Analysis of SCADA System Vulnerabilities To DDoS Attacks

Jasna D. Markovic-Petrovic¹, Mirjana D. Stojanovic²

Abstract – Several factors have contributed to the escalation of risks specific to novel control systems, including the network architecture, adoption of standardized technologies with known vulnerabilities and connectivity of control systems to other networks. This paper considers SCADA (Supervisory Control And Data Acquisition) system vulnerabilities as well as securing the infrastructure of power utility information-telecommunication systems. We first present a concept of SCADA architecture in the hydropower plants. The simulation model assumes a Distributed Denial of Service (DDoS) attack on the SCADA system. A comprehensive simulation points to SCADA performance deterioration under DDoS attack. Possible security solutions have also been discussed.

Keywords – Network security, Distributed Denial of Service, SCADA, Simulation.

I. INTRODUCTION

The important role of the electric power system raises the need for a modern telecommunication network that will fully meet the requirements of such companies. This system has to provide availability of correct and timely information in order to plan production, efficient utilization of energy resources, remote controlling of facilities for production, transmission and distribution of electric power, reporting and successful operation of the electric power system.

The architecture of modern ICT (Information and Communications Technology) networks for utilities assumes connectivity between a corporate and the SCADA system network. The design of these networks should enable provisioning of operating and corporate telecommunications services along with meeting a certain number of technical requirements and features. Operating services include: remote control, teleprotection, operating telephony and operating video. All of these are directly or indirectly connected with the technological procedure of power generation in electric power systems. Due to their significance, strict requirements for reliability, availability and delay have been defined for these services [1]. Operating services do not generate variable and unpredictable intensity of traffic. Corporate services are transfer of corporate data, telephony and multimedia services. Requirements such as delay, reliability and availability are far less strict, while the dominant one is the requirement for enough network bandwidth.

Advanced ICT networks for utilities assume that the Internet Protocol (IP) technology is used to integrate both operating and corporate telecommunication services. Such networks may have a number of vulnerabilities and weaknesses that are known to malicious users. A starting point for securing these networks is to analyze different kinds of attacks and their consequences to network performance. Four basic categories of attacks on the information system infrastructure have been identified in [2]: (1) DNS (Domain Name System) hacking; (2) routing table poisoning; (3) packet mistreatment and (4) Denial of Service – DoS. Several attacks on industrial control systems have been noted worldwide, such as the attacks on the ICT systems in power generation [3], [4]. Security management is a continuous process, which needs to provide safe access to information and resources. The network requires: securing the confidentiality and integrity of information, user authentication, access control, service availability and non-repudiation. Network security consists of prevention, detection and reaction to the attack. Security management assumes defining a set of policies and choosing the corresponding security mechanisms. These activities are a constituent part of the risk management process. The basic steps are value and criticality analysis, vulnerability analysis, threat identification, risk analysis, risk assessment, security safeguards selection and implementation, development of contingency plans, and effectiveness reviews [5].

The objective of this paper is to provide the analysis of the SCADA system vulnerability, particularly regarding DDoS attacks. For that purpose, comprehensive simulations have been carried out, assuming a typical IP-based SCADA system architecture within a power plant. Directions towards SCADA security solutions have also been outlined.

II. SCADA SYSTEMS VULNERABILITIES

The peculiarity of the ICT system in a power utility is the integrated system for remote control and management of power facilities, where SCADA is also included. Fig. 1 shows the “rings of defence” of the corporate and SCADA networks. Attacks on the SCADA system can be external, via the Internet through the corporate network, or internal, which can influence the SCADA system from the corporate network or from within the SCADA system at the RTU (Remote Terminal Unit) level or the application level. The development of a corresponding security strategy includes an analysis of multiple layers of the corporate network and the SCADA system architecture (this includes firewalls, proxy servers, operating systems, applications, communications, policies and security procedures) [6].

¹ Jasna D. Markovic-Petrovic is with the CE Djerdap HPP Ltd., Kralj.Marka 2, Negotin, Serbia, E-mail: [email protected]
² Mirjana D. Stojanovic is with the Faculty of Transport and Traffic Engineering, University of Belgrade, Vojvode Stepe 305, Belgrade, Serbia, E-mail: [email protected]

978-1-4799-0902-5/13/$31.00 ©2013 IEEE 591

Authorized licensed use limited to: ULAKBIM UASL - Bogazici Universitesi. Downloaded on March 20,2022 at 22:37:45 UTC from IEEE Xplore. Restrictions apply.
Fig. 1. Relationship between corporate and SCADA networks

Remote control is an adopted approach of monitoring generation and working parameters in power plants. The SCADA system provides timely and accurate information on the process and condition of power facilities, which contributes to efficient, reliable and safe control and management as well as to optimisation of the production process, transmission and distribution of power. This service is characterised by transmission of data in real time. In general, the SCADA system consists of three hierarchical layers: (1) the process level; (2) the communication system and (3) the central system [6], [7]. Fig. 2 shows a schematic conception of the SCADA system architecture in a selected power plant.

Fig. 2. SCADA block diagram

Advanced ICT networks, which are implemented in the SCADA systems, differ from the initial dedicated networks due to the possibility of integration in the corporate network. The tendency to set up a unique communication infrastructure for transmission of different types of data has led to the breakthrough of the Ethernet and TCP/IP technologies into the SCADA systems. These technologies enable access to the SCADA systems data through Web browsers. This way the data are available even to users who are not located within the local computer network and do not own any SCADA software. The use of the mentioned open standards causes vulnerability of the SCADA system [6].

Over the last decade there have been several successful attacks on industrial control systems worldwide. There has been an increase in the SCADA system vulnerability due to: (1) the adoption of standardised technologies with known vulnerabilities; (2) connectivity of control systems to other networks; (3) constraints on the use of existing security technologies and practices; (4) insecure remote connections and (5) widespread availability of technical information about control systems.

Malicious users use well-known weaknesses of the ICT system but also the specific vulnerabilities within the SCADA system security mechanisms, such as: (1) operating system vulnerabilities; (2) frequently neglected authentication; (3) remote access, which enables system configuration; (4) connectivity to other networks; (5) the use of wireless connections; (6) the absence of antivirus software, omitted for the sake of rational use of processor resources due to real-time operation; (7) the absence of any kind of Intrusion Detection System; (8) insufficient experience of employees and (9) insufficient physical security of places where SCADA system devices are located, which are quite often geographically dispersed and unattended.

III. SIMULATION AND RESULTS

We use the OPNET (Optimized Network Engineering Tool) IT Guru Academic Edition [8], which represents a virtual network environment for modelling, simulation and analysis of different network topologies. OPNET enables simulation of characteristics of the modelled network, statistical analysis as well as a graphic display of the obtained results.

The simulation is carried out via two scenarios: (1) a model without an attack on the network infrastructure and (2) a model during the DDoS attack. In the first scenario, the simulation model is created by defining a network topology and a traffic model under non-attack conditions. The second scenario is obtained by repeating the first one with the simulation traffic model extended by a traffic profile which simulates a DDoS attack, based on the intensity of the generated traffic and not on its content. In DDoS attacks, the attacker can generate traffic similar to legitimate traffic, which makes defence mechanisms more difficult. By using multiple sources the attack force becomes increased. A typical DDoS attack involves two phases [9]. In the first phase, the attacker uses vulnerabilities of the available systems and takes control over them, thus making them “zombies”. In the second phase, the attacker sends commands, thus giving instructions to attack the victim. The attacker spoofs the IP address of the traffic source, thus disabling identification of the attack source. The simulation model assumes that the malicious user has already taken control over the “zombie” network, which is located inside the corporate network connected to the Internet. In both scenarios the simulation lasts 150 seconds, while the DDoS attack in the 2nd scenario starts at the 100th second.

The network consists of two subnetworks. The first one represents the corporate network, while the second subnetwork includes nodes of the remote control system and power plant management. The SCADA system network is modelled without aggregation and is made up of a station part of the network, with servers and HMI (Human Machine Interface) computers for visualisation of the process, and a process part of the network, with remote stations for management of hydro aggregates and additional systems of the plant. SCADA servers have two network interfaces (the object is created by using Device Creator options). Fig. 3

shows a part of the topological model representing the system for control and management in the plant. The corporate network includes 50 clients, out of which 20 clients stand for the “zombie” network.

Fig. 3. Simulation model: Topology of the SCADA network

There are three streams of traffic in the simulation model: (1) within the network of systems for remote control and management; (2) between the corporate network and the SCADA systems and (3) the traffic resulting from DDoS attacks.

Three profiles, based on the FTP application (which uses the reliable transport service of the TCP protocol), are defined for SCADA traffic: (1) forwarding the measurement results from the facility towards the dispatcher centre (the event repeat time is a constant short period, while the amount of data follows a uniform distribution over smaller values); (2) the exchange of alarm signals and commands between the dispatcher centre and the facilities (generated traffic is based on the Poisson distribution); (3) the exchange of dispatcher reports between the SCADA systems (the repeat time is a constant longer period, while the amount of data follows a uniform distribution over larger files).

The other group of traffic features: (1) Web applications that help to obtain a visual display of the process and the needed reports on the corporate network clients; (2) transmission of data towards superior and other remote control centres and (3) access to servers for configuration purposes from the corporate network clients. The traffic is modelled by using standard applications (Database, FTP, Web) in seven different profiles.

The UDP flood option is selected for the DDoS attack, while malicious traffic has been modelled by using a user-defined application. For this purpose, a task has been defined by using the Task Configuration object, where the traffic flow exists only from the source towards the destination and is based on the UDP transport protocol. The target of the attack is the SCADA server.

The WFQ (Weighted Fair Queuing) packet scheduling discipline is applied at each node. The traffic in the user queue is classified in four priority classes according to the ToS (Type of Service) field value, while the remote control operating service is given the highest priority.

Such a simulation model offers possibilities of thorough analysis of network performances. The remote control service sets up certain requirements for performances. This is not a time-critical service, so a 1 s delay is permitted, but it does set up strict requirements for service availability, which needs to be higher than 99.98% [1].

Fig. 4 shows a graphic display of outgoing traffic on the router interface towards the SCADA network. The level of the victim’s processor utilization is depicted in Fig. 5. The graphics refer to the initial moment of the DDoS attack. The attack’s influence on the remote control operating service is depicted in Fig. 6, through the packets dropped from the corresponding queue. Fig. 7 illustrates the TCP packet delay on the SCADA server.

Fig. 4. SCADA network: Received traffic

Fig. 5. CPU utilization at the victim node

From the obtained results, we can conclude that a high intensity of the incoming malicious traffic has caused blockage of the victim SCADA server resources. This can be seen in the utilization of processor time, which is over 80%. At the moment the attack starts, due to congestion, packet dropping happens on the router interface towards the part of the network where the victim is located, so the level of dropped packets which belong to the traffic stream of the remote control operating service becomes increased and

comes to 3.6% in comparison to the total traffic in the highest priority queue. At the same time, the delay in processing the requests of legitimate traffic also increases.

Fig. 6. Highest priority queue: Traffic dropped

Fig. 7. TCP delay at the victim node

IV. POSSIBLE SOLUTIONS

At this time there is no comprehensive method of securing from the known forms of DDoS attacks. Possible security solutions can be listed as: (1) preventive, which are based on filtering with the aim of preventing the attacks; (2) reactive, whose aim is to identify the attacker when the attack has already begun and (3) mechanisms following the attack, which include the use of forensic analysis on the network [2]. We here give a brief overview of the main approaches in the area of information privacy; a detailed discussion can be found in [9], [10]. These approaches are of three types depending on their locality of deployment: victim-end, source-end and in-network approach. Detection approaches include statistical, soft-computing, clustering, knowledge-based and other data mining and machine learning methods.

Proper security and privacy have to become core requirements for any mechanism or application that is built. The education about privacy-enhancing technologies is an essential step in the roadmap towards security of the digital world. Another important step is to make such technologies easy to deploy and use. Security of the data will require that these data be encrypted, both at rest and in transit, and that strong authentication mechanisms be used. This means that the user further needs support in managing their cryptographic keys and credentials. An application should be designed so that only the minimal amount of information gets revealed to each party that is necessary for the party to perform its task. Data minimization should be done at the following layers: the network, the authentication and identities, and at last, the application layer.

V. CONCLUSION

The evolution of modern SCADA systems architecture has led to identifying a number of security issues over the last decade. There are no safe mechanisms of defence from DDoS attacks, so this kind of attack poses a serious threat to the infrastructure of advanced networks in power generation. The development of simulation models has provided the possibility of analysing the performances of remote control operating services in terms of DDoS attacks. The results of the simulation indicate a degradation of performances and lack of services of the remote control operating services. In a broad sense, the safety of control systems is of great significance due to their irreplaceable role in the economy. This is why this is a current field of research where concrete improved solutions of SCADA systems security are anticipated.

REFERENCES

[1] CIGRÉ Technical Brochures, “Integrated Service Networks for Utilities”, WGD2.07, 2004.
[2] A. Chakrabarti and G. Manimaran, “Internet Infrastructure Security: A Taxonomy”, IEEE Network, vol. 16, no. 6, November/December 2002, pp. 13-21.
[3] B. Zhu, A. Joseph, and S. Sastry, “Taxonomy of Cyber Attacks on SCADA Systems”, Proceedings of CPSCom 2011: The 4th IEEE International Conference on Cyber, Physical and Social Computing, Dalian, China, 2011.
[4] K. Barnes and B. Johnson, “Introduction to SCADA Protection and Vulnerabilities”, Technical Report INEEL/EXT-04-01710, Idaho National Engineering and Environmental Laboratory, Idaho Falls, Idaho, 2004.
[5] T. Tsiakis, “Information Security Expenditures: a Techno-Economic Analysis”, International Journal of Computer Science and Network Security, vol. 10, no. 4, April 2010, pp. 7-11.
[6] Technical Information Bulletin 04-1, “Supervisory Control and Data Acquisition (SCADA) Systems”, NCS TIB 04-1, Oct. 2004.
[7] R. L. Krutz, Securing SCADA Systems, Wiley, 2005.
[8] “OPNET IT Guru Academic Edition: A tool for networking education”, MSCIT Practicum Paper, Regis University [Online]. Available: http://www.opnet.com.
[9] T. Peng, C. Leckie and K. Ramamohanarao, “Survey of network-based defense mechanisms countering the DoS and DDoS problems”, ACM Computing Surveys, vol. 39, no. 1, Article 3, April 2007.
[10] J. Camenisch, “Information privacy?!”, Computer Networks, vol. 56, no. 18, Dec. 2012, pp. 3825-3833.
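Appended worked example, not part of the paper: the victim-end statistical detection outlined in Section IV, replayed over the Section III scenario (150 s run, attack from 20 corporate "zombie" clients starting at the 100th second, UDP flood aimed at the SCADA server). The paper's own results come from OPNET; here the per-second interface counters, the addresses, the packet rates and the 60 s training window are constructed assumptions.

```python
import random
import statistics
from collections import Counter

RUN_SECONDS = 150
ATTACK_START = 100                                # flood begins at the 100th second
CLIENTS = [f"10.1.0.{i}" for i in range(1, 51)]   # 50 corporate clients (constructed addresses)
ZOMBIES = CLIENTS[30:]                            # 20 of them form the "zombie" network


def build_counters(seed=7):
    """Constructed per-second Counters of UDP packets per source address, as a
    router interface towards the SCADA network would count them."""
    rng = random.Random(seed)
    legit = CLIENTS[:30]
    samples = []
    for t in range(RUN_SECONDS):
        per_src = Counter()
        for src in rng.sample(legit, 8):          # ordinary Web/FTP/Database background load
            per_src[src] += rng.randint(5, 20)
        if t >= ATTACK_START:                     # second attack phase: every zombie floods
            for z in ZOMBIES:
                per_src[z] += rng.randint(300, 500)
        samples.append(per_src)
    return samples


def baseline(samples, train_seconds=60):
    """Mean and standard deviation of total UDP packets/s over a window known
    to be attack-free (the paper's first, no-attack scenario)."""
    rates = [sum(s.values()) for s in samples[:train_seconds]]
    return statistics.mean(rates), statistics.pstdev(rates)


def detect(samples, k=6, top=5):
    """Flag the first second whose total rate exceeds the statistical threshold.
    Returns (onset_second, heaviest_sources, their_share) or (None, [], 0.0)."""
    mu, sigma = baseline(samples)
    # mean + k*sigma, but also demand a tripling of the baseline so that a very
    # quiet training window cannot make the detector trip on normal bursts
    threshold = max(mu + k * sigma, 3 * mu)
    for t, per_src in enumerate(samples):
        total = sum(per_src.values())
        if total > threshold:
            heavy = per_src.most_common(top)
            share = sum(n for _, n in heavy) / total
            # Attribution is a hint only: the paper notes the attacker spoofs
            # source addresses, so the rate anomaly itself is the primary signal.
            return t, [src for src, _ in heavy], round(share, 3)
    return None, [], 0.0


if __name__ == "__main__":
    onset, sources, share = detect(build_counters(), top=20)
    print(f"flood onset at t={onset}s; top sources carry {share:.0%} of packets")
```

Because the detector only sees packet rates on the interface towards the SCADA network, it complements rather than replaces the WFQ class separation from Section III: WFQ limits the damage, while this check tells the operator when the flood started.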
