17 s.In this case, ǔ(t ) = u(t ).

Figs. 10
Figs.10 and 11 reveal that the attacker could identify the control input in the payload and replace the corresponding data with plaintext or their ciphertexts.In these cases, the detections failed because the decoded control input did not exceed the detector's threshold in Figs.10(b) and 11(b), although the controlled outputs in Figs.10(a) and 11(a) were affected by the attacks.Meanwhile, Fig.12confirms that the falsification attack could be detected.The attackers never know the updated keys and the correctness of the encryption scheme is not compromised.Thus, the decryption at the current step fails unless the attackers can identify the latest private key within the sampling period.

FIGURE 12 .
FIGURE 12.Time responses of the key-updatable encrypted control system in the second case of the falsification attack between 12 s and 17 s.

FIGURE 13 .
FIGURE 13.Time responses of the unencrypted control system in the case of the replay attack.

FIGURE 14 . 15 .
FIGURE 14.Time responses of the static-key encrypted control system for the replay attack.

FIGURE 16 .
FIGURE 16.Processing times in the replay-attack scenario.

FIGURE 17 .
FIGURE 17.Processing times in the no-attack scenario.

TABLE 1 .
Specifications of the experimental apparatuses.

TABLE 3 .
Summary of attack-detection experiments using the threshold-based detector.

TABLE 4 .
Computation time of the encrypted controls with a sampling period of 500 ms under cyberattacks.