Behavior Based Anomaly Detection Model in SCADA System
Xiaojun Zhou1,2, Zhen Xu1, Liming Wang1, Kai Chen1, Cong Chen1,2, Wei Zhang1,2
1 State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, 100195 E-park C1 North, No. 80 Xingshikou Road, Haidian District, Beijing, China
2 School of Cyber Security, University of Chinese Academy of Sciences, 100049 No. 19(A) Yuquan Road, Shijingshan District, Beijing, China
Abstract. With the arrival of Industry 4.0, more and more industrial control systems are connected with the outside world, which brings tremendous convenience to industrial production and control but also introduces many potential security hazards. After analyzing a large number of attack cases, we found that attacks on SCADA systems can be divided into internal attacks and external attacks. Both types of attacks are inevitable. Traditional firewalls, IDSs and IPSs are no longer suitable for industrial control systems. Therefore, we propose behavior-based anomaly detection and build three baselines of normal behavior. Experiments show that using our proposed detection model, we can quickly detect a variety of attacks on SCADA (Supervisory Control And Data Acquisition) systems.
1 Introduction
With the continuous development of industrial control systems and the introduction of the concepts of "Industry 4.0" and "Internet +", the industrial control system is no longer an isolated and closed operating environment. Instead, the control system has become a combination of communication technology, computer network technology and industrial control technology. The industrial control system has gradually evolved into a standard system of openness, intelligence and interaction that enhances production efficiency and supports large-scale production. However, this is accompanied by an increasing information security risk. In 2010, the Stuxnet worm attacked the SIMATIC WinCC monitoring system and SCADA system at the Iranian nuclear power station [1], breaking the myth of the absolute security of a "closed" industrial control system. Very similar to Stuxnet, the Duqu trojan mainly targets industrial control systems to steal private information [2]. Havex [3], a malware specifically targeting ICS/SCADA systems in 2014, has the capability of disabling hydroelectric dams and overloading nuclear power plants; hackers have used it to attack industrial systems in Europe and the United States. On December 23, 2015, the Ukrainian power network was attacked by the BlackEnergy APT and eventually the system crashed, resulting in a massive power outage [4].
The SCADA system, as the core control system of the ICS (industrial control system), faces the most serious security threats. After extensive analysis, we found that SCADA systems mainly face two types of attacks, i.e. internal attacks and external attacks. However, at present, the security protection for SCADA lacks a truly effective method. Since attacks on SCADA systems are inevitable, we need to build security methods around the SCADA system's own features. As a result, this paper presents a security protection method based on entity behavior; the experimental results prove its efficiency and effectiveness.
The structure of this paper is as follows: Section 2 depicts the structure and characteristics of the SCADA system, analyzes the security threats faced by the SCADA system, and proposes a mechanism of security protection based on entity behavior. Section 3 details the security framework based on entity behavior and the role of each module, and analyzes the operating principles of each module. Section 4 uses experiments to validate our proposed entity-behavior-based framework. Section 5 is the conclusion of the paper and Section 6 gives an introduction of future work. Finally, we make our acknowledgements in Section 7.
2 SCADA system model
The National Institute of Standards and Technology (NIST) defines and describes an industrial control system as follows: Industrial Control Systems (ICSs) are a collective term for a class of control systems for industrial production that includes supervisory control and data acquisition (SCADA) systems, Distributed Control Systems (DCS), and other small control systems commonly found in the industrial sector and critical infrastructure, such as programmable logic controllers (PLCs). Now, let's have a close look at the SCADA system components.
MATEC Web of Conferences 173, 01011 (2018), SMIMA 2018. © The Authors, published by EDP Sciences. This is an open access article distributed under the terms of the Creative Commons Attribution License 4.0.
2.1. SCADA system structure
A typical industrial network [5] is shown in Figure 1; it follows the Purdue University reference model.
Fig. 1. The architecture of SCADA system.
The complete industrial control system consists of five parts: enterprise system, business planning and logistics system, site manufacturing operations, area supervisory controls, basic monitoring and control, and physical processes. Among them, the enterprise system and the business planning and logistics system are traditional IT systems that form the business information system of an enterprise. The remaining layers make up the on-site control system. The SCADA system is the core control system of the entire ICS. On the one hand, it controls and dispatches the underlying on-site control equipment according to the production instructions of the upper level; on the other hand, it monitors the production status of the industrial site in real time and collects statistics to provide feedback for upper-level control.
2.2 Threat analysis of SCADA system
An industrial control system is a complex system involving a variety of computer and network technologies. It comprises not only operating-system-level industrial control software, monitoring programs and database systems, but also network systems with their network protocols and packet processing mechanisms. In addition, as the industrial control system is connected to external networks to reach the open Internet, it has also become an integral part of the Internet. The following describes the major security threats faced by the SCADA system.
According to their sources, the security threats to industrial control systems mainly include external threats and internal threats (Figure 2). External threats are APT attacks, Trojans, malware, viruses, etc., which may be politically relevant or may be related to industrial
Internal threats include disgruntled employees (including internal attacks and data breaches), employee misuse, software contractors, third-party integrators, and more. Due to the lack of authentication and encryption mechanisms that limit user activity in most industrial control systems, users have unfettered access to devices on the network and can even modify device configuration and operating parameters. Typical attacks include the Maroochy incident in Australia: Vitek Boden, a former engineer of the plant's technology service provider, deliberately took revenge because he was dissatisfied with the renewal of his work contract. A total of 1 million liters of untreated sewage were drained directly into the natural water system through storm drains. The United States Davis-Besse nuclear power plant was attacked by the Slammer worm [6].
Fig. 2. Threats faced by SCADA system.
Fig. 3. Commands and operations will be reflected on entity
A supplier provided application software to the server and established an unprotected T1 link behind the nuclear plant's network firewall, through which the virus entered the nuclear power plant network. In the automatic shutdown event at the United States Hatch nuclear power plant [7], an engineer operated a computer on the plant's business network (used to collect diagnostic data from the control network) to install a software update that synchronizes data between the business network and the control network; when the engineer restarted the computer, the synchronization program reset the data of the control network, and the control system registered such a sudden drop in the reactor water storage reservoir that it automatically shut down the entire unit. In view of the many threats to industrial control, it is necessary to take effective security measures to ensure the safety, security and stable operation of industrial control systems. We come to the conclusion that all these threats and attacks will be reflected in the behavior of devices (Figure 3).
Since attacks on SCADA systems are inevitable, there is a need for a method that can detect attacks in time and avert attacks such as Stuxnet [8]. Therefore, we propose a behavior-based anomaly detection mechanism.
3 Framework for behavior-based anomaly detection mechanism
In this section, we describe the model in detail. The framework is shown in Figure 4.
Fig. 4. The framework of behavior-based anomaly detection.
The basic anomaly detection steps include: information collection, unique entity determination, constructing three kinds of normal behavior baseline from different dimensions, and using the baselines for anomaly detection. Below we describe each step in detail.
3.1. Information collection
We employ passive information collection to avoid any possible system interference. The best solution is to have a transparent network snoop on the ICS system components. Passive recognition methods utilize PCAP files generated by tools such as Wireshark, or direct on-line sniffers, for data analysis. This does not inject network traffic and does not respond to incoming messages, thus ensuring that ICS system operations are not interrupted.
In addition, not all network flow data is valuable. The pre-processing step filters out data that is independent of ICS network sessions, as well as dirty data (such as TCP retransmissions, duplicate ACK packets, etc.). Five basic conversation features were extracted and their values were scored. The five basic conversation features are:
I. Source IP (S-IP)
II. Source Port (S-Port)
III. Target IP (D-IP)
IV. Target port (D-Port)
V. Unit interval length (1s) (SegSize)
Then we use machine learning methods to process all the information.
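The pre-processing step described above, as an added example that is not part of the original paper: constructed TCP packet records of an HMI polling a PLC are cleaned of retransmissions and duplicate ACKs (using a deliberately simplified rule for both), then aggregated into the five conversation features, with SegSize taken as payload bytes per 1 s interval.

```python
"""Passive pre-processing of captured SCADA traffic into the five
conversation features of Section 3.1. Added example, not the paper's code;
the packet records are constructed and the retransmission / duplicate-ACK
rules are a simplifying assumption."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int         # TCP sequence number
    ack: int         # TCP acknowledgement number
    payload: int     # payload bytes (0 for a pure ACK)


def is_dirty(pkt, seen_segments, last_ack):
    """Flag TCP retransmissions and duplicate ACKs ("dirty data").
    Assumed rules: a retransmission repeats a (flow, seq) that already
    carried payload; a duplicate ACK is a payload-less packet repeating
    the flow's most recent ack number."""
    flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if pkt.payload > 0:
        key = (flow, pkt.seq)
        if key in seen_segments:
            return True
        seen_segments.add(key)
        return False
    if last_ack.get(flow) == pkt.ack:
        return True
    last_ack[flow] = pkt.ack
    return False


def extract_features(packets, interval=1.0):
    """Return ({(S-IP, S-Port, D-IP, D-Port, bucket): SegSize}, dropped)
    where bucket is the index of the 1 s interval and SegSize the payload
    bytes the conversation carried in that interval after cleaning."""
    seen_segments, last_ack = set(), {}
    features = defaultdict(int)
    dropped = 0
    for pkt in sorted(packets, key=lambda p: p.ts):
        if is_dirty(pkt, seen_segments, last_ack):
            dropped += 1
            continue
        bucket = int(pkt.ts // interval)
        features[(pkt.src, pkt.sport, pkt.dst, pkt.dport, bucket)] += pkt.payload
    return dict(features), dropped


# Constructed capture: HMI 10.0.0.5 polls PLC 10.0.0.20 on Modbus/TCP port 502.
SAMPLE = [
    Packet(0.10, "10.0.0.5", 50000, "10.0.0.20", 502, 1, 1, 12),
    Packet(0.15, "10.0.0.20", 502, "10.0.0.5", 50000, 1, 13, 11),
    Packet(0.60, "10.0.0.5", 50000, "10.0.0.20", 502, 13, 12, 12),
    Packet(0.65, "10.0.0.5", 50000, "10.0.0.20", 502, 13, 12, 12),  # retransmission
    Packet(0.70, "10.0.0.20", 502, "10.0.0.5", 50000, 12, 25, 0),   # first ACK
    Packet(0.72, "10.0.0.20", 502, "10.0.0.5", 50000, 12, 25, 0),   # duplicate ACK
    Packet(1.10, "10.0.0.5", 50000, "10.0.0.20", 502, 25, 12, 12),
]

if __name__ == "__main__":
    feats, dropped = extract_features(SAMPLE)
    print("dropped dirty packets:", dropped)
    for key, seg in sorted(feats.items(), key=lambda kv: kv[0][4]):
        print(key, "->", seg, "bytes")
```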
3.2 Entity determination
In this step we want to uniquely identify an entity. A device fingerprint is a series of device-related data that uniquely depicts a device. This information includes: device operating system, configuration information, operational behavior features, and more.
Generally, industrial control protocols (such as Modbus) provide a query function, which can be used to collect information. Moreover, the conversations in industrial control systems have significant stability and periodicity. Researchers can fingerprint industrial control systems by using data sources such as network traffic characteristics and interaction patterns along the time dimension.
Then we determine the relationships between entities and infer the topology. Industrial control systems have inherent characteristics and drawbacks compared with the conventional Internet and corporate LANs. First, compared with traditional IT systems, the devices in industrial control systems generally have a longer life cycle; second, the industrial control system has a stable network topology; finally, in industrial control systems, the role of a single device is usually unique, with a fixed communication partner. Therefore, the network topology of the SCADA system can be reconstructed from the traffic in the SCADA system.
3.3 Baseline construction
After each communication object is uniquely identified, and combining the topological relations among the different entities, we can construct a normal behavior baseline for each entity in the SCADA system.
The establishment of the normal behavior baseline is divided into three aspects:
(1) Historical Baseline. It is based on the notion that a device's role and function are relatively fixed, and therefore today's behavior and historical behavior should have obvious similarities. If there is inconsistency between the two, it can be judged as abnormal.
(2) Peer Baseline. It analyzes the behavior of peer devices. Multiple devices in a SCADA system will perform the same functions. If there is a large difference in behavior between devices of the same type that perform the same function, they can be determined to be abnormal.
(3) Partner Baseline. According to the feedback from the communication partner, if a certain machine suddenly bursts out sending query packets frequently, it is considered abnormal.
3.4 Anomaly detection
By building the three behavioral baselines, anomalous behavior can be discovered quickly. Moreover, based on historical data, the three baselines can be verified against each other horizontally and vertically, so as to ensure the authenticity and accuracy of the alarms generated and to reduce the proportion of false alarms and false negatives. The whole anomaly detection process is shown below in Figure 5.
Fig. 5. Anomaly detection process.
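The three baselines of Section 3.3 and their mutual verification in Section 3.4, as an added example that is not part of the original paper. It works on constructed per-entity query rates (queries per 1 s interval); the z-score formulation, the 3-sigma limit, the 3x partner burst factor and the "two baselines must agree" voting rule are all assumptions introduced here.

```python
"""Historical, peer and partner baselines (Section 3.3) cross-checked as
in Section 3.4. Added example, not the paper's code; thresholds, the
z-score test and all traffic figures are constructed assumptions."""
from statistics import mean, pstdev

Z_LIMIT = 3.0        # assumption: beyond 3 sigma from the baseline is anomalous
PARTNER_BURST = 3.0  # assumption: >3x the usual query rate seen by the partner


def z_score(value, history):
    """Standard score of value against a list of baseline observations."""
    mu, sd = mean(history), pstdev(history)
    if sd == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sd


def historical_anomaly(today, history):
    """Historical baseline: today's rate vs. the same entity's past rates."""
    return abs(z_score(today, history)) > Z_LIMIT


def peer_anomaly(entity, rates_by_entity, role_of):
    """Peer baseline: the entity vs. other devices that play the same role."""
    peers = [r for e, r in rates_by_entity.items()
             if e != entity and role_of[e] == role_of[entity]]
    if len(peers) < 2:
        return False  # too few peers to form a baseline
    return abs(z_score(rates_by_entity[entity], peers)) > Z_LIMIT


def partner_anomaly(queries_seen, partner_history):
    """Partner baseline: the communication partner reports a sudden burst
    of query packets compared with what it normally receives."""
    return queries_seen > PARTNER_BURST * mean(partner_history)


def detect(entity, today, history, rates_by_entity, role_of,
           partner_seen, partner_history):
    """Cross-verify the three baselines: alarm only when at least two
    agree (assumed rule to suppress single-baseline false alarms).
    Returns (alarm, per-baseline votes)."""
    votes = {
        "historical": historical_anomaly(today, history),
        "peer": peer_anomaly(entity, rates_by_entity, role_of),
        "partner": partner_anomaly(partner_seen, partner_history),
    }
    return sum(votes.values()) >= 2, votes


# Constructed data: PLC-1's query rate on past days, today's rates of all
# devices, their roles, and what its partner HMI-1 normally receives.
HISTORY = [10, 11, 10, 9, 10, 11, 10, 10, 9, 11]
TODAY_RATES = {"PLC-1": 40, "PLC-2": 10, "PLC-3": 11, "PLC-4": 9, "HMI-1": 50}
ROLE_OF = {"PLC-1": "plc", "PLC-2": "plc", "PLC-3": "plc",
           "PLC-4": "plc", "HMI-1": "hmi"}
PARTNER_HISTORY = [10, 10, 11, 9]

if __name__ == "__main__":
    alarm, votes = detect("PLC-1", TODAY_RATES["PLC-1"], HISTORY, TODAY_RATES,
                          ROLE_OF, TODAY_RATES["PLC-1"], PARTNER_HISTORY)
    print("alarm:", alarm, votes)
```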
4 Experimental verification
Let's experiment with the behavior-based anomaly detection model we built.
4.1. Fake attack
Due to the lack of authentication of communication entities in SCADA systems, there are a large number of counterfeit attacks. We installed PLC simulation software on an experimental notebook; the laptop was disguised as a PLC and communicated with the host computer. In this way, the anomaly detection system installed on the host computer quickly detects the abnormality, because according to the uniqueness of the entity it can determine that the PLC now communicating with the host computer is fake.
4.2. Tampering attack
Packet tampering is an attack that many attackers prefer. The main means of this kind of attack are to modify the instruction in the data packet, tamper with the packet payload, modify the measured value carried in the packet, and so on. According to the historical behavior, we can determine that such behavior is
4.3. Logical disorder attack
This kind of attack is more difficult to defend against because all the packets are valid and the communicating entity is legitimate, but we can detect abnormalities in time by recording the historical behavior of the communicating
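The three experiments of Section 4 expressed as checks against recorded historical behavior, as an added example that is not part of the original paper. The fake PLC is caught because its fingerprint matches no known entity (Section 3.2), the tampered reading falls outside the value range seen in history, and the logically disordered command is an individually valid command whose transition from the previous one was never observed; the fingerprint fields, the command names, the register and both traces are constructed assumptions.

```python
"""Historical-behavior checks for the fake, tampering and logical disorder
attacks of Section 4. Added example, not the paper's code; fingerprints,
command names, register names and traces are constructed."""
from collections import defaultdict

# Constructed identity fingerprints (Section 3.2): IP, server port and the
# device identification string it reports, mapped to the known entity.
FP_PLC1 = ("10.0.0.20", 502, "VendorA PLC-300")
FP_FAKE = ("10.0.0.99", 502, "SimPLC 1.0")      # laptop running a PLC simulator
KNOWN_ENTITIES = {FP_PLC1: "PLC-1"}


class HistoricalBehavior:
    """Learn, per entity, the observed command transitions (previous command,
    next command) and the observed value range per register; then judge a new
    trace of (fingerprint, command, register, value) records against them."""

    def __init__(self):
        self.transitions = defaultdict(set)  # entity -> {(prev_cmd, cmd)}
        self.ranges = {}                     # (entity, register) -> (lo, hi)

    def learn(self, trace):
        last = {}
        for fp, cmd, register, value in trace:
            entity = KNOWN_ENTITIES.get(fp)
            if entity is None:
                continue                     # only known devices form history
            prev = last.get(entity)
            if prev is not None:
                self.transitions[entity].add((prev, cmd))
            last[entity] = cmd
            if value is not None:
                lo, hi = self.ranges.get((entity, register), (value, value))
                self.ranges[(entity, register)] = (min(lo, value), max(hi, value))

    def check(self, trace):
        """Return [(index, reason)] for every record that breaks the history."""
        alerts, last = [], {}
        for i, (fp, cmd, register, value) in enumerate(trace):
            entity = KNOWN_ENTITIES.get(fp)
            if entity is None:
                alerts.append((i, "fake entity: unknown fingerprint %r" % (fp,)))
                continue
            prev = last.get(entity)
            if prev is not None and (prev, cmd) not in self.transitions[entity]:
                alerts.append((i, "logical disorder: %s after %s" % (cmd, prev)))
            last[entity] = cmd
            rng = self.ranges.get((entity, register))
            if value is not None and rng and not rng[0] <= value <= rng[1]:
                alerts.append((i, "tampering: value %s outside %s" % (value, rng)))
        return alerts


# Constructed normal history: read level, open valve, read level, close valve.
TRAIN = []
for level in (40, 45, 50, 55, 60):
    TRAIN += [(FP_PLC1, "READ_STATUS", "level", level),
              (FP_PLC1, "OPEN_VALVE", None, None),
              (FP_PLC1, "READ_STATUS", "level", level),
              (FP_PLC1, "CLOSE_VALVE", None, None)]

# Constructed attack trace exercising the three experiments of Section 4.
ATTACK = [
    (FP_PLC1, "READ_STATUS", "level", 50),   # normal
    (FP_FAKE, "READ_STATUS", "level", 50),   # 4.1 fake PLC answers instead
    (FP_PLC1, "OPEN_VALVE", None, None),     # normal transition
    (FP_PLC1, "CLOSE_VALVE", None, None),    # 4.3 valid command, wrong order
    (FP_PLC1, "READ_STATUS", "level", 95),   # 4.2 tampered measured value
]

if __name__ == "__main__":
    model = HistoricalBehavior()
    model.learn(TRAIN)
    for idx, reason in model.check(ATTACK):
        print(idx, reason)
```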
5 Conclusion
This paper first analyzes the structure of the SCADA system and the security threats it faces. Then it introduces the framework of the behavior-based anomaly detection mechanism and describes each module in the framework in detail. Based on the collected information, we construct three different normal behavior baselines from multiple dimensions and use them to detect attacks. Experiments show that the proposed detection model can find fake attacks, packet tampering attacks and logical sequence attacks well.
6 Future work
In future work we intend to focus on the following two research directions:
(1) Establish a defense-in-depth system [9] suitable for industrial control systems. According to the characteristics of industrial control systems, the defense-in-depth system will be improved so that it can be better applied to the security of industrial control systems [10].
(2) Establish a kill-chain model [11] specially for industrial safety. The current kill chain model is rough, ignoring many details of attacks. We intend to create a kill chain model that is specific to industrial control
7 Acknowledgements
We thank our shepherds Zhen Xu and Liming Wang in our research group for providing insightful feedback on the draft that helped improve the final paper. We would also like to thank Kai Chen, Zelong Chen and Zhenbo Yan for their help in early discussions and for providing insightful comments. This work was supported by the Security Services for Informatization Applications Program, Institute of Information Engineering, Chinese Academy of Sciences, under grant No. XXH13505-02, for which we are grateful.
References
1. Langner R. Stuxnet: Dissecting a cyberwarfare weapon[J]. IEEE Security & Privacy, 2011, 9(3):
2. Bencsáth B, Pék G, Buttyán L, et al. Duqu: A Stuxnet-like malware found in the wild[J]. CrySyS Lab Technical Report, 2011, 14: 1-60.
3. Hentunen D T. A: Havex Hunts for ICS/SCADA Systems [on-line][J]. 2014.
4. Case D U. Analysis of the cyber attack on the Ukrainian power grid[J]. Electricity Information Sharing and Analysis Center (E-ISAC), 2016.
5. Knapp E D, Langill J T. Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems[M]. Syngress, 2014.
6. Moore D, Paxson V, Savage S, et al. Inside the Slammer worm[J]. IEEE Security & Privacy, 2003, 99(4): 33-39.
7. Krebs B. Cyber incident blamed for nuclear power plant shutdown[J]. Washington Post, June, 2008, 5:
8. Byres E, Ginter A, Langill J. How Stuxnet spreads: A study of infection paths in best practice systems[J]. Tofino Security, white paper, 2011.
9. Kuipers D, Fabro M. Control systems cyber security: Defense in depth strategies[R]. Idaho National Laboratory (INL), 2006.
10. Stouffer K, Falco J, Scarfone K. Guide to industrial control systems (ICS) security[J]. NIST special publication, 2011, 800(82): 16-16.
11. Greenert J, Welsh M. Breaking the kill chain[J]. Foreign Policy, 2013, 16.