Biblio

A Supervisory Control and Data Acquisition (SCADA) system used in controlling or monitoring purpose in industrial process automation system is the process of collecting data from instruments and sensors located at remote sites and transmitting data at a central site. Most of the existing works on SCADA system focused on simulation-based study which cannot always mimic the real world situations. We propose a novel methodology that analyzes SCADA logs on offline basis and helps to detect process-related threats. This threat takes place when an attacker performs malicious actions after gaining user access. We conduct our experiments on a real-life SCADA system of a Power transmission utility. Our proposed methodology will automate the analysis of SCADA logs and systemically identify undesired events. Moreover, it will help to analyse process-related threats caused by user activity. Several test study suggest that our approach is powerful in detecting undesired events that might caused by possible malicious occurrence.

Recent cyberattacks targeting Supervisory Control and Data Acquisition (SCADA)/Industrial Control System(ICS) exploit weaknesses of host system software environment and take over the control of host processes in the host of the station network. We analyze the attack path of these attacks, which features how the attack hijacks the host in the network and compromises the operations of field device controllers. The paper proposes a host-based protection method, which can prevent malware penetration into the process memory by code injection attacks. The method consists of two protection schemes. One is to prevent file-based code injection such as DLL injection. The other is to prevent fileless code injection. The method traces changes in memory regions and determine whether the newly allocated memory is written with malicious codes. For this method, we show how a machine learning method can be adopted.

Supervisory Control and Data Acquisition (SCADA) systems have been a frequent target of cyberattacks in Industrial Control Systems (ICS). As such systems are a frequent target of highly motivated attackers, researchers often resort to intrusion detection through machine learning techniques to detect new kinds of threats. However, current research initiatives, in general, pursue higher detection accuracies, neglecting the detection of new kind of threats and their proposal detection scope. This paper proposes a novel, reliable host-based intrusion detection for SCADA systems through the Operating System (OS) diversity. Our proposal evaluates, at the OS level, the SCADA communication over time and, opportunistically, detects, and chooses the most appropriate OS to be used in intrusion detection for reliability purposes. Experiments, performed through a variety of SCADA OSs front-end, shows that OS diversity provides higher intrusion detection scope, improving detection accuracy by up to 8 new attack categories. Besides, our proposal can opportunistically detect the most reliable OS that should be used for the current environment behavior, improving by up to 8%, on average, the system accuracy when compared to a single OS approach, in the best case.

With the increase of the information level of SCADA system in recent years, the attacks against SCADA system are also increasing. Therefore, more and more scholars are beginning to study the safety of SCADA systems. Game theory is a balanced decision involving the main body of all parties. In recent years, domestic and foreign scholars have applied game theory to SCADA systems to achieve active defense. However, their research often focuses on the entire SCADA system, and the game theory is solved for the entire SCADA system, which is not flexible enough, and the calculation cost is also high. In this paper, a dynamic local game model (DLGM) for power SCADA system is proposed. This model first obtains normal data to form a whitelist, then dynamically detects each attack of the attacker's SCADA system, and through white list to determine the node location of the SCADA system attacked by the attacker, then obtains the smallest system attacked by SCADA system, and finally performs a local dynamic game algorithm to find the best defense path. Experiments show that DLGM model can find the best defense path more effectively than other game strategies.

Cybersecurity of the supervisory control and data acquisition (SCADA) system, which is the key component of the cyber-physical systems (CPS), is facing big challenges and will affect the reliability of the smart grid. System reliability can be influenced by various cyber threats. In this paper, the reliability of the electric power system considering different cybersecurity issues in the SCADA system is analyzed by using Semi-Markov Process (SMP) and mean time-to-compromise (MTTC). External and insider attacks against the SCADA system are investigated with the SMP models and the results are compared. The system reliability is evaluated by reliability indexes including loss of load probability (LOLP) and expected energy not supplied (EENS) through Monte Carlo Simulations (MCS). The lurking threats of the cyberattacks are also analyzed in the study. Case studies were conducted on the IEEE Reliability Test System (RTS-96). The results show that with the increase of the MTTCs of the cyberattacks, the LOLP values decrease. When insider attacks are considered, both the LOLP and EENS values dramatically increase owing to the decreased MTTCs. The results provide insights into the establishment of the electric power system reliability enhancement strategies.

A rapid rise in cyber-attacks on Cyber Physical Systems (CPS) has been observed in the last decade. It becomes even more concerning that several of these attacks were on critical infrastructures that indeed succeeded and resulted into significant physical and financial damages. Experimental testbeds capable of providing flexible, scalable and interoperable platform for executing various cybersecurity experiments is highly in need by all stakeholders. A container-based SCADA testbed is presented in this work as a potential platform for executing cybersecurity experiments. Through this testbed, a network traffic containing ARP spoofing is generated that represents a Man in the middle (MITM) attack. While doing so, scanning of different systems within the network is performed which represents a reconnaissance attack. The network traffic generated by both ARP spoofing and network scanning are captured and further used for preparing a dataset. The dataset is utilized for training a network classification model through a machine learning algorithm. Performance of the trained model is evaluated through a series of tests where promising results are obtained.

Aiming at the problem that the traditional intrusion detection method can not effectively deal with the massive and high-dimensional network traffic data of industrial control system (ICS), an ICS intrusion detection strategy based on bidirectional generative adversarial network (BiGAN) is proposed in this paper. In order to improve the applicability of BiGAN model in ICS intrusion detection, the optimal model was obtained through the single variable principle and cross-validation. On this basis, the supervised control and data acquisition (SCADA) standard data set is used for comparative experiments to verify the performance of the optimized model on ICS intrusion detection. The results show that the ICS intrusion detection method based on optimized BiGAN has higher accuracy and shorter detection time than other methods.

The Automation industries that uses Supervisory Control and Data Acquisition (SCADA) systems are highly vulnerable for Network threats. Systems that are air-gapped and isolated from the internet are highly affected due to insider attacks like Spoofing, DOS and Malware threats that affects confidentiality, integrity and availability of Operational Technology (OT) system elements and degrade its performance even though security measures are taken. In this paper, a behavior-based intrusion prevention system (IPS) is designed for OT networks. The proposed system is implemented on SCADA test bed with two systems replicates automation scenarios in industry. This paper describes 4 main classes of cyber-attacks with their subclasses against SCADA systems and methodology with design of components of IPS system, database creation, Baselines and deployment of system in environment. IPS system identifies not only IT protocols but also Industry Control System (ICS) protocols Modbus and DNP3 with their inside communication fields using deep packet inspection (DPI). The analytical results show 99.89% accuracy on binary classification and 97.95% accuracy on multiclass classification of different attack vectors performed on network with low false positive rate. These results are also validated by actual deployment of IPS in SCADA systems with the prevention of DOS attack.

Cyber-physical systems contribute to building new infrastructure in the modern world. These systems help realize missions reducing costs and risks. The seas being a harsh and dangerous environment are a perfect application of them. Unmanned Surface vehicles (USV) allow realizing normal and new tasks reducing risk and cost i.e. surveillance, water cleaning, environmental monitoring or search and rescue operations. Also, as they are unmanned vehicles they can extend missions to unpleasing and risky weather conditions. The novelty of these systems makes that new command and control platforms need to be developed. In this paper, we describe an implemented architecture with 5 separated levels. This structure increases security by defining roles and by limiting information exchanges.

Cyber-event-triggered power grid blackout compels utility operators to intensify cyber-aware and physics-constrained recovery and restoration process. Recently, coordinated cyber attacks on the Ukrainian grid witnessed such a cyber-event-triggered power system blackout. Various cyber-physical system (CPS) testbeds have attempted with multitude designs to analyze such interdependent events and evaluate remedy measures. However, resource constraints and modular integration designs have been significant barriers while modeling large-scale grid models (scalability) and multi-grid isolated models (concurrency) under a single real-time execution environment for the hardware-in-the-loop (HIL) CPS security testbeds. This paper proposes a meticulous design and effective modeling for simulating large-scale grid models and multi-grid isolated models in a HIL realtime digital simulator environment integrated with industry-grade hardware and software systems. We have used our existing HIL CPS security testbed to demonstrate scalability by the realtime performance of a Texas-2000 bus US synthetic grid model and concurrency by the real-time performance of simultaneous ten IEEE-39 bus grid models and an IEEE-118 bus grid model. The experiments demonstrated significant results by 100% realtime performance with zero overruns, low latency while receiving and executing control signals from SEL Relays via IEC-61850 protocol and low latency while computing and transmitting grid data streams including stability measures via IEEE C37.118 synchrophasor data protocol to SEL Phasor Data Concentrators.

With the advancement in technology, inclusion of Information and Communication Technology (ICT) in the conventional Electrical Power Grid has become evident. The combination of communication system with physical system makes it cyber-physical system (CPS). Though the advantages of this improvement in technology are numerous, there exist certain issues with the system. Security and privacy concerns of a CPS are a major field and research and the insight of which is content of this paper.

While cyberattacks pose a relatively new challenge for power grid control systems, commercial cloud systems have needed to address similar threats for many years. However, technology and approaches developed for cloud systems do not necessarily transfer directly to the power grid, due to important differences between the two domains. We discuss our experience adapting intrusion-tolerant cloud technologies to the power domain and describe the challenges we have encountered and potential directions for overcoming those obstacles.

As key components of the power grid infrastructure, Supervisory Control and Data Acquisition (SCADA) systems are likely to be targeted by nation-state-level attackers willing to invest considerable resources to disrupt the power grid. We present Spire, the first intrusion-tolerant SCADA system that is resilient to both system-level compromises and sophisticated network-level attacks and compromises. We develop a novel architecture that distributes the SCADA system management across three or more active sites to ensure continuous availability in the presence of simultaneous intrusions and network attacks. A wide-area deployment of Spire, using two control centers and two data centers spanning 250 miles, delivered nearly 99.999% of all SCADA updates initiated over a 30-hour period within 100ms. This demonstrates that Spire can meet the latency requirements of SCADA for the power grid.

The supervisory control and data acquisition (SCADA) network in a smart grid requires to be reliable and efficient to transmit real-time data to the controller. Introducing SDN into a SCADA network helps in deploying novel grid control operations, as well as, their management. As the overall network cannot be transformed to have only SDN-enabled devices overnight because of budget constraints, a systematic deployment methodology is needed. In this work, we present a framework, named SDNSynth, that can design a hybrid network consisting of both legacy forwarding devices and programmable SDN-enabled switches. The design satisfies the resiliency requirements of the SCADA network, which are specified with respect to a set of identified threat vectors. The deployment plan primarily includes the best placements of the SDN-enabled switches. The plan may include one or more links to be installed newly. We model and implement the SDNSynth framework that includes the satisfaction of several requirements and constraints involved in resilient operation of the SCADA. It uses satisfiability modulo theories (SMT) for encoding the synthesis model and solving it. We demonstrate SDNSynth on a case study and evaluate its performance on different synthetic SCADA systems.

As power grid control systems become increasingly automated and distributed, security has become a significant design concern. Systems increasingly expose new avenues, at a variety of levels, for attackers to exploit and enable widespread disruptions and/or surveillance. Much prior work has explored the implications of attack models focused on false data injection at the front-end of the control system (i.e. during state estimation) [1]. Instead, in this paper we focus on characterizing the inherent cyber-attack vulnerabilities with power flow. Power flow (and power flow constraints) are at the core of many applications critical to operation of power grids (e.g. state estimation, economic dispatch, contingency analysis, etc.). We propose two algorithmic approaches for characterizing the vulnerability of buses within power grids to cyber-attacks. Specifically, we focus on measuring the instability of power flow to attacks which manifest as either voltage or power related errors. Our results show that attacks manifesting as voltage errors are an order of magnitude more likely to cause instability than attacks manifesting as power related errors (and 5x more likely for state estimation as compared to power flow).

While there has been considerable research on making power grid Supervisory Control and Data Acquisition (SCADA) systems resilient to attacks, the problem of transitioning these technologies into deployed SCADA systems remains largely unaddressed. We describe our experience and lessons learned in deploying an intrusion-tolerant SCADA system in two realistic environments: a red team experiment in 2017 and a power plant test deployment in 2018. These experiences resulted in technical lessons related to developing an intrusion-tolerant system with a real deployable application, preparing a system for deployment in a hostile environment, and supporting protocol assumptions in that hostile environment. We also discuss some meta-lessons regarding the cultural aspects of transitioning academic research into practice in the power industry.

SCADA control systems use programmable logic controller to interface with critical machines. SCADA systems are used in critical infrastructures, for instance, to control smart grid, oil pipelines, water distribution and chemical manufacturing plants: an attacker taking control of a SCADA system could cause various damages, both to the infrastructure but also to people (for instance, adding chemical substances into a water distribution systems). In this paper we propose a method to detect attacks targeting SCADA systems. We exploit model checking, in detail we model logs from SCADA systems into a network of timed automata and, through timed temporal logic, we characterize the behaviour of a SCADA system under attack. Experiments performed on a SCADA water distribution system confirmed the effectiveness of the proposed method.

The Supervisory Control and Data Acquisition (SCADA) system is the most commonly used industrial control system but is subject to a wide range of serious threats. Intrusion detection systems are deployed to promote the security of SCADA systems, but they continuously generate tremendous number of alerts without further comprehending them. There is a need for an efficient system to correlate alerts and discover attack strategies to provide explainable situational awareness to SCADA operators. In this paper, we present a causal-polytree-based anomaly reasoning framework for SCADA networks, named CAPTAR. CAPTAR takes the meta-alerts from our previous anomaly detection framework EDMAND, correlates the them using a naive Bayes classifier, and matches them to predefined causal polytrees. Utilizing Bayesian inference on the causal polytrees, CAPTAR can produces a high-level view of the security state of the protected SCADA network. Experiments on a prototype of CAPTAR proves its anomaly reasoning ability and its capabilities of satisfying the real-time reasoning requirement.

SCADA system is an essential component for automated control and monitoring in many of the Critical Infrastructures (CI). Cyber-attacks like Stuxnet, Aurora, Maroochy on SCADA systems give us clear insight about the damage a determined adversary can cause to any country's security, economy, and health-care systems. An in-depth analysis of these attacks can help in developing techniques to detect and prevent attacks. In this paper, we focus on the assessment of SCADA vulnerabilities from the widely used National Vulnerability Database (NVD) until May 2019. We analyzed the vulnerabilities based on severity, frequency, availability, integrity and confidentiality impact, and Common Weaknesses. The number of reported vulnerabilities are increasing yearly. Approximately 89% of the attacks are the network exploits severely impacting availability of these systems. About 19% of the weaknesses are due to buffer errors due to the use of insecure and legacy operating systems. We focus on finding the answer to four key questions that are required for developing new technologies for securing SCADA systems. We believe this is the first study of its kind which looks at correlating SCADA attacks with publicly available vulnerabilities. Our analysis can provide security researchers with useful insights into SCADA critical vulnerabilities and vulnerable components, which need attention. We also propose a domain-specific vulnerability scoring system for SCADA systems considering the interdependency of the various components.

The traditional electricity distribution system is rapidly shifting from the passive infrastructure to a more active infrastructure, giving rise to a smart grid. In this project an active electricity distribution network and its components have been studied. A 14-node SCADA-based active distribution network model has been proposed for managing this emerging network infrastructure to ensure reliability and protection of the network The proposed model was developed using matlab /simulink software and the fuzzy logic toolbox. Surge arresters and circuit breakers were modelled and deployed in the network at different locations for protection and isolation of fault conditions. From the reliability analysis of the proposed model, the failure rate and outage hours were reduced due to better response of the system to power fluctuations and fault conditions.

Supervisory control and data acquisition (SCADA) systems are becoming increasingly susceptible to cyber-physical attacks on both physical and cyber layers of critical information infrastructure. Failure Mode and Effects Analysis (FMEA) have been widely used as a structured method to prioritize all possible vulnerable areas (failure modes) for design review of security of information systems. However, traditional RPN based FMEA has some inherent problems. Besides, there is a lacking of application of FMEA for security in SCADAs under vague and uncertain environment. Thus, the main purpose of this study was to propose a new evaluation model, which not only intends to recover above mentioned problems, but also intends to evaluate, prioritize and correct security risk of SCADA system's threat modes. A numerical case study was also conducted to demonstrate that the proposed new evaluation model is not only capable of addressing FMEA's inherent problems but also is best suited for a semi-quantitative high level analysis of a secure SCADA's failure modes in the early design phases.

Due to the rise of huge population in mankind and the large variety of upcoming utilization of power, the energy requirement has substantially increased. Smart Grid is a very important part of the Smart Cities initiative and is one of the crucial components in distribution and reconciliation of energy. Security of the smart grid infrastructure, which is an integral part of the smart grid framework, intended at transitioning the conventional power grid system into a robust, reliable, adaptable and intelligent energy utility, is an impending problem that needs to be arrested quickly. With the increasingly intensifying integration of smart devices in the smart grid infrastructure with other interconnected applications and the communication backbone is compelling both the energy users and the energy utilities to thoroughly look into the privacy and security issues of the smart grid. In this paper, we present challenges of the existing security mechanisms deployed in the smart grid framework and we tried to bring forward the unresolved problems that would highlight the security aspects of Smart Grid as a challenging area of research and development in the future.

The goal of this document is to provide knowledge of Security for Industrial Control Systems (ICS,) such as supervisory control and data acquisition (SCADA) which is implemented in power transmission network, power stations, power distribution grids and other big infrastructures that affect large number of persons and security of nations. A distinction between IT and ICS security is given to make a difference between the two disciplines. In order to avoid intrusion and destruction of industrials plants, some recommendations are given to preserve their security.

Cyber-has often been considered as a coordination and control, as opposed to collaborative influence, media. This conceptual-design paper, uniquely, builds upon a number of entangled, cross disciplinary research strands – integrating engineering and conflict studies – and a detailed literature review to propose a new paradigm of assurance and deterrence models. We consider an ontology for Cyber-sûréte, which combines both the social trusts necessary for [knowledge &, information] assurance such as collaboration by social influence (CSI) and the technological controls and rules for secure information management referred as coordination by rule and control (CRC). We posit Cyber-sûréte as enabling both a 'safe-to-fail' ecology (in which learning, testing and adaptation can take place) within a fail-safe supervisory control and data acquisition (SCADA type) system, e.g. in a nuclear power plant. Building upon traditional state-based threat analysis, we consider Warning Time and the Threat equation with relation to policies for managing Cyber-Deterrence. We examine how the goods of Cyber-might be galvanised so as to encourage virtuous behaviour and deter and / or dissuade ne'er-do-wells through multiple transparencies. We consider how the Deterrence-escalator may be managed by identifying both weak influence and strong control signals so as to create a more benign and responsive cyber-ecology, in which strengths can be exploited and weaknesses identified. Finally, we consider declaratory / mutual transparencies as opposed to legalistic / controlled transparency.

Supervisory control and data acquisition system is an important part of the country's critical infrastructure, but its inherent network characteristics are vulnerable to attack by intruders. The vulnerability of supervisory control and data acquisition system was analyzed, combining common attacks such as information scanning, response injection, command injection and denial of service in industrial control systems, and proposed an intrusion detection model based on graphical features. The time series of message transmission were visualized, extracting the vertex coordinates and various graphic area features to constitute a new data set, and obtained classification model of intrusion detection through training. An intrusion detection experiment environment was built using tools such as MATLAB and power protocol testers. IEC 60870-5-104 protocol which is widely used in power systems had been taken as an example. The results of tests have good effectiveness.