
Abstract

Supervisory Control and Data Acquisition (SCADA) systems are the underlying monitoring and control components of critical infrastructures, such as power, telecommunication, transportation, pipelines, chemicals and manufacturing plants. Legacy SCADA systems operated on isolated networks, which made them less exposed to Internet threats. However, the increasing connection of SCADA systems to the Internet, as well as to corporate networks, introduces severe security issues. Security considerations for SCADA systems are gaining higher attention, as the number of security incidents against these critical infrastructures is increasing. In this survey, we provide an overview of the general SCADA architecture, along with a detailed description of the SCADA communication protocols. Additionally, we discuss certain high-impact security incidents, objectives, and threats. Furthermore, we carry out an extensive review of the security proposals and tactics that aim to secure SCADA systems. We also discuss the state of SCADA system security. Finally, we present the current research trends and future advancements of SCADA security.
... Intercepting communications on a wired or wireless network [19] between master terminal units (MTUs), sub-MTUs, or remote terminal units (RTUs) is known as passive or active monitoring. To exploit the collected data, an attacker with network access can install malware [20]. ...
Article
The Industrial Internet of Things (IIoT) ecosystem faces increased risks and vulnerabilities due to adopting Industry 4.0 standards. Integrating data from various places and converging several systems have heightened the need for robust security measures beyond fundamental connection encryption. However, it is difficult to provide adequate security due to the IIoT ecosystem’s distributed hardware and software. The most effective countermeasures must be suggested together with the crucial vulnerabilities, linked threats, and hazards in order to protect industrial equipment and ensure the secure functioning of IIoT systems. This paper presents a thorough analysis of events that target IIoT systems to alleviate such concerns. It also offers a comprehensive analysis of the responses that have been advanced in the most recent research. This article examines several kinds of attacks and the possible consequences to understand the security landscape in the IIoT area. Additionally, we aim to encourage the development of effective defenses that will lessen the hazards detected and secure the privacy, accessibility, and reliability of IIoT systems. It is important to note that we examine the issues and solutions related to IIoT security using the most recent findings from research and the literature on this subject. This study organizes and evaluates recent research to provide significant insight into the present security situation in IIoT systems. Ultimately, we provide outlines for future research and projects in this field.
... It can connect to the internet and third-party peripherals. Additionally, this architecture enhanced the performance level of SCADA by allowing several servers to run in parallel to handle several tasks [25]. Figure 6 below shows the description of the Networked SCADA architecture. ...
Article
Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and Programmable Logic Controllers (PLC), play a crucial role in managing and regulating industrial processes. However, ensuring the security of these systems is of utmost importance due to the potentially severe consequences of cyber attacks. This article presents an overview of ICS security, covering its components, protocols, industrial applications, and performance aspects. It also highlights the typical threats and vulnerabilities faced by these systems. Moreover, the article identifies key factors that influence the design decisions concerning control, communication, reliability, and redundancy properties of ICS, as these are critical in determining the security needs of the system. The article outlines existing security countermeasures, including network segmentation, access control, patch management, and security monitoring. Furthermore, the article explores the integration of machine learning techniques to enhance the cybersecurity of ICS. Machine learning offers several advantages, such as anomaly detection, threat intelligence analysis, and predictive maintenance. However, combining machine learning with other security measures is essential to establish a comprehensive defense strategy for ICS. The article also addresses the challenges associated with existing measures and provides recommendations for improving ICS security. This paper becomes a valuable reference for researchers aiming to make meaningful contributions within the constantly evolving ICS domain by providing an in-depth examination of the present state, challenges, and potential future advancements.
... The recommended method for ping-killing detection and prevention is used [7] and for the data-packet size poisoning probability function. The research paper [8] discusses cyber-attacks, including the man in the middle, Denial-of-service, domain name systems, DDoS, and various virus-based assaults [9]. Cybercrime includes the identification of any security threat, which may be identified or tracked using various methods, such as the hidden-Markov model or machine learning techniques such as naïve Bayes, k-nearest neighbor, and cyber-bullying detection [10,11]. ...
Preprint
The Internet of Flying Things (IoFT), popularly known as drones, has been recently adopted to perform essential tasks in several mission-critical systems, such as military, medical, ambulance and firefighting, and transportation systems. However, the traffic communication of IoFT has been vulnerable to a wide range of cyberattack vectors that threaten the privacy and authentication of IoFT devices and data. This paper presents a proficient defense approach to capture cyber-attacks deliberated against the IoFT. Particularly, we characterize the performance of three supervised machine learning schemes, including the random forest classifier (RFC), the multi-layer perceptron (MLP), and the support vector machines (SVM). The models were trained and evaluated on a recent dataset for cyber-attacks over IoFT, ECU-IoFT-2022, using two balanced classes (normal vs. attack). The models' assessment showed that the based scheme for IoFT Cyber-Attacks Categorization provides the best performance indicators, achieving a 99.5% classification accuracy. Besides, its performance is improved over the existing state-of-the-art models for IoFT.
... The cyber-physical power system has become the main feature of modern power systems and attracts countries to compete to develop such a power system (Pliatsios et al., 2020;Liu et al., 2022). The cyber system brings flexibility to the operation of power grids. ...
Article
Introduction: Load Redistribution (LR) attacks, as a common form of false data injection attack, have emerged as a significant cybersecurity threat to power system operations by manipulating load buses’ measurements at substations. Existing LR attack methods typically assume that any substation can be equally attacked, contributing to the analysis of LR attacks in power systems. However, the diversity of cyber vulnerabilities in substation communication links implies varying costs associated with falsifying load buses’ measurements. Thus, quantitatively evaluating these costs and analyzing the impact of LR attacks on power systems within cost constraints holds practical significance. Methods: In this paper, we employ a Bayesian attack graph model to characterize the intrusion process through cyber vulnerabilities. The costs of falsifying load buses’ measurements at substations are quantitatively evaluated using the mean time-to-compromise model. Subsequently, from the attacker’s perspective, we propose a bi-level optimization model for LR attacks, considering the mean time to compromise in conjunction with limited attack resources and power flow constraints. Results: Simulations conducted on the IEEE 14-bus system illustrate the influence of cyber vulnerabilities on LR attacks within power systems. Furthermore, we verify that the attack scenario of the existing LR attack model aligns with a case of the proposed bi-level LR attack model when there is sufficient attack time to compromise all communication links. Discussion: The findings of this research demonstrate that the impact of cyber vulnerabilities on LR attacks can be quantified by assessing the attack costs. Effective management of LR attacks can be achieved under cost constraints through optimization methods. These insights contribute to enhancing network security strategies for power systems, mitigating potential threats posed by LR attacks in power system operations.
Conference Paper
A Man-in-the-Middle (MITM) attack is a cyber-attack in which the attacker covertly intercepts and passes messages between two parties who mistakenly think they are communicating directly. However, in reality, the attacker intercepts data transfers between a client and a server by deceiving both parties. While the attack occurs, the data is secretly manipulated by inserting false information. This article explores how to create and use MITM attacks in a liquid-level networked control system. The essential tools to execute the attack include Ettercap and Wireshark software applications. Ettercap is a tool for capturing packets, allowing real-time redirection and modification of data streams by writing the packets back onto the network. Wireshark is a flexible network protocol analyzer used to analyze data packets of the networked control system. After implementing the MITM attack on the cyber-physical system, system data was collected and labeled to detect MITM attacks by leveraging machine learning classification algorithms.
Chapter
Critical infrastructures in areas like road traffic management naturally rely on the broad use of “Operational Technology (OT)” to ensure efficient and safe road traffic monitoring (RTM) through “OT objects” like sensors and actuators whereby monitoring OT itself (“OTM”) is evenly crucial. OTM is highly challenging, not least due to massive heterogeneity of OT, immense complexity and size and omnipresence of evolution. As a consequence, knowledge about interdependencies between OT objects in form of semantic relationships is often outdated or simply not available. Thus, in case of incidents, detection of cause and effect in the sense of a situational picture is missing. In order to counteract this fundamental deficiency, we aim to automatically recognize semantic relationships between OT objects to build up an ontological knowledge base as prerequisite for achieving OT situation awareness. The contribution of this paper is to sketch out state-of-research w.r.t. real-world challenges we are facing and based on that to put forward appropriate research questions, leading to the identification and in-depth discussion of potential concepts and technologies appearing to be useful for our work. Overall, this contribution forms the conceptual framework for a proof-of-concept prototype already realized on basis of real-world OT in the area of road traffic management.
Article
Critical infrastructures, for example, electricity generation and dispersal networks, chemical processing plants and gas distribution are governed and monitored by Supervisory Control and Data Acquisition Systems (SCADA). Detecting intrusion has been a prevalent area of study for numerous years, and several intrusion detection systems have been suggested in the literature for cyber-physical systems and industrial control systems (ICS). In recent years, the virus seismic net, Duqu and Flame against ICS attacks have caused tremendous damage to nuclear facilities and critical infrastructure in some countries. These intensified attacks have sounded the alarm for the security of the industrial control system in many countries. The challenge in constructing an intrusion detection framework is to deal with unbalanced intrusion datasets, i.e. when one class is signified by a lesser amount of instances (minority class). To this end, we outline an approach to deal with this issue and propose an anomaly detection method for ICS. Our proposed approach uses a hybrid model that takes advantage of the anticipated and consistent nature of communication patterns that occur amongst ground devices in ICS setups. First, we applied some preprocessing techniques to standardize and scale the data. Second, dimensionality reduction algorithms are applied to improve the process of anomaly detection. Third, we employed the Edited Nearest-Neighbor rule algorithm to balance the dataset. Fourth, by using a Bloom filter, a signature database is created by noting the system for a specific period lacking the occurrence of abnormalities. Finally, to detect new attacks we combined our package contents level detection with another instance-based learner to make a hybrid method for anomaly detection. Experimental results with a real large scale dataset generated from a gas pipeline SCADA system show that the proposed approach HML-IDS outperforms the benchmark models with an accuracy rate of 97%.
Article
Supervisory Control and Data Acquisition (SCADA) systems are used for monitoring industrial devices. However, their security faces the threat of being compromised due to the increasing use of open access networks. The primary objective of this survey paper is to provide a comparative study of the on-going security research in SCADA systems. The paper provides a classification of attacks based on security requirements and network protocol layers. To secure the communication between nodes of SCADA networks, various security standards have been developed by different organizations. We conduct a study of the security standards developed for SCADA networks along with their vulnerabilities. Researchers have proposed various security schemes to overcome the weaknesses of SCADA standards. The paper organizes security schemes based on current standards, detection, and prevention of attacks. It also addresses the future challenges that SCADA networks may face, in particular, from quantum attacks. Furthermore, it outlines directions for further research in the field.
Article
The resilience of elements in a critical infrastructure system is a major factor determining the reliability of services and commodities provided by the critical infrastructure system to society. Resilience can be viewed as a quality which reduces the vulnerability of an element, absorbs the effects of disruptive events, enhances the element's ability to respond and recover, and facilitates its adaptation to disruptive events similar to those encountered in the past. In this respect, resilience assessment plays an important role in ensuring the security and reliability of not only these elements alone, but also of the system as a whole. The paper introduces the CIERA methodology designed for Critical Infrastructure Elements Resilience Assessment. The principle of this method is the statistical assessment of the level of resilience of critical infrastructure elements, involving a complex evaluation of their robustness, their ability to recover functionality after the occurrence of a disruptive event and their capacity to adapt to previous disruptive events. The complex approach thus includes both the assessment of technical and organizational resilience, as well as the identification of weak points in order to strengthen resilience. An example of the application of the CIERA method is presented in the form of a case study focused on assessing the resilience of a selected element of electrical energy infrastructure.
Chapter
The electricity sector needs assurance that its critical components are sufficiently protected from cyberthreats. This assurance can be obtained from cybersecurity assessments, provided they are conducted methodologically. This chapter is focused on presenting a cybersecurity assessment approach and its supporting infrastructure, particularly applicable to the electricity sector due to avoidance of undesired interferences and interruptions in the systems’ operation. After introducing the relevant concepts, as well as reviewing alternative methods and testbeds, the details of the approach are provided.
Chapter
A continuous, systematic cybersecurity management process is required to ensure the vital protection of the electric power grid. In this chapter, after an overview of cybersecurity management methods specified in standards, a cybersecurity management approach for the electricity sector is presented which takes into account the specific characteristics of the industry and aims at incorporating all the strengths of the alternative methods.
Article
Water distribution networks (WDNs) are vital infrastructures in cities. However, reports about urban WDNs incidents that result in major system breakdowns and water outages are not uncommon, which repeatedly highlights the urgency of addressing vulnerability challenges of WDNs. This study aims to propose a new method for system-level, scenario-independent vulnerability assessment of WDNs, which considers the uncertainty in various failures that may happen in the system. The proposed method is developed based on the notion that the vulnerability of WDN is largely determined by its heterogeneity in node importance, which impacts how likely system malfunction or breakdown would happen should a small amount of nodes be attacked. Accordingly, the proposed method uses a set of indicators to measure the functional, structural and overall importance of each node in WDN, and introduces a novel network entropy model to measure the heterogeneity of importance of these nodes. The proposed method then assesses the systemic vulnerability of WDN, by benchmarking its current entropy against the entropies associated with the least and most vulnerable states of the system. The efficacy of the proposed method is demonstrated in a case study, in which the assessment yielded by the proposed method was found theoretically reasonable as well as consistent with actual conditions of the case WDN.
Article
Modern Industrial Control Systems (ICS) constitute complex and heterogeneous ‘system of systems’ embracing the numerous advantages of traditional Information and Communication Technology (ICT). The pervasive integration of off-the-shelf ICT into the core of ICS broadened the palette of features and applications, but it also raised new design challenges and exposed ICS to a new breed of cyber-physical attacks. In addition, despite all the security solutions in place, unavoidably, these systems may be compromised. Therefore, survivability, that is, the ability to face malicious actions and faults, becomes a salient feature/requirement in the design of modern cyber-connected ICS. We present a comprehensive solution for ensuring the survival of ICS under malicious activities and faults. We design a Software Defined Networking (SDN) and Network Function Virtualization (NFV) based communication infrastructure particularly tailored to address the communication requirements of ICS. We develop an attack detection and localization algorithm for bidirectional ICS flows, and we design an optimal intervention strategy that embraces the communication and security requirements of industrial applications. Finally, we present intrinsic details on recreating a real-life and emulated test infrastructure. Experimental results demonstrate the solution's applicability to networked robot control systems.