We present a resource-planning game for cyber-security of networked control systems (NCSs). The NCS is assumed to be operating in closed loop using a linear state feedback H2-controller. A zero-sum, two-player Stackelberg game (SG) is developed between an attacker and a defender for this NCS. The attacker aims to disable communication of selected nodes and thereby render the feedback gain matrix to be sparse, leading to degradation of closed-loop performance, while the defender aims to prevent this loss by investing in the protection of targeted nodes. Both the players trade their H2-performance objectives for the costs of their actions. The standard backward induction (BI) method is modified to determine a cost-based Stackelberg equilibrium (CBSE) that saves the players' costs without degrading the control performance. We analyze the dependence of a CBSE on the relative budgets of the players and on the node 'importance' order. Moreover, a robust defense (RD) method is developed for the realistic case when the defender is not informed about the attacker's resources. The proposed algorithms are validated using examples from wide-area control of electric power systems. It is demonstrated that reliable and RD is feasible unless the defender's resources are severely limited relative to the attacker's resources. We also show that the proposed methods are robust to time-varying model uncertainties and thus are suitable for long-term security investment in realistic NCSs. Finally, we use computationally efficient genetic algorithms (GAs) to compute the optimal strategies of the attacker and the defender in realistic large power systems.