Liao Zhang

DOI: https://doi.org/10.48550/arXiv.1701.05323

2017-01-19

Abstract:The security of industrial network has become an increasing concern in industry infrastructure operation. Motivated by on-going collaborations with Fortinet Corp., a security company, this project implements a testbed for supervisory control and data acquisition (SCADA) network security research by software emulation. Concepts about SCADA and Modbus protocol are reviewed in the report. Besides Modbus, vulnerabilities about several other industrial protocols are also studied for this project. In this report, a typical tank system following Modbus protocol is built as a testbed. Both attack and defense toolkits are introduced to emulate the attack and protection of the Modbus network. The emulation platform is also capable of entrapping hackers and gathering their activity data.

Cryptography and Security

Wang Chunlei,Fang Lan,Dai Yiqi

DOI: https://doi.org/10.1109/ICMTMA.2010.603

2010-01-01

Abstract:Simulation experiment is an important means of analyzing and assessing the security of SCADA (Supervisory Control and Data Acquisition) system, however, the existing simulation environments have some limitations in flexibility and extensibility. According to the type of industrial infrastructure and the structure of SCADA system, the abstract models of SCADA system are established, the reference architecture of SCADA system simulation environment is proposed, and the simulation environment for analyzing and assessing the security of SCADA system is designed and implemented. This simulation environment has the characteristics of extensibilities and adaptability, and integrated several components including the simulated enterprise network, OPC Client/HMI, industrial OPC server, SCADA protocol tester, SCADA RTUs, and the sensors and actuators, etc. Finally, experiment on the representative SCADA system attack scenario of has been conducted in this simulation environment to analyze and assess their security status, and the results demonstrate the effectiveness and practicability of the simulation environment.

Dinghua Wang,Dongqin Feng

DOI: https://doi.org/10.1109/iaeac.2018.8577543

2018-01-01

Abstract:Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.

Manar Alanazi,Abdun Mahmood,Mohammad Jabed Morshed Chowdhury

DOI: https://doi.org/10.1016/j.cose.2022.103028

2022-11-26

Abstract:Supervisory control and data acquisition (SCADA) serves as the backbone of several critical infrastructures, including water supply systems, oil pipelines, transportation and electricity. It accomplishes essential functions, such as monitoring data from pumps, valves and transmitters. Across different generations, SCADA has undergone a significant evolution from a typically isolated environment to a highly interconnected network. Although this conversion has benefits for SCADA, such as enhanced performance efficiency and the cost reduction of heavy equipment, it has made SCADA more vulnerable to various cyber-attacks. Several SCADA security approaches are still provided by IT-based systems that are possibly not efficient enough to deflect the risks and threats originating from SCADA field operations. As a result, it is critically important to analyse cyber risks associated with the industrial SCADA system. The goal of this survey is to explore the security vulnerabilities of SCADA systems and classify the threats accordingly. In this project, we initially reviewed SCADA systems from different scopes, including architecture, vulnerabilities, attacks, intrusion detection techniques (IDS) and testbeds. We proposed taxonomies of vulnerabilities, attacks, IDS and testbeds according to predefined criteria. We concluded the survey by highlighting the research challenges and open issues for future research in the field of SCADA security.

computer science, information systems

Marcio Andrey Teixeira,Tara Salman,Maede Zolanvari,Raj Jain,Nader Meskin,Mohammed Samaka

DOI: https://doi.org/10.48550/arXiv.1904.00753

2019-02-10

Networking and Internet Architecture

Abstract:This paper presents the development of a Supervisory Control and Data Acquisition (SCADA) system testbed used for cybersecurity research. The testbed consists of a water storage tank's control system, which is a stage in the process of water treatment and distribution. Sophisticated cyber-attacks were conducted against the testbed. During the attacks, the network traffic was captured, and features were extracted from the traffic to build a dataset for training and testing different machine learning algorithms. Five traditional machine learning algorithms were trained to detect the attacks: Random Forest, Decision Tree, Logistic Regression, Naive Bayes and KNN. Then, the trained machine learning models were built and deployed in the network, where new tests were made using online network traffic. The performance obtained during the training and testing of the machine learning models was compared to the performance obtained during the online deployment of these models in the network. The results show the efficiency of the machine learning models in detecting the attacks in real time. The testbed provides a good understanding of the effects and consequences of attacks on real SCADA environments

Ruiwen He,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9346835

2020-01-01

Abstract:With the development of information technology and Power Internet of Things, the increasing number of networked terminals presents new network security threats. Industrial control equipment and systems have vulnerabilities in hardware, software and firmware, and advanced persistent threat against ICS has become more complex and diverse. However, most of the research are aimed at the detection of single vulnerability, and lack attack mechanism analysis and threat assessment for attack chain. We proposed a threat assessment method based on vulnerability descriptive text and described the attributes of attack samples according to the classification results in attack targets, methods and consequences. We constructed attack graphs based on attack sample attributes and cyber-physical topology to quantitatively evaluate the feasibility and benefits of each attack path from vulnerability capabilities and the impact of devices in the physical world. Finally, we took the substation device status monitoring system as an example to verify the feasibility of this method.

Yinan Wang,Gangfeng Yan,Ronghao Zheng

DOI: https://doi.org/10.3390/app8050768

2018-01-01

Applied Sciences

Abstract:The integration of modern computing and advanced communication with power grids has led to the emergence of electrical cyber-physical systems (ECPSs). However, the massive application of communication technologies makes the power grids become more vulnerable to cyber attacks. In this paper, we study the vulnerability of ECPSs and develop defence strategies against cyber attacks. Detection and protection algorithms are proposed to deal with the emergency of cascading failures. Moreover, we propose a weight adjustment strategy to solve the unbalanced power flows problem which is caused by splitting incidents. A MATLAB-based platform with advantages of easy programming, fast calculation, and no damage to systems is built for the offline simulation and analysis of the vulnerability of ECPSs. We also propose a five-aspect method of vulnerability assessment which includes the robustness, economic costs, degree of damage, vulnerable equipment, and trip point. The study is of significance to decision makers as they can get specific advice and defence strategies about a special power system.

Jose Rubio-Hernan,Juan Rodolfo-Mejias,Joaquin Garcia-Alfaro

DOI: https://doi.org/10.1007/978-3-319-61437-3_1

2017-11-30

Abstract:Traditional control environments connected to physical systems are being upgraded with novel information and communication technologies. The resulting systems need to be adequately protected. Experimental testbeds are crucial for the study and analysis of ongoing threats against those resulting cyber-physical systems. The research presented in this paper discusses some actions towards the development of a replicable and affordable cyber-physical testbed for training and research. The architecture of the testbed is based on real-world components, and emulates cyber-physical scenarios commanded by SCADA (Supervisory Control And Data Acquisition) technologies. We focus on two representative protocols, Modbus and DNP3. The paper reports as well the development of some adversarial scenarios, in order to evaluate the testbed under cyber-physical threat situations. Some detection strategies are evaluated using our proposed testbed.

Cryptography and Security

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang

DOI: https://doi.org/10.1016/j.comnet.2020.107677

IF: 5.493

2021-02-01

Computer Networks

Abstract:<p>Supervisory Control and Data Acquisition (SCADA) systems are becoming increasingly susceptible to the sophisticated and targeted cyber attacks which are typically carried out by exploiting the vulnerabilities of industrial control devices or protocols. However, most of the existing network intrusion detection methods only focus on detecting and characterizing cyber attacks against the SCADA system, but cannot fully describe their real impact on the system. In this paper, we propose a cyber-physical model for the SCADA system to detect intrusions from the SCADA network and evaluate their risk levels against the industrial process. The model aims at characterizing the network structure and industrial process of the SCADA system through extracting and correlating the communication patterns and states of ICS devices. And any violation of the model is considered abnormal behavior, which can be caused by false operation or network attacks. Through associating network intrusions with the status of the SCADA system, a risk assessment method is proposed to estimate the potential damage degree of the attack on the system, which provides network administrators with richer information about network attacks. Moreover, the comprehensive performance evaluation conducted on public SCADA network data sets shows that the proposed method outperforms the existing methods in detecting and analyzing various cyber attacks against the SCADA system.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Li Feng,Shen Limin,Si Yali,Niu Jingchun

DOI: https://doi.org/10.1109/ICMTMA.2009.263

2009-01-01

Abstract:This paper presents a new method which ensures the validity and availability of the essential services in SCADA systems using the real-time monitor and the simulation monitor. The real-time monitor is responsible for monitoring the states and critical control commands of systems, estimating whether there are faults and risk in systems based on security rules. The simulation monitor is responsible for simulating execution of control command, monitoring the simulation process, predicting the execution results of critical control commands, and estimating whether the control commands are dangerous and unsafe based on the results. The principles and process of attack detection, attack resistance, and potential faults prediction are introduced. Finally, a simplified water treatment system and its simulation results are given to illustrate the feasibility and effectiveness of the method.

Yongge Wang

DOI: https://doi.org/10.48550/arXiv.1207.5434

2012-07-23

Information Theory

Abstract:Distributed control systems (DCS) and supervisory control and data acquisition (SCADA) systems were developed to reduce labour costs, and to allow system-wide monitoring and remote control from a central location. Control systems are widely used in critical infrastructures such as electric grid, natural gas, water and wastewater industries. While control systems can be vulnerable to a variety of types of cyber attacks that could have devastating consequences, little research has been done to secure the control systems. American Gas Association (AGA), IEC TC57 WG15, IEEE, NIST and National SCADA Test Bed Program have been actively designing cryptographic standard to protect SCADA systems. American Gas Association (AGA) had originally been designing cryptographic standard to protect SCADA communication links and finished the report AGA 12 part 1. The AGA 12 part 2 has been transferred to IEEE P1711. This paper presents an attack on the protocols in the first draft of AGA standard (Wright et al., 2004). This attack shows that the security mechanisms in the first version of the AGA standard protocol could be easily defeated. We then propose a suite of security protocols optimised for SCADA/DCS systems which include: point-to-point secure channels, authenticated broadcast channels, authenticated emergency channels, and revised authenticated emergency channels. These protocols are designed to address the specific challenges that SCADA systems have.

Mauro Conti,Denis Donadel,Federico Turrin

DOI: https://doi.org/10.48550/arXiv.2102.05631

2021-02-10

Cryptography and Security

Abstract:The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs.

Geeta Yadav,Kolin Paul

DOI: https://doi.org/10.1016/j.ijcip.2021.100433

IF: 3.683

2021-09-01

International Journal of Critical Infrastructure Protection

Abstract:Pipeline bursting, production lines shut down, frenzy traffic, trains confrontation, the nuclear reactor shut down, disrupted electric supply, interrupted oxygen supply in ICU – these catastrophic events could result because of an erroneous SCADA system/ Industrial Control System (ICS). SCADA systems have become an essential part of automated control and monitoring of Critical Infrastructures (CI). Modern SCADA systems have evolved from standalone systems into sophisticated, complex, open systems connected to the Internet. This geographically distributed modern SCADA system is more vulnerable to threats and cyber attacks than traditional SCADA. Traditional SCADA systems were less exposed to Internet threats as they operated on isolated networks. Over the years, an increase in the number of cyber-attacks against the SCADA systems seeks security researchers’ attention towards their security. In this review paper, we first review the SCADA system architectures and comparative analysis of proposed/implemented communication protocols, followed by attacks on such systems to understand and highlight the evolving security needs for SCADA systems. A short investigation of the current state of intrusion detection techniques in SCADA systems is done, followed by a brief study of testbeds for SCADA systems. The cloud and Internet of things (IoT) based SCADA systems are studied by analyzing modern SCADA systems’ architecture. In the end, the review paper highlights the critical research problems that need to be resolved to close the security gaps in SCADA systems.

engineering, multidisciplinary,computer science, information systems

Xueqin Gao,Tao Shang,Da Li,Jianwei Liu

DOI: https://doi.org/10.1109/pst55820.2022.9851965

2022-01-01

Abstract:SCADA systems are one of the critical infrastructures and face many security threats. Attackers can control SCADA systems through network attacks, destroying the normal operation of the power system. It is important to conduct a risk assessment of security threats on SCADA systems. However, existing models for risk assessment using attack trees mainly focus on describing possible intrusions rather than the interaction between threats and defenses. In this paper, we comprehensively consider intrusion likelihood and defense capability and propose a quantitative risk assessment model of security threats based on attack countermeasure tree (ACT). Each leaf node in ACT contains two attributes: exploitable vulnerabilities and defense countermeasures. An attack scenario can be constructed by means of traversing the leaf nodes. We set up six indicators to evaluate the impact of security threats in attack scenarios according to NISTIR 7628 standard. Experimental results show the attack probability of security threats and high-risk attack scenarios in SCADA systems. We can improve defense countermeasures to protect against security threats corresponding to high-risk scenarios. In addition, the model can continually update risk assessments based on the implementation of the system’s defensive countermeasures.

K. L. Burke,George W. Dinolt

2006-09-01

Abstract:Abstract : Presidential Decision Directive (PDD) 63 calls for improving the security of Supervisory Control And Data Acquisition (SCADA) and other control systems which operate the critical infrastructure of the United States. In the past, these industrial computer systems relied on security through obscurity. Recent economic and technical shifts within the controls industry have increased their vulnerability to cyber attack. Concurrently, their value as a target has been recognized by terrorist organizations and competing nation states. Network reconnaissance is a basic tool that allows computer security managers to understand their complex systems. However, existing reconnaissance tools incorporate little or no understanding of control systems. This thesis provided a conceptual analysis for the creation of a SCADA network exploration/reconnaissance tool. Several reconnaissance techniques were research and reviewed in a laboratory environment to determine their utility for SCADA system discovery. Additionally, an application framework using common non-SCADA security tools was created to provide a proof of concept. Development of a viable tool for identifying SCADA systems remotely will help improve critical infrastructure security by improving situational awareness for network managers.

Computer Science,Engineering

Venkata S. Koganti,Mohammad Ashrafuzzaman,Ananth A. Jillepalli,Frederick T. Sheldon

DOI: https://doi.org/10.1109/malware.2017.8323960

2017-10-01

Abstract:Industrial Control Systems (ICS), at the heart of critical infrastructures, have been developing into more and more powerful tools over the years with the incorporation of networking and cyber, among other, technologies. As with great power comes great risks, ICS&#x27;s inherited risks and vulnerabilities not only from the cyber domain but also gave rise to unique security risks and vulnerabilities. Security management, i.e., identifying vulnerabilities, assessing threats, preventing and tolerating malicious and harmful activities, mitigating and recovering from attacks, etc., for ICS&#x27;s have been identified as a key, if not the key, area for the protection of critical infrastructures. The importance of a test-bed mimicking a real-life ICS and having capabilities to support ICS security management is paramount. In this paper, after briefly surveying the vulnerabilities in ICS and surveying the existing ICS test-beds, we describe the implementation of a virtual ICS testbed controlling the distribution breaker system of a power grid. We also describe simulating two cyber attacks using the testbed.

Xinchun Yin,XiaoBin Shen,Fuchao Yuan,Bing Mao,Li Xie

DOI: https://doi.org/10.1109/IFCSTA.2009.329

2009-01-01

Abstract:Recently, the research on the detection and defense of malicious attacks are becoming the main subject of information security. Various tools and technologies of detecting and defense malicious attacks are proposed in an endless stream, tools detecting vulnerabilities as well. However, there is a lack of method to test and evaluate the correctness and validity of these technologies and tools. In this paper, we first analyzed the characteristics and disadvantages of existing tools and testbeds for vulnerability attack, and discussed popular software bug types, including buffer overflows and integer overflows. On that basis, proposed an enhanced testbed for vulnerability attack. Then introduced the components of the testbed and their design and implementation details. Finally, validated its correctness and availability by experiment. © 2009 IEEE.

Guowen Li,Zhiyao Yang,Yangyang Fu,Lingyu Ren,Zheng O'Neill,Chirag Parikh

DOI: https://doi.org/10.48550/arXiv.2210.11234

2023-04-21

Abstract:As smart buildings move towards open communication technologies, providing access to the Building Automation System (BAS) through the intranet, or even remotely through the Internet, has become a common practice. However, BAS was historically developed as a closed environment and designed with limited cyber-security considerations. Thus, smart buildings are vulnerable to cyber-attacks with the increased accessibility. This study introduces the development and capability of a Hardware-in-the-Loop (HIL) testbed for testing and evaluating the cyber-physical security of typical BASs in smart buildings. The testbed consists of three subsystems: (1) a real-time HIL emulator simulating the behavior of a virtual building as well as the Heating, Ventilation, and Air Conditioning (HVAC) equipment via a dynamic simulation in Modelica; (2) a set of real HVAC controllers monitoring the virtual building operation and providing local control signals to control HVAC equipment in the HIL emulator; and (3) a BAS server along with a web-based service for users to fully access the schedule, setpoints, trends, alarms, and other control functions of the HVAC controllers remotely through the BACnet network. The server generates rule-based setpoints to local HVAC controllers. Based on these three subsystems, the HIL testbed supports attack/fault-free and attack/fault-injection experiments at various levels of the building system. The resulting test data can be used to inform the building community and support the cyber-physical security technology transfer to the building industry.

Cryptography and Security

L. Rajesh,Penke Satyanarayana

DOI: https://doi.org/10.1007/s11277-023-10738-0

IF: 2.017

2023-09-21

Wireless Personal Communications

Abstract:Industrial control systems (ICS) like supervisory control and data acquisition (SCADA) systems play a crucial role in monitoring and controlling various process industries in national critical infrastructures. They are connecting to internet and highly inter-connected corporate networks for sharing the field data to third party heterogeneous systems like enterprise resource planning, third party SCADA systems etc. Even though it helps to share the data for monitoring and control of systems, it also opens the doors for cyber-attacks. It needs to strengthen the cyber security of these SCADA systems. There are various components in SCADA systems which requires to build security in these components. Generally, most of the SCADA systems uses MODBUS communication protocol for scanning the PLC devices to acquire the field data. The communication protocol security is one of the main components which was little addressed. The MODBUS protocol was developed without security in mind because security aspect was not a concern in closed environments of industrial control systems. It is highly vulnerable to cyber-attacks. There are some methods already developed by scholars to implement security in MODBUS protocol, but the existing methods modified the MODBUS frame formats. Hence, they are not suitable to the existing legacy systems because they do not support interoperability between various industry manufacturer’s products. Another critical problem in existing methods is all the required security features were not implemented in a single method which would satisfy the security features like integrity, confidentiality, non-repudiation, authorization and authentication. In this paper, we designed and developed a new method by developing Secure Modbus Gateway Server and Client modules to provide secure data transfer between data acquisition servers and PLCs. In this methodology, the modules were developed using RSA and AES algorithms for achieving confidentiality and non-repudiation, SHA algorithm to provide integrity of the message. These modules also support authorization and authentication features. The time stamp in the Modbus frame was also included and transmitted to prevent replay attacks. The advantages of these modules/methodology are, it supports all required features for secure data transfer like integrity, confidentiality, non-repudiation, authorization and authentication. They also provide time stamp, frame filtering and exception response alarm triggering features. These modules also support interoperability and they can be easily installed in existing legacy systems. We measured performance metrics like attack resilience rate (ARP), attack penetration rate (APR) and overheads. This method protects the ICS system for 97% of attacks. The overhead on protocol was also calculated and it is found that 3.5% extra delay in round trip time which is very minor and can be tolerated in exchange of the important security benefits offered.

telecommunications