Identifying and Anticipating Cyberattacks That Could Cause Physical Damage to Industrial Control Systems

This work is licensed under a Creative Commons Attribution 3.0 License. For more information, see http://creativecommons.org/licenses/by/3.0/.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JPETS.2019.2923970, IEEE Power and Energy Technology Systems Journal
1
Abstract—Physical control systems are increasingly controlled by reconfigurable, network-enabled devices to increase flexibility and ease commissioning and maintenance. Such capability creates vulnerabilities. Devices may be remotely reprogrammed by a malicious actor to act in unintended ways, causing physical damage to mechanical equipment, infrastructure, and life and limb. In this paper, past examples of actual damage to cyber-physical systems are shown, threats posed by software-controlled Variable Frequency Drives (VFDs) are analyzed, and a small-scale version of an attack on ubiquitous VFD equipment is demonstrated.
Index Terms—Cyberattack, Physical Damage, Energy Storage, Industrial Control, Internet of Things, Motor Drives
I. INTRODUCTION AND MOTIVATION
Physical industrial control systems are increasingly tied
to the internet to enable remote monitoring and control,
creating new vulnerabilities. Intended to allow simplification
of product lines and ease of installation and commissioning,
such flexibility introduces the potential for misuse. No longer
limited to stealing credit cards, data, or other personal
information, hackers or other malicious actors may now
remotely access hardware, change settings, or reprogram
devices to cause real physical damage on an unlimited scale.
It is typical in engineering training to view physical failures as
statistically independent events, based on principles such as
mean-time-to-failure. But, a cyber attack can occur at any time
and impact many devices simultaneously. This has important
consequences that must be carefully considered and are the
primary contribution of this paper.
II. BACKGROUND
A few selected examples show the breadth of the problem’s motivations, methods, and potential impacts. The Aurora Vulnerability, established by a United States Department of Homeland Security program, demonstrated a potential vulnerability. In other examples, the power grid in the Ukraine was brought down for a short time, a pipeline in Turkey was blown up, and a malicious computer worm halted the Iranian nuclear fuel enrichment program.
This material is based, in part, upon research supported by the Department of Energy under Award Number DE-OE0000780 and a seed grant from the MIT Energy Initiative (MITei).
Matthew G. Angle is with the Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139 USA (e-mail: mangle@mit.edu).
Stuart Madnick is with the Sloan School of Management and School of Engineering, Massachusetts Institute of Technology, Cambridge, MA 02139 USA (e-mail: smadnick@mit.edu).
A. Aurora Vulnerability
The so-called “Aurora Vulnerability” was demonstrated at
Idaho National Labs as part of a 2007 Department of Homeland
Security investigation of vulnerabilities in the United States
power grid. In the test, researchers used remotely-controllable
relays to connect and disconnect a diesel backup generator to
the grid. The test resulted in the complete destruction of the
generator unit [1].
Understanding the mechanism of attack requires an understanding of generator synchronization, which is required to connect a generator to the grid. The states of the grid and generator are determined by two parameters: voltage and phase. Rotating electric machinery produces an alternating voltage waveform of the form V sin(ωt), where V is the amplitude of the voltage and ω is the angular frequency at which it oscillates. In the United States, this frequency is 60 Hz, or approximately 377 radians per second. The three phases are separated by 120°, forming a balanced set whose sum is zero.
If the voltage and phase of the generator do not match those of
the grid when the two are connected, current will flow into the
generator and produce torque sufficient to pull the generator
into correct phase alignment. Generator voltage will determine
whether power flows into or out of the generator. The
mechanisms of these actions vary with the type of generator,
but they all result in torque applied to the generator to drag it
into matching phase. To accomplish this task, an instrument
called a synchroscope, as shown in Fig. 1, is normally used. It
shows the relative phases of the machine and grid. The operator
will adjust the speed of the generator to allow the phases of the generator to align with that of the grid, at which point a switch is used to connect the two [2].
Matthew G. Angle, Member, IEEE, Stuart Madnick, Member, IEEE, James L. Kirtley, Jr., Fellow, IEEE, Shaharyar Khan
James L. Kirtley, Jr. is with the Department of Electrical Engineering and Computer Science, Massachusetts Institute of Technology, Cambridge, MA 02139 USA (e-mail: kirtley@mit.edu).
Shaharyar Khan is a fellow of the System Design and Management program, Massachusetts Institute of Technology, Cambridge, MA 02139 USA (e-mail: shkhan@mit.edu).
Fig. 1: Typical Synchroscope used for synchronization of electric machinery
to grid
During the Aurora test, electronic switches were used to open
and close the connection of the generator to the grid. When
disconnected, the generator would become unloaded, and
would speed up slightly, pulling it out of phase with the grid.
At this point, the switch would be reconnected, whereby power
would flow into the generator, operating it as a motor to realign
itself with the grid phase. The massive amount of torque
stressed the mechanical components in the generator. By
repeatedly connecting and disconnecting the generator,
mechanical components were driven to failure. The massive
generator, shown in Fig. 2, basically tore itself apart.
Fig. 2: Screen capture showing Generator used in the Aurora test
This test demonstrated a problem faced by industry, but
previously only as an accident. One example occurred at the
Clinton Power Station Nuclear Plant in Clinton, IL. During a
backup generator test, an out-of-phase synchronization
occurred, damaging the stator windings of the generator and
causing an overvoltage event on the power bus. The cause of
the incident was not immediately known [3]. Other problems
include breakers that close slowly, allowing the generator to
move out of phase between the time that the command to close
is given and the time electrical contact is made [4].
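The sequence described above (breaker opens, the unloaded generator speeds up and drifts out of phase, a close command arrives) is the condition a sync-check permissive is meant to block. The following Python model is an added example, not code from the paper or from any relay vendor: it represents each side of the breaker as V sin(ωt + φ) by its voltage, frequency and phase, and refuses a close when slip, voltage mismatch or phase angle are outside an assumed window (10°, 0.1 Hz, 5 %; illustrative values, not from the paper or a standard). The angle is also checked at the predicted instant the contacts touch, which covers the slow-breaker problem mentioned in [4]. The generator acceleration rate and grid values are constructed sample numbers.

```python
# Added example (not from the paper): a sync-check permissive modelled in Python.
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    """One side of the breaker, V sin(wt + phase), described by its RMS
    voltage, electrical frequency and phase angle at the instant of evaluation."""
    voltage: float    # RMS volts
    freq_hz: float    # 60 Hz in the US, about 377 rad/s
    phase_deg: float  # phase angle, degrees


@dataclass(frozen=True)
class SyncLimits:
    """Assumed permissive window; illustrative values, not from the paper."""
    max_angle_deg: float = 10.0
    max_slip_hz: float = 0.1
    max_voltage_pct: float = 5.0


def wrap_deg(angle):
    """Wrap an angle into (-180, 180] so a 350 degree difference reads as -10."""
    while angle > 180.0:
        angle -= 360.0
    while angle <= -180.0:
        angle += 360.0
    return angle


def phase_difference_deg(gen, grid, t):
    """Angle between generator and grid voltages t seconds from now."""
    gen_angle = gen.phase_deg + 360.0 * gen.freq_hz * t
    grid_angle = grid.phase_deg + 360.0 * grid.freq_hz * t
    return wrap_deg(gen_angle - grid_angle)


def close_permitted(gen, grid, limits=SyncLimits(), breaker_delay_s=0.0):
    """Decide whether a close command may be executed. Returns (ok, reason).

    The angle is checked now and at the predicted moment the contacts actually
    touch, so a slow breaker cannot close onto an angle that was fine when the
    command was issued."""
    slip = abs(gen.freq_hz - grid.freq_hz)
    if slip > limits.max_slip_hz:
        return False, "slip"
    dv_pct = abs(gen.voltage - grid.voltage) / grid.voltage * 100.0
    if dv_pct > limits.max_voltage_pct:
        return False, "voltage"
    for t in (0.0, breaker_delay_s):
        if abs(phase_difference_deg(gen, grid, t)) > limits.max_angle_deg:
            return False, "angle"
    return True, "ok"


def generator_after_trip(grid, seconds_open, accel_hz_per_s):
    """Unloaded generator after the breaker opens: its frequency rises linearly
    (assumed constant acceleration, a constructed value) and its angle relative
    to the grid grows as the integral of the slip, i.e. quadratically."""
    freq = grid.freq_hz + accel_hz_per_s * seconds_open
    drift_deg = 360.0 * 0.5 * accel_hz_per_s * seconds_open ** 2
    return Source(voltage=grid.voltage, freq_hz=freq,
                  phase_deg=wrap_deg(grid.phase_deg + drift_deg))


GRID = Source(voltage=13800.0, freq_hz=60.0, phase_deg=0.0)  # constructed sample


def evaluate_reclose(seconds_open, accel_hz_per_s=0.5, breaker_delay_s=0.0):
    """Breaker opens, generator drifts for seconds_open, then a close command
    arrives. Returns (ok, reason, slip_hz, angle_deg at the command instant)."""
    gen = generator_after_trip(GRID, seconds_open, accel_hz_per_s)
    ok, reason = close_permitted(gen, GRID, breaker_delay_s=breaker_delay_s)
    return ok, reason, round(gen.freq_hz - GRID.freq_hz, 6), round(gen.phase_deg, 6)


if __name__ == "__main__":
    for seconds_open, delay in ((0.05, 0.0), (0.15, 0.0), (0.15, 0.5), (1.0, 0.0)):
        print(seconds_open, delay, evaluate_reclose(seconds_open, breaker_delay_s=delay))
```

With these sample numbers a reclose 50 ms after the trip is still inside the window, one second after the trip is blocked on slip, and a 150 ms delay that passes when the command is issued is blocked once a 0.5 s breaker operating time is taken into account. The point for the defender is that the permissive must live in the protection relay, not in the software that issues the close command, because the Aurora sequence is exactly a stream of close commands that a compromised controller would issue.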
Such vulnerability is not confined to diesel backup generators.
Any electrical generator that is connected to the grid can
experience this problem, including those in wind turbines,
water turbines, fossil-fuel-driven power plants, and nuclear
plants.
While this event was not an attack, it demonstrated a
vulnerability that could be exploited to take a power system out
of commission reliably, suddenly, and for a long time in a
manner that may not initially be recognized as a cyber attack.
B. Ukrainian Power Grid Attack
On December 23, 2015, the lights went off in the Ivano-
Frankivsk region of the Ukraine, shown in Fig. 3. Months
before, a phishing email had been sent to workers at three
electricity companies, causing them to enable macros in an
attached Word document. BlackEnergy3, a malware program,
would then be installed, giving hackers a back door into the
systems in the substation. From here, the attackers performed
surveillance on the network, eventually obtaining login
credentials for remote access to the SCADA (Supervisory
Control and Data Acquisition) systems [5].
Fig. 3: Diagram of Electrical Grid in the Ukraine [6]
The attack had several different prongs. The UPSs
(uninterruptible power supplies) that provided backup power
for the control systems were disabled. Then the hackers used
access to the SCADA systems to open switches which
distributed power to the grid. Firmware controlling serial-to-Ethernet
controllers was overwritten, preventing further control
of the switches. A telephone Denial-of-Service was mounted
against the power utility call centers, enraging the public.
Finally, a program called KillDisk was used to overwrite the
computers in control centers, preventing any further action on
the part of the operators. While power was out for only one to
six hours, seven 110 kV and twenty-three 35 kV substations
were hit by the attack, resulting in outages to 225,000 customers
[5] [7].
Months after the attack, substations were still being operated
manually. While the attack merely disrupted power
distribution, the potential for physical damage was there. The
attackers chose only to send a message, rather than damage
equipment. Russia has widely been blamed for the attack, but
no one has stepped forward to claim responsibility.
C. Turkish Pipeline
On August 5, 2008, an oil pipeline near Refahiye, Turkey
exploded, shown in Fig. 4. The Turkish government initially
blamed the explosion on a mechanical failure. Later, the
Kurdistan Workers’ Party (PKK) claimed responsibility,
though it is suspected that Russia was behind the attack. The
attack caused a spill of 30,000 barrels of oil and shut down the
pipeline for three weeks. Due to the routing of the pipeline, shown in Fig. 5, this cost British Petroleum $5 million per day in transit tariffs and the State Oil Fund of the Republic of Azerbaijan $1 billion in lost export revenue [8].
Fig. 4: Explosion of oil pipeline
The pipeline itself was built with security in mind. Most of
it is buried, and substations are surrounded with fences and
barbed wire. Cameras monitor most of its length, and
sophisticated alarms are present to warn of damage.
Fig. 5: Baku-Tbilisi-Ceyhan (BTC) pipeline route
The attack was preceded by two men entering one of the
substations with laptops a few days before the explosions. They
were able to gain entry to the network via a vulnerability in the
security cameras, from which they were able to access the
computers that hosted the SCADA systems. They were able to
cause the pipeline to become over-pressurized, an action that
may have directly led to the explosion without a secondary
ignition source. The satellite communications for the alarm
systems had been jammed, and the explosion was eventually
reported by local residents. The security camera footage was
erased, though a single thermal camera was on a different
network and recorded the entry of the two men [8] [9].
This attack consisted of a deliberate act of sabotage that had
measurable economic impact for multiple actors.
D. Stuxnet
Stuxnet is the name given to a software worm that disrupted
the Iranian Uranium enrichment centrifuges, shown in Fig. 6.
Centrifuges are long metal cylinders that are spun at high
speeds, in this case, to separate isotopes of Uranium to build
nuclear weapons or to fuel power plants. These devices are run
right at the mechanical limit of the cylinders, which are placed
inside vacuum chambers to reduce surface drag.
Widely believed to have been developed by the United
States and Israel, Stuxnet utilized four separate zero-day
exploits to infiltrate SCADA systems controlling centrifuges in
Iran and quietly cause failures indistinguishable from normal
mechanical failures. The worm itself was only discovered long
after damage had been done.
Fig. 6: Iranian President Ahmadinejad inspecting centrifuges at Natanz
The worm infected Windows operating systems via the LNK
vulnerability that exploited the auto-play functionality in USB
drives. It could then spread throughout a network through a
vulnerability in print spoolers. From there, it would look for a
copy of the Siemens Step7 software, then PLCs (programmable
logic controllers) controlling certain models of VFDs running
at certain speeds corresponding to operation of centrifuges.
Once the target was identified, the worm would cause the
centrifuges to speed up and slow down, crossing through
mechanical resonances until they failed, while simultaneously
reporting normal operation back to the SCADA system. Since
the Iran attacks, it has been found existing on many other
systems, but with little damage to them.
Stuxnet is an attack that caused widespread damage to a
system that requires only a few failures to damage the
effectiveness of the whole system. Its operation was carefully
tuned to produce frustrating mechanical failures that would
cause delays in a large program, and it remained hidden until
long after its intended damage had been done [10] [11].
E. Lessons Learned
The motivations, methods, and impacts of cyber attacks
come in different flavors. The Ukrainian power grid attack
appears to be politically motivated and caused a relatively
minor inconvenience, stopping well short of the physical
damage that could have been caused with the sort of control
authority obtained for the attack. The Turkish pipeline attack
consisted of a much lower level of effort with real physical
damage that cost many interested parties substantial amounts of
money. Stuxnet was a widely-distributed piece of malware with a very specific target, designed to look like a normal mechanical failure that delayed a massive, state-sponsored research effort.
III. RELATED RESEARCH
In the past, most cyber attacks on Industrial Control Systems
have either targeted the IT infrastructure (e.g., the Aramco
Shamoon attack) or circuit breakers of the Operational
Technology (e.g., the Ukraine attack [5] [11] [13]). In such
cases, recovery is usually quite fast either by rebooting the IT
computers or by resetting the breakers. But, if the Operational
Technology (OT) equipment, especially the important, large,
customized equipment, such as generators, is physically
damaged, recovery can take weeks or even months. The largest
reported such attack was to the centrifuges of the Iranian
uranium enrichment facility [7] [12].
Many works have been published which introduce cyber
attacks against industrial control systems. In this paper, we
provide a short overview of the state of the art in industrial
control system security research with a predominant focus on
energy delivery systems.
Morris [18] provides a taxonomy of industrial control system
cyber attacks. The work provides detailed descriptions of 17
attacks, grouped into 4 classes (reconnaissance, response and
measurement injection, command injection and denial of
service) against industrial control systems. The analysis,
however, stops short of explaining the consequences of such
attacks on the physical system.
Experiments demonstrating actual physical damage to
industrial control systems via simulated cyberattacks are
extremely rare. As stated by Krotofil and Gollman [17],
conducting experiments on real systems comes with inherent
risk (due to the hazardous nature of the test) and is costly
because it involves the physical destruction of actual
equipment.
The alternative is to employ theoretic approaches to identify
vulnerabilities in industrial control systems or utilize models of
the physical process and run simulations using software-based
experiments.
Gollman et al. [19] simulate a cyber-physical attack on a
chemical plant. The analysis demonstrates how expert domain
knowledge of the physical components and processes of a
system are required to transform a cyber attack into a cyber-
physical attack. Winniki et al. [20] show via simulations how
it is possible to reverse engineer a controlled physical process
from observations of responses to crafted impulses.
Srivastava et al. [21] analyze vulnerability of the electric grid
using graph theoretic approaches. They conclude, based on
simulations, that an aurora kind of attack has the potential to
cause physical damage to generators, making them unavailable
for restoration operation.
Huang et al. [22] present a risk assessment method to
quantify the impact of cyberattacks on the physical part of the
industrial control system. The applicability of this method is
limited to linear systems (while the vast majority of industrial
control systems are non-linear) and is based on probabilities of
failure of actuators and sensors.
Friedberg et al. [23] provide a hazard analysis methodology
that integrates safety and security analysis into a concise
framework using the System-Theoretic Accident Model and
Processes (STAMP) accident-causality model. The analysis
identifies vulnerabilities in synchronous-islanded operation
microgrids.
As may be evident, there is a plethora of published papers on
the topic of physical damage of industrial control systems
caused by cyber attacks, using a range of different simulation
methods and techniques. To the best of our knowledge, the only
other demonstrated cyber attack (in the academic literature) that
caused physical damage to an industrial control system was the
Aurora Vulnerability, mentioned earlier.
In this part of our study, we want to explore other
vulnerabilities to industrial control systems. We use an
example plant, shown in Fig. 7, as a starting point for our
investigation and demonstrate the exploitation of one such
vulnerability to cause actual physical damage to a VFD.
IV. CASE STUDY
As part of our research, we studied a plant that contained a
gas turbine generator used to provide electricity. Waste heat is
used to fire boilers that produce steam for heating and to drive
chillers which provide chilled water and air conditioning. The
plant also draws on a regional power grid, and the plant’s
generation capability is throttled to most economically supply
power based on fluctuating electricity and natural gas prices.
As an example of the challenges, recently, a water/fuel
injection nozzle was clogged as a result of a contaminated filter
(i.e., not caused by cyber attack). As a result, the turbine was
down for three months while replacement parts were sourced
from the manufacturer in Germany. The point is that repairs can
take a long time, as many components are built specifically for
each installation.
Fig. 7 is an example wiring diagram of such a system,
showing pumps that keep chilled and hot water flowing,
switches that distribute electricity, and all of the major electrical
loads. Many of these components use VFDs, as highlighted in
the diagram, and are automated and controlled remotely from a
control room at the plant. This facility makes for an excellent
study of vulnerabilities in power grids.
The plant has many points that are vulnerable to attack. The
turbine itself is a large, expensive, and complicated system that
may be easily damaged. It must be kept spinning while it cools
to avoid damaging blades. This is accomplished by a system
powered by a lead-acid battery bank. Simply disabling the
charging system and monitoring alarms for this battery bank
could easily cause significant damage to the turbine. Similar
lead-acid battery banks exist to provide start-up power to
backup generators.
Fig. 7: Electrical layout of a plant showing 350 hp Chilled Water Pump
The turbine is also supported by systems that regulate natural
gas pressure. These are pneumatic-actuated regulators that step
down pressure from a 300 PSI line pressure to a 25 PSI feed for
the boilers. A loss of pneumatic pressure would, at minimum,
cause a turbine shutdown. The lesson is that this complicated
piece of hardware is supported by many other complicated
systems, each with vulnerabilities of their own. An attack is as
simple as identifying one point in one support system, and the
turbine may be shut down or irreparably damaged.
Many ways to access the controls of the various systems
exist. Each of the control units on the more modern pieces of
hardware (chillers, turbine) has a remote monitoring system
installed by the manufacturer with a communication line out.
Some versions of these systems have only remote monitoring
capability, while others have remote control authority. Industry
experts that we conferred with confirmed that they do both
configuration and firmware updates remotely over the internet
and that the whole industry is moving in that direction. Various
strategies exist for isolating them from remote commands, but
at the expense of the inability to use common two-way
communication protocols, such as TCP/IP.
The turbine, in particular, has a system installed that allows
remote monitoring by the manufacturer. We were fortunate
enough to talk with Siemens technicians while they were
working on the turbine. They told us that there are many similar
systems, and while most provide them with only remote
monitoring privileges, a few allow remote engineering
privileges, meaning that they can remotely control the turbine.
As described in the Department of Homeland Security (DHS)
guide for managing remote access for industrial control systems
[24], the typical method to facilitate this connection is
straightforward; the network switch that is connected to the
master PLC is simply connected to a router that has internet
access. When connected, the vendor connects to the web
interface of the master PLC and begins remote administration
of the device and other field equipment connected to it.
Remote access introduces several vulnerabilities in the
security architecture of the industrial control system. For
instance, an attacker may send direct malicious commands to
the data acquisition equipment or manipulate the database that
records process control parameters (or historical data). An
effective attack may be able to export the HMI screen back to
the attacker which may be used to gain an intimate
understanding of the operations to be used in subsequent attacks
or launch Man-in-the-middle attacks by spoofing the operator
HMI displays and fully controlling the control system.
A 2017 advisory by DHS against one of the vendors that
provides remote monitoring capability (OSIsoft) warns of a
security vulnerability in one of its products that “could allow
the attacker to spoof a PI Server or cause undefined behavior
within the PI Network Manager” [25]. While it is unclear at this
time what the exact differences are between remote monitoring
and remote control hardware, or if the same hardware is used
and certain capabilities are precluded via software
configuration, the point is that remote access capability
introduces vulnerabilities that could be exploited by malicious
actors.
Outside contractors are used to maintain various systems,
including the VFDs that drive all of the larger pumps in the
system. The contractor that maintains the VFDs in the plant
reports that it has never updated the firmware, but does
periodically plug a laptop into the devices to monitor their
operation. In some models of VFDs, a firmware update may be
pushed over this same connection, and operating parameters
may be changed. Either of these actions is sufficient to damage
either the VFD or the load attached to it. By changing operating
parameters, grossly incorrect control strategies may be imposed
on physical hardware. The ability to change the firmware
provides the ability to do much more or potentially non-obvious
damage. In this case, infecting the computer system of the
contractor may be sufficient to introduce malware into the plant
systems.
Another outside company is used to make recommendations
on turbine throttle. The plant is set up to optimize expense,
purchasing power from the grid as well as natural gas to fire the
turbine. The throttle settings are changed up to three times per
day to take advantage of fluctuating electricity and gas prices.
This company has monitoring capability for the plant, but it is
unknown exactly what hardware is installed to do so or its
capability.
The computers in question, while normally “air gapped,” run
old versions of Windows that are no longer supported,
presenting many software vulnerabilities that could be
exploited to damage the plant or cause a service outage.
The plant has several targets and methods of breaking in to
them. The power distribution switches are controlled from the
control room, presenting a situation that could unfold in a
similar manner to the Ukraine power grid attack, albeit on a
smaller scale. The turbine synchronization is controlled from
the control room, which allows the same sort of control that was
exploited in the Aurora demonstration, destroying a generator,
although protection relays are present to hopefully prevent
these sorts of faults. The steam and chilled water valves are
remotely controlled from the control room, so a situation
similar to the Turkish pipeline, minus the flammable mixture in
the pipes, could be orchestrated. Almost all of the hardware is
either remotely monitored or monitored by an outside company.
Anything that allows communication in this manner may be
coopted to cause mischief or worse.
The security of such a facility is also vulnerable to human
error. In some studies, it was discovered that files containing
movies had been transferred to computers in the control room
of a plant. They were presumably brought in on a USB drive
and connected to a computer that is “air gapped” from the
internet, meaning that it does not have network connectivity.
So, even presumably “air gapped” facilities can be vulnerable
to inevitable human errors.
V. POTENTIAL FOR CATASTROPHIC CYBER ATTACK
In typical facilities, it is expected that mechanical components
(e.g., pumps) will eventually experience failures. So, various
approaches are used to mitigate the impact, such as extra
capacity, redundant equipment, and/or backups.
But these approaches are largely based on the notion of
independence of mechanical failures. That is, the probability of
a high-quality pump failing is small, but the probability of two
failing at the same time is extremely small, etc.
But, that independence does not apply to a cyber attack that
damages multiple components at the same time as easily as it
damages one. As illustrated earlier, recovery from such
physical damage can take a long time, which could lead to a
catastrophic large-scale and long-term disruption to energy
delivery.
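The argument of this section can be made quantitative. The following Python code is an added example, not a calculation from the paper: it computes the probability that a k-of-n redundant set (for instance two of three pumps needed) is lost, first with independent failures and then with a beta-factor common-cause term, a standard reliability-engineering device adopted here as an assumption. A cyber attack that can reprogram every drive from one foothold behaves like a common cause with beta near 1. The per-unit failure probability and the redundancy arrangement are constructed sample values.

```python
# Added example (not from the paper): k-of-n redundancy under independent
# failures versus a common cause that removes every unit at once.
from math import comb


def k_of_n_failure_prob(n, k, p):
    """Probability that a k-of-n system fails when each unit fails independently
    with probability p over the period of interest, i.e. fewer than k survive."""
    return sum(comb(n, j) * p ** j * (1.0 - p) ** (n - j)
               for j in range(n - k + 1, n + 1))


def failure_prob_with_common_cause(n, k, p, beta):
    """Beta-factor common-cause model (assumed for this example): a fraction
    beta of each unit's failure probability is one shared event that takes out
    all n units together; the remainder stays independent."""
    p_common = p * beta
    p_independent = p * (1.0 - beta)
    return p_common + (1.0 - p_common) * k_of_n_failure_prob(n, k, p_independent)


def correlation_penalty(n, k, p, beta):
    """How many times more likely total loss becomes once failures are
    correlated, relative to the independent-failure design assumption."""
    return (failure_prob_with_common_cause(n, k, p, beta)
            / k_of_n_failure_prob(n, k, p))


if __name__ == "__main__":
    # Constructed sample: three pumps, two needed, 1 % per-pump failure probability.
    for beta in (0.0, 0.1, 0.5, 1.0):
        print(f"beta={beta:.1f}  P(loss)={failure_prob_with_common_cause(3, 2, 0.01, beta):.3e}"
              f"  x{correlation_penalty(3, 2, 0.01, beta):.1f} vs independent")
```

With the sample numbers the independent model gives a loss probability of about 3 × 10⁻⁴, while a fully correlated failure gives 10⁻², roughly thirty times higher: the redundancy that protects against random wear-out buys almost nothing against a single attacker who reaches all three drives.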
VI. SMALL-SCALE DEMONSTRATION OF VULNERABILITY OF VFDs
A VFD is used to drive an electric machine at a variable
speed. Applications usually include pumps and fans, where
load is throttled by changing the shaft speed driving the
equipment. Such devices have become ubiquitous in industrial
environments, driving a majority of large motor loads.
Fig. 8: Block representation of VFD
A VFD consists of two main functional blocks, as shown in
Fig. 8. There is a rectification stage, which takes alternating
current (AC) power and turns it into direct current (DC) power.
This is usually a diode bridge, or in some cases, an active
rectifier where controllable switches are used to improve
performance. An inverter stage then turns DC back to AC, but
at a different frequency and voltage than the original. This
usually consists of a series of switches that are driven with a
variable duty cycle to produce the proper output waveform.
This output waveform is scaled to properly drive the attached
motor. Various schemes exist to drive machines. A common
one is a simple volts/Hz scaling, where the voltage of the AC
waveform is scaled with the frequency. As the motor spins
faster, the voltage required to drive it increases proportionally,
keeping the flux inside the machine constant. Other, more
complicated schemes model various parameters inside the
motor and attempt to control them directly. Vector control is a
popular scheme.
Sitting between the two stages is an energy storage element.
This consists of capacitors that store charge at an intermediate
DC voltage to provide power to the driven motor. They are
referred to as DC link capacitors. These capacitors are sized
such that their voltage does not change appreciably throughout
a single cycle. Given that power coming in from the rectifier is
at comparatively low frequency, these devices are usually quite
large and store large amounts of energy.
A power factor correction stage is often placed between the
rectifier and energy storage elements. Its function is to cause
power to be drawn at a power factor close to 1. Power factor is
a measure of offset between the voltage and current waveforms
drawn from the source. At a power factor of 1, the voltage and
current are in phase. If the two are not in phase, the load draws
reactive power, which does no real work, but is still charged for
by the utility. Electric machines run at light load (reduced
throttle) often draw significant reactive power, increasing their
running costs.
A. VFD Test Kit
Shown in Fig. 9 is a Texas Instruments High Voltage Motor
Development Kit. This is a unit built around TI’s C2000 motor
control chip and includes all of the hardware necessary to
evaluate its function in driving a machine. In the lab, it is used
to build custom motor drives. For our purposes in this project,
it is a complete VFD with the added benefit of being supplied
with source code with which we are immediately familiar. Such
kits are sold with the idea that the control chip will be easily
evaluated by a company’s engineers and in turn used in their
product lines.
Fig. 10 shows the block diagram of the TI motor driver. We
can see the two main functional blocks mentioned above. The
left side shows the AC mains (Vac) feeding a diode rectifier.
On the middle right, we see a box labeled, “PWM” that contains
the switches that comprise the inverter. In between, we have
the power factor correction stage (PFC) as well as storage
capacitors attached to the DC bus.
Fig. 9: Texas Instruments High Voltage 1 hp Motor Control Development Kit
The immediately interesting aspect of this layout, from a
cybersecurity perspective, which is shared by many VFDs used
in industrial environments, is the power factor correction stage
combined with the DC link capacitors. The power factor
correction stage consists of two boost converters that operate
out-of-phase with one another. By turning them on and off at
opposite times, they draw power at near unity power factor.
Boost converters are usually used in battery-powered
electronics to boost the voltage from the battery level to that
required by the device. They are also used in devices like
flashes for cameras to create voltages high enough to fire a
flash, which can be in the hundreds of volts range, from a
battery at single digit volts. In our case, we rectify 120 V AC,
then pass it through the power factor correction stage which
brings it up to the ~400 V DC bus. The DC bus is monitored,
and the drive signals to the power factor correction stage are
adjusted to keep the DC bus voltage in the proper range. The
important aspect here is that a large energy storage device is
kept in its proper range by software control.
Fig. 10: Block Diagram of TI Motor Drive
A DC link capacitor stores a large amount of energy. In the
lab, they are known to explode when they are exposed to
excessive AC current, reverse biased, or exposed to voltages
larger than their rating.
B. VFD vulnerability to malicious software
To demonstrate vulnerability to malicious software, the
firmware in the VFD was modified to intentionally allow the
voltage on the DC bus to run away.
Fig. 11 and Fig. 12 show the modifications performed to disable
software control of the power factor correction stage and
protection of the DC bus voltage. In Fig. 11, the converter is
set up to run in an open-loop diagnostic mode, and then line 360
is modified to command a constant duty cycle, in this case 0.5.
In Fig. 12, the procedures that protect the DC bus voltage are
simply commented out. This prevents the unit from shutting
down once the voltage rating is exceeded.
The result of these software tweaks is shown in Fig. 13. The
oscilloscope is showing the drive signal to the power factor
correction stage (PWM 4A from Fig. 10). This was performed
to demonstrate control of the duty cycle feeding the power
factor correction stage. Also seen in Fig. 13 are the capacitors
on the DC bus: they are the cylindrical items in the drive at the
far right.
Fig. 11: Duty cycle modification on line 360
Fig. 12: Disabling of overvoltage protections (lines 1031-1036)
Fig. 13: Demonstration of Duty Cycle control on Power Factor Correction stage
The capacitors on the DC bus are rated to 450 V. The DC
bus is held somewhat below this to ensure a long component life.
When run open-loop and with no load connected to it, the
voltage on the output of a boost converter will rise without limit.
In our case, we expect the capacitors to begin leaking current,
which eventually holds the output of the boost converter at a
voltage far beyond their rating. It is then only a matter of time
before the capacitors catastrophically fail, as the leakage
current heats the fluid inside until the point where the case
bursts. If one of the capacitors shorts internally, it may cause
further damage to the rest of the capacitors on the bus.
Fig. 14 shows the result of a small-scale test of this concept.
The power factor correction stage was set to run open-loop, and
the voltage protection shutdowns were disabled. Voltage on the
bus rose to approximately 550 V, and the capacitors exploded
one by one. While there was no violent explosion or damage to
nearby structures, it did fill a large outside area with smoke.
The DC bus in this case stores 200 Joules at rated voltage, or
the energetic equivalent of approximately seven firecrackers
[12].
Once all of the capacitors had exploded, voltage rose to the
point where one of the switches in the converter failed, causing
an internal short and blowing the input fuse on the VFD. In an
industrial setting, this would have disabled any load attached to
it, but only after significant damage had been done to the
capacitors, the VFD, and possibly nearby equipment.
Fig. 14: Small Scale Test showing destruction of DC link capacitors
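The runaway described above, reproduced in a simple energy-balance model (an added illustration, not code from the paper or from the TI kit firmware): with no load, the energy the PFC inductor delivers every switching cycle accumulates on the DC link, so a constant duty cycle with the trip removed drives the bus past the capacitor rating, while the same open-loop duty with the trip intact stops just above the trip threshold. The input voltage, inductance, switching frequency and trip level are assumed values, the bus capacitance is back-computed from the paper's 200 J at 450 V, and the capacitor leakage the paper mentions is ignored.

```python
"""Energy-balance model of a VFD front end: rectifier -> PFC boost -> DC link.

Added illustration, not the paper's or TI's code. It shows why the DC bus of
an unloaded boost converter runs away when the duty cycle is held constant and
the firmware overvoltage shutdown is removed. Component values are assumptions
except C_BUS, which is back-computed from "200 J at rated voltage" (450 V).
"""
from dataclasses import dataclass

V_IN = 170.0                   # assumed: rectified 120 V mains taken at its peak
L_PFC = 1.0e-3                 # assumed PFC boost inductance, H
F_SW = 100_000.0               # assumed switching frequency, Hz
C_BUS = 2 * 200.0 / 450.0**2   # ~1.98 mF, from 0.5*C*V^2 = 200 J at 450 V
V_RATED = 450.0                # capacitor rating stated in the paper
V_SET = 400.0                  # ~400 V DC bus target stated in the paper
V_TRIP = 430.0                 # assumed firmware overvoltage trip, under rating
V_FAIL = 550.0                 # bus voltage at which the paper's capacitors failed
DT = 1.0e-3                    # simulation step, s (many switching cycles each)


def dc_link_energy(capacitance, voltage):
    """Energy stored in a capacitor or bank, E = 1/2 C V^2, in joules."""
    return 0.5 * capacitance * voltage ** 2


def energy_per_cycle(duty):
    """Energy the boost inductor hands to the bus in one switching cycle.

    With no load the converter runs discontinuously: the inductor charges from
    V_IN for duty*T, then dumps 1/2 L I_pk^2 into the capacitor every cycle.
    """
    i_pk = V_IN * duty / (L_PFC * F_SW)
    return 0.5 * L_PFC * i_pk ** 2


@dataclass
class Result:
    peak_voltage: float   # highest bus voltage reached, V
    tripped: bool         # firmware overvoltage shutdown fired
    failed: bool          # bus exceeded the capacitor failure level
    seconds: float        # simulated time at which the run ended


def simulate(open_loop_duty=None, protection_enabled=True, max_seconds=20.0):
    """Run the bus up from V_IN with no load and report the outcome.

    open_loop_duty=None  -> normal closed-loop regulation toward V_SET
    open_loop_duty=0.5   -> constant duty cycle, as forced in the paper's Fig. 11
    protection_enabled   -> False reproduces Fig. 12 (trip code commented out)
    """
    v = V_IN
    peak = v
    tripped = failed = False
    t = 0.0
    while t < max_seconds:
        if open_loop_duty is None:
            # crude proportional regulator: duty falls to zero at the setpoint
            duty = min(0.5, max(0.0, 0.01 * (V_SET - v)))
        else:
            duty = open_loop_duty
        if protection_enabled and v > V_TRIP:
            tripped = True   # PWM latched off; nothing more reaches the bus
            break
        if v > V_FAIL:
            failed = True    # the point at which the demonstration's caps burst
            break
        # no load: everything the inductor delivers stays on the capacitor
        e_in = energy_per_cycle(duty) * F_SW * DT
        v = (v ** 2 + 2.0 * e_in / C_BUS) ** 0.5
        peak = max(peak, v)
        t += DT
    return Result(peak, tripped, failed, t)


if __name__ == "__main__":
    print("1 hp bus energy at rating:", dc_link_energy(C_BUS, V_RATED), "J")
    print("one 7290 uF / 280 V cap  :", dc_link_energy(7290e-6, 280.0), "J")
    print("closed loop              :", simulate())
    print("open loop, trip intact   :", simulate(0.5, True))
    print("open loop, trip removed  :", simulate(0.5, False))
```

The trip in this model, like the one in Fig. 12, is a few lines of the same reprogrammable firmware that sets the duty cycle; a protection that lives outside that firmware would not share its fate.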
C. Larger scale vulnerability possibilities
DC link capacitance scales with the output power of the drive. Shown in
Fig. 15 is the DC link capacitor bank of a 100 hp drive. The
white cylinders are capacitors, and the metal plates on the ends
are the DC bus bars.
Fig. 15: DC Link Capacitors on 100 hp Inverter
The capacitors in the DC link are 7290 µF and rated to 280
V. If they were to explode in the same manner as the
demonstration, they would release approximately 1700 Joules,
or about 60 firecrackers [12].
In an industrial setting, VFDs may be much larger. In the
plant studied, there are several large VFDs driving chilled water
pumps. One large VFD driving a 350 hp pump is highlighted in
the electrical layout drawing of the plant presented earlier in
Fig. 7.
Fig. 16 shows a 500 hp VFD. The cabinet contains breakers
and large cooling devices, but also very large energy storage
capacitors on a DC bus that could be attacked in the same way
as the capacitors in the 1 hp unit in the demonstration above.
Fig. 16: Size comparison with 500 hp VFD
D. Cybersecurity vulnerabilities and prior VFD energy storage failure examples
Modern VFDs may be configured and commissioned over a
network connection. Firmware may be remotely pushed to the
device over the network as well. Such capabilities may be
readily exploited by malicious actors to cause damage to the
VFD itself or the machinery connected to it.
Many attack surfaces exist for VFDs in industrial settings.
Features may be used by a malicious hacker to damage the
hardware attached to the drive. One such feature is the ability
to skip certain frequencies when starting up or running. This is
done to prevent excitation of resonances in the mechanical
systems the drives are controlling. This feature, being a user
programmable setting, may be queried from the network on
many drives. It is then a simple matter to command the drive
to operate at the damaging frequency [13], [14].
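A supervisory check that follows from the skip-band feature just described, written here as an added illustration rather than anything from the paper or a drive vendor: it reads the configured skip bands and flags any speed setpoint that is left in force inside one, since a drive is never meant to hold there. The band centers and widths, the setpoint log and the dwell threshold are all constructed values.

```python
"""Flag VFD speed setpoints that fall inside configured skip bands.

Added illustration, not from the paper or any drive vendor. A drive's skip
bands exist so the motor never holds at a mechanical resonance, so a setpoint
inside one is worth an alarm whether it comes from a mistaken controller or
from a network client that read the bands and then targeted them. All band,
setpoint and timing values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SkipBand:
    center_hz: float   # resonance the drive is configured to avoid
    width_hz: float    # total width of the band centred on center_hz

    def contains(self, freq_hz):
        return abs(freq_hz - self.center_hz) <= self.width_hz / 2.0


def find_skip_band(freq_hz, bands):
    """Return the first configured band containing freq_hz, else None."""
    for band in bands:
        if band.contains(freq_hz):
            return band
    return None


def audit_setpoints(setpoints, bands, min_dwell_s=1.0):
    """Report setpoints held inside a skip band for at least min_dwell_s.

    setpoints: list of (timestamp_s, freq_hz) commands in arrival order. A
    setpoint replaced within min_dwell_s is treated as a slip or a ramp
    waypoint; one that stays in force longer is flagged with its band centre
    and dwell time (infinite if it was the last command seen).
    """
    flagged = []
    for i, (t, f) in enumerate(setpoints):
        band = find_skip_band(f, bands)
        if band is None:
            continue
        next_t = setpoints[i + 1][0] if i + 1 < len(setpoints) else float("inf")
        dwell = next_t - t
        if dwell >= min_dwell_s:
            flagged.append({"t": t, "freq_hz": f,
                            "band_hz": band.center_hz, "dwell_s": dwell})
    return flagged


# constructed drive configuration and command log for a demonstration run
SKIP_BANDS = [SkipBand(32.0, 4.0), SkipBand(47.5, 3.0)]   # 30-34 Hz, 46-49 Hz
SETPOINT_LOG = [
    (0.0, 20.0),    # normal
    (5.0, 40.0),    # normal; the ramp passes through 30-34 Hz without holding
    (12.0, 33.0),   # inside the 30-34 Hz band, held for 18 s -> flagged
    (30.0, 30.5),   # also inside, but replaced after 0.5 s -> ignored
    (30.5, 60.0),   # normal
    (35.0, 46.5),   # inside the 46-49 Hz band, last command seen -> flagged
]


if __name__ == "__main__":
    for hit in audit_setpoints(SETPOINT_LOG, SKIP_BANDS):
        print(hit)
```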
As mentioned earlier, there are other ways to cause an
energy storage capacitor to fail. Fig. 17 and Fig. 18 show the
result of a capacitor failure in the harmonic filter of the cruise
ship Queen Mary II. In this case, the dielectric oil inside the
capacitor evaporated over time, eventually allowing an arc to
form inside the capacitor. The heat generated from the
flashover caused an increase in pressure, which ruptured the
case, spraying out the remaining oil, which presented a
conduction path to the bus bars. This caused a major arc flash
event, destroying the compartment and even blowing out the
door to the compartment (Fig. 18).
Fig. 17: Capacitor Explosion on Queen Mary II REF SB4-10
In this case, the damage to one capacitor did not disable the
ship, but simultaneously damaging several harmonic filter
capacitors on the main propulsion motors could strand the ship.
This has obvious military implications as well with the move to
electric propulsion.
This sort of damage can be caused by many factors,
including excessive harmonic content in the output of the motor
drives. Such content could be introduced intentionally through
very subtle, unnoticeable changes to the way in which the
output stage of the drive operates, causing very large amounts
of damage at unpredictable times.
Fig. 18: Steel Door from Harmonic Filter Capacitor bank on Queen Mary II
REF SB4-10
An example of unintentional physical damage caused by a
VFD is shown in Fig. 19. This is the guard surrounding the
coupling on an 18000 hp pump owned by ExxonMobil. In this
case, a speed feedback signal was improperly wired around a
filter, creating an unfiltered feedback path that caused a system
resonance at the natural frequency of the coupling. Resulting
torque pulsations quickly destroyed the coupling, requiring
repair and research to determine the cause of the failure. While
there was expensive damage done to the machine, down time
was likely the real cost. Stuxnet was an example of exactly the
same phenomenon, except implemented intentionally as an
attack.
Fig. 19: VFD-induced Coupling Failure on 18000 hp LPG Compressor [15]
The cost of physical damage incurred as a result of a cyber
attack on an industrial control system varies widely between
industries based on the application, the complexity of the attack
as well as the target component. Some attacks may impact the
cost of production, whereas others may cause worker fatalities
or injuries. Past safety or accident incident reports from
governmental and regulatory agencies can be a good starting
point to develop initial understanding of the costs associated
with cyber-physical attacks using analogical reasoning. For
instance, querying the Accident Search database compiled by
Occupational Safety and Health Agency (OSHA), revealed at
least two cases where VFD explosions resulted in worker
injuries (including third degree burns in one case) [26]. The
quantification of cyber-risk is a rich topic in its own right;
while we provide some guidance on how to quantify the risk of a
cyber attack on an industrial control system, a full treatment is
beyond the scope of this paper.
VII. CONCLUSION
Electronics with energy storage components, or that control
physical systems, are capable of causing a wide variety of physical
damage should the software that controls them be improperly
configured or maliciously attacked. This phenomenon is
immediately obvious to anyone who has spent time in the lab
building such devices, as mistakes are often righted with a fire
extinguisher. But large-scale electrical energy storage devices
in a variety of systems contain sufficient energy to cause serious
damage.
The small-scale VFD demonstration presented here scales to
catastrophic damage in an industrial setting, potentially
endangering personnel as well as industrial processes. Through
the demonstration we have added to the small list of
documented experiments that show physical damage through
exploitation of vulnerabilities in industrial control system
components. The techniques discussed in this paper are
adaptable to cause other modes of physical damage in a wide
variety of industries: from critical infrastructure such as electric
utilities and gas and water distribution facilities, to mining
operations and building management systems.
Given the ever-increasing occurrence of cyber attacks, carried
out for many different purposes, engineers must investigate such
threats to their industrial control systems in advance and take
preemptive measures to prevent or minimize the impact of such
attacks.
VIII. ACKNOWLEDGMENT AND DISCLAIMER
This material is based, in part, upon research supported by
the Department of Energy under Award Number DE-
OE0000780, a seed grant from the MIT Energy Initiative
(MITei), and Cybersecurity at MIT Sloan: the Interdisciplinary
Consortium for Improving Critical Infrastructure
Cybersecurity.
Disclaimer: Neither the United States Government nor any
agency thereof, nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or any agency thereof. The views and opinions of
authors expressed herein do not necessarily state or reflect those
of the United States Government or any agency thereof.
IX. REFERENCES
[1] J. Meserve, "Sources: Staged cyber attack reveals vulnerability in power grid," 26 September 2007. [Online]. Available: http://www.cnn.com/2007/US/09/26/power.at.risk/.
[2] M. J. Thompson, Fundamentals and Advancements in Generator Synchronizing Systems.
[3] M. T. Coyle, "USNRC 50-461: Licensee Event Report (LER) No. 2000-002-00," 2000. [Online]. Available: https://www.nrc.gov/docs/ML0036/ML003698812.pdf.
[4] L. S. Anderson and L. C. Gross, Jr., "Avoid Generator and System Damage Due to a Slow Synchronizing Breaker," 24th Annual Western Protective Relay Conference, October 1997.
[5] K. Zetter, "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid," 3 March 2016. [Online]. Available: https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/.
[6] "Ukrainian National Electric Grid," [Online]. Available: http://www.geni.org/globalenergy/library/national_energy_grid/ukraine/ukrainiannationalelectricitygrid.shtml.
[7] "Analysis of the Cyber Attack on the Ukrainian Power Grid," 18 March 2016. [Online]. Available: http://www.nerc.com/pa/CI/ESISAC/Documents/E-ISAC_SANS_Ukraine_DUC_18Mar2016.pdf.
[8] J. Robertson and M. Riley, "Mysterious '08 Turkey Pipeline Blast Opened New Cyberwar," 10 December 2014. [Online]. Available: https://www.bloomberg.com/news/articles/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.
[9] H. English, "Turkish official confirms BTC pipeline blast is a terrorist act," 14 August 2008. [Online]. Available: http://www.hurriyet.com.tr/turkish-official-confirms-btc-pipeline-blast-is-a-terrorist-act-9660409.
[10] D. Kushner, "The Real Story of Stuxnet," 26 February 2013. [Online]. Available: http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet.
[11] K. Zetter, "An Unprecedented Look at Stuxnet, the World's First Digital Weapon," 3 November 2014. [Online]. Available: https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/.
[12] J. Zimbelman, "How Big is 'BIG!'?: Comparing Forms of Energy Release," [Online]. Available: http://www.si.edu/Content/consortia/Zimbelman_presentation.pdf.
[13] K. Zetter, "There's a Scary Easy Way for Hackers to Remotely Attack Industrial Motors," 13 January 2016. [Online]. Available: http://www.slate.com/blogs/future_tense/2016/01/13/vulnerability_lets_hackers_burn_industrial_motors.html.
[14] "Variable Frequency Drives - VFD Vulnerabilities," 14 March 2016. [Online]. Available: http://www.alphaguardian.net/variable-frequency-drive-vfd-vulnerabilities/.
[15] J. Kocur, in Proceedings of the 37th Turbomachinery Symposium.
[16] "Iran's gas flow to Turkey halted after pipeline blast – official," [Online]. Available: https://www.rt.com/news/364502-turkey-gas-explosion-iran/.
[17] M. Krotofil and D. Gollmann, "Industrial control systems security: What is happening?" 2013 11th IEEE International Conference on Industrial Informatics (INDIN), 2013, pp. 664-669.
[18] T. H. Morris and W. Gao, "Industrial Control System Cyber Attacks," ICS-CSR, 2013.
[19] D. Gollmann et al., "Cyber-Physical Systems Security: Experimental Analysis of a Vinyl Acetate Monomer Plant," CPSS@AsiaCCS, 2015.
[20] A. Winnicki et al., "Cyber-Physical System Discovery: Reverse Engineering Physical Processes," CPSS@AsiaCCS, 2017.
[21] A. K. Srivastava et al., "Modeling Cyber-Physical Vulnerability of the Smart Grid With Incomplete Information," IEEE Transactions on Smart Grid, vol. 4, 2013, pp. 235-244.
[22] K. Huang et al., "Assessing the Physical Impact of Cyberattacks on Industrial Cyber-Physical Systems," IEEE Transactions on Industrial Electronics, vol. 65, no. 10, 2018, pp. 8153-8162, doi:10.1109/tie.2018.2798605.
[23] I. Friedberg et al., "STPA-SafeSec: Safety and security analysis for cyber-physical systems," J. Inf. Sec. Appl., vol. 34, 2017, pp. 183-196.
[24] "Configuring And Managing Remote Access For Industrial Control Systems | ICS-CERT," 2010. [Online]. Available: https://ics-cert.us-cert.gov/Abstract-Configuring-and-Managing-Remote-Access-Industrial-Control-Systems. (Accessed 11 Aug. 2018)
[25] "Advisory (ICSA-17-164-02), OSIsoft PI Server 2017," Industrial Control System Cyber Emergency Response Team (ICS-CERT), 2017. [Online]. Available: https://ics-cert.us-cert.gov/advisories/ICSA-17-164-02. (Accessed 11 Aug. 2018)
[26] "Accident Report Detail | Occupational Safety And Health Administration." [Online]. Available: https://www.osha.gov/. (Accessed 11 Aug. 2018)
X. BIOGRAPHIES
Matthew G. Angle is a Postdoc in the Department of Electrical Engineering
and Computer Science at the Massachusetts Institute of Technology. He
received his SB (2007), MEng (2011), and Ph.D. (2016) degrees in Electrical
Engineering from MIT.
Stuart Madnick is the John Norris Maguire (1960) Professor of Information
Technology and a Professor of Engineering Systems at the Massachusetts
Institute of Technology. He has been an MIT faculty member since 1972. He
has served as the head of MIT’s Information Technologies Group in the MIT
Sloan School of Management for more than twenty years. Currently he is the
Director of MIT's Interdisciplinary Consortium for Improving Critical
Infrastructure Cybersecurity, (IC)3. He is the author or co-author of over 350
books, articles, or reports including the book Computer Security in 1979 and
the classic textbook on Operating Systems, plus several patents. His current
research interests include cybersecurity, information integration technologies,
semantic web, software project management, internet applications, and the
strategic use of information technology. Madnick has been active in industry,
as a key designer and developer of projects such as IBM’s VM/370 operating
system and Lockheed’s DIALOG information retrieval system. He has served
as a consultant to major corporations, including IBM, AT&T, and Citicorp. He
has also been the founder or co-founder of five high-tech firms, and currently
operates a hotel in the 14th century Langley Castle in England. Madnick holds
an SB in electrical engineering, an SM in management, and a PhD in computer
science from MIT.
James L. Kirtley Jr. is Professor of Electrical Engineering at the
Massachusetts Institute of Technology. He has also worked for General
Electric, Large Steam Turbine Generator Department, as an Electrical Engineer,
for Satcon Technology Corporation as Vice President and General Manager of
the Tech Center and as Chief Scientist, and was Gastdozent at the Swiss Federal
Institute of Technology. He continues as a Director for Satcon. Dr. Kirtley
attended MIT as an undergraduate and received the degree of Ph.D. from MIT
in 1971. Dr. Kirtley is a specialist in electric machinery and electric power
systems. He served as Editor in Chief of the IEEE Transactions on Energy
Conversion from 1998 to 2006 and continues to serve as Editor for that journal
and as a member of the Editorial Board of the journal Electric Power
Components and Systems. Dr. Kirtley was made a Fellow of IEEE in 1990. He
was awarded the IEEE Third Millennium Medal in 2000 and the Nikola Tesla
prize in 2002. Dr. Kirtley was elected to the United States National Academy
of Engineering in 2007. He is a Registered Professional Engineer in
Massachusetts.
Shaharyar Khan is a fellow (S.M) of the System Design and Management
(SDM) program at the Massachusetts Institute of Technology. He received his
BASc Hons. (2010) degree in Mechanical Engineering from the University of
Waterloo. He has worked as a structural design engineer for BWX Technologies,
designing and analyzing critical components for nuclear power plants. He has
also worked as a Site Project Engineer at a nuclear generating station, deploying
tools for reactor inspections and maintenance. He is a Registered Professional
Engineer in Ontario, Canada.
... VPN is often used by vendors and system integrators to access OT networks and, if compromised, can allow hard-to-detect adversary access into operation environments [230]. Remote connection capabilities are commonly used to monitor the OT assets, perform software updates, or perform maintenance [172], [231]. Complex systems like large power plants are often supported by multiple equipment manufacturers and other specialized service providers that may access the ICS network to monitor or remotely control devices, which multiplies the risk of exploitation in vulnerabilities present in remote connection systems. ...
... For instance, the system targeted by Stuxnet was thought to be air-gapped, which would have been circumvented in the attack [242]. Also, it is often found that incorrect cybersecurity practices and training of personnel can lead to breaches in the air gap [231]. Systems not connected to the internet are hard to patch and very often use legacy software that is no longer supported by their vendor, which carries vulnerabilities that could be exploited by an attacker capable of breaching the air gap. ...
Article
Full-text available
This paper presents a literature review on current practices and trends on cyberphysical security of grid-connected battery energy storage systems (BESSs). Energy storage is critical to the operation of Smart Grids powered by intermittent renewable energy resources. To achieve this goal, utility-scale and consumer-scale BESS will have to be fully integrated into power systems operations, providing ancillary services and performing functions to improve grid reliability, balance power and demand, among others. This vision of the future power grid will only become a reality if BESS are able to operate in a coordinated way with other grid entities, thus requiring significant communication capabilities. The pervasive networking infrastructure necessary to fully leverage the potential of storage increases the attack surface for cyberthreats, and the unique characteristics of battery systems pose challenges for cyberphysical security. This paper discusses a number of such threats, their associated attack vectors, detection methods, protective measures, research gaps in the literature and future research trends.
... Motter and Lai [7] pointed out that because the network has a cascading failure phenomenon, intentional attacks can lead to a cascade of overload failures, which can in turn cause the entire or a substantial part of the network to collapse. As physical control systems are increasingly controlled by network-enabled devices, cyberattacks will have an important impact on the real world [8]. For example, the load frequency of the equipment in the power system is maliciously changed by remote programming, which further leads to the failure of the power system cascade [9,10]; in 2012, part of the line in the Indian power system jumped, leading to the collapse of the northern power system [11], and network fluctuations at the autonomous system level have caused the Internet to collapse [12]. ...
... If the latest solution is accepted, the disturbance continues in the original direction; otherwise, a random disturbance is performed. 8 Security and Communication Networks ...
Article
Full-text available
By studying an attacker’s strategy, defenders can better understand their own weaknesses and prepare a response to potential threats in advance. Recent studies on complex networks using the cascading failure model have revealed that removing critical nodes in the network will seriously threaten network security due to the cascading effect. The conventional strategy is to maximize the declining network performance by removing as few nodes as possible, but this ignores the difference in node removal costs and the impact of the removal order on network performance. Having considered all factors, including the cost heterogeneity and removal order of nodes, this paper proposes a destruction strategy that maximizes the declining network performance under a constraint based on the removal costs. First, we propose a heterogeneous cost model to describe the removal cost of each node. A hybrid directed simulated annealing and tabu search algorithm is then devised to determine the optimal sequence of nodes for removal. To speed up the search efficiency of the simulated annealing algorithm, this paper proposes an innovative directed disturbance strategy based on the average cost. After each annealing iteration, the tabu search algorithm is used to adjust the order of node removal. Finally, the effectiveness and convergence of the proposed algorithm are evaluated through extensive experiments on simulated and real networks. As the cost heterogeneity increases, we find that the impact of low-cost nodes on network security becomes larger.
... While there has been considerable attention to attacks on Information Technology (IT) systems, such as data theft and ransomware, the vulnerabilities and dangers posed by industrial control systems (ICS) have received significantly less attention. Events such as the cyberattacks on the Ukrainian power grid, as well as attacks on oil and gas plants and nuclear facilities in Saudi Arabia and Iran, respectively, have demonstrated not only the capability but also the willingness of nation-states and advanced cyber adversaries to disrupt and/or cause damage to an adversary's critical infrastructure [1]. Part of the reason for the lack of attention to cyberattacks on ICS is because of an underlying assumption that the control systems (that operate the pumps, valves and machines) are isolated from the public internet. ...
Article
Full-text available
Recent world events and geopolitics have brought the vulnerability of critical infrastructure to cyberattacks to the forefront. While there has been considerable attention to attacks on Information Technology (IT) systems, such as data theft and ransomware, the vulnerabilities and dangers posed by industrial control systems (ICS) have received significantly less attention. What is very different is that industrial control systems can be made to do things that could destroy equipment or even harm people. For example, in 2021 the US encountered a cyberattack on a water treatment plant in Florida that could have resulted in serious injuries or even death. These risks are based on the unique physical characteristics of these industrial systems. In this paper, we present a holistic, integrated safety and security analysis, we call Cybersafety, based on the STAMP (System-Theoretic Accident Model and Processes) framework, for one such industrial system—an industrial chiller plant—as an example. In this analysis, we identify vulnerabilities emerging from interactions between technology, operator actions as well as organizational structure, and provide recommendations to mitigate resulting loss scenarios in a systematic manner.
... A smart grid will involve many industrial control system (ICS) components to regulate the processes of electrical equipment. In [26] the authors show through a survey of notable cyberattacks how threat actors may quickly shift from the cyber to the physical and inflict real-world damage. The temporary shutdown of the Ukrainian power grid, the Turkish Pipeline explosion, and Stuxnet are all highlighted to show the potential for sophisticated cyberattacks on otherwise highly secure targets. ...
Article
Full-text available
Malware that attack the electrical power grid consist of exploits and operations modules. The exploits are similar to those of traditional malware. These malware hack into an industrial computer and subsequently deploy operational modules. Some operational modules penetrate the operating system of the compromised industrial computer to take over computing functions and hence facilitate further attacks. Examples include interception of cryptographic keys, and generation of deceptive status data that indicate normal operation of a power transformer, while in reality the transformer is in distress due to the attacks. Other operational modules are designed to recognize and disrupt the physics of the physical equipment. We refer to these operations modules as physics-centric modules. The subject of this research is how physics-centric modules of malware can cause physical damage to power grid equipment. This research simulates a power transformer and a set of its protection algorithms. We make several contributions in this research, namely: i) we emulate in Python the protection algorithms that run on an industrial computer and monitor and protect a power transformer from a variety of faults; ii) we leverage these emulations to analyze the cyberattack surface of a power transformer; iii) with these insights at hand, we devise attack modus operandi that malware could use against a power transformer; and iv) we emulate these cyberattacks in Python to empirically observe and quantify their destructive effects on a power transformer. Our overall research findings in this paper serve the purpose of informing better defense against the physics-centric modules of malware that attack the electrical power grid.
... Several studies have investigated the impact of cyberattacks. Angle et al. (2019) reviewed a few past examples of actual damage to cyber-physical systems. A load-altering attack is studied for the power system frequency control (Chen et al., 2020), and model-free defense strategies were proposed to improve the frequency control performance. ...
Article
Dispatchable distributed energy resources (DERs) in distribution networks are envisioned to aid frequency regulation for transmission systems. In this paper, a real-time optimal dispatch framework for DERs in distribution networks is designed to offer frequency regulation services simultaneously. Different from the existing research that distribution networks track uniaxially the predetermined auxiliary-services commands of the transmission system, here we regard transmission system frequency regulation as a black box and learn the parameters of its proxy satisfaction function from the perspective of DER optimization. To solve such a special optimization problem with control performance feedback, first we employ Gaussian processes to learn the satisfaction function, and, especially, build pertinent upper confidence bounds to achieve the optimal provision of ancillary services. Next, the primal-dual gradient projection process is embedded into the Gaussian process upper confidence bound algorithm to pursue the optimal DER dispatch. Accordingly, the output powers of DERs can be controlled in real-time: in disaggregate mode, they meet the goal of the distribution network; in aggregate mode, they provide a more satisfactory tie-line power flow to the transmission system. Simulations for illustrative systems are provided to validate the approach.
Article
The overwhelming acceptance and growing need for Internet of Things (IoT) products in each aspect of everyday living is creating a promising prospect for the involvement of humans, data, and procedures. The vast areas create opportunities from home to industry to make an automated lifecycle. Human life is involved in enormous applications such as intelligent transportation, intelligent healthcare, smart grid, smart city, etc. A thriving surface is created that can affect society, the economy, the environment, politics, and health through diverse security threats. Generally, IoT devices are susceptible to security breaches, and the development of industrial systems could pose devastating security vulnerabilities. To build a reliable security shield, the challenges encountered must be embraced. Therefore, this survey paper is primarily aimed to assist researchers by classifying attacks/vulnerabilities based on objects. The method of attacks and relevant countermeasures are provided for each kind of attack in this work. Case studies of the most important applications of the IoT are highlighted concerning security solutions. The survey of security solutions is not limited to traditional secret key-based cryptographic solutions, moreover physical unclonable functions (PUF)-based solutions and blockchain are illustrated. The pros and cons of each security solution are also discussed here. Furthermore, challenges and recommendations are presented in this work.
Chapter
Digital twins (DTs) under Industry 4.0 provide the manufacturing industry with the mapping relationship between products in physical space and virtual space, as well as the process of recording, simulating, and predicting the operation trajectory of the whole life cycle of objects in the physical world and the digital virtual space. This paper analyzes and studies the configuration security of industrial automation and control systems to contribute to the security of the world's industrial control networks. It is also hoped to help the world's industries get rid of the risk of invasion of industrial control systems as soon as possible. This paper uses an improved artificial bee colony (ABC) algorithm combined with support vector machine technology for research, and expects to achieve good attack detection results. In the case of small-scale data, the performance of this method is more general. However, in the case of large-scale data, the detection accuracy, false alarm rate, and detection time of this method are all excellent. Compared with other attack detection methods, the proposed method has certain advantages in various aspects. Security situation awareness can be used to detect, analyze, and visualize the security situation of industrial control network platforms and data flow processes, and to analyze security threat intelligence from the time and space dimensions through DT technology. The attack detection method for industrial control systems based on the ABC algorithm can effectively detect the attack state, and provides an important theoretical basis for the research of attack detection methods.
Chapter
With the emergence of novel COVID-19, health care is getting more preference in each country. IoT-based health monitoring systems might be the best option to monitor infected patients and be helpful for the elderly population. In this paper, we analyzed different IoT-based health monitoring systems and their challenges. We searched through established journal and conference databases using specific keywords to find scholarly works to conduct the analysis, and investigated unique articles related to this analysis. The selected papers were then sifted through to understand their contributions and research focus. We then tried to find their research gaps and challenges, turned them into opportunities, and proposed a GSM-based offline health monitoring system that will connect with healthcare providers through communication networks. Hopefully, this model will work as an absolute pathway for researchers to establish a sustainable IoT-based health monitoring system for humankind.
Article
Cyber-physical systems tightly integrate physical processes and information and communication technologies. As today's critical infrastructures, e.g., the power grid or water distribution networks, are complex cyber-physical systems, ensuring their safety and security becomes of paramount importance. Traditional safety analysis methods, such as HAZOP, are ill-suited to assess these systems. Furthermore, cybersecurity vulnerabilities are often not considered critical, because their effects on the physical processes are not fully understood. In this work, we present STPA-SafeSec, a novel analysis methodology for both safety and security. Its results show the dependencies between cybersecurity vulnerabilities and system safety. Using this information, the most effective mitigation strategies to ensure safety and security of the system can be readily identified. We apply STPA-SafeSec to a use case in the power grid domain, and highlight its benefits.
Conference Paper
We describe an approach for analysing and attacking the physical part (a process) of a cyber-physical system. The stages of this approach are demonstrated in a case study, a simulation of a vinyl acetate monomer plant. We want to demonstrate in particular where security has to rely on expert knowledge in the domain of the physical components and processes of a system, and that there are major challenges in converting cyber attacks into successful cyber-physical attacks.
Conference Paper
Increasing awareness of ICS security issues has brought about a growing body of work in this area, including pioneering contributions based on realistic control system logs and network traces. This paper surveys the state of the art in ICS security research, including efforts of industrial researchers, highlighting the most interesting works. Research efforts are grouped into divergent areas, where we add “secure control” as a new category to capture security goals specific to control systems that differ from security goals in traditional IT systems.
Article
This paper addresses attack modeling using the vulnerability of information, communication, and electric grid networks. The vulnerability of the electric grid with incomplete information has been analyzed using a graph-theory-based approach. The vulnerability of the information and communication (cyber) network has been modeled utilizing the concepts of discovery, access, feasibility, communication speed, and detection threat. A common attack vector based on the vulnerability of the cyber and physical systems has been utilized to operate breakers associated with generating resources to model an Aurora-like event. Real-time simulations for a modified IEEE 14-bus test case system and graph theory analysis for the IEEE 118-bus system have been presented. Test case results show the possible impact on the smart grid caused by an integrated cyber-physical attack.
Article
Industrial cyber-physical systems (ICPSs) are widely applied in critical infrastructures such as chemical plants, water distribution networks, and the power grid. However, they face various cyber-attacks, which may cause physical damage to these industrial facilities. Therefore, ensuring the security of ICPSs is of paramount importance. For this purpose, a new risk assessment method is presented in this paper to quantify the impact of cyber-attacks on the physical system of ICPSs. It helps carry out appropriate attack mitigation measures. The method uses a Bayesian network to model the attack propagation process and infers the probabilities of sensors and actuators being compromised. These probabilities are fed into a stochastic hybrid system (SHS) model to predict the evolution of the physical process being controlled. Then, the security risk is quantified by evaluating the system availability with the SHS model. The effectiveness of the proposed method is demonstrated with a case study on a hardware-in-the-loop simulation testbed.
Conference Paper
Successful cyber attacks against cyber-physical systems require expert knowledge about the dynamic behaviour of the underlying physical process. Therefore, obtaining the relevant information is a crucial part of attack preparation. Previous work has shown manual acquisition of knowledge about process dynamics to be prohibitively laborious. This paper presents first insights into semi-automated process-aware system discovery that goes beyond IT-related trivia and focuses on the physical core of a system.
Conference Paper
Synchronizing a generator to the power system must be done carefully to prevent damage to the machine and disturbances to the power system. Traditionally, power plants include a synchronizing panel to indicate what adjustments the operator should make to the governor and exciter and when it is acceptable for the operator to close the breaker. In many cases, the process is automated using an automatic synchronizer with manual control available as a backup. In power plants with more than a single generator or installations with multiple synchronizing breakers, complicated synchronizing circuits with many contacts are required to switch the voltage transformer (VT) and control signals between the operator controls and the high-voltage equipment. Maintaining proper isolation and safety grounding of sensing and control circuits often requires the use of problem-prone auxiliary relays and VTs. Today, protective-relay-grade microprocessor devices can significantly improve manual and automatic synchronizing systems. This paper discusses how this technology can simplify synchronizing circuits to reduce cost, improve reliability, and easily accomplish complete integration, automation, and remote control of the system.
Article
Computer cables snake across the floor. Cryptic flowcharts are scrawled across various whiteboards adorning the walls. A life-size Batman doll stands in the hall. This office might seem no different than any other geeky workplace, but in fact it's the front line of a war: a cyberwar, where most battles play out not in remote jungles or deserts but in suburban office parks like this one. As a senior researcher for Kaspersky Lab, a leading computer security firm based in Moscow, Roel Schouwenberg spends his days (and many nights) here at the lab's U.S. headquarters in Woburn, Mass., battling the most insidious digital weapons ever, capable of crippling water supplies, power plants, banks, and the very infrastructure that once seemed invulnerable to attack.