This paper considers the security control problem over a finite horizon for distributed cyber-physical systems (CPSs) under replay attacks and switching topologies. A more reasonable attack model is established to describe the randomly occurring replay attacks, where the measurement information is maliciously replaced by previous unnecessary information. Under the Markovian switching communication network, a distributed observer-based H ∞ control protocol is developed to mitigate the influence on system performance resulting from disturbances and replay attacks. Then, by using recursive linear matrix inequality method and stochastic analysis technique, two sufficient conditions are derived to ensure the consensus of the closed-loop system while satisfying the prescribed H ∞ performance index. Gain matrices of observer and controller are derived by resorting to the matrices inequalities that are reality solvable. Finally, simulated examples are presented to compare the control performance under different attack strategies, and explore the relationship between the number of consecutive attacks and the performance index.