Need Paper On Following

Assessing and augmenting SCADA cyber security: a survey of techniques
Nazir, Sajid; Patel, Shushma; Patel, Dilip
Published in:
Computers & Security
DOI:
10.1016/j.cose.2017.06.010
Publication date:
2017
Document Version
Peer reviewed version
Link to publication in ResearchOnline
Citation for published version (Harvard):
Nazir, S, Patel, S & Patel, D 2017, ‘Assessing and augmenting SCADA cyber security: a survey of techniques’,
Computers & Security, vol. 70, pp. 436-454. https://doi.org/10.1016/j.cose.2017.06.010
General rights
Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners
and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights.
Take down policy
If you believe that this document breaches copyright please view our takedown policy at https://edshare.gcu.ac.uk/id/eprint/5179 for details
of how to contact us.
Download date: 12. Apr. 2021
Abstract—SCADA systems monitor and control critical
infrastructures of national importance such as power generation
and distribution, water supply, transportation networks, and
manufacturing facilities. The pervasiveness, miniaturisations and
declining costs of internet connectivity have transformed these
systems from strictly isolated to highly interconnected networks.
The connectivity provides immense benefits such as reliability,
scalability and remote connectivity, but at the same time exposes
an otherwise isolated and secure system, to global cyber security
threats. This inevitable transformation to highly connected
systems thus necessitates effective security safeguards to be in
place as any compromise or downtime of SCADA systems can
have severe economic, safety and security ramifications. One way
to ensure vital asset protection is to adopt a viewpoint similar to
an attacker to determine weaknesses and loopholes in defences.
Such mind sets help to identify and fix potential breaches before
their exploitation. This paper surveys tools and techniques to
uncover SCADA system vulnerabilities. A comprehensive review
of the selected approaches is provided along with their
applicability.
Index Terms— cyber defence, anomaly detection, attack tools,
vulnerability, simulation, modelling, SCADA.
I. INTRODUCTION
UPERVISORY Control and Data Acquisition (SCADA)
systems are used to monitor and control critical national
infrastructures such as smart grids, oil and gas, power
generation and transmission, manufacturing, and
transportation networks. They are also used to manage public
utilities like buildings control, water, sewage, and traffic
lights. The downtime or compromise of these systems can
have disastrous consequences for the economy, public health
and national security.
SCADA systems (Figure 1) are cyber physical systems with
communication networks (wired and wireless) interfacing the
monitoring and control system with the hardware and
providing a large attack surface [1]. The architecture can be
envisaged as four layers as shown in Fig 1. At the lowest
level, field or slave devices (sensors, pumps, motors) provide
an interface for control and monitoring of the physical
process. At the next higher level, Remote Terminal Unit
(RTU) and Programmable Logic Controllers (PLC) aggregate
control (acting as master) for many field devices by passing
commands and responses through the communications
network to the SCADA server. PLC is a computer system
running Ladder Logic for decision making to control the field
devices. The operator monitors the process state through
Fig. 1. A simplified layered architecture for typical SCADA system.
Human-machine Interface (HMI) and controls the process by
activating commands as required [2]. A typical SCADA
system could have multiple supervisory systems, PLCs, RTUs,
HMIs, process and control instrumentation, sensors and
actuator devices over a large geographical area, interconnected
through a communications network.
The use and applications of SCADA systems has increased
as a result of rising levels of industrial process automation,
reduced cost of operation and growth in global economies.
Growth is expected to increase in the use of SCADA systems
and the investment is expected to reach up to $ 11.16 billion
by 2020 [3]. With the proliferation of the Internet of Things
(IoT), SCADA sensor and actuator devices which are Internet
connected SCADA systems are being transformed from a
traditional on-site, stand-alone system to an Internet-connected
remotely accessible system. An overview of challenges and
security requirements for IoT is provided in [4]. A significant
obstacle in IoT adoption is security aspects as it would be an
attractive target for hackers [4], [5].
There are many benefits of Internet access including
scalability, better communications protocols, efficiency, cost
effectiveness, interoperability between components [6] and
remote access, but SCADA systems were never designed with
network connectivity and security [5], [7] in mind. The focus
had always been on reliability rather than security, and
protection had been ensured through isolation and obscurity
[8], [9] by using proprietary standards. Since the 1990s the
control systems are being integrated with computer networks
[10] and also more and more Commercial-off-the-shelf
(COTS) products are being used in SCADA systems [11].
SCADA server and user interfaces are now accessible over the
Internet and cellular networks, providing many entry points
S. Nazir, S. Patel, D. Patel
Assessing and Augmenting SCADA Cyber
Security-A Survey of Techniques
S
for an attacker [8], [12]. Most SCADA communications
protocols are just plain-text [13], [14] with no message
authentication [15] making it easier for a man-in-the-middle
(MITM) attack. TCP/IP protocols have their own
vulnerabilities that can be exploited [5]. PLCs would treat
code as legitimate as long as it has the correct syntax [16]. The
threat landscape for SCADA systems has been broadened [8]
by Internet and cellular network connectivity, bringing along
open standards such as web technologies, which have known
security loopholes making it very easy for an attacker to gain
an in-depth knowledge of SCADA networks [17], [18]. The
modern SCADA communications use a variety of
communication media, such as WiFi, cellular, and Bluetooth.
Vulnerabilities in the communications protocols have been the
main focus and target of cyber attacks. Failure to protect the
SCADA infrastructure against the evolving threats of the
changed connectivity landscape can have disastrous
consequences. In the prevailing cyber security global
environment, it is not a matter of if an attack of catastrophic
proportion would happen, but rather when.
A Denial-of-Service (DoS) attack on a website can render a
service unavailable, but similar attacks on SCADA systems
can have potentially disastrous consequences [19] because of
the fallout of the controlled process getting out of control.
Stuxnet [16], June 2010, was the first malware designed to
attack control systems and was the first attack of its kind that
brought SCADA security vulnerabilities to prominence [19].
Prior to that although vulnerable, SCADA systems were not
considered to be actively targeted. Malware, such as Flame
(2012) that copied data, recorded Voice over Internet Protocol
(VoIP) audio and intercepted network traffic [19]. Stuxnet
(2010) and Duqu (2011) used USB devices to spread and
attacked the PLCs by changing the Ladder Logic code [19].
Havex (2014) can reportedly infect the software downloads
from the SCADA manufacturers’ web sites [20]. An active
group of attackers, Dragonfly [21], mainly target energy
sectors through malware tools and infect targeted
organisations using spam emails. These malware attacks
highlight security weaknesses in SCADA system design [22].
Other attacks like Slammer at Davis-Besse nuclear plant [10]
negate the illusion of security. The cyber attacks on SCADA
systems have seen a 100% increase [23]. General technology
awareness, widespread availability of free information, and the
current global security situation of state and non-state elements
with malicious intent, all combine to make launching such
attacks easier and probable.
Countering the cyber attack is an emergent need to provide
adequate safeguards against the cyber attacks by strengthening
the defence. The general cyber security safeguards such as
restricted physical access, cryptography, patch management,
separation of corporate and production systems (through
Demilitarized Zones (DMZ), Firewalls and Access Control
Lists (ACLs)), and activity logging are all applicable (Figure
2) but need to be viewed in conjunction with typical SCADA
systems characteristics. Nonetheless these security measures
are important as the corporate network could be the entry
point for launching an attack on the SCADA network. Most of
these security measures are not capable of defending SCADA
systems from attacks against SCADA protocols [24]. For
instance, SCADA characteristics make it difficult to apply
existing cryptographic techniques, due to limited
computational capability, low data rate, and the need for realtime response [17]. The confidentiality, integrity and
availability (CIA) triad [25], applies to SCADA systems but
with a changed order of priority as Availability, integrity and
confidentiality (AIC), with availability being the most
important. Agencies such as the National Institute of
Standards and Technology (NIST), USA and European
Network and Information Security Agency (ENISA), provide
best practice documents for cyber security for SCADA
systems in particular. Protection for telework devices is
described in [26], Cyber security of SCADA systems in [27].
Guidelines for Patch management are provided in [28].
Protecting Industrial Control Systems (ICS) [2] has
recommendations for Europe and member states, which
identifies security challenges and recommends a common test
bed for security testing. North American Electric Reliability
Corporation (NERC) has released Critical Infrastructure
Protection (CIP) documents. The industry regulations have
started mandating the cyber security safeguards and this trend
is likely to increase in the future.
Investigating the effect of an attack on an actual system is
neither recommended due to the unintended consequences, nor
feasible on a replicated system due to the cost and effort
involved. Analysis methods and tools are very important to
secure such systems [29]. Therefore SCADA cyber security
researchers mostly rely on developments of simulation
software and hardware to model SCADA attacks to analyse
the system security. SCADA system security can be assessed
by using vulnerability analysis through actively attacking a
system which not only uncovers the vulnerabilities but can be
Fig. 2. DMZ with separation of trust zones.
used to determine the system failure response, which helps to
understand the system and provide necessary safeguards by
fixing the vulnerabilities. Techniques such as penetration
testing and vulnerability analysis can be considered inclusive
in vulnerability assessment [30].
Generic Simulators for SCADA systems are described in
[31] but the focus is not on cyber security. Smart Grid
simulators [32] provide a useful reference for simulation tools
but do not address SCADA or cyber security. Vulnerability
assessment and analysis comprises of a spectrum of
techniques from the simplest ones doing port scanning to those
involving exploitation of vulnerabilities, as in an actual attack
[27].
This paper provides a comprehensive survey of simulation,
modelling and related techniques helpful for assessing the
cyber-attack vulnerabilities of SCADA systems. In this paper
we aim to cover the array of techniques for assessing SCADA
vulnerabilities under simulation, modelling, tools and
techniques as these are often employed by researchers for
SCADA cyber security. This categorisation is purely with a
view to better organise the research literature rather than a
taxonomy. We also highlight recent technology innovations
which can aid in minimizing the effect of cyber security risks.
The rest of the paper is organized into the following
sections. Section II provides SCADA systems’ characteristics
and vulnerabilities. Section III covers the simulation and
modelling techniques for identifying security weaknesses.
Section IV describes other tools and techniques for evaluating
defence. Section V provides conclusions, and Section VI
discusses future research directions.
II. SCADA SYSTEM CHARACTERISTICS AND
VULNERABILITIES
SCADA system (Figure 1) differs in characteristics from a
conventional information technology (IT) system [8], [27].
SCADA systems have tighter constraints on reliability, latency
and uptime that preclude some IT security measures [15].
SCADA are cyber physical systems, that is, cyber system
(control and communications) and physical system (sensors,
actuators) comprising a system of systems, interact as a
cohesive and unified whole. The software commands manifest
actions to modify physical processes. It is important to
consider these differences when devising the protection
strategies.
A. Generic OS
SCADA systems run over conventional operating systems
(OS), thus inheriting vulnerabilities which can compromise
the SCADA system [10]. The vulnerabilities of the operating
systems are periodically announced by the vendors [33]. The
patches are normally issued after vulnerabilities are
discovered, but there could be a substantial time lag to release
patches or the patches may not be applied in time. The patch
for the vulnerability exploited by Stuxnet in 2010 became
available in 2012 [28]. There is generally a time lag for patch
application, for instance, Slammer infections occurred six
months after the patch to fix the vulnerability had been
released [10]. Similarly lack of user incentives [34] to apply
patching enabled Code Red, a malware to infect 360,000
servers, although a security patch had been released earlier. In
some cases, an attack comes before vulnerability is discovered
and is termed as a Zero day attack.
B. Legacy systems with long operational life
The installation of SCADA systems is costly and timeconsuming and most systems remain in operation from eight
to fifteen years [10]. A system may have devices from many
different manufacturers using various standards or proprietary
communications protocols [35]. This is sometimes well past
the expected supported lifespan of the software and also
hardware. Thus at times a system would comprise of legacy
components and their associated vulnerabilities [29].
C. Multiple Points of Entry and Failure
A SCADA system is geographically spread over a large
area starting at the sensors, in the field, to the user and control
interface. Although SCADA servers may themselves be well
protected against cyber attacks, however similar guarantees do
not exist for field devices. The communication network,
comprising of wireless Internet, cellular and Bluetooth provide
multiple remote entry points which can be exploited by
attackers. Wireless networks are especially vulnerable using
freely available tools like Aircrack-NG that can sniff, test and
even decrypt packets [36].
D. Communication Protocols
The low-level networking protocols used for industrial
systems use simple plain-text messages based on a masterslave communications model. These lack security and
encryption, as these were designed for isolated systems [13].
For example, Modbus protocol can be attacked as reported
in [8], [37] with varying consequences [37]. Other recent
protocols, such as Distributed Network Protocol 3.0 (DNP3)
also have their vulnerabilities [5], [38], [39] and packets can
also be analysed [36] through network sniffing tools to gain
information and cause damage. Widely used protocols IEC
60870-5-101 and IEC 60870-5-104 lack application and data
link layer security and have vulnerabilities that can be
exploited [13]. With an understanding of the process and the
protocol, an attacker can maliciously alter the process control
by injecting valid control commands and responses with
malicious intent [13], [22]. Attacks on protocol
implementation [37] can cause failures resulting in possible
exploits [8].
E. Real-time and Complex Interactions
SCADA systems monitor real-world processes under very
tight timing and operational constraints. Time is critical for
decision making, affecting a control system and vital process
deviations, which must be accurately reflected and effectively
managed. The stringent operational constraints (such as
timing) of a SCADA system mean that it is more prone to fail
in response to small deviations caused by an attacker. “Aurora
Generator Test” [1], [10] in March 2007, simulated a remote
cyber-attack resulting in destruction of a $1 million dollar
diesel-electric generator [40]. A patch application [25] or loss
of time synchronization [1] may have unintended consequences
detrimental to the prescribed operation. Application of a
software update resulted in automatic shutdown of a nuclear
plant [10]. Analysing and exploiting vulnerabilities may be
complicated but unintelligent computer viruses and mere
malfunctions in small devices can result in enormous
unintended effects [10].
F. Conflicting Priorities
SCADA control and monitoring projects remain in
continuous operation [41] for many decades after
commissioning. This creates a dilemma for the administrators
between ensuring adequate protection and sustained system
operation. Application of software upgrades and patches may
get postponed due to the desire to keep the system running
without change to the execution environment [28]. Anti-virus
and patches may result in undesirable consequences [10] or
may also tend to slow down the communication and may
interfere with normal functioning of the system.
The operational nature of these systems precludes post
commissioning cyber security testing due to associated risks
of jeopardising the controlled system.
G. Social Engineering and Insider Attacks
Social engineering attacks purporting to be from a known
person or organization can be used to infiltrate a system. Often
the cyber security is focused on an outsider’s attack, which
makes sense, but equally probable and dangerous is an attack
originating from within the trusted network, through a
deliberate or unintentional omission, or sabotage.
The attack in 2000 on a sewage control system in
Queensland, Australia [10], [42] causing flooding with a
million litres of sewage, was an act of a disgruntled employee.
Stuxnet infiltrated the network [10], [16] mainly through USB
sticks.
H. Backdoors
The Stuxnet [43] worm exploited system vulnerabilities to
attack a PLC in Iran’s uranium enrichment program in 2010. It
exploited an administrative backdoor, which can be used to
access a system remotely, and generally their availability on a
system is known to system maker only. Such coded backdoor
passwords which can be used to exploit a system remotely, are
not uncommon [19], [44]. Such malpractice could also take
place without the knowledge of a SCADA vendor, as
increasingly the product is assembled from components
manufactured from facilities across the globe [19].
I. Integral Protection
With cyber security awareness coming into prominence,
SCADA manufacturers also provide and emphasize security in
products. These features provide encryption and security
features such as Kerberos and multiplexing proxy. Activating
these in a project can make an intruder’s task difficult.
SCADA systems also provide other built-in mechanisms such
as User Groups, Historian, Encryption and Redundant Servers.
III. SIMULATION AND MODELLING
SCADA systems are not only complex but have many
system interdependencies which makes it difficult for them to
be tested for cyber defence. The production systems are
required to provide a continuous and reliable service, and
depending on the monitored process, even small delays are
intolerable. As such the systems cannot be taken out of service
for vulnerability checks, and also these are very costly and
hard to duplicate.
Simulation and modelling techniques are useful to model
and test complex systems. Development of realistic models
help to create scenarios that do not yet exist or would be very
costly to build. A model also makes it easier to quickly change
parameters to suit another scenario or configuration.
Simulation and modelling techniques are used
advantageously to evaluate and probe the defence of SCADA
systems. A summary is provided in Tables I and II.
A. Simulation Frameworks
Simulation frameworks are needed to model all aspects of
the SCADA system using simulators and emulators. Generally
a network simulator such as OMNeT++ is used for network
modelling and Simulink/MATLAB is used to simulate the
process control. A framework in general also provides the
facility to integrate the various simulators to realistically
represent the system as a whole.
1) High Level Architecture (HLA)
HLA is a simulation integration platform designed by the
Department of Defence (DoD) [45] that can be used to
integrate simulators. This concept was chosen as no single
simulation can meet all the requirements. An individual or a
set of simulations can be applied across different uses, under
the HLA federation concept. Federation means a set of
interacting simulations, with each simulation termed as a
federate. The federates must allow exchange of data through
the Runtime Infrastructure (RTI).
HLA which is a co-simulation environment has been used
by researchers to design simulations using OMNeT++ and
MATLAB, for example.
Chabuksawar et al. [46] used Command and Control (C2)
WindTunnel as a simulation framework (based on HLA) [47]
to simulate a plant, its controller and the interconnecting
network. The objective was to simulate network security
attacks using this framework that requires domain-specific
modelling language for defining integration models. The
SCADA system was a simplified version of the Tennessee
Eastman Control challenge problem [48]. DDoS attacks were
simulated on the routers concluding a proof of concept
implementation.
2) SCADASiM
An integrated framework for control system simulation,
SCADASiM is presented by Mahoney and Gandhi in [9]. It
can be modelled and simulated at different levels of
abstractions commensurate with the problem at hand. The
modelling notation is through Autonomous Component
Architectures (ACA) that allows components to be modelled
at simulation runtime. The authors proposed a new language
Autonomous Component based policy Description Language
for Anomaly monitoring in Control Systems) (ADACS) that
was used for monitoring regulatory compliance.
3) SCADASim
Queiroz et al. [49] present a framework for building
SCADA system simulations. Additionally it can be used to
create malicious attacks against SCADA systems. The
framework can be extended by SCADASim users to add their
own protocols otherwise there are too many protocols. The
framework is built on top of OMNeT++. Details of DoS and
spoofing attack simulation are provided in the paper.
4) Co-simulation Framework
A co-simulation framework is proposed by Bytschkow et
al. [50] using Common information model (CIM) as an
intermediate model. It uses the approach of federation
enabling both simulation and deriving possible impacts. The
co-simulation framework is constructed using SCADA, CIM,
GRIDLAB-D and AKKA.
5) Emulation Framework
A framework for emulation based security analysis using
Emulab and Simulink is proposed by Genge et al. [6] that can
be used to measure impact of attacks against both physical and
cyber parts of systems. The authors’ proposed framework
extends Emulab to incorporate additional features required for
cyber physical security analysis. The architecture comprises of
a cyber layer, physical layer, and a cyber physical link layer.
The authors provide a feature based, cost based and an
experimental scenario-based in comparison to other
frameworks reported in the literature and contend their
approach to be better. The authors provide two case studies
from the electrical and chemical domains. The first studies the
effect of Stuxnet on a Boiling Water power plant showing that
the proposed framework can be used to recreate a scenario
with complex malware. The second studies the effect of
network parameters on a cyber attack targeting a chemical
process, showing that in cyber attacks where the attacker
communicates with PLCs, the communications delays and
packet losses have little effect.
6) Integration Framework
An integration framework has been proposed by Novak et
al. [51] that advocates semantic and technical integration of
simulation models into SCADA systems. The authors contend
that simulations cannot be developed without access to online
and historical data and thus propose a platform for integration
of simulations and SCADA. It reduces design-time errors (for
simulation) and improves re-configurability and reuse. Two
case studies are provided for design of simulation models for
passive houses, and an application allowing the management
and execution of simulations.
7) Real-time monitoring, Anomaly detection, Impact
analysis, and Mitigation strategies (RAIM)
The security SCADA framework proposed by Ten et al.
[52] comprises of real-time monitoring, anomaly detection,
impact analysis, and mitigation strategies (RAIM). Real-time
monitoring can utilise the data for real-time control functions.
Anomaly detection and impact analysis can be done through
monitoring and correlating the system logs. The output is
ranked as varying degrees of risks, based on which mitigation
actions can be taken.
B. Test Beds
Test bed is a platform used to test systems or technologies
where the actual system cannot be endangered by testing, due
to unintended consequences, for example, checking the effects
of patch application and response to malware. A test bed must
capture the essence of the system under test for it to be useful.
The facility can also be shared to save cost or share
knowledge. Test bed creation is also recommended in [2].
Although some test beds have been developed by large
organisations, generally the access is restricted to affiliated
researchers only [53]. Unlike a simulation environment being
fully contained in software, a test bed uses hardware,
simulated and emulated devices. A survey of test beds in
software and hardware is provided in [53].
Test beds could be realised [54] as simple simulation based
(TrueTime), federated simulation (several dedicated
simulation federates for plant, network etc. such as HLA) or
emulation/implementation based (real hardware or emulator
such as EmuLab).
1) National SCADA Test Bed (NSTB)
The Department of Energy, US, have established a National
SCADA test bed [55] that aims to provide testing, research
and training facilities to help improve the security of control
systems. However free access to academia and industry is not
available. Thus, many researchers have developed test beds to
investigate some element of security.
2) TRUST
An experimental simulation test bed TRUST-SCADA [56]
was aimed to assess and address vulnerabilities, and to provide
an open-source design for a flexible test bed. DoD/HLA was
chosen as the integration platform, for the plant model
(Simulink/Stateflow), Network model using (OMNeT++,
NS2, OPNET) and controller (Simulink/Stateflow).
The authors [54] have also proposed a test bed for SCADA
vulnerabilities and validating security. The specific scenarios
analysed were DoS attack on sensors, integrity attacks, and
phishing attacks
3) Live Virtual and Constructive (LVC) Test Bed
Urias et al. [29] describe a hybrid test bed that can be used
to perform cyber-physical security analysis. It was developed
at Sandia National Laboratories to identify system level
vulnerabilities, results of their exploitation, and approaches to
eliminate it. Simulated network devices were represented
using OPNET, enabling passing of simulated traffic to real
devices. Virtual machines were used as hosts, servers and
Cisco routers’ emulation, and physical devices to which the
simulated network traffic could be addressed. The experiments
setup simulated the enterprise and control system network and
provides analysis of cyber attacks against the business and
control system network. The experiments investigated the
effects of attacks on SCADA protocols (DNP and Modbus
TCP) and how to mitigate such attacks using network security.
4) TrueTime
A simple test bed [57] has been proposed by Farooqui et al.
using TrueTime (MATLAB/Simulink based simulator
developed by Lund University) to simulate DoS attacks and its
effects. The SCADA network is designed to control four
different DC servo motors through a reference signal. The
DoS attack scenarios covered attack on a PID controller and a
specified actuator.
5) Research and Pedagogy
A test bed for SCADA cyber security research and
pedagogy has been developed by Morris et al. [58]. It provides
the facility to discover vulnerabilities, implications and
classification of vulnerabilities by type, mitigations and
validations. Developed at Mississippi State University, it
models various industrial applications such as smart grid and
gas pipeline, through hardware and software.
6) TASSCS
The OPNET test bed by Mallouhi et al. [5] is used to
simulate networks, PowerWorld simulation system to simulate
the functioning of power grid, and Autonomic Software
Protection System (ASPS) for detection and protection against
SCADA cyber security attacks. The attack detection is based
on an anomaly based approach. It provides details of DNP,
Modbus, and TCP/IP attacks through a training and detection
phase.
7) Power Station Simulation
The test bed proposed by Hahn et al. [59] consists of
power station simulation, substation automation and SCADA
system, and uses scenarios based on anomaly detection. It is
based on real-time monitoring, anomaly detection, impact
analysis, and mitigation strategies (RAIM). The test bed uses
ICCP, DNP 3.0 over TCP/IP, and OPC communication
protocols.
8) Power Control System
A test bed for a simulated power control systems is
reported by Dondossola et al. [60] for collection of data
through controlled experiments on a power system test bed,
and activities for using the collected data for analysis and risk
assessment frameworks. Cyber threats such as DoS and false
injection attacks were investigated. The authors also gathered
statistics based on message delays, number of lost messages,
and time to failure to UDP flooding attacks.
9) Common Open Research Emulator (CORE)
Tesfahun and Bhaskari [61] propose a scalable and
reconfigurable virtual SCADA security test bed for developing
and evaluating security solutions. The authors provide a
labelled dataset for other researchers. It is based on Common
Open Research Emulator (CORE) for simulating SCADA
networks. It is possible to launch multiple attacks
simultaneously and benchmark datasets can also be generated.
CORE can be connected to real world networks, with the
Python module to customise network emulation. The
researchers represented SCADA devices by a virtual node in
CORE. DDoS and False Data Injection attack were simulated.
10) Software Defined Networking (SDN)
SDN makes it possible to dynamically reconfigure an IP
network. Dong et al. [1] explore the use of SDN techniques
for enhancing the protection against cyber attacks. The authors
propose a co-simulation test bed comprising Mininet (to
emulate smart grid communications), and PowerWorld (to
simulate physical aspects of power systems). The test bed has
Bro-based IDS to analyse the DNP3 traces and provide results
for SDN countermeasures. Three use cases were considered to
demonstrate the SDN potential for strengthening the
resilience.
11) SCADA Virtual Test Environment
A test environment is proposed by Boldea [62] to assess
the security of SCADA systems, and the use of virtual systems
to emulate the real systems, and used GNS3 for network
components and Virtual Box for software virtualisation. The
SCADA test bed used the free SCADA 2 software with a
Designer and Runtime tool to simulate DDoS attacks.
C. Simulating SCADA Attacks
Simulating SCADA attacks makes it possible to explore the
cyber defence of the system under investigation. The results
can then be used to strengthen the defence.
1) Malware Attacks
Malware or malicious software poses a serious threat to
SCADA systems. The vulnerabilities present in the IT and
communications systems can be exploited by viruses and
malware, hence making SCADA systems vulnerable to such
attacks as reported by Fovinoa et al. [24].
A malware attack simulator for testing SCADA system
under controlled environments, Mobile Agent Malware
Simulator MAlSim has been proposed by Leszczyna et al.
[63]. The toolkit provides the facility to implement various
types of malware. The aim was to provide security assessment
based on simulated attacks. It can be used to simulate wellknown malware such as Code Red, SQL Slammer. A malware
template is comprised of a MAlsim agent with its behavioural
and migration patterns.
MAlsim was used by Fovinoa et al. [24] to investigate
malware attacks on a SCADA system on a power plant test
bed comprising of a process network, field network, intranet,
data exchange network, external network and observer
network. The code for Code Red, Nimda, Slammer and
Scalper was obtained and injected into the process network to
activate these malwares. The malwares infected the machines
but did not lead to system failures. The authors also provide
results for a Modbus DoS and network attack.
Ciancamerla et al. [64] provide results for a malware
injection on an electric grid.
2) Network Attacks
Chabuksawar et al. [46] used a simulator that uses
C2WindTunnel. The paper emphasizes co-simulation of
controller and plant dynamics in Simulink/MATLAB and
network architecture and behaviour in a network simulator
like OMNeT++ [24].
NETA is a framework for the simulation of
communication networks attacks. Network Attacks (NETA)
[65] is based on OMNeT++ and provides a framework for
simulating attacks in heterogeneous networks.
3) Communication Protocol Attacks
There are hundreds of communications protocols in use for
SCADA communications. Jin et al. [39] provide modelling of
buffer flooding attack on DNP3 protocol. A simple flooding
attack fills the event buffer in the data aggregator so that the
critical alerts from legitimate devices cannot be buffered
which impacts the control station’s situational awareness. The
behaviour is analysed through a simulation model [39]. Moya
et al. [66] describe a Grey Hole attack against a SCADA
substation using DNP3.0.
Fovino et al. [67] provided a filtering system based on
state analysis for securing SCADA protocols, Modbus and
DNP3. The aim of the study was to detect attacks where a set
of licit commands on execution can disrupt a SCADA system
while in particular states. A firewall does not guarantee
complete protection to SCADA systems, as it operates on a
signature-based approach. Thus a firewall needs the system
state and the set of unwanted states. In order to check whether
the system is proceeding to a critical state from which the
distance from critical states can be calculated. The proposed
method was validated on a prototype system.
A ‘C’ language graph based implementation by Genge and
Siaterlis [22] for network segmentation separates control
hardware regulating input flows from output flows of the
industrial process for SCADA resilience. The human expert is
needed to construct a directed graph where vertices are
process units and edges are product flows, the segmentation is
performed through a heuristic algorithm. The methodology
was applied on the Tennessee-Eastman chemical process using
two attack scenarios on PLCs using Modbus protocol and the
results show that it can be used for defence against Stuxnet
like attacks.
A graph theory analysis for IEEE 118 bus system is
presented by Srivastava et al.[40].
4) Denial-of-Service/MITM
This has been the most well studied type of attack as it is
easy to implement and launch. A malicious agent can flood a
specific device through protocol exploitation, resulting in
bandwidth saturation that renders the service unavailable as
described by Ciancamerla et al. [64]. SCADA system
vulnerability analysis through DDoS attack is presented by
Petrovic and Stojanovic [74]. The simulation considers a
corporate and SCADA network. A DoS attack on an actual
SCADA system of a medium voltage electrical grid is
provided in [64]. Malware attack results for DoS for Modbus
protocol is provided in [24].
The wireless packets are easy to exploit because the
intruder does not have to be physically connected to the
network (as in wired) to access the network traffic. Xie et al.
[68] have proposed a simulation platform based on radio
modem for analysing radio modem security. Radio modems
are typically used for long range communications to connect
PLC, RTU etc. but often the data is sent in plain text that can
be exploited. The paper explored four types of attacks, that is,
communication jam, data eavesdropping data tamper and
eavesdropping, and DoS attack.
MITM attacks on IEC 60870-5-104 SCADA networks are
described by Maynard et al. [76]. Details of the protocol
packet payload are provided. MITM attacks will follow the
stages of detection (to identify targets), capture (data
collection), and finally attack. The experiments cover relay
and MITM attacks and, attackers with varying degrees of
experience can compromise the system by hiding fault
condition from a SCADA server.
5) False Data Injection (FDI)
In False data injection attack the stored or transmitted data
from RTUs, control centre or communications infrastructure is
modified with a malicious intent [77].
Hug and Giampapa [77] considered the FDI attack on a
SCADA system for a power grid for ac state estimation.
Through simulation using IEEE 57 bus system, details are
provided for a number of measurements that the attacker needs
to alter, to stay hidden. If the attacker has knowledge of the
system data then the attack will not be noticed through the ac
state estimation. FDI were also investigated in [60].
6) False Sequential Logic Attacks
Li et al. [79] proposed a false sequential logic attack on a
SCADA system. An informed attacker can alter the sequential
logic of control to disrupt the physical process before the
intrusion is detected. The sequential logic of the physical
process is modelled as finite state machine (FSM). Traditional
IDS will not be able to detect an intrusion as it is based on licit
commands, demonstrated for a three tank system. To detect
the proposed attack there is a need for sequential logic featurebased IDS to continuously monitor the control sequence.
7) Integrity Attacks
An attacker can gain access to the sensors and/or actuators
and modify the software to launch a coordinated attack as
reported by Mo et al. [80]. Data integrity attacks wherein the
sensor or control signals are manipulated can have severe
consequences as the operator could be misled into taking
wrong actions. These attacks are more difficult to overcome as
their onset is not as obvious as DoS attacks. In [80] the authors
focused on techniques for integrity attack detection and
describe an analytic approach verified through simulation for
detecting replay attacks on sensors. It assumes that the
attacker has capability to read sensor inputs and capability to
inject input.
Such an attack however would require knowledge of the
system as described by Sridhar and Manimaran [81]. In [81]
an integrity attack is simulated on an Automatic Gain Control
(AGC) loop that keeps both tie-line flow and frequency
deviation values correct. Simulation is performed on a twoarea system, and verifies that the system can be led to an
unhealthy state by an attacker manipulating values
intelligently.
Unsupervised anomaly detection for integrity attacks on
SCADA systems is described in [11].
8) Real-time and Simulation Monitor
A methodology to ensure SCADA availability through a
real-time monitor and a simulation monitor is proposed by
Shen et al. [82]. The real-time monitor, monitors states and
events and based on that, estimates if there are faults or risks.
The simulation monitor simulates control commands, monitors
and predicts the results of those commands and estimates
whether the commands are dangerous or not. The
methodology is then tested on a simulated water treatment
system.
D. Mathematical Modelling
Modelling techniques provide a reliable and formal
mechanism for validating a system under attack. Linear
dynamical models [30] are used to model the behaviour of
control systems. A model for a web robot network (botnet) is
proposed by Brand et al. [83], which can be used to attack the
system in different ways. Botnets can bring down a server
through a DDoS attack from many compromised machines as
investigated by Baecher et al. [84].
Backhaus et al. [12] describe a game theory model to
outline a scenario where the attacker, after gaining access to
the system will interact through its control system with the
system operator, and the outcome of these machine-machine
interactions will be governed by the design of the physical and
control systems. Considering a simple model, the interactions
of the attacker and defender are explored and the outcome is
estimated. Extensions to real world complex problems would
increase the computational requirements exponentially.
Yang et al. [85] proposed Factor Neural Network (FNN)
to study the security problem in SCADA through developing a
FNN-based security defence architecture model. The attack
and defence of SCADA is taken as online digital intelligent
antagonising process and all reasoning, judgement and
thinking is abstracted into corresponding network attacks and
defence knowledge system. The proposed model needs further
research into SCADA network attack simulation.
Cardenas et al. [75] use a mathematical formulation to
detect and survive attacks in specific research problems. The
physical system is modelled as a linear dynamical system.
Testing complex SCADA systems is challenging, Süß et
al. [86] propose the use of Modelica and Eclipse Modeling
framework. Modelica is a mathematical modelling language
for complex physical systems and offers Ecore, the metalanguage of the Eclipse framework. The focus is on an
integrated unified model driven development environment.
E. Probabilistic Modelling
Queiroz et al. [87] propose a survivability model based on
Bayesian networks, taking into account the type of protocol
communication. The focus is on system survivability despite
attacks. The simulated system consisted of fibre networks
modelled using SCADASim [62] to simulate and test the
model. Such techniques are very useful as the complex
interaction between system components can be easily
validated. A Bayesian attack graph model is proposed Zhang
et al. [88].
F. Risk Modelling and Assessment
A review of risk assessment techniques is provided by
Cherdantseva et al. [89]. Risk management reduces the
likelihood of cyber attacks disrupting SCADA and in the event
of a successful attack reducing the severity of the
consequences as described by Henry and Haimes [90].
An integrated methodology for managing the risk of cyber
attacks is reported in [91]. Minimax envelopes are developed
for dynamic multi objective models to address scenario
uncertainty, due to different attacker motives and points of
access.
A Network Security Risk Model (NSRM) for cyber risk
analysis of the control system is proposed in [90]. The model
is applied on an example system of a simplified crude oil
pipeline pump station. NSRM is an attack model with a
directed graph, where nodes represent process components
and edges are the linkages from one process component to
another. The model defines the state space where transitions
take place with transition probabilities in response to
attacker’s actions.
A survey of available tools for SCADA risk assessment is
provided by Ralston et al. [92]. It mainly covers probabilistic
risk assessment to estimate the risk from SCADA systems.
A network vulnerability analysis using attack graphs is
provided by Phillips and Swiler [94]. The attack paths and
their probabilities could be identified and vulnerable system
components can also be identified. In attack graphs, each node
represents a possible attack state and each edge represents a
success probability. The inputs to the system are configuration
files, attacker profiles, and attack templates. An example is
provided for generation and analysis of graph.
Attack-Trees were first described by Schneier [69] and are
a widely used technology for risk assessment of safety-critical
systems. The attack goal is modelled as the root of the tree and
various possible ways of accomplishing the goal are the
leaves. These make it easier to identify the more probable
causes and make predictions. Attack trees visually describe the
possible attack paths and can be used for risk assessment as
described by Bouchti and Haqiq [70].
Moore et al. [71] provide guidance on documenting
security attacks in a reusable form through an example. The
practicality of an attack tree for a real-world system is
governed by re-using an attack pattern. Through the chosen
example of an enterprise, the authors describe the
documentation of security attacks in a reusable form. Thus it
provides a means to organize historical attack data for later
analysis.
The attack tree methodology was used by Byres et al. [72]
to model cyber attacks on SCADA systems. The authors
provide some examples of risk analysis for attackers’ goals of
gaining access to the SCADA system, identifying Modbus
device and compromising the master, and highlight the
security issues. The authors describe their methodology
through identifying eleven attackers’ goals which were
elaborated for their technical difficulty, probability of
detection, and underlying critical vulnerabilities. They
conclude that all the attack avenues depend on an attacker
getting network access. The authors point to more rigorous
work that is required for the techniques to be usefully
employed.
Ten et al. [73] used attack trees for vulnerability
assessment of SCADA systems. The paper considers an
analytical model to measure vulnerabilities of a control centre.
The methodology used vulnerability index as likelihood that
an attack tree or leaf will be compromised.
Bouchti et al. [70] extended the attack trees with new
modelling constructs and analysis approaches to propose
Colored Petri Net (CoPNet) to model intrusion. Petri Net is a
mathematical modelling language that can be used as a visual
communication tool. Based on the mapping rules, a CoPNet
model can be built from Attack trees. CoPNet can model both
defences and attacks, unlike an attack tree that can only model
attacks. The proposed method is applied to a 3bus power grid
and its SCADA network. The model provides better modelling
compared to attack trees but has a more complicated form.
Attack trees have been used by Ten et al. [52] for intrusion
modelling. The study is focused on the ports and passwords on
control network computers. The vulnerabilities were depicted
as a risk table. The hardening through administrative
passwords was also tested.
Bayesian attack graph models are applied by Zhang et al.
[88] for power system attack scenarios of breaker trips through
IEDs. A mean time-to-compromise (MTTC) model is used to
estimate time for successful intrusion of cyber components.
Bayesian networks model attack graphs using probabilities.
Two attack graph models are considered, first is the attack
graph of vulnerabilities, and the second estimates successful
intrusion on communications links. The reliability analysis is
provided for the attacks considered.
IV. TOOLS AND TECHNIQUES
In this Section, we describe the tools that can be used either
for gathering more information about an intended target
system or those which can actively attack a system with or
without such analysis. A summary is provided in Table III.
A. Scanning Tools
Any information about network addresses or open ports of
a potential target can help the attacker to develop an attack
methodology. By knowing which ports are open and listening,
it is easy to infer about the running programs and then
devising an exploit or attack methodology. If the attacker has
access to the network, then through freely available tools it is
possible to gather information about a system or to actively
target it. In general the more information that gets collected
the higher will be the damage caused [13]. Using similar tools
as available to a hacker, can help to determine the weaknesses
of the system and to provide a timely fix.
Nmap [95] is a freely downloadable scanning tool that can
be used to gather information about a single machine or the
whole network. It can provide information about the open
ports, services being run and the operating system, and even
the firewalls in use, as well as other characteristics. All of this
provides valuable information to an attacker to plan the attack.
Port scanning is often done before the penetration testing.
Traffic to an open port would legitimately pass through a
firewall and may be used to determine the Trojan or other
malicious code running on a machine. However, Nmap can be
run from one of the machines in the network which may be
difficult for an intruder.
In contrast to a wired network, packets on a wireless
network are easy to intercept because the intruder could
intercept packets just by being in the range. There are tools
such as Aircrack-NG that let packets to be captured.
B. Penetration Testing
Tools such as metasploit [96] can be use for penetration
testing. Sploitware [97] which is a framework designed
specifically for penetration testing of SCADA systems can be
used to check for SCADA vulnerabilities.
C. Machine Learning
Machine learning techniques are mostly based on statistics
and can analyse the process data to isolate anomalous data that
signal malicious behaviour. Thus making automated machine
learning techniques more appropriate and efficient compared
to human analysts [98].
Almalawi et al. [11] proposed an unsupervised anomaly
based detection scheme for a water distribution system to
detect inconsistent states using k-nearest neighbours (KNN)
and clustering using k-means. The inconsistencies could be
either inconsistent network traffic pattern or SCADA data
[11]. Simulated and real data sets are used to simulate MITM
attacks on Modbus/TCP. The authors show their scheme to
perform better than supervised and semi-supervised schemes.
Machine learning techniques have been applied to
telecommunications; [98] proposed one class SVM for
automated anomaly detection from SCADA
telecommunications data.
Torrisi et al. [78] propose SVM based traffic analysis using
message direction and timing information to protect against
Grey Hole attacks. Unlike other work that is focused on
identifying the different protocols in an encrypted tunnel, the
authors consider an attack classifying messages that belong to
the same application layer protocol, DNP3, and investigate the
ability to cause interference in SCADA monitoring. In a grey
hole attack, as the solicited responses from the master are let
through and the unsolicited messages are dropped, the master
would still not be aware of the message drop and thus the
attacker can remain undetected. The message drop would
result in the operator observation to be off by about 10-20%.
Such attacks could be mitigated through use of TCP as the
sequence numbering works in both directions and loss would
be detected or by modifying the DNP3.0 protocol to use
related sequence numbers for both unsolicited and solicited
messages.
SVM techniques were used in [99] to identify malware and
demonstrate use of an ‘eigenvector’ pre-filter to remove
irrelevant features from the dataset.
Nader et al. [100] propose to detect malicious intrusions
through machine learning after they have bypassed IDS. The
paper investigates lp-norms in Radial Basis Function (RBF)
kernels for intrusion detection using one class classification
techniques of support vector data description (SVDD) and the
Kernel Principal Component Analysis (KPCA). The selected
algorithms are applied on the gas pipeline test bed and
compared to other selected methods, was faster, had higher
error detection rates, and lowest false alarm rates. Application
on a water treatment dataset gave better results for KPCA
compared to SVDD.
A cloud based data analysis system for Los Angeles Smart
Grid Project is described by Simmhan et al. [101]. It was
based on Floe data flow framework which is hosted elastically
on VMs and is supported by major cloud providers. The work
demonstrates value of cloud computing and data analytics for
smart grids but provides insights for mining similar data for
just SCADA systems. Some principles for smart grid analysis
are provided in [102] by Accenture.
D. Network Intrusion Detection Systems (IDS)
IDS work by inspecting the network traffic and mainly
comprise of two approaches: signature based and anomaly
based. The signature detection matches traffic to a known
misuse pattern, while the anomaly detection works on the
normalities in the observed data and can detect unknown
attacks [14], [15].
A review of IDS schemes and a decentralised multi agent
scheme is proposed by MacDermott et al. [103]. Digital Bond
Quickdraw project [104] releases IDS signatures for DNP3,
EtherNet/IP and Modbus/TCP that can be used to identify
possible attacks [14].
A rule-based IDS is proposed by Yang et al. [14] for IEC
60870-5-104 protocol which is used for basic telecontrol tasks
but the messages are in plain text and it also has inherent
TCP/IP issues. The authors use Internet Traffic and Content
Analysis (ITACA) tool for traffic sniffing. The proposed
signature and model based approaches were validated by
capturing normal traffic followed by abnormal packets, and
effectively identified all abnormal data for the given rules and
dataset.
This work has been extended by the authors of [14] for IEC/
60870-5-104 protocols by deriving stateful protocol analysis
approach [105]. Stateful analysis compares predetermined
acceptable protocol behaviours against observed activities to
detect deviations or intrusions. A detection state machine is
proposed and applied for stateful IDS for SACDA systems.
Similar to attack tools, there are freely available tools that
make it possible to detect and prevent an intrusion. A guide
[106] to intrusion detection and protection is available by
NIST.
Malicious users understand signature-based technologies
and can craft malware that can elude such systems and remain
undetected, as described by Winn et al. [107].
Some work has been reported based on machine learning
techniques. The communications data sets from SCADA are
analysed by Jiang and Yasakethu [98] with one class SVM to
cluster the anomalies and generate an alarm based on
perceived severity.
Oman and Phillips [35] described an implementation of a
customised IDS and event monitoring system. The system can
assist operators to identify erroneous or malicious settings and
activities in the system.
The inadequacy of rule based approaches with reference to
firewalls is elaborated in [67] by stating that for control
systems, even a sequence of licit commands can lead the
system to an unsafe state.
IDS based on critical state analysis in a power plant are
proposed by Carcano et al. [108]. The authors contend that the
system critical states, as a result of cyber attacks or system
faults, can be segregated based on IDS that is aware of such
critical system states, from known or unknown attacks. The
authors develop a new Industrial State Modelling Language
(ISML) and use it to define states. By monitoring the system
states a critical state can be detected before it occurs by
monitoring the distance form a critical state. The proposed
scheme can also detect zero day attacks as it is based on
system states from known to critical.
Kirsch et al. [41] describe what they term as a first
survivable SCADA system using replication of SCADA
master that continues with minimal degradation during cyber
attacks. The system runs several copies of SCADA master
thus the application acts as its own firewall and does not
require prior knowledge of attack signatures. The replication
protocol assumes that some of the replicas are compromised.
The authors propose a state machine approach where all
replicas start in the same initial state and cooperate to execute
an event that ensures all replicas proceed through the same
state sequence. Prime client library is used to link RTUs and
HMI to SCADA master. A polling and scalability scenario
were used to validate the proposed system.
Snort [109] is a free tool for intrusion detection that can
analyse traffic, packet logging, and protocol analysis. OSSEC
[110] is another open source tool for intrusion detection. An
early detection of an intrusion can help to contain its effect
and potential damage [98], thus making such techniques
extremely useful.
E. Intrusion Prevention Systems (IPS)
An IPS performs the intrusion detection and additionally
also attempts to prevent/stop certain incidents [103]. An IPS
monitors the network for any malicious activity and also
attempts at stopping the intrusion, and raises an alert. Snort
[109] can also perform intrusion prevention.
There is little research reported on IPS unlike IDS which is
comparatively heavily researched.
F. Honey pots (also conpot)
Honey pots are computer systems deployed as decoys to
attract hackers to attack them and thus record the attackers’
actions. Thus sources and intentions of the attackers are
obtained without exposing an actual system to exploitation
risk. They provide knowledge about the tactics and techniques
employed by the malicious users [107] and also about the
origin of such attack.
The implementation could be a low-interaction honeypot
(LIH) that offers limited services or high-interaction honeypot
(HIH) that implements a complete system [19], [84]. Honeyd
and GenIII honeynet are examples of a LIH and HIH
respectively [84]. For details of different honeypot based tools
and their relative merits please see [84].
Honeypot should mimic a device (such as PLC) as part of
a larger system to be of interest to the attackers as described
by Winn et al. [107]. Honeyd is a cost effective solution to
deploy a realistic honeypot. During pilot studies it was used to
advertise 75 PLC in [107]. Disso et al. [19] used honeynet
Honeywall CDROM in a virtual machine as a honey pot. A
PLC (low interaction) was emulated using HoneyD, and
another PLC as high interaction.
Although mimicking an industrial system is complex, the
open source honeyd [111] makes it easier. The attack traces
can be stored and analysed to determine the sources of attacks.
The information about the potential people interested in
acquiring information, hacking, and frequent visits can help to
bolster up the defence. On identifying a honey pot, the hackers
may employ anti-honeypoting techniques [107].
A study to identify and group the traces left on honeypots
to the botnets’ originating machines is described by Pham and
Dacier [112] that enables identifying new botnets. The traces
are represented as time series that could be arranged based on
the country of origin of a source. The time series can then be
correlated to detect attack events. The attack events then help
to identify attacks from the same botnet or a group of botnets.
A large scale collection of malware [84] can help design
counter-strategies such as network and host IDS. Baecher et
al. introduce Nepenthes as a platform to deploy honeypots as
vulnerability modules. It’s a scalable solution to emulate
different operating systems and authors report experiments by
emulating more than 16,000 different IP addresses on a single
physical machine. Nepenthes is effective at detecting zero day
attacks but is capable of collecting malware that is
autonomously spreading. Their system collected 15,500
unique binaries over a four months period, and analysing them
with different anti-virus systems detected 80-90% as
malicious, that is different anti-virus engines are missing a
significant percentage of malware.
Brand et al. [83] describe a malware rebirthing botnet that
can be used to collect malware and rebirth it with new
signatures to launch an orchestrated attack and avoid detection
by AV software.
Viruses can be countered by propagating the immunization
agent as an epidemic as proposed by Goldenberg et al. [113].
The authors propose using the honey pot architecture for early
virus discovery and fast antivirus dissemination. They provide
a concrete example of an email network.
G. Security Information and Event Management (SIEM)
SIEM works by aggregating the information from the
selected tools to a central repository for real-time trend
analysis. An open-source product is OSSIM [93], [114].
Mahboob and Zubairi [93] proposed OSSIM (by AlienVault
as above), that is an open source Linux based Security
information and event management (SIEM) system for
SCADA security by configuring OSSIM. OSSIM can bring
together several security tools such as Open source security
(OSSEC) and a GUI. OSSIM can correlate events from
different sources such as firewalls, anomaly detectors,
IDS/IPS, and network switches and combine these with known
vulnerabilities. The authors used a PLC (as VM), Honeynet
and Honeywall VM for GUI. Snort is used for IDS and
OpenVAS for vulnerability scanning. Based on the results
mitigation actions (patches) can be taken and the scanning can
be performed again. OSSIM assigns a risk value to each event
and has many other correlation features not fully explored by
the authors.
H. Ethical or White-hat Hacking
The term white-hat hacking means to perform the same
actions as that of a real or black-hat hacker to determine the
security weaknesses in a system with the intention to fix them
before exploitation. Encouragement through recognition and
rewards for finding and reporting vulnerabilities will bring
such skills to prominence and help protect systems from
malicious black-hat hackers. At a more formal level [115]
describes the certification of the cyber security skills
I. Forensic Science
It may be useful to do post attack analysis for protecting the
systems as investigated by Erol-Kantarci and Mouftah [7]
against similar future attacks. It is a new research area for
SCADA with similarities to digital forensic in other areas.
Valuable information can be gleaned from events preceding an
attack. However as pointed by the authors there are some
challenges such as live analysis and issues like privacy of data
etc. that need to be overcome.
Forensics [112] has also been applied to honey pot traces to
identify new botnets originating from the same source
machines or countries.
V. CONCLUSION
SCADA systems have gained prominence and widespread
use beyond the traditional applications for highly critical
systems such as power generation and transportation systems.
Internet connectivity has changed the threat landscape and the
recent interest and ability to monitor and control processes
over the mobile network means even more diverse entry
points. Thus effective strategies are required that can provide
adequate protection against cyber-security threats and attacks.
Perhaps the most important transformation needed is a
different threat perception for SCADA systems.
Current strategies such as simulation, modelling and other
approaches reported in the research literature for determining
the efficacy of a system against a cyber-attack have been
reviewed in this paper. These techniques can be used to
uncover the system vulnerabilities by determining the degree
of protection against a possible attack. This helps the system
developers and providers to assess their systems before
commissioning, and system users/clients to be aware of
security provisions and compliance to regulatory
requirements.
In view of the fast changing cyber threat landscape,
adoption of security techniques will be offset by
corresponding new threats being evolved. Hence there would
always be a need for continuous evaluation and evolution of
cyber defence practises to match the corresponding threats.
The guidelines provided by the agencies [2], [106], [122] are
steps in the right direction to lay down industry’s best
practices. One of the promising techniques in this category is
penetration testing, especially by third party that can help to
expose hidden vulnerabilities [17] and implement corrective
action enabling system validation and remedy of any security
weaknesses.
There are other promising techniques, such as simulation,
modelling, and security assessment and honey pots. This
coupled with the desire of the SCADA vendors to provide
integration with commercial database systems, will make it
possible for real time data analytics to identify a threat vector
before it strikes. The selected techniques are important for the
system developers to confirm adherence to security policies
and certify a degree of protection against threats.
VI. FUTURE RESEARCH DIRECTIONS
Recent technological developments in communications
and networking have revolutionised the control and process
networks making it much easier to access the data remotely
and conveniently. The current research for cyber security
protection has many promising techniques.
The emerging techniques such as SDN (highlight reconfigurability) and virtualization platform provides many
benefits such as copying, restoring, deleting and backing-up
virtual machines (VMs) on the fly. High Availability and
Vmotion which enable continued operation of a virtual
machine during migration. The virtualization platform
provides many benefits such as isolation, snapshots, migration
and restoring of virtual machines. Virtualised deployments are
thus easier to protect compared to physical servers. Through
update manager the vital updates can be automatically
downloaded and applied.
Cloud computing is still a new technology for SCADA
[116]. The control and monitoring industry has not yet fully
embraced cloud computing because it is different to
conventional IT systems. With further increase in network
speeds, reliability and storage technologies; SCADA servers
could be hosted on the cloud infrastructure. The advantages
would be an easy enforcement of security standards, data
analytics and disaster recovery. A technology similar to cloud
that is gradually being adopted by the control industry is
virtualisation. With a private cloud [101] or virtual
infrastructure an organization can have the benefits of on-site
SCADA deployment and the benefits of disaster recovery,
migration, and high availability. This also ensures keeping the
data latency to a minimum.
In future, more open communications standards for
SCADA systems are expected to be adopted reversing the
trend where most of the products were closed and proprietary.
There are open source projects such as, OpenSCADA [117].
Although debatable [118] whether better protection is offered
by a closed system by ‘obscurity’ of its implementation, or an
open system, where the source is a public domain with a
possibility for misuse by implementing a targeted attack. In
the case of open systems, the user community can help by
providing fixes both before and after vulnerability gets
exploited through an attack. Such fixes could be quicker as
there are more people using the system with full knowledge
with more likelihood to uncover a potential threat.
The OPC UA (Unified Architecture) is an open industrial
[120], [121] Machine-to-Machine communication protocol
that replaced OPC DA. OPC UA is a set of 9 standards, with
one devoted to security. The general concept is to simplify the
SCADA communication interface by providing a common
medium of communication. [119] used OPC communication
from SCADA systems to collect system data for modelling a
water distribution network. The data from the OPC server
could similarly be used to investigate real-time cyber security
issues by applying data analysis techniques.
Machine learning and data analytics have now advanced
and are increasingly being used in new application domains.
The large data generated [61] in a smart system can be used to
extract information through data analytics for effective
management. Machine learning techniques can be very useful
for implementing strategies using an anomaly based
unsupervised detection [11] approach for detecting attacks on
SCADA systems. Future deployments of SCADA projects
would see tighter integration between the process data and
machine learning based data analysis engines observing
historical data for anomalous behaviour to thwart cyber
security breaches.
With industry regulations mandating cyber security for the
SCADA systems, vendors will provide more built-in security
features in their systems against cyber-attacks. For example,
features such as multiplexing proxies
There is also a lot of ongoing work to improve the
communications protocols [15] to provide better protection
against attackers. For example, security was added to DNP3
protocol by creating its extension called DNPSec [24]. These
developments are to be seen in the context of emerging IoT or
smart devices which are now common in SCADA networks.
There are both benefits and pitfalls to their use with the
security as the main hurdle to their widespread adoption. IoT
with its unique IPv6 addresses is both an opportunity and
challenge for cyber security.
In future, there will be a need for lot more collaboration
[42] between researchers, academics, vendors, developers, and
government agencies to design foolproof solutions through
integrated and cohesive efforts to meet the security challenges.
ACKNOWLEDGMENT
The authors gratefully acknowledge funding support from
Innovate UK for sponsoring the KTP project at London South
Bank University, in collaboration with Firstco Ltd.
REFERENCES
[1] X. Dong, H. Lin, R. Tan, R. K. Iyer, and Z. Kalbarczyk, “Softwaredefined networking for smart grid resilience: Opportunities and
challenges,” in Proc. of the 1st ACM Workshop on Cyber-Physical
System Security, New York, NY, USA, 2015, pp. 61-68.
[2] Protecting Industrial Control Systems, Recommendations for Europe
and Member States, ENISA, 2011.
[3] SCADA growth, [online]. Available:
http://www.marketsandmarkets.com/PressReleases/supervisory-controldata-acquisition.asp
[4] S. Li, T. Tryfonas, and H. Li, “The internet of things: a security point of
view”, Internet Research, vol. 26, no. 2, 2016, pp. 337-359.
[5] M. Mallouhi, Y. Al-Nashif, D. Cox, T. Chadaga, S. Hariri “A test bed
for analyzing security of SCADA control systems (TASSCS),” IEEE
PES Innovative Smart Grid Technologies (ISGT), Jan 2011, pp. 1-7.
[6] B. Genge, C. Siaterlis, I. N. Fovino, and M. Masera, “A cyber-physical
experimentation environment for the security analysis of networked
industrial control systems,” Computers & Electrical Engineering, vol.
38, no. 5, Sep 2012, pp. 1146-1161.
[7] M. Erol-Kantarci, and H. T. Mouftah, “Smart grid forensic science:
applications, challenges, and open issues,” IEEE Communications
magazine, vol. 51, no. 1, Jan 2013, pp. 68-74.
[8] B. Zhu, A. Joseph, S. Sastry, “A taxonomy of cyber attacks on SCADA
systems,” IEEE International Conference on Internet of Things, and
Cyber, Physical and Social Computing, 2011.
[9] W. Mahoney, and R. A. Gandhi, “An integrated framework for control
system simulation and regulatory compliance monitoring,” Elsevier Intl.
Journal of Critical Infrastructure Protection, vol. 4, no. 1, Apr 2011, pp.
41-53.
[10] B. Kesler, “The Vulnerability of Nuclear Facilities to Cyber Attack,”
Strategic Insights, vol. 10, no. 1, 2011.
[11] A. Almalawi, X. Yu, Z. Tari, and A. Fahad, “An unsupervised anomalybased detection approach for integrity attacks on SCADA systems,”
Elsevier Computers & Security, vol. 46, Oct 2014, pp. 94-110.
[12] S. Backhaus, R. Bent, J. Bono, R. Lee, B. Tracey, D. Wolpert, D. Xie,
and Y. Yildiz, “Cyber-physical security: A game theory model of
humans interacting over control systems,” arXiv:1304.3996 [cs.GT]
[13] D. S. Pidikiti, R. Kalluri, R. K. S. Kumar, and B. S. Bindhumadhava,
“SCADA communication protocols: vulnerabilities, attacks and possible
mitigations,” CSIT, Mar 2013.
[14] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, and H.F. Wang, “Rulebased intrusion detection system for SCADA networks,” in Proc. 2
nd IET
Conference in Renewable Power Generation, (RPG 2013), pp. 9-11, Sep
2013.
[15] P. Jain, and P Tripathi, “SCADA security: a review and enhancement for
DNP3 based systems,” CSIT, Dec 2013, 1(4): pp. 301-308. DOI
10.1007/s40012-013-0024-2.
[16] R. Langner, “Stuxnet- Dissecting a cyberwarfare weapon,” IEEE
Security & Privacy, vol. 9, no. 3, pp. 49-51, May 2011. DOI:
10.1109/MSP.2011.67.
[17] V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues in
SCADA networks,” Elsevier Computers & Security, vol. 25, Oct 2006,
pp. 498-506.
[18] White paper, “Web services security-The technology and its concerns,
[online]. Available: https://www.acunetix.com/websitesecurity/webservices-wp/
http://www.acunetix.com/websitesecurity/web-services-wp/
[19] J. P. Disso, K. Jones, and S. Bailey, “A plausible solution to SCADA
security honeypot systems,” in Proc. 2013 Eighth Intl. Conf. on
Broadband, Wireless Computing, Communication and Applications, Oct
2013.
[20] L. Constantin, “New Havex malware variants target industrial control
system and SCADA users,” PC World, Jun 2014.
[21] Symantec Security Response, “Dragonfly: Cyberespionage Attack
Against Energy Suppliers”, July 2014. [online]. Available:
https://www.symantec.com/content/en/us/enterprise/media/security_resp
onse/whitepapers/Dragonfly_Threat_Against_Western_Energy_Supplier
s.pdf
[22] B. Genge, and C. Siaterlis, “Physical process resilience-aware network
design for SCADA systems,” Comput. Electr. Eng, vol. 40, no. 1,
January 2014, pp. 142-157.
[23] Dell Security Annual Threat Report, [online]. Available:
https://software.dell.com/docs/2015-dell-security-annual-threat-reportwhite-paper-15657.pdf
[24] I. N. Fovinoa, A. Carcanoa, M. Maseraa, and A. Trombettab, “An
experimental investigation of malware attacks on SCADA systems,”
International Journal of Critical Infrastructure Protection , vol. 2, no. 4,
Dec 2009, pp. 139-145.
[25] Information Security Management (ISMS), ISO/IEC 27001 [online].
Available:
http://www.bsigroup.com/en-GB/iso-27001-information-security/
[26] K. Scarfone and M. Souppaya, NIST Special Publication 800-114,
“User’s Guide to Securing External Devices for Telework and Remote
Access,” Nov 2007.
[27] Guide to industrial control systems (ICS), NIST Special Publication
800-82, Revision 2, May 2015.
[28] A. Pauna, et al., “Window of exposure… a real problem for SCADA
systems?” ENISA Recommendations for Europe on SCADA patching,
Dec 2013.
[29] V. Urias, B. V. Leeuwen, and B. Richardson “Supervisory command
and data acquisition (SCADA) system cyber security analysis using a
Live,Virtual, and Constructive (LVC) testbed,” MILCOM 2012 IEEE
Military Communications Conference, Oct 2012, pp. 1-8.
[30] C. W. Ten, C.C. Liu, and G. Manimaran, “Vulnerability assessment of
cybersecurity for SCADA systems,” IEEE Transactions on Power
Systems, vol. 23, no. 4, Nov 2008.
[31] K. Mathioudakis, N. Frangiadakis, A. Merentitis, and V. Gazis,
“Towards generic SCADA simulators: A survey of existing multipurpose co-simulation platforms, best practices and use-cases,”. [online].
Available: http://conf-scoop.org/ACE-2013/6_Kostas_ACE.pdf.
[32] K. Mets, J. A. Ojea, and C. Develder, “Combining power and
communication network simulation for cost-effective smart grid
analysis,”, IEEE Communications Surveys & Tutorials, vol. 16, no. 3,
pp. 1771-1796, Mar 2014.
[33] Microsoft Security Bulletins, [online]. Available:
https://technet.microsoft.com/en-us/security/bulletins.aspx
[34] T. August, R. August, and H. Shin, “Designing user incentives for
cybersecurity,” Communications of the ACM, vol. 57, no. 11, Nov 2014,
pp. 43-46.
[35] P. Oman, and M. Phillips, “Intrusion detection and event monitoring in
SCADA networks,” Chapter Critical Infrastructure Protection, vol. 253
of the series IFIP International Federation for Information Processing,
pp. 161-173.
[36] Aircrack-NG, [online]. Available: https://www.aircrack-ng.org/
[37] P. Huitsing, R. Chandia, M. Papa, and S. Shenoi, B, “Attack taxonomies
for the Modbus protocols”, Int. J. Critical Infrastructure Protection, vol.
1, pp. 37–44, Dec. 2008.
[38] DNP-3 Protocol. [online]. Available:
http://www.dnp.org/pages/aboutdefault.aspx.
[39] D. Jin, D. M. Nicol, and G. Yan, “An event buffer flooding attack in
DNP3 controlled SCADA systems,” in Proc. of Winter Simulation
Conference, AZ, USA, 2011, pp. 2614-2626.
[40] A. Srivastava, T. Morris, T. Ernster, C. V. Shengyi, and U. Adhikari
“Modeling cyber-physical vulnerability of the smart grid with
incomplete information,” IEEE Transactions on smart grid, vol. 4, no. 1,
Mar 2013.
[41] J. Kirsch, S. Goose, Y. Amir, D. Wei, and P. Skare, “Survivable
SCADA via intrusion-tolerant replication,” IEEE Trans. on Smart Grid,
vol. 5, no. 1, Jan 2014, pp. 60-70.
[42] J. Slay, and M. Miller, “Lessons learned from the Maroochy water
breach,” chapter Critical Infrastructure Protection, vol. 253 of the series
IFIP International Federation for Information Processing, vol. 253,
Springer Boston, pp. 73–82.
[43] B. Vijayan “Stuxnet renews power grid security concerns,”
Computerworld, Jul 26, 2010. [online]. Available:
http://www.computerworld.com/article/2519574/security0/stuxnetrenews-power-grid-security-concerns.html
[44] P. Roberts, “SCADA vendors still need security wake-up call,” [online].
Available: https://threatpost.com/scada-vendors-still-need-securitywake-call-102410/74603/
[45] IEEE Standard for Modeling and Simulation (M&S) High Level
Architecture (HLA) Framework and Rules, 1516.2-2010.
[46] R. Chabuksawar, B. Sinopoli, G. Karsai, A. Giani, A. Davies, H. Neems,
and A. Davis “Simulation of network attacks on SCADA systems,” First
Workshop on Secure Control Systems, 2010.
[47] G. Hemingway, H. Neema, H. Nine, J. Sztipanovits, and G. Karsai,
“Rapid synthesis of HLA-based heterogeneous simulation: A modelbased integration approach,” Journal Simulation, vol. 88, no. 2, Feb
2012, pp. 217-232.
http://www2.engr.arizona.edu/~sprinkjm/research/c2wt/uploads/Internal
/Heterogeneous-Simulation.pdf
[48] J. J. Downs and E. F. Vogel. A plant-wide industrial process control
problem. Computers & Chemical Engineering, 17(3):245–255, 1993.
[49] C. Queiroz, A. Mahmood, and Z. Tari, “SCADASim—A framework for
building SCADA simulations,” IEEE Trans. on Smart Grid, vol. 2, issue
4, pp. 589-597, Sep 2011.
[50] D. Bytschkow, M. Zellner, and M. Duchon, “Combining SCADA, CIM,
GridLab-D and AKKA for smart grid co-simulation,” IEEE innovative
Smart Grid Technologies Conference, Jun 2015.
[51] P. Novak, R. Šindelarˇ, R. Mordinyi, “Integration framework for
simulations and SCADA systems,” Elsevier Simulation Modelling
Practice and Theory, vol. 47, Sep 2014, pp. 121-140.
[52] C. W. Ten, G. Manimaran, C. C. Liu, “Cyber security for critical
infrastructures: Attack and defence modelling,” IEEE Trans. on Systems,
Man, and Cybernetics-Part A: Systems and Humans, vol. 40, no. 4, Jul
2010.
[53] Z. J. Zhang, Z. Yang, L. H. Zhu, L. Xiao, and L. Zhao, “A survey of
SCADA test bed”, Int. J. Wireless and Mobile Computing, vol. 8, no. 1,
2015, pp. 9-14.
[54] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, “A
test bed for secure and robust SCADA systems,” Special issue on the
14th IEEE real-time and embedded technology and applications
symposium, vol. 5, no. 2, Jul 2008.
[55] National SCADA Test Bed: Available online:
http://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/NSTB_Fa
ct_Sheet_FINAL_09-16-09.pdf
[56] A. Davies, G. Karsai, H. Neems, A. Giani, B. Sinopoli, and R.
Chabuksawar “TRUST for SCADA: A simulation-based experimental
platform,” presentation [online]. Available:
http://slideplayer.com/slide/3377726/
[57] A. A. Farooqui, S. S. H. Zaidi, A. Y. Memon, and S. Qazi, “Cyber
security backdrop: A SCADA testbed,” IEEE Conference on
Computing, Communications and IT Applications, ComComAp 2014,
Beijing, pp. 98-103, Oct 2014.
[58] T. Morris, R. Vaughn and Y. S. Dandass, ”A testbed for SCADA control
system cybersecurity research and pedagogy”, in Proc. of the Seventh
Annual Workshop on Cyber Security and Information Intelligence
Research, 2011.
[59] A. Hahn, B. Kregel, M. Govindarasu, J. Fitzpatrick, R. Adnan, S.
Sridhar and M. Higdon, ”Development of the powercyber SCADA
security testbed”, in Proc. of the Sixth Annual Workshop on Cyber
Security and Information Intelligence Research, 2010.
[60] G. Dondossola, F. Garrone and J. Szanto, ”Supporting cyber risk
assessment of power control system with experimental data,” IEEE
PCSE Power Systems Conference and Exposition Seattle, Washington
USA, 15-18 March 2009.
[61] A. Tesfahun, and D. L. Bhaskari, “A SCADA testbed for investigating
cyber security vulnerabilities in critical infrastructures,” Automatic
Control and Computer Sciences, 2016, vol. 50, no. 1, pp. 54–62.
[62] C. N. Boldea, “SCADA virtual test environment development,”
[online]. Available: www.eeajournal.ro/includes/showArticle.php?identificatorArticol=310
[63] R. Leszczyna, I. N. Fovino, and M. Masera, “Simulating malware with
MalSim” Journal in Computer Virology, vol. 6, no. 1, pp. 65-75, Feb
2008.
[64] E. Ciancamerla, M. Minichino, and S. Palmieri “Modeling cyber-attacks
on a critical infrastructure scenario,” Fourth International Conference
on Information, Intelligence, Systems and Applications, IISA 2013, pp.
1-6, Jul 2013.
[65] NETA: [online]. Available:
www.omnetpp.org/component/content/article?id=3712:neta-release
[66] J. M. Moya, A. Araujo, Z. Bankovic, J. Goyeneche et al., “Improving
security for SCADA sensor networks with reputation systems and SelfOrganizing Maps,” Sensors 2009, vol. 9, pp. 9380-9397;
doi:10.3390/s91109380.
[67] I. N. Fovino, A. Coletta, A. Carcano, and M. Masera, “Critical statebased filtering system for securing SCADA network protocols,” IEEE
Transactions on Industrial Electronics, vol. 59, no. 10, Oct 2012.
[68] F. Xie, Y. Peng, W. Zhao, X. Han, H. Li, R. Zhang, J. Zhao, and J. Liu,
“Using simulation platform to analyze radio modem security in
SCADA,” 7th International Symposium on Resilient Control Systems
(ISRCS), 2014, pp. 19-21 Aug. 2014.
[69] B. Schneier, “Attack Trees,” Dr. Dobb’s Journal of Software Tools 24,
Dec 1999, pp. 21–2.
[70] A. E. Bouchti, and A. Haqiq, “Modeling cyber-attack for SCADA
systems using CoPNet Approach,” International Conference on
Complex Systems (ICCS), 2012, pp. 1-6, Nov 2012.
[71] A. P. Moore, R. J. Ellison, and R. C. Linger “Attack modelling for
information security and survivability,” Technical note, CMU/SEI-2001-
TN-001, 3-15-2001.Software Engineering Institute, Carnegie Mellon
University.
[72] E.J. Byres, M. Franz, and D. Miller, “The use of attack trees in assessing
vulnerabilities in SCADA systems,” International Infrastructure
Survivability Workshop (IISW’04), Lisbon, Portugal, 2004.
[73] C. W. Ten, C. C. Liu, and M. Govindarasu, “Vulnerability assessment of
cybersecurity for SCADA systems using attack trees,” IEEE Power
Engineering Society General Meeting, Jun 2007.
[74] J. D. Markovic-Petrovic, and M. D. Stojanovic, “Analysis of SCADA
system vulnerabilities to DDoS attacks,” 11th International Conference
on Telecommunication in Modern Satellite, Cable and Broadcasting
Service, TELSIKS, Oct 2013.
[75] A. A. C´ardenas, S. Amin, and S. Sastry, “Research challenges for the
security of control systems,” in Proc. of the 3rd conference on Hot
topics in security, HOTSEC’08, Article No. 6.
[76] P. Maynard, K. McLaughlin, and B. Haberler “Towards understanding
Man-in-the-middle attacks on IEC 60870-5-104 SCADA networks,”
International Symposium for ICS & SCADA Cyber Security Research
(ICS-CSR), St Polten, Austria, Sep 2014.
[77] G. Hug, and J. A. Giampapa, “Vulnerability assessment of AC state
estimation with respect to false data injection cyber-attacks,” IEEE
Trans. On Smart Grid, vol. 3, no. 3, Sep 2012, pp. 1362-1370.
[78] N. M. Torrisi, O. Vukovic, G. Dan, and S. Hagdahl, “Peekaboo: A gray
hole attack on encrypted SCADA communication using traffic analysis,”
IEEE International Conference on Smart Grid Communications, Nov
2014.
[79] W. Li, L. Xie, Z. Deng, and Z. Wang, “False sequential logic attack on
SCADA system and its physical impact analysis,” Computers &
Security, vol. 58, May 2016, pp. 149-159.
[80] Y. Mo, R. Chabukswar, B. Sinopoli, “Detecting integrity attacks on
SCADA systems,” IEEE Transactions on Control Systems Technology,
vol. 22, no. 4, July 2014, pp. 1396-1407.
[81] S. Sridhar and G. Manimaran, “Data integrity attacks and their impacts
on SCADA control system,” IEEE PES General Meeting, pp. 1-6, Jul
2010.
[82] F. Li, L. Shen, Y. Si, and J. Niu, “A method to enhance SCADA systems
survivability through simulation technology,” 2009 International
Conference on Measuring Technology and Mechatronics Automation,
ICMTMA, Apr 2009.
[83] M. Brand, C. Valli, and A. Woodward, “A Threat to Cyber Resilience:
A malware rebirthing botnet,” International Cyber Resilience
conference, 2011.
[84] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling, “The
Nepenthes platform: An efficient approach to collect malware,” LNCS
4219, pp. 165-184, 2006.
[85] L. Yang, X. Cao, J. Li, A. Wang, W. Tan, Z. Yu, “Research on FNNbased security defence architecture model of SCADA network,” in Proc.
of IEEE 2
nd International Conference on Cloud Computing and
Intelligent Systems, CCIS2012, Nov 2012.
[86] J. G. Süß, A. Pop, P. Fritzson, and L. Wildman, “Towards integrated
model-driven testing of SCADA systems using the Eclipse modeling
framework and Modelica,” in Proc. of 19th Australian Conference on
Software Engineering, pp. 149-159.
[87] C. Queiroz, A. Mahmood, and Z. Tari, “A probabilistic model to predict
the survivability of SCADA systems,” IEEE Transactions on Industrial
Informatics, vol. 9, issue 4, pp. 1975-1985, Dec 2012.
[88] Y. Zhang, L. Wang, Y. Xiang, and C. W. Ten, “Power system reliability
evaluation with SCADA cybersecurity considerations,” IEEE
Transactions on Smart Grid, vol. 6, no. 4, July 2015, pp. 1707-1721.
[89] Y. Cherdantseva, P. Burnap, A. Blyth, P. Eden, K. Jones, H. Soulsby,
and K. Stoddart, “A review of cyber security risk assessment methods
for SCADA systems”, Computers and Security, vol. 56, Feb 2016, pp 1-
27.
[90] M. H. Henry and Y. Y. Haimes, “A comprehensive network security risk
model for process control networks,” Risk Analysis, vol. 29, no. 2, 2009.
[91] M.H. Henry, Minimax Envelopes for total cyber risk management in
process control networks, Ph.D. Dissertation, Department of Systems
and Information Engineering, University of Virginia, 2007.
[92] P.A.S. Ralston, J.H. Graham, and J.L. Hieb, “Cyber security risk
assessment for SCADA and DCS networks,” Elsevier ISA Transactions,
vol. 46, issue 4, Oct 2007, pp. 583-594.
[93] A. Mahboob, and J. A. Zubairi, “Securing SCADA systems with open
source software,” 10th International Conference on High capacity
Optical Networks and Enabling Technologies (HONET-CNS), Dec
2013.
[94] C. Phillips, and L. P. Swiler, “A graph-based system for networkvulnerability analysis,” NSPW ’98 in Proc. of the 1998 workshop on new
security paradigms, pp. 71-79, 1998.
[95] nmap, [online]. Available: https://nmap.org/
[96] Metaspoilt, [online]. Available: https://www.metasploit.com/
[97] Sploitware [online]. Available: https://github.com/enaqx/sploitware
[98] J. Jiang, and L. Yasakethu, “Anomaly detection via one class SVM for
protection of SCADA systems,” International Conference on CyberEnabled Distributed Computing and Knowledge Discovery (CyberC),
2013.
[99] P. O’Kane, S. Sezer, K. McLaughlin, and E. G. Im, “SVM training
phase reduction using dataset feature-filtering for malware detection,”
IEEE Transactions on Information Forensics and Security, vol. 8, no. 3,
Mar 2013.
[100]P. Nader, P. Honeine, and P. Beauseroy, “lp -norms in one-class
classification for intrusion detection in SCADA systems,” IEEE
Transactions on Industrial Informatics, vol. 10, no. 4, Nov 2014, pp.
500-509
[101]Y. Simmhan, S. Aman, A. Kumbhare, R. Liu, S. Stevens, Q. Zhou, V.
Prasanna, “Cloud-based software platform for big data analytics in smart
grids,” Computing in Science & Engineering, vol. 15, issue 4, July-Aug.
2013, pp. 38-47.
[102]Ten Leading Practices for Smart Grid Analytics, Accenture Report.
[online]. Available: https://www.accenture.com/gben/accenturesmartsolutions-sustainability.
[103]A. MacDermott, Q. Shi, M. Merabti and K. Kifayat, “Intrusion
detection for critical infrastructure protection,” 2012 PGNet.
[104] Quickdraw SCADA IDS. [Online]. Available:
http://www.digitalbond.com, 2012.
[105]Y. Yang, K. McLaughlin, S. Sezer, Y.B. Yuan, and W. Huang, “Stateful
intrusion detection for IEC 60870-5-104 SCADA security,” IEEE PES
General Meeting, Conference & Exposition, 27-31 July 2014.
[106] K. Scarfone, and P. Mell, “Guide to Intrusion Detection and Prevention
Systems (IDPS),” NIST Special Publication 800-94.
[107]M. Winn, M. Rice, S. Dunlap, J. Lopez and B. Mullins, “Constructing
cost-effective and targetable industrial control system honeypots for
production networks,” Elsevier Intl. Journal of Critical Infrastructure
Protection, vol. 10, issue C, Sep 2015, pp. 47-58.
[108] A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. Nai Fovino, and A.
Trombetta, “A multidimensional critical state analysis for detecting
intrusions in SCADA systems,” IEEE Transactions on Industrial
Informatics, vol. 7, no. 2, May 2011.
[109] Snort, [online]. Available: https://www.snort.org/
[110] OSSEC, [online]. Available: http://ossec.github.io/
[111]Honeyd: Open source tool for creating Honeypots, [online]. Available:
www.honeyd.org/
[112]V. H. Pham and M. Dacier, “Honeypot trace forensics: The observation
viewpoint matters,” Elsevier Future Generation Computer Systems, vol.
27, issue 5, May 2011, pp. 539-546.
[113] J. Goldenberg, Y. Shavitt, E. Shir, S. Solomon, “Distributive
immunization of networks against viruses using the ‘honey-pot’
architecture,” Nature physics, vol. 1, pp. 184-188, Dec 2005.
[114]OSSIM. [online]. Available: https://www.alienvault.com/products/ossim
[115]Good practices and recommendations for developing harmonised
certification schemes, ENISA, Dec 2014.
[116]R.S.H. Piggin, “Securing SCADA in the cloud: Managing the risks to
avoid the perfect storm,” IET & ISA 60th International Instrumentation
Symposium, Jun 2014.
[117]OpenSCADA, [online]. Available: http://openscada.org/
[118]R. Clarke, D. Dorwin, and R. Nash, “Is open source software more
secure? [online]. Available:
https://courses.cs.washington.edu/courses/csep590/05au/whitepaper_tur
nin/oss(10).pdf
[119]W. Wu, J. Gao, Y. Yuan, H. Zhao, and K. Chang “Water distribution
network real-time simulation based on SCADA system using OPC
communication,” Networking, Sensing and Control (ICNSC), 2011 IEEE
International Conference on, Delft, 2011, pp. 329-334.
doi: 10.1109/ICNSC.2011.5874916.
[120]S. H. Leitner, and W. Mahnke, “OPC UA – Service-oriented architecture
for industrial applications,” [online]. Available: http://pi.informatik.unisiegen.de/stt/26_4/01_Fachgruppenberichte/ORA2006/07_leitnerfinal.pdf
[121]S. Cavalieri, G. Cutuli and S. Monteleone, “Evaluating impact of
security on OPC UA performance,” 3rd Conference on Human System
Interactions (HSI), 2010, 23 July 2010.
[122]K. Stouffer, NIST Briefing: ICS Cybersecurity Guidance – NIST SP
800-82, Guide to ICS Security, Aug 2013.
TABLE I: SIMULATION FRAMEWORKS, TEST BEDS, AND RISK ASSESSMENT TECHNIQUES WITH THEIR FOCUS OF INVESTIGATION, TOOLS USED, AND
APPLICATION.
Category Sub-category Focus Tools used Application Citations
Simulation
framework
SCADASiM Regulatory monitoring ADACS Water supply system [9]
SCADAsim DDoS, spoofing attacks OMNeT++ Smart meters, wind power
plant
[49]
MAlsim Malware simulation for
security evaluation
MAlsim based on JADE Power plant [63]
Co-simulation Custom smart grid
component analysis
CIM, GridLab-D, AKKA,
EclipseSCADA
Power system [50]
Framework Integration of simulations
and SCADA
EngSB Software prototype [51]
Framework Malware experimentation MATLAB, Emulab Stuxnet on a power plant,
Tennessee-Eastman
[6]
Test bed
Simulation DoS TrueTime
(MATLAB/Simulink)
American Gas Association
Report No. 12
[57]
Hybrid
(simulation,
emulation,
hardware)
Anomaly based detection
for HMI attack, DoS
OPNET, PowerWorld,
ASPS
Biosphere 2 Power
Grid at the University of
Arizona
[5]
Pedagogy Modbus, HMI Hardware, software, Snort Various industrial
applications
[58]
Intrusion and
Defence
Communication protocols,
networks
Software, hardware,
anomaly detection
PowerCyber testbed [59]
Statistical data
gathering
DoS, Data logging Data statistics Power Control
Systems – Resilience
Testing Laboratory of
CESI-RICERCA
[60]
Attack DoS, integrity, phishing Simulation Single simulation-based
instantiation
[54]
Communications
network
DDoS, Network Simulink/Stateflow, HLA,
NS2, OPNET, OMNeT++
Tennessee Eastman
chemical process
[56]
Attack DDoS SCADA 2, Modbus
simulator, GNS3
Generic implementation [62]
Virtual machine Modbus TCP/IP, DDoS,
False data injection
Common Open Research
Emulator, Python,
Pymodbus, Ettercap
Water tank system [61]
Intrusion
detection, event
monitoring
RTUs Snort, Perl, XML Electric substation [35]
Risk
assessment
Probabilistic Risk estimation HMM, IIM, RFRM Generic system [92]
Modeling Control systems NSRM Oil pipeline pump station [90]
Network
vulnerability
Graph Attack graph Simplified example [94]
Attack graphs Bayesian network MTTC, CVSS IEEE RTS79 [88]
Attack trees Vulnerability assessment Vulnerability index Control centre [73]
TABLE II: SIMULATION AND MODELLING TECHNIQUES WITH THEIR MAIN FOCUS, TOOLS USED, AND APPLICATION.
Category Sub-category Focus Tools used Application Citations
Simulation
Attack trees Intrusion Colored Petri Net SCADA case study [70]
False sequential
logic attack
Intrusion MATLAB/Simulink Three tank system [79]
Malware attacks Modbus MAlsim Power plant testbed [24]
Test bed Modbus TCP OSSIM, Snort, Sebekd,
OpenVAS
Simulated PLC [93]
MITM IEC 60870-5-104 Snort, Qtester, Kali Linux,
WinPP104
Software simulated
laboratory, testbed
[76]
Graph Modbus ‘C’ Language Tennessee Eastman
chemical process
[22]
Monitoring Malicious commands Real-time and simulation
monitor
Water treatment plant [82]
Attack DDoS OPNET Hydropower [74]
Attack Malware injection,
DoS, MITM
Netlogo Electrical grid connected
to corporate network,
NS2
[64]
Modelling
Mathematical DoS, deception attacks Linear dynamical models Water tank [75]
Mathematical Model-driven testing Modelica, Eclipse Tank with valves and
pumps
[86]
Game Theory Interactions between
cyber intruder and
operator
Semi network-form game
(SNFG)
Distribution feeder line [12]
Bayesian Networks System survivability SCADASim MITM [87]
FNN Defence Factor neural network Generic [85]
Framework, attack
trees
Modbus, DoS RAIM power system control
network
[52]
Attack
Attack trees Modbus/tcp Attack trees Generic system [72]
Replay attack sensors Analytical, simulation Tenessee Eastman
problem
[80]
False data injection Ac state estimation Analytics IEEE 57 bus system [77]
TABLE III: TOOLS AND TECHNIQUES WITH THEIR MAIN FOCUS, TOOLS USED AND APPLICATION.
Category subcat Focus Tools Used Application Citations
Machine
Learning
Anomaly based Integrity attacks, MITM,
Modbus/TCP
WEKA, EPANET,
VMs, k-means
Simulated and
real data sets,
Water distribution
system
[11]
Anomaly detection Telecommunications networks SVM Data sets [98]
Feature filtering Malware detection SVM, N-gram
analysis
Generic [99]
One class
classification
Malware intrusions SVDD, kernel PCA Real data from
gas pipeline
testbed and water
treatment plant
[100]
Reputation system,
distributed agents
Sensors Unsupervised
learning, SOM
Sensor networks [66]
Communication
protocols
DNP3, gray hole attack SVM Trace based
simulation
[78]
Analytics Cloud based data analytics OpenPlanet, Hadoop,
regression tree, Floe,
MapReduce, WEKA,
VM
Los Angeles
Smart Grid
Project
[101]
Intrusion
Detection
System
Rule based IEC 60870-5-104 Deep packet
inspection, ITACA
Protocol traffic
case study
[14]
Filtering system Modbus and DNP311 Firewall Industrial
Network Security
Laboratory
[67]
Intrusion tolerance,
state machine
approach
SCADA master Hardware, Prime
replication
Simple SCADA
master, and RDU
for electricity
transmission and
distribution
[41]
Critical state based Modbus on PLC ISML Joint Research
Centre testbed,
[108]
Honey Pots
Botnets Detect new botnets honeyd Data traces [112]
Analysis Protection to SCADA, antihoneypot techniques
Honeywell CDROM Anti-honeypot
techniques
[19]
Using proxy Techniques for low cost honey
pots
Honeyd+, Raspberry
Pi
Study Slammer,
Code Red, Blaster
[107]
Malware Large scale malware collection nepenthes nepenthes [84]
Virus Virus discovery and fast antivirus
dissemination
Dynamic distributed
immunisation
strategy
Email network [113]
Post attack Forensics Smart grids Traces, Leurré.com
system
Attack attribution [7], [112]