
Article attached. Write a 2 1/2 page paper that supports or opposes the author's findings. Please find two to three other peer-reviewed articles

Article attached 

Write a 2 1/2 page paper that supports or opposes the author's findings.  Please find two to three other peer-reviewed articles that support your position/argument.

Assessing and augmenting SCADA cyber security: a survey of techniques

Nazir, Sajid; Patel, Shushma; Patel, Dilip

Published in: Computers & Security

DOI: 10.1016/j.cose.2017.06.010

Publication date: 2017

Document Version: Peer reviewed version


Citation for published version (Harvard): Nazir, S, Patel, S & Patel, D 2017, 'Assessing and augmenting SCADA cyber security: a survey of techniques', Computers & Security, vol. 70, pp. 436-454.


Download date: 12. Apr. 2021

Abstract—SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such a mindset helps to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their


Index Terms—cyber defence, anomaly detection, attack tools, vulnerability, simulation, modelling, SCADA.


Supervisory Control and Data Acquisition (SCADA) systems are used to monitor and control critical national infrastructures such as smart grids, oil and gas, power generation and transmission, manufacturing, and transportation networks. They are also used to manage public utilities like building control, water, sewage, and traffic lights. The downtime or compromise of these systems can have disastrous consequences for the economy, public health and national security.

SCADA systems (Figure 1) are cyber physical systems with communication networks (wired and wireless) interfacing the monitoring and control system with the hardware, providing a large attack surface [1]. The architecture can be envisaged as four layers, as shown in Figure 1. At the lowest level, field or slave devices (sensors, pumps, motors) provide an interface for control and monitoring of the physical process. At the next higher level, Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC) aggregate control (acting as master) for many field devices by passing commands and responses through the communications network to the SCADA server. A PLC is a computer system running Ladder Logic for decision making to control the field devices. The operator monitors the process state through a Human-Machine Interface (HMI) and controls the process by activating commands as required [2]. A typical SCADA system could have multiple supervisory systems, PLCs, RTUs, HMIs, process and control instrumentation, sensors and actuator devices over a large geographical area, interconnected through a communications network.

Fig. 1. A simplified layered architecture for a typical SCADA system.

The use and applications of SCADA systems have increased as a result of rising levels of industrial process automation, reduced cost of operation and growth in global economies. The use of SCADA systems is expected to keep growing, and investment is expected to reach up to $11.16 billion by 2020 [3]. With the proliferation of the Internet of Things (IoT), SCADA sensor and actuator devices are becoming Internet connected, and SCADA systems are being transformed from traditional on-site, stand-alone systems to Internet-connected, remotely accessible systems. An overview of challenges and security requirements for IoT is provided in [4]. A significant obstacle to IoT adoption is its security aspects, as it would be an attractive target for hackers [4], [5].

There are many benefits of Internet access, including scalability, better communications protocols, efficiency, cost effectiveness, interoperability between components [6] and remote access, but SCADA systems were never designed with network connectivity and security [5], [7] in mind. The focus had always been on reliability rather than security, and protection had been ensured through isolation and obscurity [8], [9] by using proprietary standards. Since the 1990s control systems have been integrated with computer networks [10], and more and more Commercial-off-the-shelf (COTS) products are being used in SCADA systems [11]. SCADA servers and user interfaces are now accessible over the Internet and cellular networks, providing many entry points for an attacker [8], [12]. Most SCADA communications protocols are just plain-text [13], [14] with no message authentication [15], making a man-in-the-middle (MITM) attack easier. TCP/IP protocols have their own vulnerabilities that can be exploited [5]. PLCs treat code as legitimate as long as it has the correct syntax [16]. The threat landscape for SCADA systems has been broadened [8] by Internet and cellular network connectivity, bringing along open standards such as web technologies, which have known security loopholes that make it very easy for an attacker to gain in-depth knowledge of SCADA networks [17], [18]. Modern SCADA communications use a variety of communication media, such as WiFi, cellular, and Bluetooth. Vulnerabilities in the communications protocols have been the main focus and target of cyber attacks. Failure to protect the SCADA infrastructure against the evolving threats of the changed connectivity landscape can have disastrous consequences. In the prevailing global cyber security environment, it is not a matter of if an attack of catastrophic proportions will happen, but when.

A Denial-of-Service (DoS) attack on a website can render a service unavailable, but similar attacks on SCADA systems can have potentially disastrous consequences [19] because the controlled process may get out of control. Stuxnet [16], June 2010, was the first malware designed to attack control systems and was the first attack of its kind that brought SCADA security vulnerabilities to prominence [19]. Prior to that, although vulnerable, SCADA systems were not considered to be actively targeted. Malware such as Flame (2012) copied data, recorded Voice over Internet Protocol (VoIP) audio and intercepted network traffic [19]. Stuxnet (2010) and Duqu (2011) used USB devices to spread and attacked the PLCs by changing the Ladder Logic code [19]. Havex (2014) can reportedly infect the software downloads from the SCADA manufacturers' web sites [20]. An active group of attackers, Dragonfly [21], mainly targets energy sectors through malware tools and infects targeted organisations using spam emails. These malware attacks highlight security weaknesses in SCADA system design [22]. Other attacks, like Slammer at the Davis-Besse nuclear plant [10], negate the illusion of security. Cyber attacks on SCADA systems have seen a 100% increase [23]. General technology awareness, widespread availability of free information, and the current global security situation of state and non-state elements with malicious intent all combine to make launching such attacks easier and more probable.

Countering cyber attacks is an emergent need: adequate safeguards must be provided by strengthening the defence. The general cyber security safeguards such as restricted physical access, cryptography, patch management, separation of corporate and production systems (through Demilitarized Zones (DMZ), firewalls and Access Control Lists (ACLs)), and activity logging are all applicable (Figure 2) but need to be viewed in conjunction with typical SCADA system characteristics. Nonetheless these security measures are important, as the corporate network could be the entry point for launching an attack on the SCADA network. Most of these security measures are not capable of defending SCADA systems from attacks against SCADA protocols [24]. For instance, SCADA characteristics make it difficult to apply existing cryptographic techniques, due to limited computational capability, low data rate, and the need for real-time response [17]. The confidentiality, integrity and availability (CIA) triad [25] applies to SCADA systems, but with a changed order of priority: availability, integrity and confidentiality (AIC), with availability being the most important. Agencies such as the National Institute of Standards and Technology (NIST), USA, and the European Network and Information Security Agency (ENISA) provide best practice documents for cyber security of SCADA systems in particular. Protection for telework devices is described in [26], and cyber security of SCADA systems in [27]. Guidelines for patch management are provided in [28]. Protecting Industrial Control Systems (ICS) [2] has recommendations for Europe and member states; it identifies security challenges and recommends a common test bed for security testing. The North American Electric Reliability Corporation (NERC) has released Critical Infrastructure Protection (CIP) documents. Industry regulations have started mandating cyber security safeguards, and this trend is likely to increase in the future.

Investigating the effect of an attack on an actual system is neither recommended, due to the unintended consequences, nor feasible on a replicated system, due to the cost and effort involved. Analysis methods and tools are very important to secure such systems [29]. Therefore SCADA cyber security researchers mostly rely on the development of simulation software and hardware to model SCADA attacks and analyse system security. SCADA system security can be assessed by vulnerability analysis through actively attacking a system, which not only uncovers the vulnerabilities but can be used to determine the system failure response, which helps to understand the system and provide necessary safeguards by fixing the vulnerabilities. Techniques such as penetration testing and vulnerability analysis can be considered part of vulnerability assessment [30].

Fig. 2. DMZ with separation of trust zones.

Generic simulators for SCADA systems are described in [31], but the focus is not on cyber security. Smart Grid simulators [32] provide a useful reference for simulation tools but do not address SCADA or cyber security. Vulnerability assessment and analysis comprises a spectrum of techniques, from the simplest ones doing port scanning to those involving exploitation of vulnerabilities, as in an actual attack

This paper provides a comprehensive survey of simulation, modelling and related techniques helpful for assessing the cyber-attack vulnerabilities of SCADA systems. In this paper we aim to cover the array of techniques for assessing SCADA vulnerabilities under simulation, modelling, tools and techniques, as these are often employed by researchers for SCADA cyber security. This categorisation is purely with a view to better organise the research literature rather than a taxonomy. We also highlight recent technology innovations which can aid in minimising the effect of cyber security risks.

The rest of the paper is organized into the following sections. Section II provides SCADA systems' characteristics and vulnerabilities. Section III covers the simulation and modelling techniques for identifying security weaknesses. Section IV describes other tools and techniques for evaluating defence. Section V provides conclusions, and Section VI discusses future research directions.


A SCADA system (Figure 1) differs in characteristics from a conventional information technology (IT) system [8], [27]. SCADA systems have tighter constraints on reliability, latency and uptime that preclude some IT security measures [15]. SCADA systems are cyber physical systems, that is, a cyber system (control and communications) and a physical system (sensors, actuators) comprising a system of systems that interact as a cohesive and unified whole. The software commands manifest as actions that modify physical processes. It is important to consider these differences when devising the protection

A. Generic OS

SCADA systems run over conventional operating systems (OS), thus inheriting vulnerabilities which can compromise the SCADA system [10]. The vulnerabilities of the operating systems are periodically announced by the vendors [33]. Patches are normally issued after vulnerabilities are discovered, but there could be a substantial time lag to release patches, or the patches may not be applied in time. The patch for the vulnerability exploited by Stuxnet in 2010 became available in 2012 [28]. There is generally a time lag for patch application; for instance, Slammer infections occurred six months after the patch to fix the vulnerability had been released [10]. Similarly, lack of user incentives [34] to apply patches enabled Code Red, a malware, to infect 360,000 servers, although a security patch had been released earlier. In some cases an attack comes before the vulnerability is discovered, and is termed a zero-day attack.

B. Legacy systems with long operational life

The installation of SCADA systems is costly and time-consuming, and most systems remain in operation for eight to fifteen years [10]. A system may have devices from many different manufacturers using various standard or proprietary communications protocols [35]. This is sometimes well past the expected supported lifespan of the software and also the hardware. Thus at times a system would comprise legacy components and their associated vulnerabilities [29].

C. Multiple Points of Entry and Failure

A SCADA system is geographically spread over a large area, starting at the sensors in the field and extending to the user and control interface. Although SCADA servers may themselves be well protected against cyber attacks, similar guarantees do not exist for field devices. The communication network, comprising wireless Internet, cellular and Bluetooth, provides multiple remote entry points which can be exploited by attackers. Wireless networks are especially vulnerable, as freely available tools like Aircrack-NG can sniff, test and even decrypt packets [36].

D. Communication Protocols

The low-level networking protocols used for industrial systems use simple plain-text messages based on a master-slave communications model. These lack security and encryption, as they were designed for isolated systems [13]. For example, the Modbus protocol can be attacked as reported in [8], [37], with varying consequences [37]. Other, more recent protocols such as Distributed Network Protocol 3.0 (DNP3) also have their vulnerabilities [5], [38], [39], and packets can also be analysed [36] through network sniffing tools to gain information and cause damage. The widely used protocols IEC 60870-5-101 and IEC 60870-5-104 lack application and data link layer security and have vulnerabilities that can be exploited [13]. With an understanding of the process and the protocol, an attacker can maliciously alter the process control by injecting valid control commands and responses with malicious intent [13], [22]. Attacks on protocol implementations [37] can cause failures resulting in possible exploits [8].

E. Real-time and Complex Interactions

SCADA systems monitor real-world processes under very tight timing and operational constraints. Time is critical for decision making, affecting the control system and vital process deviations, which must be accurately reflected and effectively managed. The stringent operational constraints (such as timing) of a SCADA system mean that it is more prone to fail in response to small deviations caused by an attacker. The "Aurora Generator Test" [1], [10] in March 2007 simulated a remote cyber-attack resulting in the destruction of a $1 million diesel-electric generator [40]. A patch application [25] or loss of time synchronization [1] may have unintended consequences detrimental to the prescribed operation. Application of a software update resulted in the automatic shutdown of a nuclear plant [10]. Analysing and exploiting vulnerabilities may be complicated, but unintelligent computer viruses and mere malfunctions in small devices can result in enormous unintended effects [10].

F. Conflicting Priorities

SCADA control and monitoring projects remain in continuous operation [41] for many decades after commissioning. This creates a dilemma for the administrators between ensuring adequate protection and sustained system operation. Application of software upgrades and patches may get postponed due to the desire to keep the system running without change to the execution environment [28]. Anti-virus software and patches may result in undesirable consequences [10], may tend to slow down the communication, and may interfere with normal functioning of the system.

The operational nature of these systems precludes post-commissioning cyber security testing due to the associated risks of jeopardising the controlled system.

G. Social Engineering and Insider Attacks

Social engineering attacks purporting to be from a known person or organization can be used to infiltrate a system. Often cyber security is focused on an outsider's attack, which makes sense, but equally probable and dangerous is an attack originating from within the trusted network, through a deliberate or unintentional omission, or sabotage.

The attack in 2000 on a sewage control system in Queensland, Australia [10], [42], causing flooding with a million litres of sewage, was an act of a disgruntled employee. Stuxnet infiltrated the network [10], [16] mainly through USB

H. Backdoors

The Stuxnet [43] worm exploited system vulnerabilities to attack a PLC in Iran's uranium enrichment program in 2010. It exploited an administrative backdoor, which can be used to access a system remotely, and generally the presence of such a backdoor on a system is known to the system maker only. Such coded backdoor passwords, which can be used to exploit a system remotely, are not uncommon [19], [44]. Such malpractice could also take place without the knowledge of a SCADA vendor, as increasingly the product is assembled from components manufactured in facilities across the globe [19].

I. Integral Protection

With cyber security awareness coming into prominence, SCADA manufacturers also provide and emphasize security in their products. These features provide encryption and security mechanisms such as Kerberos and a multiplexing proxy. Activating these in a project can make an intruder's task difficult. SCADA systems also provide other built-in mechanisms such as User Groups, Historian, Encryption and Redundant Servers.


SCADA systems are not only complex but have many system interdependencies, which makes it difficult for them to be tested for cyber defence. The production systems are required to provide a continuous and reliable service and, depending on the monitored process, even small delays are intolerable. As such the systems cannot be taken out of service for vulnerability checks, and they are also very costly and hard to duplicate.

Simulation and modelling techniques are useful to model and test complex systems. Development of realistic models helps to create scenarios that do not yet exist or would be very costly to build. A model also makes it easier to quickly change parameters to suit another scenario or configuration.

Simulation and modelling techniques are used advantageously to evaluate and probe the defence of SCADA systems. A summary is provided in Tables I and II.

A. Simulation Frameworks

Simulation frameworks are needed to model all aspects of the SCADA system using simulators and emulators. Generally a network simulator such as OMNeT++ is used for network modelling and Simulink/MATLAB is used to simulate the process control. A framework in general also provides the facility to integrate the various simulators to realistically represent the system as a whole.

1) High Level Architecture (HLA)

HLA is a simulation integration platform designed by the Department of Defence (DoD) [45] that can be used to integrate simulators. This concept was chosen as no single simulation can meet all the requirements. An individual simulation or a set of simulations can be applied across different uses under the HLA federation concept. A federation means a set of interacting simulations, with each simulation termed a federate. The federates must allow exchange of data through the Runtime Infrastructure (RTI).

HLA, which is a co-simulation environment, has been used by researchers to design simulations using OMNeT++ and MATLAB, for example.

Chabuksawar et al. [46] used Command and Control (C2) WindTunnel as a simulation framework (based on HLA) [47] to simulate a plant, its controller and the interconnecting network. The objective was to simulate network security attacks using this framework, which requires a domain-specific modelling language for defining integration models. The SCADA system was a simplified version of the Tennessee Eastman Control challenge problem [48]. DDoS attacks were simulated on the routers, concluding a proof of concept

2) SCADASiM

An integrated framework for control system simulation, SCADASiM, is presented by Mahoney and Gandhi in [9]. A system can be modelled and simulated at different levels of abstraction commensurate with the problem at hand. The modelling notation is Autonomous Component Architectures (ACA), which allows components to be modelled at simulation runtime. The authors proposed a new language, Autonomous Component based policy Description Language for Anomaly monitoring in Control Systems (ADACS), that was used for monitoring regulatory compliance.

3) SCADASim

Queiroz et al. [49] present a framework for building SCADA system simulations. Additionally it can be used to create malicious attacks against SCADA systems. The framework can be extended by SCADASim users to add their own protocols, as there are too many protocols to cover. The framework is built on top of OMNeT++. Details of DoS and spoofing attack simulation are provided in the paper.

4) Co-simulation Framework

A co-simulation framework is proposed by Bytschkow et al. [50] using the Common Information Model (CIM) as an intermediate model. It uses the approach of federation, enabling both simulation and deriving possible impacts. The co-simulation framework is constructed using SCADA, CIM,
5) Emulation Framework

A framework for emulation-based security analysis using Emulab and Simulink is proposed by Genge et al. [6] that can be used to measure the impact of attacks against both the physical and cyber parts of systems. The authors' proposed framework extends Emulab to incorporate additional features required for cyber physical security analysis. The architecture comprises a cyber layer, a physical layer, and a cyber physical link layer. The authors provide a feature-based, cost-based and experimental scenario-based comparison to other frameworks reported in the literature and contend their approach to be better. The authors provide two case studies from the electrical and chemical domains. The first studies the effect of Stuxnet on a Boiling Water power plant, showing that the proposed framework can be used to recreate a scenario with complex malware. The second studies the effect of network parameters on a cyber attack targeting a chemical process, showing that in cyber attacks where the attacker communicates with PLCs, communications delays and packet losses have little effect.

6) Integration Framework

An integration framework has been proposed by Novak et al. [51] that advocates semantic and technical integration of simulation models into SCADA systems. The authors contend that simulations cannot be developed without access to online and historical data and thus propose a platform for integration of simulations and SCADA. It reduces design-time errors (for simulation) and improves re-configurability and reuse. Two case studies are provided: the design of simulation models for passive houses, and an application allowing the management and execution of simulations.

7) Real-time monitoring, Anomaly detection, Impact analysis, and Mitigation strategies (RAIM)

The SCADA security framework proposed by Ten et al. [52] comprises real-time monitoring, anomaly detection, impact analysis, and mitigation strategies (RAIM). Real-time monitoring can utilise the data for real-time control functions. Anomaly detection and impact analysis can be done through monitoring and correlating the system logs. The output is ranked as varying degrees of risk, based on which mitigation actions can be taken.
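The plain-text, unauthenticated framing described under Communication Protocols (Section D) and the monitor, detect, rank and mitigate loop of RAIM above, as an added Python example that is not from the paper: it decodes constructed Modbus/TCP requests, flags those that violate a simple site policy (an allow-list of master hosts and an accepted setpoint range, both hypothetical), ranks them by risk and attaches a mitigation. The host addresses, register 0x0010 and its limits are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Modbus/TCP MBAP header: transaction id (2 bytes), protocol id (2, always 0), remaining
# length (2), unit id (1). Nothing in the frame identifies or authenticates the sender.
MBAP = struct.Struct(">HHHB")
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}


@dataclass
class Request:
    src: str                # sender address as observed on the wire
    unit_id: int
    function: int
    address: Optional[int]  # first coil/register the request addresses
    operand: Optional[int]  # quantity for reads, value for single writes

@dataclass
class Finding:
    src: str
    risk: str               # "high", "medium" or "low"
    reason: str
    mitigation: str


def build_request(src: str, unit_id: int, function: int,
                  address: int, operand: int) -> Tuple[str, bytes]:
    """Construct a (src, frame) pair for a fixed-size request (sample traffic only)."""
    pdu = struct.pack(">BHH", function, address, operand)
    return src, MBAP.pack(1, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(src: str, frame: bytes) -> Request:
    """Decode the MBAP header and the common 5-byte PDU shape (function, address, operand)."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, unit_id = MBAP.unpack_from(frame)
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or length field inconsistent with frame")
    address = operand = None
    if len(frame) >= MBAP.size + 5:
        address, operand = struct.unpack_from(">HH", frame, MBAP.size + 1)
    return Request(src, unit_id, frame[MBAP.size], address, operand)


def assess(traffic: List[Tuple[str, bytes]], masters: frozenset,
           limits: Dict[int, Tuple[int, int]]) -> List[Finding]:
    """Monitor -> detect -> rank impact -> suggest mitigation, one frame at a time.
    `masters` are hosts allowed to command the PLC; `limits` is the accepted range per register."""
    findings: List[Finding] = []
    for src, frame in traffic:
        try:
            req = parse_request(src, frame)
        except ValueError as exc:
            findings.append(Finding(src, "medium", f"malformed frame: {exc}",
                                    "drop at the DMZ firewall and inspect the sender"))
            continue
        trusted = src in masters
        if req.function in WRITE_FUNCTIONS and not trusted:
            # The PLC would execute this as-is; only network policy can stop it.
            findings.append(Finding(src, "high", f"{WRITE_FUNCTIONS[req.function]} from non-master host",
                                    "block source at the ACL, isolate field segment, verify PLC state"))
        elif req.function == 6 and req.operand is not None:
            lo, hi = limits.get(req.address, (0, 0xFFFF))
            if not lo <= req.operand <= hi:
                findings.append(Finding(src, "medium", f"setpoint {req.operand} outside {lo}-{hi} for register {req.address}",
                                        "hold the write for operator confirmation on the HMI"))
        elif req.function in READ_FUNCTIONS and not trusted:
            findings.append(Finding(src, "low", f"{READ_FUNCTIONS[req.function]} from non-master host",
                                    "review ACLs between corporate and control zones"))
    return findings


# Constructed sample traffic: one legitimate master (10.1.0.5) and one stray host.
SAMPLE_TRAFFIC = [
    build_request("10.1.0.5", 1, 3, 0x0010, 2),     # master reads two holding registers
    build_request("10.1.0.5", 1, 6, 0x0010, 850),   # master writes an in-range setpoint
    build_request("10.1.0.5", 1, 6, 0x0010, 1400),  # master writes an out-of-range setpoint
    build_request("10.9.9.23", 1, 6, 0x0010, 0),    # stray host writes the setpoint
    build_request("10.9.9.23", 1, 3, 0x0000, 8),    # stray host sweeps registers
    ("10.9.9.23", b"\x00\x01\x00\x00\x00\x06\x01"),  # truncated frame
]
MASTERS = frozenset({"10.1.0.5"})
SAFE_LIMITS = {0x0010: (200, 1200)}
```

Calling `assess(SAMPLE_TRAFFIC, MASTERS, SAFE_LIMITS)` yields four findings (medium, high, low, medium); the two legitimate master requests produce none, which is the point: the protocol cannot tell the trusted and stray writes apart, only the policy layer can.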

B. Test Beds

A test bed is a platform used to test systems or technologies where the actual system cannot be endangered by testing due to unintended consequences, for example, checking the effects of patch application and the response to malware. A test bed must capture the essence of the system under test for it to be useful. The facility can also be shared to save cost or share knowledge. Test bed creation is also recommended in [2]. Although some test beds have been developed by large organisations, generally access is restricted to affiliated researchers only [53]. Unlike a simulation environment, which is fully contained in software, a test bed uses hardware, simulated and emulated devices. A survey of test beds in software and hardware is provided in [53].

Test beds could be realised [54] as simple simulation based (TrueTime), federated simulation (several dedicated simulation federates for plant, network etc., such as HLA) or emulation/implementation based (real hardware or an emulator such as EmuLab).

1) National SCADA Test Bed (NSTB)

The Department of Energy, US, has established a National SCADA Test Bed [55] that aims to provide testing, research and training facilities to help improve the security of control systems. However, free access for academia and industry is not available. Thus, many researchers have developed test beds to investigate some element of security.

2) TRUST

An experimental simulation test bed, TRUST-SCADA [56], was aimed at assessing and addressing vulnerabilities, and at providing an open-source design for a flexible test bed. DoD/HLA was chosen as the integration platform for the plant model (Simulink/Stateflow), the network model (OMNeT++, NS2, OPNET) and the controller (Simulink/Stateflow)
