A Survey on SCADA Systems: Secure Protocols, Incidents ... · Abstract—Supervisory Control and Data Acquisition (SCADA) systems are the underlying monitoring and control components

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/340453361

A Survey on SCADA Systems: Secure Protocols, Incidents, Threats, and Tactics

Article in IEEE Communications Surveys & Tutorials · April 2020

DOI: 10.1109/COMST.2020.2987688

CITATIONS

0READS

29

4 authors:

Some of the authors of this publication are also working on these related projects:

Partnership for addressing megatrends in ICT View project

SDN-microSENSE: SDN - microgrid reSilient Electrical eNergy SystEm (H2020-SU-DS-2018) View project

Dimitrios Pliatsios

University of Western Macedonia

8 PUBLICATIONS 14 CITATIONS

SEE PROFILE

Panagiotis G. Sarigiannidis

University of Western Macedonia


SEE PROFILE

Thomas Lagkas

International Hellenic University


SEE PROFILE

Antonios Sarigiannidis

Aristotle University of Thessaloniki


SEE PROFILE

All content following this page was uploaded by Panagiotis G. Sarigiannidis on 16 April 2020.

The user has requested enhancement of the downloaded file.

https://www.researchgate.net/publication/340453361_A_Survey_on_SCADA_Systems_Secure_Protocols_Incidents_Threats_and_Tactics?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_2&_esc=publicationCoverPdf

https://www.researchgate.net/publication/340453361_A_Survey_on_SCADA_Systems_Secure_Protocols_Incidents_Threats_and_Tactics?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_3&_esc=publicationCoverPdf

https://www.researchgate.net/project/Partnership-for-addressing-megatrends-in-ICT?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_9&_esc=publicationCoverPdf

https://www.researchgate.net/project/SDN-microSENSE-SDN-microgrid-reSilient-Electrical-eNergy-SystEm-H2020-SU-DS-2018?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_9&_esc=publicationCoverPdf

https://www.researchgate.net/?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_1&_esc=publicationCoverPdf

https://www.researchgate.net/profile/Dimitrios_Pliatsios?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_4&_esc=publicationCoverPdf


https://www.researchgate.net/institution/University_of_Western_Macedonia?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_6&_esc=publicationCoverPdf


https://www.researchgate.net/profile/Panagiotis_Sarigiannidis?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_4&_esc=publicationCoverPdf


https://www.researchgate.net/institution/University_of_Western_Macedonia?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_6&_esc=publicationCoverPdf


https://www.researchgate.net/profile/Thomas_Lagkas?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_4&_esc=publicationCoverPdf


https://www.researchgate.net/institution/International_Hellenic_University?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_6&_esc=publicationCoverPdf


https://www.researchgate.net/profile/Antonios_Sarigiannidis?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_4&_esc=publicationCoverPdf


https://www.researchgate.net/institution/Aristotle_University_of_Thessaloniki?enrichId=rgreq-501675d89df0e30fe43afbf40be763dc-XXX&enrichSource=Y292ZXJQYWdlOzM0MDQ1MzM2MTtBUzo4ODA4ODE4NDU2NzgwODBAMTU4NzAzMDAwNjE0Nw%3D%3D&el=1_x_6&_esc=publicationCoverPdf



This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/COMST.2020.2987688, IEEECommunications Surveys & Tutorials

IEEE COMMUNICATIONS SURVEYS & TUTORIALS 1

A Survey on SCADA Systems: Secure Protocols,Incidents, Threats and Tactics

Dimitrios Pliatsios, Member, IEEE, Panagiotis Sarigiannidis, Member, IEEE, Thomas Lagkas, SeniorMember, IEEE, and Antonios G. Sarigiannidis, Member, IEEE,

Abstract—Supervisory Control and Data Acquisition (SCADA)systems are the underlying monitoring and control componentsof critical infrastructures, such as power, telecommunication,transportation, pipelines, chemicals and manufacturing plants.Legacy SCADA systems operated on isolated networks, that madethem less exposed to Internet threats. However, the increasingconnection of SCADA systems to the Internet, as well as corporatenetworks, introduces severe security issues. Security considera-tions for SCADA systems are gaining higher attention, as thenumber of security incidents against these critical infrastructuresis increasing. In this survey, we provide an overview of thegeneral SCADA architecture, along with a detailed description ofthe SCADA communication protocols. Additionally, we discusscertain high-impact security incidents, objectives, and threats.Furthermore, we carry out an extensive review of the securityproposals and tactics that aim to secure SCADA systems. We alsodiscuss the state of SCADA system security. Finally, we presentthe current research trends and future advancements of SCADAsecurity.

Index Terms—SCADA, Cybersecurity, Protocols, Security,Smart Grid, Trends

I. INTRODUCTION

The facilities, systems, processes, networks, and services,that are crucial to the security, safety and economic

well-being of the people and organizations, are consideredas critical infrastructures. Such infrastructures include power,telecommunications, transportation, pipelines, chemicals andmanufacturing plants.

The Industrial Control Systems (ICSs) include both Super-visory Control and Data Acquisition (SCADA) systems andDistributed Control Systems (DCSs)/Process Control Systems(PCSs), as well as other control system configurations [1].In particular, SCADA systems are the underlying monitoringcomponents of many critical infrastructures, while DCSs/PCSsinterconnect the distributed sensors and actuators, and managethe control process. The ICSs enable real-time monitoring andcontrol of the process, by providing access to remote and localoperators through the Human-Machine Interfaces (HMIs).

A typical SCADA system is composed of a central con-troller, and a number of distributed field devices, such as sen-sors and actuators. The data exchange between the controllerand the field devices is enabled by certain communicationprotocols, that have been specifically developed for industrialapplications.

D. Pliatsios and P. Sarigiannidis are with the Department of Electrical andComputer Engineering, University of Western Macedonia, Kozani, Greece.

T. Lagkas is with with the Department of Computer Science, InternationalHellenic University, Kavala Campus, Greece.

A. Sarigiannidis is with Sidroco Holdings Ltd, Limassol, Cyprus.

Legacy SCADA systems operated on isolated networks thatmade them less exposed to Internet threats. In addition, thelimited availability of technical details regarding the utilizedprotocols increased the security of the systems. Nowadays,these networks are being interconnected to common networkssuch as the Internet, in order to leverage the robustness ofcommon network protocols, facilitate remote accessibility andreduce the capital and operating expenditure. However, the in-terconnection of SCADA systems with the Internet introducessevere security issues.

A cyber attack against a SCADA system can have devas-tating consequences. The continuous and reliable operation ofSCADA systems can have a crucial effect on public safetyand health. As a consequence, any security incidents on thesesystems may threaten public health and safety. For example,an attacker can compromise a SCADA system and shut downelectricity, gas, and water services, or destroy critical militaryinfrastructure.

A. Related Work and Contribution

There are several existing works that discuss and reviewthe current state of SCADA security. Igure et al. [2] providean overview of the security state in SCADA networks. Theauthors discussed the security threats and vulnerabilities incommon SCADA networks. They also presented the researchchallenges and discussed the ongoing work in several SCADAsecurity areas. The authors in [3] review research proposalsin the area of SCADA security and provide an overview ofthe vulnerabilities, risks and countermeasures. An overviewof smart grid communication technologies is provided in [4].In addition, the authors summarize the substantial securityrequirements of the smart grid communication infrastructure.The authors in [5] present a comprehensive survey of securityissues for the smart grid. Additionally, they present the securityrequirements, the vulnerabilities, and the potential counter-measures. Furthermore, they discuss the state-of-art securitysolutions and provide future research directions. Leszczyna etal. [6] provide an overview of ICS and carry out a surveyto identify the main concerns of ICS security, as well aspotential security solutions. Based on the survey findings,the authors provide recommendations for the protection ofICS [7]. The authors in [8] review SCADA standards andcommunication infrastructures, and discuss security issuesand solutions. Furthermore, they list several SCADA securityschemes. McLaughlin et al. [9] explore the ICS cyber securitylandscape. They review the vulnerability assessment process,




the emerging SCADA threats and discuss ICS testbeds forvulnerability analysis. The authors in [10] provide a compre-hensive survey of tools and techniques that assess the vulnera-bilities and evaluated the security of SCADA systems. Finally,Giraldo et al. [11] present a taxonomy of security surveysregarding cyber-physical systems. The presented taxonomy,classifies the reviewed surveys based on the application do-mains, security and privacy attacks, and counter measures. Asurvey of security in SCADA networks is provided in [12].The authors present the communication architecture, as wellas a classification of potential threats and attacks. In addition,various novel security schemes are categorized into detectionand prevention of SCADA attacks.

However, the aforementioned related works have certainshortcomings. The work in [2] lists the common SCADAprotocols, without describing their specifications. The worksin [4] and [5] only consider the communication infrastructurethat is used in the smart grid, while [3], [8], and [12] onlyprovide a description of the SCADA architecture, withoutpresenting details about the communication protocols. More-over, only a general description of security counter-measuresis provided. The work in [9] review the SCADA security ofeach layer, without considering specific protocol threats andcountermeasures. Finally, there are no previous surveys thatprovide an extensive description of common SCADA protocolspecifications, and a thorough and up-to-date review of theSCADA security measures.

Motivated by the aforementioned remarks, we present thissurvey aiming to address these shortcomings, provide furtherspecification and implementation details about a wide varietyof SCADA protocols, and offer an up-to-date analysis on thestate of SCADA security along with trends and advancements.Specifically, the following contributions are included in thissurvey:

• An overview of the general SCADA architecture and sup-ported communication protocols. Firstly, we present thegeneral SCADA architecture and its main components.Following, we list the well-known SCADA communica-tion protocols, along with their specifications, supportedtopologies, data rates, and packet structure.

• A discussion of SCADA security incidents, objectives,and threats. We report certain incidents that had a signif-icant impact in order to show the importance of securityin the SCADA systems. Then, we present the securityobjectives of a SCADA system and describe commonattack types against those systems. We also provide adescription of SCADA testbeds, that have been developedto assist security researchers.

• A thorough review of the security proposals that aimto secure SCADA systems. We have categorized thereviewed proposals into four groups based on the utilizedSCADA protocol. We also list the proposed approachesand methodologies, the challenges that the authors ad-dressed and the evaluation results.

• A presentation of the research trends and advancements ofthe SCADA security. Those trends include novel SCADAprotocols, that are being designed to support the require-ments of the emerging Industry 4.0, the integration of the

Internet of Things concept, the leverage of virtualizationtechnologies such as Software Defined Networking andNetwork Function Virtualization, the leverage of Big Dataanalytics in securing SCADA systems, and finally, theadoption of a SCADA cyber hygiene framework.

The rest of the paper is organized as follows. Section IIpresents the general architecture of a SCADA network andbriefly describes its main components. Moreover, it provides adetailed overview of commonly used SCADA communicationprotocols and their specifications. In Section III, we reportcertain well-known SCADA security incidents, we discuss thesecurity issues of SCADA networks, describe the commonattacks against SCADA systems, and review the SCADAsecurity testbeds. Section IV provides a thorough reviewof security proposals based on SCADA protocols, such asModbus, DNP3, and Profinet. Furthermore, a discussion aboutthe state of SCADA security is provided. Section V discussesthe survivability and resilience of SCADA systems in presenceof cyber and physical threats. In Section VI we provide futuretrends and advancements in SCADA systems and we concludethis paper in Section VII.

II. SCADA SYSTEMS

A. Architecture

SCADA systems are extensively used in industrial applica-tions to control and monitor the process systems. As shownin Fig. 1, a typical SCADA system consists of the followingcomponents:

The Operator, who is responsible for monitoring the sys-tem, addressing alerts and performing the necessary controloperations. The operator can be located in the premises of theorganization or he can access the system remotely through theInternet.

The HMI, which facilitates the interaction between theoperator and the SCADA system. The HMI collects informa-tion from the Master Terminal Unit and translates the controlcommands appropriately.

The organization’s Intranet, that consists of computational,networking, and storage components located within the orga-nization. It facilitates the operation of the system by runninganalytics on the data collected from field devices.

The Master Terminal Unit (MTU), which is responsiblefor gathering data from remote terminals, transmitting themto the HMI, and sending control signals. It also provides thehigh-level control logic for the system.

The Remote Terminal Units (RTU), which exchange dataand commands with the MTU and the send specified controlsignals to the field devices.

The Field Devices, which are distributed across the orga-nization and consist of devices that monitor and control theindustrial process. For example, a number of sensors is usedto gather data, while actuators perform the control actions.

In order to realize continuous, reliable and efficient com-munication between the aforementioned SCADA components,certain communication protocols have been devised. Thoseprotocols take into account the processing capabilities ofthe components and the communication requirements of the




Internet

Master Terminal

Unit

Remote Terminal

Unit

Field Devices

Remote Terminal

Unit

Remote Operator

Data StorageData Analytics Data StorageData Analytics

Intranet

OperatorHuman Machine

Interface

Fig. 1. SCADA System Architecture

industrial applications. The rest of the section provides anoverview of the well-known protocols, along with technicalspecifications such as supported topologies, data rates, packetstructure, and network layer technologies. Table I providesa summary of the protocol specifications that are describedin this section. The Network Infrastructure column showsthe underlying communication technology that each protocoluses, while each of the supported topologies are listed in theTopologies column. The Data Rates and Maximum Distancecolumns list the supported data rates and the maximum devicedistance from its controller, respectively.

B. Fieldbus-based Protocols

Fieldbus is a network system for real-time distributed con-trol in industrial applications. It enables the connection offield devices such as sensors, motors, and actuators, withtheir associated controllers. Fieldbuses differ according tothe topology, the transmission medium, and the transmissionprotocols. They also differ in regard to the maximum cablelength and the maximum data size per telegram.

Fieldbus offers certain advantages compared to parallelwiring. As it uses a single cable running through all devices,the networks can be designed and deployed more quickly. Theshort path between the devices increases the availability andreliability of the network. The use of standardized protocolsenables the connection of equipment of different manufactur-ers. Finally, the network can be easily modified and extended,in order to adapt to future requirements.

BITBUS is an open implementation of the Fieldbus pro-tocol. It can extend up to 1200 meters, while the supporteddata rates are 62.5 Kbps, 365 Kbps, and 1.5 Mbps, dependingon the distance. The interconnection is based on RS485specification, using twisted pairs cable. BITBUS is based onthe bus topology, where a maximum of 28 nodes can beconnected in a bus segment. The number of nodes can beextended up to 250, by using repeaters and decreasing the datarate. Each device is assigned a unique address in the form ofa number ranging from 1 to 249. The address 255 is reservedas the broadcast address.

Fig. 2 presents the structure of a BITBUS message, whichis encapsulated in a Synchronous Data Link Control (SDLC)frame. The frame starts with 16-bit preamble along with aunique Opening flag (1 byte). The Address field (1-2 bytes)contains the recipient of the message, while the Control field(1-2 bytes) determines the type of the frame. The lengthfield specifies the size of the message, while the MT, SE,DE, and TR fields are reserved for routing information. Thenode address ranges from 1-249 and specifies the destinationnode. The Source and Destination Tasks identify the task thathas generated the command and the reply respectively. TheCommand/Response field contains the command that has tobe executed. The Data Field has a variable length from 0 to248 bytes. Finally, two CRC fields and a Closing flag areappended by the SDLC frame

PreambleOpening

FlagAddress Control BITBUS Message CRC-1 CRC-2

Closing

Flag

Length Control Flags Reserved

1 byte

2 bytes 2 bytes 2 bytes 2 bytes 2 bytes 2 bytes 2 bytes 10 - 256 bytes

2 bytes

Node

Address

Source

Task

Destination

Task

Command/

Response

1 byte 2 bytes 1 byte 1 byte 2 bytes0 - 248 bytes

Data Field

Synchronous Data Link Control Frame

Fig. 2. BITBUS Frame Structure

Foundation Fieldbus H1 [13] is a bi-directional communi-cations protocol used for communications among field devicesand the control system. Each communication point of thecontroller can connect with up to 32 nodes using either twistedpair or fiber. The data rate is fixed to 31.25 Kbps and themaximum distance between the master and a slave is 1900meters. Using up to 4 repeaters the distance can be extendedto 9500 meters. Each device is assigned an address in theform of a number ranging from 1 to 255. The protocol doesnot support broadcasting functionalities.

The supported topologies are shown in Fig. 3. A LinkingDevice acts as an interface between the host and the fielddevices. Different topologies can be realized, such as Point-to-Point, Bus with Spurs, Daisy Chain and Tree. In the Point-to-Point topology, each field device is connected directly tothe Linking Device. The Bus with Spurs topology uses asingle bus to which the field devices are connected. In theDaisy Chain topology, the field devices are connected in serieswith each other. In the Tree topology, a Junction Box is usedas a concentrator, where several field devices connect to it.After concentrating the data from the devices the junction boxforwards them to the Linking Device.




TABLE ISCADA COMMUNICATION PROTOCOLS

Protocol Network Infrastructure Topologies Data Rates Maximum Distance

BITBUS Fieldbus Bus 62.5 Kbps, 375 Kbps,1.5 Mbps

1200m

DC-BUS 2-wire cable Line 115.2 Kbps up to 1.3Mbps

100 km

Distributed Network Protocol 3 Ethernet Line, Peer-to-Peer 100 Mbps, 1 Gbps 100mEtherCAT Ethernet Ring, Line, Daisy-chain 100 Mbps 100mEthernet Powerlink Ethernet Tree, Line, Star, Peer-to-

Peer100 Mbps 100m

Foundation Fieldbus H1 Fieldbus Point-to-point, Bus withSpur, Daisy-chain, Tree

31.25 Kbps 1900 m without repeater,9500 m with up to 4 re-peaters

Foundation HSE Ethernet Tree, Line, Star, Peer-to-Peer

100 Mbps 100m

HART 2-wire cable Point-to-point, Multi-drop 1.2 Kbps 3 kmIEC 60870 Serial, Ethernet Ring, Tree, Line, Star N/A N/AIEC 61850 Ethernet Ring, Tree, Line, Star N/A 100mModbus Serial, Ethernet Line, Star, Ring, Mesh

(MB+)100 Mbps, 1 Gbps N/A

PROFIBUS Fieldbus Point-to-point, Bus withspur, Daisy-chain, Tree

9.6 Kbps to 12 Mbps 100 to 1200m, 15km foroptical channel

PROFINET Ethernet Ring, Tree, Line, Star 100 Mbps, 1 Gbps 100mRAPIEnet Ethernet Line, Ring 100 Mbps 100mSERCOS III Ethernet Line, Ring 100 Mbps, 1 Gbps N/AUnitronics PCOM Serial, Ethernet Ring, Line, Star 100 Mbps 100mWorldFIP Fieldbus Bus 31.25 Kbps, 1 Mbps,

2.5 Mbps, 5 Mbps1km

Linking Device

Junction Box

Host

Point to Point Bus with Spur Daisy Chain Tree

Fig. 3. Foundation Fieldbus H1 Topologies

Foundation Fieldbus H1 supports three communicationmethods. The Publisher/Subscriber method is used for contin-uous, real-time data acquisition and it is scheduled at specifictime intervals. The Client/Server method is mainly used whenthe operator accesses a specific device to modify variables,manages alarms and runs diagnostics. The Report Distributionmethod is used for alarms.

The five-layer architecture and packet structure of the Field-bus Foundation H1 are shown in Fig.4. The Data from the UserApplication Layer are encapsulated with a Fieldbus Message

Specification (FMS) Protocol Control Information Field, inorder to form a FMS Protocol Data Unit (PDU). Similarly, theFMS PDU is encapsulated with the Fieldbus Access Sublayer(FAS) PCI to form the FAS PDU. The Data Link Layer (DLL)PCI and Frame Check Sequence fields encapsulate the FASPDU, in order to form the DLL PDU. Finally, the DLL PDU isencapsulated with the Physical Layer fields, namely Preamble,Start Delimiter, and End Delimiter.

Fieldbus Message Specification

(FMS)

Fieldbus Access Sublayer (FAS)

Data Link Layer (DLL)

Physical Layer

0 – 251 bytes

User DataFMS

PCI

User Data

4 bytes

FMS PDUFAS

PCI

FAS PDUDLL

PCI

Frame Check

Sequence

DLL PDUPreambleStart

Delimiter

End

Delimiter

1 byte

5 – 15

bytes 2 bytes

1 byte 1 byte 1 byte8 – 273 bytes

PCI = Protocol Control

Information

PDU = Protocol Data Unit

User Application

Fig. 4. Fieldbus Foundation H1 Network Stack

PROFIBUS [14] is a Fieldbus-based industrial commu-nication protocol, that was developed by PROFIBUS &




PROFINET International. PROFIBUS specifies the Applica-tion, Data Link and Physical layers of the Open SystemsInterconnection (OSI) model. In the Application layer, threeservice levels are defined. The first level provides the basiccyclic exchange of data and diagnostics. The second levelprovides acyclic data exchange and alarm handling, while thethird level provides interval and broadcast data exchange. TheData Link layer provides a hybrid access method, combiningtoken passing and master-slave schemes, is used for thetransmission control. Finally, the Physical layer transmits thebits using twisted pair cables or fiber optics.

As shown in Fig. 5, the five telegrams are used for transmis-sion control. The Start and End Delimiters mark the beginningand end of the telegram respectively. The Destination andSource Addresses are numbers ranging from 1 to 126, whilethe address 127 is used for broadcast addressing. The FunctionCode is used to select the function to be executed, while theFrame Check Sequence is used to check the integrity of thetelegram. The application data are stored in the PDU fieldwhich has either variable or fixed length.

Start

Delimiter

Destination

Address

Source

Address

Function

Code

Frame

Check

Sequence

End

Delimiter

1 byte 1 byte 1 byte 1 byte 1 byte 1 byte

Start

Delimiter

Length

Information

1 byte 2 bytes 1 byte

Start

Delimiter

Destination

Address

Function

Code

1 byte 1 byte 1 byte

Frame

Check

Sequence

1-246

bytes 1 byte

End

Delimiter

1 byte

Protocol

Data Unit

1 byte

Start

Delimiter

Destination

Address

Source

Address

Function

Code


Frame

Check

Sequence

8 bytes 1 byte

End

Delimiter

1 byte

Protocol

Data Unit

1 byte

Start

Delimiter

Destination

Address

Source

Address

1 byte 1 byte

1 byte

Start

Delimiter

No Data Field

Variable Data Length

Fixed Data Length

Token Telegram

Short Confirmation

Source

Address

Fig. 5. Profibus Telegram Structure

WorldFIP [15] is a Fieldbus network protocol designedto link SCADA devices and controllers. WorldFIP can beused in both synchronous and asynchronous applications. Itspecifies the application, the data link, and the physical layer.The physical layer relies on the bus topology and allows fourtransmission speeds, namely 31.25 Kbps, 1 Mbps, 2.5 Mbps,and 5 Mbps. The maximum wire length per segment is 1kmand up to 64 nodes can be connected to it.

The structure of the WorldFIP frame is illustrated in Fig. 6.The Frame Start Sequence (FSS) marks the beginning, whilethe Frame End Sequence (FES) marks the end of the framerespectively. The Control field indicates the type of the frame.The Destination and Source addresses are 24-bit numbers, thatare used to identify the devices, while broadcast addressing isnot supported. Finally, the integrity of the frame is verifiedusing the Frame Check Sequence (FCS).

C. Ethernet-based Protocols

Ethernet [16] is one of the most acclaimed networking tech-nologies. The ubiquity, cost efficiency and high flexibility ofEthernet are urging many industrial communication protocols

FSS ControlSource

Address

Destination

AddressMessage FCS FES

2 bytes 1 byte 3 bytes 3 bytes Max 256 Bytes 2 bytes 1 byte

FSS Control Data FCS FES

2 bytes 1 byte Max 128 Bytes 2 bytes 1 byte

FSS Control Identifier FCS FES

2 bytes 1 byte 2 bytes 2 bytes 1 byte

ID_DAT

RP_DAT

RP_MSG

Application Layer

Data Link Layer

Physical Layer

Fig. 6. WorldFIP Frame Structure

to incorporate it into their solutions. To satisfy the very lowlatency requirement of industrial applications, the IndustrialEthernet standard was developed which utilizes a modifiedMedia Access Control (MAC) layer.

Industrial Ethernet offers significant advantages over othertypes of industrial networks. It offers extremely increasedspeed compared to legacy serial communications, leveragingthe capacities of Cat5e/Cat6 cables and optical fiber. Moreover,the error detection and correction functionalities of the Ether-net allow for increased connection distances. The ubiquity ofthe Ethernet enables the use of common network equipmentsuch as access points, switches, and routers. In spite of themodified MAC layer, the conventional MAC addresses canbe used for identifying the devices. In addition, the MACbroadcast address (FF:FF:FF:FF:FF:FF) can be used to sendbroadcast packets to all the devices of the network. Finally,Ethernet has the capability to form peer-to-peer architectures,which will replace the legacy master-slave ones.

The Distributed Network Protocol 3 (DNP3) [17] enablescommunication between components in process automationsystems. It was developed for facilitating data exchangebetween various monitoring and control devices. It has acrucial role in SCADA systems, as it facilitates communica-tions between Master Stations, RTUs and IEDs. The originalprotocol used a slow serial interface, but the latest versionssupport TCP/IP-based operation, which improves its morerobustness, efficiency, and interoperability, at the cost of higherimplementation complexity.

Fig. 7 shows the DNP3 layers within the OSI model. TheApplication layer organizes the transmitted data in fragments,which is a block of bytes that contains request or responsedata. Fig. 8 illustrates the structure of the DNP3 Fragment. Theheader starts with the Application Control field that containsinformation on how to construct and reassemble multiplefragments. The Function Code field specifies how the fragmentshould be processed by the receiver. The Response headercontains an additional field named Internal Indications. Fol-lowing the Application Request/Response Header, a numberof DNP3 objects are, along with their associated headers areincluded into the fragment. They provide supplementary datathat are required to complete the operation. In the Requestfragment, only the DNP3 headers are included, as the masterdoes not send any data. The Response fragment contains thesame DNP3 headers followed by the associated DNP3 objects,which contain the data. The object header contains informationon the data types and values, such as analog input value, binaryevent value, counter and time values.




User Layer

DNP3 Application Layer

Transport Function

DNP3 Data Link Layer

Physical Layer

Fig. 7. DNP3 Network Stack

1 byte 2 bytes1 byteInternal

Indications

Application

ControlFunction Code

First Object

Header

First DNP3

Object

Last Object

Header

Last DNP3

Object

Application Response

Fragment

1 byte 1 byteApplication

ControlFunction Code

First Object

Header

First DNP3

Object

Last Object

Header

Last DNP3

Object

Application Request

Fragment

Fig. 8. DNP3 Fragment Structure

The Transport Function is considered a sublayer of theApplication layer that fits above the Data Link layer. Thesize of the DNP3 Application layer fragment may be largerthan the size of the Data Link frame. The Transport Functionis responsible for breaking the fragments into segments. ATransport segment (Fig. 9) is composed of the header andthe application data. The header is composed of the FINand FIR fields, which indicate whether it is the final or firstfragment respectively, and the Sequence field, which is usedto differentiate subsequent fragments.

1 bit

Application Layer DataFIN FIR Sequence

1 bit 6 bits 1 – 249 bytes

Fig. 9. DNP3 Transport Segment Structure

Finally, the Data Link layer provides an interface betweenthe physical media and the Transport Function and it is suitablefor both User Datagram Protocol (UDP)/Internet Protocol (IP)and Transmission Control Protocol (TCP)/IP communicationsystems. The Data Link layer structures the Transport Functionsegments into data link frames and forwards them to the com-munication channel for transmission. In case of data reception,the transport segments are extracted from the incoming framesand passed to the upper layers. Moreover, Data Link layermanages data link frame synchronization, flow control, errorhandling, and link status probing. The frame format of the

Data Link layer is shown in Fig. 10. The frame is composedof a header block and a number of data blocks. The headerconsists of the following fields: the Start field, which marksthe start of the frame, the Length field, which indicates thesize of user data, the Control field, which contains informationregarding the flow control, and the type of the frame, and twoMAC Address fields for Destination and Source respectively.A Cyclic Redundancy Check (CRC) field is appended at theend of the header and each data block.

2 bytes

Application Layer Data

Start Length

1 byte

Control

1 byte 2 bytes

Destination

Address

2 bytes

Source

Address

2 bytes

CRC

Header Block

1st Data Block128 bytes 2 bytes

CRC


2nd Data Block128 bytes 2 bytes

CRC


Nth Data Block8-128 bytes 2 bytes

CRC

Block Transmission

Order

Fig. 10. DNP3 Data Link Frame

EtherCAT [18] is an Ethernet-based protocol that is suitablefor industrial real-time computing requirements. The use ofplain Ethernet in automation technology has specific short-comings. Firstly, the very high bandwidth is wasted, as eachfield device only sends and receives a few bytes of data.Moreover, the low computing capacity of the field devicesis insufficient for embedding an Ethernet controller within thedevice. Finally, Ethernet has certain limitations regarding itsreal-time capabilities.

The main advantage of EtherCAT is that it does not requirea specialized interface. Any commercially available Ethernetcontroller can be used as an EtherCAT master. Another impor-tant advantage is the conformity with the Ethernet standard.This enables EtherCAT to operate with standard networkcomponents such as Ethernet switches. Finally, the very shortcycle time (< 100`B) enables new applications with moreaccurate control.

EtherCAT considers the bus as a single large Ethernetdevice, which interconnects a number of EtherCAT slaves. Thedata transfer procedure is shown in Fig. 11. The master nodeinitiates the data transfer by transmitting an Ethernet frame.A slave node extracts its own data from the frame, carries outthe received command (such as reading data), insert new datato the frame and forwards it to the next node in the bus. Thelast node sends a frame, containing data from all the nodes,back to the master completing the cycle.

Fig. 12 shows the structure of a basic EtherCAT frame,compared to a basic Ethernet Frame. The size of the Ethernetframe ranges between 64 and 1522 Bytes and includes theEthernet Header, the Ethernet Data, and the Frame CheckSequence field. In the case of the EtherCAT frame, theEthernet Header includes the destination and source 48-bitaddresses and the EthernetType value which indicates theencapsulated protocol in the payload. The value 0x88A4 isregistered to Internet Assigned Numbers Authority (IANA)for the EtherCAT.




Slave 3

Slave 2Slave 1

Slave 4

Master

Fig. 11. EtherCAT Data Transfer Procedure

Ethernet DataEthernet Header

6 bytes 2 bytes6 bytes

FCS

46 - 1500 bytes 4 bytes

64 – 1522 bytes

Ethernet

Type

Destination

AddressSource Address FCSEtherCAT Data

Basic Ethernet Frame

Basic EtherCAT Frame

Fig. 12. EtherCAT Frame

EtherCAT supports four addressing methods, namely phys-ical, logical, multiple and broadcast addressing. In physicaladdressing, which is mainly used for transferring parameterdata, the telegram is precisely addressed to a single slavedevice. In logical addressing, slave devices are not addressedindividually, and the logical address can contain any numberof slaves. The master device maps the physical MAC addressesto logical addresses and the configuration is transmitted to theFieldbus Memory Management Units (FMMU) of the slaves.In the multiple addressing method, physical address areas ofseveral slaves can be addressed, by setting the multiple readflag in the telegram. The broadcast address is used to addressall the slave devices of the network.

Foundation High-Speed Ethernet (HSE) [19] is an imple-mentation of the Foundation Fieldbus H1 protocol that usesthe Ethernet protocol. As it is shown in Fig. 13 both protocolscan be incorporated in the same network, by using a LinkingDevice (LD), which acts as a bridge between the FoundationH1 and HSE devices. The Foundation Fieldbus H1 data areencapsulated in an Ethernet frame. Each device of the networkis addressed using its MAC address.

The network stack and frame structure of the FoundationHSE is shown in Fig. 14. The highest layer contains the userapplication and data. The Field Device Access is an interfacebetween the user layer and the field devices. The TCP/IPprotocol is used at the transport and network layers, whilethe Data Link Layer is based on Ethernet. The frame consistsof the Preamble, a Start Delimiter, the Destination and Source

H1 Field Devices

Linking Device

Ethernet Switch

High-Speed

Ethernet Field

Devices

Host

Fig. 13. Foundation Fieldbus H1 and HSE joint architecture

Addresses, the Length of the payload, the Payload, and theCRC.

Destination Address

Source Address Length CRC

6 bytesPayload

6 bytes 2 bytes 46-1500 bytes 4 bytesPreamble Start Delimiter

1 byte7 bytes

Field Device Access

User Layer

TCP/IP

Physical Layer

Ethernet Data Link Layer

Fig. 14. Foundation HSE Stack and Frame Structure

International Electrotechnical Commission (IEC) 61850is an international communications standard, that defines a setof services and functions that enable data exchange betweenthe SCADA HMI and the field devices. It is a higher layerprotocol that defines a hierarchical, object-oriented, data rep-resentation model. Each node in the model consist of dataand attributes such as configuration information, naming, anddiagnostic information. This data model introduces an abstractlayer, which enables a client to browse and retrieve data froma device without knowing details and implementation of thedevice. MAC addresses are used to address the devices of thenetwork.

The network stack of IEC 61850 is shown in Fig. 15.The time-critical messages are mapped directly to Ethernetframes using non-IP protocols. These messages include theSampled Measured Values (SMV), the Generic Object Ori-ented Substation Events (GOOSE), the Generic Substation




State Events (GSSE), and the Manufacturing Messaging Spec-ification (MMS). MMS can be also transferred through TCP/IPconnections, while the time synchronization (TimeSync) mes-sages are transferred through UDP/IP connections.

SMV GSSEGOOSE

Ethernet

Physical Medium

TimeSyncMMS

UDPTCP

IP

Fig. 15. IEC 61850 Network Stack

PROcess FIeld NET (PROFINET) [20] is an industrialstandard for data exchange over Industrial Ethernet, aimingto enable data collection and equipment control, under tighttime constraints. It is a higher layer protocol that definesthe Application and Presentation layers of the OSI model.It supports three different communication methods: a) Non-Real-Time, which is used for non-time critical data with cycletimes in the range of 100ms, b) Real-Time which is usedfor time-critical data, by utilizing a communication channelwith small cycle times of 10ms, and c) Isochronous Real-Time which supports cycle times lower than 1ms, by dividingthe communication cycle and reserving the slots to specificnodes. The communication is based on Ethernet technology,while the MAC address is used for device addressing.

SERCOS III [21] is a standardized open digital inter-face for the communication between industrial controls, in-put/output devices and standard Ethernet nodes. It operatesin master/slave configuration exchanging cyclic data betweennodes. Sercos III uses two types of telegrams in order toaccomplish the data exchange: the Master Data Telegram(MDT), which contains information sent by the master to theslaves and the Acknowledge Telegram (AT), which is issuedby the master and the slaves insert the appropriate responsedata in it. Each device is equipped with two ports, namely P1and P2.

SERCOS III supports two main network topologies, whichare illustrated in Fig. 16. The line topology is a simpler andcheaper topology, as all devices are connected using a singlecable, but it provides no redundancy. In the line topology, themaster’s P1 port is unconnected, while P2 port is connectedto the first slave. The master initiates the data exchange bysending the telegram to the first slave. The slave reads thetelegram, executes the required functions, inserts its data inthe telegram and forwards it to the next slave. The final slavedetects that its second port is unconnected and reverses thetelegram forwarding procedure until it reaches the master.

In the ring topology, the master’s P1 port is connected tothe P2 port of the last slave. The master automatically detectsthe existence of the ring topology and transmits two counter-rotating telegrams. This topology enforces tighter synchroniza-tion, as well as automatic infrastructure redundancy. In case ofa link or device failure, the infrastructure will automatically be

reshaped to line topology, as the last slave will have its secondport unconnected. This scenario is illustrated in Fig. 16, wherethe link between two slaves is severed and the infrastructureis reshaped into two line topologies.

Port 1 Port 2

Master

Line Topology

Port 1 Port 2

Slave

Port 2

Slave

Port 1 Port 2

Slave

Master

Port 1

Slave

Port 1

Slave

Port 2 Port 1

Slave

Port 1 Port 2

Port 2

Port 1

Port 2

Ring Topology

Master

Port 1

Slave

Port 1

Slave

Port 2 Port 1

Slave

Port 1 Port 2

Port 2 Port 2

Link Failure

Fig. 16. SERCOS III Network Topologies

The structure of the SERCOS III telegram is shown inFig. 17. The frame starts with the preamble, followed by thedestination address, which is set to the Ethernet broadcastMAC address, and the source address, which is set to the MACaddress of the master. The Ethernet type is set by the FieldRegistration Authority to 0x88CD. The encapsulated telegramconsists of the SERCOS III header, which contains statusand control information and the varying data field, that storesthe variables for each device. Finally, the Forward CheckingSequence (FCS) field is appended for error detection.

Ethernet

Type

Destination

AddressData FieldMST

7 bytes

Preamble

6 bytes1 byte

SFD Source Address FCS

6 bytes 2 bytes 46 - 1500 bytes 4 bytes

Sercos III Data Fields

MAC Layer Fields

Fig. 17. SERCOS III Telegram Structure

Ethernet Powerlink [22] is a loyalty-free real-time indus-trial communication protocol, managed by the Ethernet Pow-erlink Standardization Group. Ethernet Powerlink implementsmixed polling and time-slicing mechanisms over the traditionalEthernet in order to provide a guaranteed transmission oftime-critical data, a high precision time synchronization ofthe devices, and an asynchronous channel dedicated to thetransmission of less time-critical data.

The Ethernet Powerlink communication cycle consists oftwo phases, namely the isochronous and the asynchronous




phases. A Start of Cyclic frame is used in order to synchro-nize all the devices. The node synchronization mitigates theframe collision and ensures real-time communication. In theisochronous phase, the master device, called Managing Node,polls the Controlled Nodes cyclically. After all the ControlledNodes have been polled, the asynchronous phase starts toallow the transmission of less-time critical data. As EthernetPowerlink is based on the traditional Ethernet, each devicehas a unique MAC address. In addition, a logical node ID isassigned to each device.

The stack of the Ethernet Powerlink is shown in Fig. 18.The highest layer includes the device profiles, which definethe properties of each device. The Application Layer contains:a) the Object Dictionary, which enables the application toexpose the data, parameters, and services to the network, b) theProcess Data Objects, which contain the values of the objectsand they are cycled among network devices in the isochronousphase, and c) Service Data Objects, which are used to es-tablish an asynchronous connection between the nodes. ThePowerlink Data Link Layer is responsible for establishingcommunication between the network nodes. It also definesthe Managing Node that is in charge of moderating accessto the shared medium. Moreover, it provides isochronous andasynchronous communication channels as well as time syn-chronization and network management services to the upperlayers. Finally, the rest of the layers are the same as in thetraditional Ethernet.

Net

wor

k M

anag

emen

t

Powerlink Data Link Layer

MAC Layer

Physical Layer

Device Profiles

Application Layer

Object Dictionary

Process Data Objects

Service Data Objects

Device ProfilesDevice Profiles

UDP/IP

MAC Destination MAC Source EtherType CRC

Message Type Powerlink Destination

Powerlink Source Powerlink Payload

6 bytesEthernet Payload

6 bytes 2 bytes 46-1500 bytes 4 bytes

1 byte 1 byte 1 byte 43-1497 bytes

Preamble SFD

1 byte7 bytes

Fig. 18. Ethernet Powerlink Stack

Fig. 19 shows the structure of the Ethernet Powerlink frame,which is encapsulated in a traditional Ethernet frame, with anEtherType value of 0x88AB. The Powerlink frame consistsof the Message type, which determines the purpose of theframe, the Powerlink destination and source addresses, andthe Powerlink Payload.

Net

wor

k M

anag

emen

t

Powerlink Data Link Layer

MAC Layer

Physical Layer

Device Profiles

Application Layer

Object Dictionary

Process Data Objects

Service Data Objects

Device ProfilesDevice Profiles

UDP/IP

Destination Address

Source Address EtherType CRC

Message Type Powerlink Destination

Powerlink Source Powerlink Payload

6 bytesEthernet Payload


1 byte 1 byte 1 byte 43-1497 bytes

Preamble SFD

1 byte7 bytes

Fig. 19. Ethernet Powerlink Frame Structure

Real-time Automation Protocols for Industrial Ethernet(RAPIEnet) [23] is an international standard for real-time datatransmission that was developed in Korea. RAPIEnet supportsunicast, multicast, and broadcast addressing. Each RAPIEnetdevice features an embedded Ethernet switch with two portsin order to enable the daisy-chain and ring topologies. Figs. 20and 21 show the stack and the frame structure of the RAPIEnetprotocol, respectively. The RAPIEnet frame starts with thePreamble and the Start Frame Delimiter (SFD), followed bythe Destination and Source addresses. The Ethernet Type fieldis used to select the type of the frame. The Type 21 headerincludes the protocol version and length of the telegram,the Destination and Source addresses, the requested FunctionCode (FC) and the corresponding function extension (EXT).The Destination Service Access Point (DSAP) and SourceService Access Point (SSAP) are appended to the end of theheader. After the Type 21 Header, the Type 21 telegram isincluded, followed by the CRC.

Real-time Application

Physical Layer

RAPIEnet MAC/DLL

RAPIEnet APPs Other APPs

Queue Message Box

Destination Address

Source Address Ethernet Type CRC

Version & Length

Destination Address

Source Address

6 bytesType 21 Telegram


2 bytes 2 bytes 2 bytes

Real-time Process Module DLL Event

MAC Layer MAC Layer

Physical Layer

Preamble SFD

1 byte7 bytesType 21 Header

4 bytes

FC EXT DSAP SSAP

2 bytes 2 bytes 2 bytes 2 bytes

Fig. 20. RAPIEnet Protocol Stack

Real-time Application

Physical Layer

RAPIEnet MAC/DLL

RAPIEnet APPs Other APPs

Queue Message Box

Destination Address

Source Address Ethernet Type CRC

Version & Length

Destination Address

Source Address

6 bytesType 21 Telegram


2 bytes 2 bytes 2 bytes

Real-time Process Module DLL Event

MAC Layer MAC Layer

Physical Layer

Preamble SFD

1 byte7 bytesType 21 Header

4 bytes

FC EXT DSAP SSAP

2 bytes 2 bytes 2 bytes 2 bytes

Fig. 21. RAPIEnet Frame Structure

D. Serial-based Protocols

The IEC 60870 is a set of standards which define thesystems used for remote control and monitoring in electricalapplications and power system automation. The IEC 60870-5specification document defines the communication specifica-tions and consists of a set of companion standards.




The IEC 60870-5-101 companion standard is mainly usedin the energy sector. It mainly utilizes the asynchronous V.24interface, which supports data rates of up to 9600 bps, whilethe X.24 and X.27 interfaces enable data rates up to 64000bit/s.

The IEC 60870-5-103 companion standard mainly utilizesthe asynchronous V.24 (RS232) and RS485 interfaces, whichfeature data rates of up to 19200 bps. The companion alsoincludes specifications regarding interfaces that support fiberoptics.

The IEC 60870-5-104 defines the Application layer ofthe OSI model and uses the conventional Ethernet transporttechnology. Various network types can be realized withinTCP/IP, such as X.25, ATM (Asynchronous Transfer Mode),FR (Frame Relay), and serial point-to-point (X.21). Data arestored in an Application PDU (APDU), while the APDU alongwith an optional Application Service Data Unit (ASDU) areencapsulated in an Application Protocol Control Information(APCI) frame, as shown in Fig. 22. The APCI frame startswith a Start byte, followed by a field denoting the length ofthe APDU. A number of control fields are appended based onthe APDU length.

Start

1 byte 1 byte

APDU

Length

Control

Field 1


Control

Field 2...

Control

Field N

Application

Service Data Unit

1 byte

APDU Length

Start

1 byte 1 byte

Block

Length

Block

Length

(copy)

1 byte 1 byte 4 bits

Start-2

4 bits

Control

Field

Function

Code

Type

Identification

Number of

Objects

Cause of

Transmission

Application

Service Data UnitChecksum Stop

9 – 1143 bytes1 byte0 - 2

bytes

Link

Address


(a)

(b)

Fig. 22. APCI Frame Structure

Modbus [24] is one of the most used communicationprotocols for the interconnection of industrial devices, dueto its industrial focus, the easy deployment and maintenance,and open specifications. Modbus also enables communicationbetween devices on different network infrastructures. Fig. 23shows a reference architecture of a Modbus network. Differenttypes of field devices (e.g., Programmable Logic Controller(PLC) , HMI, I/O devices) connect to the same network byusing different Modbus variants such as Modbus+, Serial andTCP/IP. The MB+ and Serial Gateways are used as convertersbetween the Modbus variants.

Fig. 24 illustrates the structure of a Modbus frame. The gen-eral frame form, called Application Data Unit (ADU), enclosesa PDU along with fields reserved for device addressing anderror checking. The PDU consists of the function code field,which is used to select the operation, while the Data field sizedepends on the selected function. The addressing and errorchecking fields vary depending on the transport technology.In the Modbus serial variant, the addressing field containsthe Slave ID and utilizes CRC for error detection. In caseof Modbus TCP/IP, the addressing field is replaced by theModbus Application Protocol (MBAP) Header, while the errorcheck field is removed as the error detection capabilities of theTCP/IP protocol are leveraged. The complete Modbus ADUis encapsulated into the data field of a standard TCP/IP frame.

Serial Modbus enables message exchange between masterand slave devices over serial communication mode. The masterdevice coordinates the communication and can directly address

HMI

MB+

Gateway

PLC

I/O

I/O

Mo

db

us

on

MB

+

Serial

Gateway

I/O

Mo

db

us

on

Ser

ial

I/O

I/O

I/OPLC

I/OI/O

Modbus on TCP/IP

PLC

Fig. 23. Modbus Network Architecture

the devices. The slave devices monitor the channel for requestsfrom the master and respond accordingly.

In TCP/IP communication, the Modbus TCP/IP ADU con-tains the MBAP header and the PDU. The header includesthe following fields: The Transaction Identifier, is used forlogically pairing the transactions that are carried out in thesame TCP stream. The Protocol Identifier, is always set to0, while the Length field indicates the size of the remainingfields. Finally, the Unit Identifier is used to identify hosts thatbelong to networks, for example in case of bridging TCP/IPand serial networks.

Addressing

Application Data Unit

Function Code Data Error Check

Protocol Data Unit

General Modbus

Frame

Slave ID


Function Code Data CRC

Protocol Data Unit

Modbus Serial

Frame

MBAP


Function Code Data

Protocol Data Unit

Modbus TCP/IP

Frame

Protocol Identifier Length Unit ID

2 bytes

Transaction

Identifier

2 bytes 2 bytes 1 byte

Fig. 24. Modbus Frame Structure

Unitronics PCOM [25], [26] is a communication pro-tocol that enables applications to communicate with PLCdevices, based on requests and responses. The applicationspoll the PLC using command codes to identify the typeof operation (e.g., read memory register). PCOM supportsinter-PLC communication in master-slave schemes, where themaster forwards the request/replies to/from the slave PLCs. Inaddition, PCOM also supports administrative operations thatcan be used to manage and reprogram the PLC.




Reserved Reserved Reserved

Command Details

1 bytesReserved

1 bytes 3 bytes 1 byte

6 bytes

STX Unit ID

1 byte6 bytesCommad

1 bytes

STX Unit ID Command

1-2 bytes 1 byte 2-3 bytesData Cheksum ETX

N bytes 2 bytes 1 byte

Header Checksum Data Footer

Checksum

2 bytes N bytes 2 bytesLength

2 bytesETX

1 byte

Transaction ID Protocol Mode Reserved

1-2 bytes 1 byte 2-3 bytesLength ASCII / Binary

N bytesExtra Ethernet Header

ASCII

Binary

Fig. 25. PCOM Message Structure

The message structure of the PCOM protocol is shown inFig. 25. It supports two message modes, namely ASCII andBinary. In the ASCII mode, only one type of operand perrequest is allowed, contrary to the Binary mode, where mul-tiple types of operands are allowed. The STX and ETX fieldsdenote the start and the end of the transmission, respectively.The Unit ID is used to address the PLC device, while theCommand field is used to select the command to be executed.Finally, the Checksums are used for error checking. PCOMcan also support Ethernet-based communications, by addingan extra header between the Ethernet header and the ASCIIor Binary message.

E. Common Industrial Protocol

Application Object Library

Data Management Services

Connection Management and Routing

CompoNet EtherNet/IP

DeviceNet Physical

Layer

Motion

Profiles

Com

mon I

ndust

rial

Pro

toco

l

CompoNet

TimeslotEthenet

DeviceNet ControlNet

CANControlNet

CTDMA

Motion

Control

Profiles

Transducer

ProfilesI/O Profiles

Other

Profiles

Semiconductor

Profiles

Safety

Profiles

Safety

Services

&Messages

Safety

Object

Library

ControlNet Physical

Layer

CompoNet Physical

Layer

EtherNet/IP Physical

Layer CIP

Im

ple

men

tati

on

s

Fig. 26. Common Industrial Protocol Stack

The Common Industrial Protocol (CIP) [27] is a peerto peer protocol that provides communications infrastructurefor industrial applications. The stack of the protocol is shownin Fig. 26. The top level of the stack includes a number ofdevice profiles, which are defined in order to increase deviceinteroperability and consistency across multiple device ven-dors. The Application Object Library provides an applicationinterface, where each object has as set of attributes (data),services (commands), and behaviors (reactions to events).The Data Management Services define the addressing modelsfor the CIP entities, along with the supported data types.The Connection Management and Routing layer defines themechanisms that enable the transmission of messages acrossmultiple networks, and acts as an interface between the higher

and lower protocol layers. In order to enhance the protocol’ssecurity, three additional higher level layers are included,namely Security Profiles, Safety Object Library, and SafetyServices & Messages. Concerning the lower layers, fournetwork and transport layer protocols are supported by CIP.

DeviceNet was the first implementation of CIP and it isbased on the Controller Area Network (CAN) protocol [28].The nodes are connected in a trunkline/dropline topology. Inthis topology, there is a main trunkline running across the field.A node is added to the network, by using a tap to insert thedevice in the trunkline. A 11-bit number is used for addressingthe network devices, while broadcasting is not supported.

ControlNet is a digital communications protocol that pro-vides high-speed transport of time-critical data. It forms aProducer/Consumer network that supports multiple commu-nication hierarchies and message prioritization. ControlNetuses a Concurrent Time Domain Multiple Access (CTDMA)mechanism in order ensure the precise time for messagedelivery. For the addressing, each device is assigned a numberranging from 1 to 99, while broadcasting is not supported.

CompoNet provides high-speed communication amongcontrollers, sensors and actuators. It forms a master/slavenetwork, where the communication is scheduled in timeslots.A 16-bit number is used for addressing the network devices,while broadcasting is not supported.

EtherNet/IP is CIP implementation that is based on theEthernet standard. EtherNet/IP is a data link layer protocolthat encapsulates the CIP messages in an Ethernet frame, whileMAC addresses are used for the device addressing. It employsTCP/IP for flow control, fragmentation reassembly and mes-sage acknowledgment, and UDP for transporting messages thatcontain time-critical control data.

The Highway Addressable Remote Transducer (HART)is an industrial communication protocol that supports bothanalog and digital communications. The data are modulatedusing Frequency Shift Keying (FSK). The digital signal con-sists of two frequencies, 1.2 KHz and 2.2 KHz for bits 1 and 0respectively. The analog signal is superimposed with the wavesof these two frequencies in order to provide simultaneousanalog and digital communication.

It supports Point-to-Point and Multi-drop topologies in Mas-ter/Slave configuration. In the Point-to-Point topology, both theanalog and digital signals are used. The 4-20 mA analog signalis used for reading a single value, while the digital one is usedfor accessing multiple values, and maintenance and diagnosticoperations. In the Multi-drop topology, a two-wire system isused for connecting the field devices. The analog signal isused for powering the field devices and the data exchange iscompletely digital. For the device addressing, a 4-bit numberis used, while in newer protocol versions 38-bits are used.HART does not support message broadcasting.

The structure of the HART packet is illustrated in Fig. 27.A preamble is used for carrier detection and synchronization.The Start field marks the beginning of the packet, while theAddress field specifies the address of the master and slavedevices. The Command byte represents the command to beexecuted by the slave devices. The Data Size field specifiesthe size of the user data. Finally, the Checksum byte is a XOR




operation of all the bytes beginning from the Start field up tothe last byte of the Data field.

5 – 20 bytes

Preamble Start

1 byte 1 – 5 bytes

Address

1 byte

Command Data Size

1 byte

Data Checksum

0 – 255 bytes 1 byte

Fig. 27. HART Packet Structure

DC-BUS is an analog protocol that enables reliable commu-nication over noise Direct Current (DC) or Alternating Current(AC) power lines. DC-BUS operates on the physical layerand enables the transmission of data over the power lineseven if the signal is extremely attenuated due to the linenoise. DC-BUS enables byte-oriented and message-orientedcommunication, while a sleep mechanism is implemented inorder to enable low power consumption.

Byte-oriented communication transfers a single UniversalAsynchronous Receiver/Transmitter (UART) bytes over highfrequency noisy channels, with a datarate up to 115.2 Kbps.A unique narrowband signal modulation is used, based on thecombination of phase changes. Message-oriented communica-tion offers a datarate up to 1.3 Mbps. In addition, a collisiondetection mechanism is used, while a narrowband carrier isselected in order to communicate over the power lines.

III. SCADA SECURITY INCIDENTS, OBJECTIVES ANDTHREATS

In this section, we report certain high-impact security inci-dents that affected SCADA systems, we discuss the securityobjectives and threats, and we provide a detailed overview ofseveral SCADA security testbeds.

A. Security Incidents in SCADA Systems

Reports in [29] and [30] are showing an increasing num-ber of security incidents and cyber attacks against criticalSCADA infrastructure. Consequently, security considerationsfor SCADA systems are gaining higher priority and consider-ation than those for traditional IT systems due to the potentialimpact on the physical safety of employees, customers, orcommunities.

The Repository of Industrial Security Incidents (RISI) [31]contains 228 reported incidents dating from 1982 to 2014.Each data entry contains the year, title, industry type, country,and information about the incident and its impact. RISItracks all incidents of cybersecurity nature that affect SCADAsystems and control processes. Therefore, RISI includes eventssuch as accidental cyber-related incidents, as well as deliberateevents such as internal and external attacks, Denial of Service(DoS) attacks, virus/worm infiltrations, remote access attacks,and any other cyber incident that impacted the process en-vironment. Table II lists the number of reported incidents ineach country, based on the RISI.

A list of certain high-impact SCADA security incidents isprovided in Table III. The list is ordered by the year, whenthe incident took place. The table also lists the methods thatwere used to launch the attack, and the result or aim of theattack.

TABLE IIREPORTED INCIDENTS BY COUNTRY

Country Number of Incidents

United States 123United Kingdom 32Unknown 16Canada 14Australia 12Japan 5Switzerland 4Iran, Russia 3France, India, Ireland, Israel, New Zealand 2Brazil, Chad, Germany, Guam, Guyana, Other 1

In 2000, an employee of Maroochy Shire in Queenslandgained unauthorized access to the waste management systemand spilled a large amount of raw sewage into rivers and parks,resulting in loss of marine life [32]. The Hunter WatertechPDS Compact 500 RTU was installed in each of the pump-ing stations, that was capable of receiving instructions andtransmitting alarm and data signals to the control center. Thisparticular RTU utilizes the DNP3 communications protocol.

In 2003, The Slammer worm [33] disabled monitoringsystem of the Ohio Davis-Besse nuclear power plant [34].The worm infection originated from the unsecured networkof a third-party collaborating company and penetrated theDavis-Besse’s network by exploiting a vulnerability in theMicrosoft Structured Query Language (SQL) Server 2000through the network port 1434. The worm was discoveredwhen the operators noticed the network’s slow performance.The power plant was out of commission, so the incident hadnot any hazardous consequences.

In 2003, the SoBig virus [35] was responsible for shuttingthe system that manages the train signals in Florida, US[36]. hlThe virus managed to widely spread through e-mailattachments and infect the computers that control the SCADAsystems. SoBig contained its own implementation of the Sim-ple Mail Transfer Protocol (SMTP) and managed to quicklypropagate. In addition, a variant of the virus establisheda connection through UDP port 8998 and downloaded theWinGate proxy server. Except for the train delays, no majorincidents were caused.

In 2007, a malicious software was installed on the TehamaColusa Canal Authority SCADA system [37] by a formeremployee. No details were published about the malicioussoftware, the infected systems, and the damages caused.

Chinese and Russian spies were reported to have hackedthe U.S. electrical power grid in 2009 [38]. The spies aimedto gain information about critical infrastructure specificationsusing network mapping tools. The communications throughoutthe U.S. power grid are enabled by various well-known proto-cols such as Modbus, DNP3, and IEC 61850 [39]. However,the technical details of the attack still remain vague.

A Carrell Clinic, Dallas security contractor in 2009 installedmalicious software on clinic computers causing disruptionof heating, ventilation, and air-conditioning (HVAC) systems




[40].The Stuxnet computer worm [41] was identified by Virus-

BlokAda, a security firm based in Belarus [42], in June of2010. Stuxnet’s aim was to sabotage the uranium enrichmentfacility at Natanz, where the centrifuge operational capacityhad dropped over the past year by 30 percent [43]. The attackmay have caused the destruction of fast-spinning centrifuges,however, this has never been confirmed. The worm exploiteda vulnerability in the Server Message Block (SMB) in orderto propagate itself to systems having the Siemens’ SIMATICStep7 SCADA control software, that is used to configure theSiemens S7-300 PLC [44]. Afterward, the worm propagatedto the PLC and compromised the Profibus-based monitoringsystem. Stuxnet unveiled the real threat of cyber-warfare, asit is believed to be the first cyber-weapon that aims to exploitSCADA systems.

The security firm McAfee reported a number of coordinatedcyber attacks against oil firms [45]. The attacks, code-named’Night Dragon’ are believed to originate from China and havebeen going on for over two years. The attackers penetrated theperimeter security controls through SQL injection attacks andcompromised the DeMilitarized Zone (DMZ) and firewalls. Inaddition, a Remote Administration Tool (RAT) was installedthat enabled the attackers to completely control and spy onthe organization’s systems. The attacks were not aiming forthe SCADA systems, however, the infrastructure controllingthose systems was compromised.

A new malware similar to Stuxnet, named Duqu was dis-covered in 2011 [46]. Duqu exploits a zero-day vulnerabilityin the Microsoft Word software in order to compromise thesystem. After the compromise, Duqu can secretly downloadand execute additional malware tools [47], in order to launchreconnaissance attacks against critical SCADA systems. Themalware usually aims to compromise the control systemsrather than the SCADA devices.

A series cyber attacks with the code name Dragonfly tookplace in 2014 [48], mainly targeting energy stakeholders. Thetargets of Dragonfly were petroleum pipelines, power gener-ation plants, energy grid operators, and industrial hardwarevendors. The attackers managed to compromise a number ofequipment vendors and infected them with a trojan. The trojanwas unintentionally installed by the operators, while they wereinstalling software updates. The malware contained also aSCADA scanner module that searched for SCADA deviceson TCP ports 102, 502 (Modbus port), and 44818. Additionalattacks included spear phishing e-mails delivering malwareand attacks that redirected visitors to fake websites hostingvulnerability exploit software.

In 2015, a series of cyber attacks against the Ukrainian gridcaused power outages in the country [49]. The hacker groupSandworm was reported to have launched the attacks. Theattackers sent a malicious Microsoft Excel document, whichdownloaded and installed a malware tool. The malware carriedout Denial of Service attacks against SCADA controllers thatresulted in the power outage across the country. In addition,the malware erased the infected systems’ hard disks.

The Dragonfly 2.0 campaign launched a series of cyberattacks against a large number of energy companies in 2017

[50]. As the previous Dragonfly campaign, Dragonfly 2.0utilized the same techniques and tools. In many cases, thehackers managed to successfully gain control of the companynetwork, by compromising a software that the operators use tosend commands to energy equipment, such as circuit breakers.During the first campaign, the attackers aimed to steal infor-mation about critical infrastructures, whereas in the secondcampaign they aimed to destroy the compromised equipment.

B. Security Objectives and Vulnerabilities

Authors in [51] provide the security objectives, namelyavailability, authorization, authentication, confidentiality, in-tegrity, and non-reputability. Availability refers to ensuring thatthe automation, control, safety, and communication systemsare always available to the authorized users. The authorizationmanages the user access to the system. The authorizationmechanisms determine the legitimacy of a user and restrictillegitimate users to control the system. The authenticationobjective is concerned with determining the user’s identityand privileges inside the system. The confidentiality objectiveprevents information exposure to unauthorized users. Theintegrity objective refers to preventing modification of infor-mation by unauthorized users. The non-repudiability objectiverefers to the ability to provide irrefutable evidence of whoperformed certain actions.

Ensuring the aforementioned objectives is vital to the se-curity of the SCADA systems. However, there are certainvulnerabilities that an adversary can exploit in order to com-promise the systems. SCADA systems often utilize commoncomputer protocols and functions such as file transfer overthe network and remote access. Unencrypted data exchangecan be compromised by an attacker in order to gain sensitiveinformation. Additionally, system application and servicesrequire certain open network ports. An adversary can use thoseports to gain access the SCADA system, collect informationabout it, and gain administrative privileges. Moreover, theadversary can upload malicious code that exploits a vulnerableapplication and gain unauthorized access. During the devel-opment of the first SCADA systems, security awareness hadlimited consideration as the SCADA systems were isolatedfrom other systems. However, newer SCADA systems are ableto communicate with other networks. Therefore, an attackagainst the communication networks can be escalated intoattack against the whole SCADA system.

Several research works have analyzed and assessed thevulnerabilities of SCADA communication protocols [52], [53],[54], [55], [56]. Table IV summarizes several protocol short-comings that make it vulnerable to cyber threats. The Au-thentication Control is used to authenticate the devices of thenetwork, while the Encryption Techniques are used to encryptthe data before transmitting them over the communicationchannel. The Integrity Check ensures that the messages arereceived correctly without being modified. The Anti-replayMechanisms prevent adversaries to inject malicious traffic inthe network, that is similar to the normal traffic.




TABLE IIISCADA SECURITY INCIDENTS

Year Name Method Result/Aim

2000 Maroochy Water System User Compromise Operation disruption2003 Davis-Besee Nuclear Power Plant Worm Network disruption2003 Florida Train Signaling Systems Virus Train scheduling disruption2007 Tehama Colusa Canal Authority User Compromise Unkown2009 US Electricity Grid Infrastructure Mapping Unkown2009 Dallas Carrell Clinic User compromise HVAC Equipment disruption2010 Stuxnet Worm, Root Compromise, Trojan Disruption of operations, Equipment de-

struction2011 Night Dragon Social Engineering, User Compromise,

Root Compromise, Spear Phising,Windows-based Exploits

Unauthorized access to control and informa-tion systems

2011 Duqu Virus, Root Compromise, Windows-basedExploits

Industrial control systems data and informa-tion embezzlement

2012 Aramco Virus Service Disruption, Cyber espionage2012 Flame Worm, Windows-based Exploits Cyber espionage2014 Dragonfly Campaign Worm, Trojans, Backdoors, Spear Phising Cyber espionage2016 Ukrainian Power Grid User Compromise, Trojan, Worm Service Disruption2017 Dragonfly 2.0 Phising, Malicious email attachments, Tro-

janCyber espionage, Equipment Destruction,Unauthorized information disclosure

2018 Saipem Company Virus Service disruption

TABLE IVSCADA PROTOCOL VULNERABILITIES

AuthenticationControl

EncryptionTechniques

Integrity Check Anti-replayMechanisms

BITBUS 7 7 7 7

Common Industrial Protocol 7 7 7 7

Distributed Network Protocol 3 7 3 3 7

Foundation Fieldbus H1 7 7 7 7

Foundadion HSE 7 7 3 7

HART 7 7 3 7

IEC 60870 3 7 7 7

IEC 61850 3 7 7 7

Modbus 7 7 3 7

PROFIBUS 3 3 3 7

PROFINET 3 3 3 7

SERCOS III 3 7 3 7

WorldFIP 7 7 3 7

C. SCADA Security Challenges

The study in [7] proposes seven recommendations to thepublic and private sectors regarding the SCADA system secu-rity. Additionally, various technical and non-technical securitychallenges have been identified. In this work, we present thetechnical security challenges.

One of the main challenges is the lack of mature securitytools tailored to the requirements of SCADA systems. Con-trary to traditional computer systems, SCADA systems havedifferent security requirements, as well as low computationalcapabilities. Moreover, the security mechanisms are not alwaysconsidered in the specifications of a device or protocol, poten-tially due to high implementation cost or low computational

capability of the device.

Ensuring security for a huge number of network devicesthat are often deployed in wide geographical areas is alsochallenging. In addition, physical access to these devices maybe unrestricted. Thus, exploiting these devices can allow anadversary to compromise the whole network.

Since SCADA systems typically monitor and control crit-ical infrastructures, they are targeted by technically skilledand well-organized attackers, called adaptive persistent ad-versaries. Common adversaries include criminal organizations(e.g., terrorists) and rival companies that have the requiredresources to create novel undisclosed attacks.

The use of legacy devices and protocols can introduce vul-




nerabilities that an adversary can exploit. As legacy SCADAsystems were isolated from the Internet, security measureswere not always required. In addition, the utilized proprietaryprotocols may include security breaches, therefore they cannotbe always trusted. Another important security factor is the factthat the lifecycle of SCADA systems is much longer than thestandard computer systems.

Over the last years, technologies used in standard com-puter systems are being adopted by SCADA systems. Forexample, relays and mechanical devices have been replacedby microcontrollers and electronic devices, respectively, whileoperating systems have been integrated into SCADA sys-tems. Consequently, the SCADA systems have inherited thevulnerabilities of standard computer systems. Moreover, asthe software is becoming more complex, the probability ofimplementation errors increases.

D. Attack Types in SCADA systems

A cyber-attack is considered as an intentional violationof one or more security objectives. Cyber-attacks can beclassified into untargeted and targeted. Untargeted are designedto exploit any vulnerable system they discover, while targetedattacks aim to compromise a specific system. An overview ofSCADA attack vectors is provided in [57]. The authors classifythe attacks as physical attacks against SCADA hardware,attacks against SCADA software, and attacks against SCADAcommunications. Table V shows a list of some commonattacks along with their impact on the security objectives ofthe system.

A similar classification is presented in [58]. The authors pro-posed a cyber-attack framework to extend the attack landscapefor critical infrastructure, consisting of four attack classes,namely traditional IT-based attacks, protocol-specific attacks,configuration-based attacks, and process control attacks.

TABLE VATTACK TYPES IN SCADA SYSTEMS

Attack Targeted/Untargeted Violated Objectives

Denial of Service Targeted AvailabilityEavesdropping Targeted Confidentiality,

AuthorizationMan-In-The-Middle Targeted Authentication, Confiden-

tiality, IntegritySystem break-in Targeted Authentication,

AuthorizationVirus Untargeted Availability, IntegrityTrojan Untargeted Confidentiality, Authenti-

cationWorm Untargeted Confidentiality, Integrity,

Authorization

The aim of a Denial of Service (DoS) attacks is to ravagethe availability and operation of the system. These attackswork by aggressively using all of the available resourcesof a device, so it cannot respond to the other legitimaterequests. The author in [59], grouped various DoS attacksbased on the OSI model. These attacks aim at electric power

systems, but they can also be launched against SCADA sys-tems. Specifically, there are DoS attacks against the SCADAservices running in the Application Layer, such as SimpleMail Transfer Protocol (SMTP) and Session Initiation Protocol(SIP) flooding, resource exhaustion, and requests with largepayloads. Similarly, the presentation layer attacks includemalformed Secure Sockets Layer (SSL) requests and DomainName System (DNS) queries. Regarding the session layer,common attacks include TCP sessions with long Time-to-Live (TTL) times and connection flooding. SYN floodingand Smurf are well known DoS attacks against the TransportLayer. With SYN flooding an adversary sends a massivenumber of SYN requests and the device responds and allocatesresources to each one of them. The Smurf attack sends InternetControl Message Protocol (ICMP) packets to the network’sbroadcast address. Consequently, all the devices receive theICMP packets and send the corresponding reply. If the rateof ICMP packets is too high, the network will be floodedwith reply traffic. Border Gateway Protocol (BGP) hijackingand ICMP fragmentation are common Network Layer attacks.MAC flooding is a Data Link Layer attack, where an adversarysends multitude Ethernet frames, each one containing differentsource MAC address, in order to exhaust the memory ofa switch, where the MAC addresses are stored. Finally, thephysical layer attacks consist of wireless signal jamming andphysical damage of the devices.

By eavesdropping, the attacker violates the confidentiality ofthe communication, by intercepting the communications. Thisattack mostly affects wireless communication systems, as theradio signals spread in a large area and anyone can receive thesignal and recover the message. Wired communication systemsare also vulnerable to this attack by tapping to the wires usingspecialized hardware. However, it is more difficult to carryout this attack in wired systems, as the adversary must havephysical access to the premises. In order to mitigate this attack,the message should be encrypted using a secure encryptionalgorithm that enables only the legitimate receiver to decryptit.

In a Man-In-The-Middle (MITM) attack, the attacker actsbetween the endpoints of the communication as he is alegitimate user. Additionally to the confidentiality violation,the attack can also tamper with the exchanged messages. TheMITM attack exploits an inherent vulnerability in the AddressResolution Protocol (ARP). The ARP protocol does not pro-vide an authentication mechanism, so any device connectedto the network can impersonate a device, while the otherdevices believe that they communicate with the legitimate one.This attack can be mitigated by authenticating each messageand utilizing certificates in the connection establishment. Inaddition, IDS can monitor the network to detect any unusualevents or behavior deviations.

A virus attack manages to bypass access control andauthentication mechanisms by exploiting a legitimate user.Virus attacks are often untargeted and they aim to executemalicious code in the compromised system. Trojans are untar-geted attacks that violate the confidentiality and authenticationobjectives. Their aim is to mislead a user of its true intentand deploy malicious software. Finally, a worm is malicious




software which is designed to automatically propagate itselfby discovering and exploiting the vulnerabilities of a system,without the user’s involvement. Worm infections are untar-geted and usually violate the confidentiality and authorizationobjectives of the affected systems. Usually, worms have theability to launch subsequent cyber-attacks from the infectedhosts. These attacks can be mitigated by deploying proper an-tivirus software and updating it regularly. This software scansthe system, looking for malware samples that match with anumber of pre-configured signatures. In addition, the personnelhandling these systems should receive proper training on howto avoid infecting the system with these kinds of malware.

The aforementioned mentioned attacks can affect both con-ventional computer and SCADA systems. Also, the attackscan propagate from conventional computers to SCADA sys-tems and vise versa. Regarding the communication protocols,almost all of the protocols listed in the previous section can beaffected by these attacks. Specifically, the DoS attack worksboth at the network and the application layer, meaning thatthe protocols that are based on these layers are vulnerable.The MITM attack can also affect all the protocols, as itworks in the network layer, so an adversary can impersonatea controller and send to the field devices, resulting in possibleequipment destruction. Viruses, trojans, and worms work atthe application layer and usually aim conventional computers.However, certain high-level SCADA devices can be affectedby these attacks.

E. Protocol-specific Attacks

In this subsection, we present attacks that exploit vulnera-bilities in higher layers.In order to discover these attacks, weperformed an extensive literature search.

1) MODBUS: A taxonomy of attacks against the Modbusprotocol is presented in [60] and [61]:

• Slave Reconnaissance: A Modbus message that requeststhe status information from the device is sent in order todiscover the network devices.

• Remote Restart: The attacker repeatedly sends a Modbusmessage that restarts the device and executes the power-up test.

• Slave Reconnaissance: A Modbus message that requeststhe status information from the device is sent in order todiscover the network devices.

• Remote Restart: The attacker repeatedly sends a Modbusmessage that restarts the device and executes the power-up test.

• Diagnostic Register Reset: The attacker sends a messagethat clears all the counters and the diagnostic register ofthe field device. The device configuration is modified,resulting in the disruption of the diagnostic operations.

• Network Scanning: The attacker sends legitimate mes-sages to all network addresses in order to obtain infor-mation about the devices.

• Broadcast Message Spoofing: The attacker broadcastsfake messages to all slave devices. This attack cannotbe detected easily as no response messages are sent tothe master device from the slaves.

• Irregular TCP Framing: The attacker injects improperlyframed messages or modifies the legitimate ones in orderto cause connection termination between two devices.

• Response Replay: The legitimate traffic between masterand slave devices is captured by the attacker and isreplayed in order to disrupt the communication betweenthese devices and/or insert a new fake device into thenetwork.

• Response Delay: In this attack, the response messagesare delayed that the master device receives obsolete datafrom the slave devices.

• RST Flood: The attacker injects a spoofed TCP packetwith the RST flag set in order to close the TCP connectionbetween two devices.

• FIN Flood: This attack involves injecting a spoofed TCPpacket with the FIN flag set in order to terminate the TCPconnection between two devices.

2) DNP3: As the DNP3 does not employ authenticationand authorization mechanisms, all messages are assumed tobe valid. Therefore, SCADA networks that rely to the DNP3are susceptible to various attacks. The authors in [61] and [62]provide a taxonomy of attacks on the DNP3 protocol:

• Reset Function Attack: The attacker sends a message thatcauses the device to restart, making it unavailable for aperiod of time.

• Transport Sequence Modification: The attacker modifiesthe frame sequence field to inject spoofed messages inorder to disrupt the communication.

• Write Attack: The attacker sends a message that writesdata objects to a device and corrupts the data stored inthe device memory.

• Clear Objects Attack: The attacker sends a messagethat clears the device memory, therefore erasing criticaloperation data.

• Configuration Capture Attack: The attacker sends a mes-sage with the fifth bit set in the second byte of the InternalIndications, which denotes that the configuration file ofthe device is corrupted. Consequently, the master devicesends a new configuration file, which can be interceptedby the attacker.

• Length Overflow Attack: In this attack, an incorrectlength field value is inserted that affects message pro-cessing. This can lead to data corruption and unexpectedactions such as device crash.

• Destination Address Tamper: The attacker can tamperthe destination address field in order to reroute requestsand/or replies to other devices.

• Unavailable Function Attack: The attacker sends a mes-sage to the master device indicating that a slave is notfunctioning. Therefore, the master will assume that thedevice is unavailable and will stop sending requests.

• Application Termination: In this attack, a message thatterminates the applications running in a device is sent.Consequently, the affected devices will not respond tothe legitimate requests.

• Fragmented Message Interruption: The FIR and FINflags indicate the first and final frames of a fragmented




message, respectively. When the attacker sends a messagewith the FIR flag set, the previous incomplete fragmentswill be discarded.

An overview of SCADA attack vectors is provided in [57].The authors classify the attacks as physical attacks againstSCADA hardware, attacks against SCADA software, andattacks against SCADA communications.

F. SCADA Security Testbeds

In this subsection, we present the SCADA testbeds that weredeveloped in order to assist the research regarding SCADAsecurity. We have performed an extensive literature search forsurveys (e.g., [63]) and technical papers regarding SCADAtestbeds. A summary of the the proposed SCADA securitytestbeds is shown in Table VI. The Type column indicateswhether the testbed is physical, simulated or both, while theProtocol column lists the implemented protocols. The softwarethat was used to simulate the SCADA network and devicesis listed in the Software column. Finally, the Attack columnshows the attacks that were used for testbed evaluation.

The United States Department of Energy established theNational SCADA testbed program in order to improve thesecurity of SCADA systems used in the nation’s criticalenergy infrastructures [64]. The program offers integratedexpertise and resources of multiple national laboratories, in-cluding Idaho National Laboratory, Sandia National Laborato-ries, Argonne National Laboratory, Pacific Northwest NationalLaboratory, and Oak Ridge National Laboratory.

Authors in [65] developed a vulnerability assessment testbedfor SCADA systems. The architecture consists of three sim-ulated components: The Network Client provides a graphicalview of the system states with the ability to control the com-ponent elements. The PowerWorld server [66] simulates theoperation of the power grid, while the Rinse tool [67] providesa realistic simulation of a large network. A custom protocolconverter software was developed to convert the PowerWorldprotocol into the Modbus protocl. The authors carried out aDistributed DoS (DDoS) attack against the testbed, to studythe effect of the attack.

Giani et al. [68] described the architecture of a SCADAtestbed, that will help in designing and testing solutions tocyber attacks against SCADA systems. They envision threedifferent implementations: a) A single simulation-based imple-mentation using a simulation framework such as Simulink. b)A federated simulation-based implementation in which eachcomponent of the architecture is simulated separately usingdifferent technologies, such as Speedup for plant simulations,OMNET++ [69] for network simulation and DEVS for sim-ulating software modules. c) The implementation using realcommercial SCADA devices. Finally, they planned to carryout different attack scenarios, such as DoS attacks on sensors,and phishing attacks against the exchanged data.

Authors in [70] proposed a modular SCADA testbed basedon the Modbus protocol. The OMNET++ simulator and LegoMindstorms NXT [71] are used to simulate components suchas RTUs, MTUs, and HMI. The communication between theaforementioned devices and components is realized through

the TCP version of the Modbus protocol. The authors demon-strated the testbed by performing a DDoS attack against asimulated water plant.

Authors in [72] describe the Mississippi State UniversitySCADA laboratory, which was built to facilitate the researchin the security area of SCADA systems. The testbeds consist ofcommonly used software and hardware components across awide range of industrial applications. The testbeds are dividedinto 2 categories based on their infrastructure. There are 5testbeds that are based on the serial version of the Modbusprotocol and 2 testbeds that are based on the TCP version.

Mallouhi et al. [73] presented a testbed designed to facilitatethe evaluation of security approaches for SCADA systems.The architecture is composed of four main components andthe Modbus protocol is used to support the communicationsrequirements. The Process Control component provides themain monitoring control functions of the SCADA system,through the Modbus client. The PowerWorld tool is usedto simulate the electrical grid component, which consists oftransmission lines, transformers, and generators. The ModbusRSim [74] is used for simulating Modbus PLCs, that monitorthe elements of the electrical grid. The simulated connectionbetween the Process Control and the Modbus PLCs is realizedthrough the OPNET Modeler [75]. In the attack first scenario,it is assumed that the attacker has compromised the HMI,while the second scenario involves DoS attacks against thecommunication network.

A virtualized SCADA security testbed is proposed in [76].The CORE emulator [77] is used as a basis for providingthe SCADA communication infrastructure. The Modbus HMI,master and slave components were integrated as modules inthe CORE emulator. For demonstration purposes, the authorsbuilt a water distribution system and evaluated the impact ofthe DoS and MITM attacks in the system’s performance.

Authors in [78] introduce the PowerCyber testbed located atIowa State University. The testbed consists of three simulatedcomponents, namely control, communication, and physicalsystem. The control component consists of the control center,which provides monitoring and management of the SCADAsystem and the RTUs which are as an interface with the powersystem simulations. The communication component enablesthe connection between the RTUs and the control center, byutilizing the DNP3 and IEC 61850 protocols. The physicalsystem component performs power system simulation usingthe Real Time Digital Simulator platform [79], for performingreal-time power simulation, and the DIgSILENT PowerFactorysoftware [80], for performing non-real-time simulation. Threeattack scenarios were used for evaluating the testbed. The firstscenario is a command injection attack from a compromisedRTU, the second and third scenarios are DoS attack originatingfrom the external and internal network, respectively.

DETERLab [81] is a large-scale emulation facility forcyber-physical systems, geared towards cyber-security experi-mentation. It is based on the Emulab and aims to facilitate theresearch and development program focused on the deploymentof novel methodologies and technologies for experimentalresearch in cyber-security.

The following observations are made: a) Most of the pro-




TABLE VISCADA TESTBEDS

Type Protocol Software Used Attacks

[64] Physical IEC61850,Modbus,DNP3

N/A N/A

[65] Simulated Modbus PowerWorld, RINSE,Custom protocol con-verter

DDoS

[68] Simulated&Physical

N/A Simulink, OMNET++ DDoS, MITM


Modbus OMNET++, LegoMindstorms NXT

DDoS


Modbus N/A No attacks per-formed

[73] Simulated Modbus PowerWorld, ModbusRSim, OPNET

Command Injec-tion, DoS

[76] Simulated Modbus CORE Emulator DoS, MITM[78] Simulated

&Physical

DNP3,IEC61850

Real Time DigitalSimulator platform,DIgSILENTPowerFactory

Command Injec-tion, DoS

[82] Simulated N/A Emulab DDoS

posals leverage simulation techniques in order to simulate thewhole SCADA system or several components of the system. b)The Modbus protocol is used in almost all proposals to providecommunication infrastructure. c) A range of commercial andopen source software was used for performing the simulations.d) The most commonly implemented attack type is the DoS,followed by the MITM. There are certain proposals thatimplemented a command injection attack.

G. Discussion

In this section, we listed certain high-impact security in-cidents in SCADA systems, discussed the SCADA securityobjectives, analyzed the attack types against those systems andpresented several SCADA security testbeds. There are over200 reported security incidents, mainly in the United States.We distinguished certain high-impact incidents, in order toshow the importance of protecting SCADA systems againstcyber-attacks. The impact of those attack ranges from lightservice disruption to more serious, such as critical data inter-ception and equipment destruction. Several of those attacksalso had a direct effect on public health and safety, whileothers were successfully mitigated without having irreversibleconsequences.

According to the study in [7], the priorities of the se-curity objectives are different between standard computerand SCADA systems (Fig. 28). Ensuring the confidentialityof user information has the highest priority in the securityof standard computer systems. On the other hand, ensuringsystem availability has the highest priority in SCADA systems.Any violation of those objectives is considered as a threatagainst the system. An adversary can exploit the system’svulnerabilities in order to compromise the system, by violating

these objectives. The SCADA protocols are vulnerable by de-sign to the external networks (i.e., the Internet). For example,both Modbus and DNP3 protocols do not support any accessmechanisms and the communication process is unencrypted.Any user or device that has access to the network can actas a legitimate machine and intercept data or inject malicioustraffic.

Confidentiality

Integrity

Availability Confidentiality

Integrity

Availability

Prio

rity

SCADA SystemsStandard Computer Systems

Fig. 28. Security Priority Comparison

Similarly to conventional computer systems, SCADA sys-tems are vulnerable to attacks aiming at the lower OSI layers(i.e., transport, network, and data link layers). However, thehigher layer attacks vary, based on the SCADA communicationprotocol. The attacks can violate one or more of the securityobjectives and can be targeted or untargeted. Most of theattacks violate the availability and confidentiality objectivesof the SCADA systems. There are several studies that analyzeand categorize the attacks based on their type, protocol, andlayer.

Lastly, this section includes a review of SCADA securitytestbeds that have been developed in order to assist security re-searchers. The testbeds are mainly simulated, or a combinationof physical and simulated components. Most testbeds are basedon the Modbus protocol as it is the most acclaimed protocol,due to its open specifications and high availability of hardwareequipment. The software used for the simulation consists ofopen source and commercial tools that can simulate SCADAdevices and large industrial networks. Finally, the testbedswere evaluated by testing them against common cyber-attacks,such as DDoS, MITM and command injection.

IV. SCADA SECURITY PROPOSALS

This section provides a thorough review of works that aimto secure SCADA systems. Firstly, we review the works thatare not protocol-specific and can be realized with any SCADAsystem. Afterward, we review works that specifically target theModbus, DNP3 and PROFINET protocols, respectively.

We adopted a review approach similar to the one presentedin [83]. The approach (that is based on [84]) suggests exploringthe most established literature sources, article databases andproceedings and carrying out backward and forward analy-ses to determine earlier relevant documents. We extensivelysearched the databases of well-known publishers in the areasof network and computer security, computer science, andindustrial systems, including the Institute of Electrical and




Electronics Engineers (IEEE), Elsevier, Springer, Associationfor Computing Machinery (ACM), and Wiley. The searchingterms include the following keywords: "SCADA security","SCADA intrusion detection", "SCADA cyberattacks", and"SCADA threats". The search returned 50.000 research papersthat were published within the last decade. These papers werefiltered by examining their titles and abstracts. The filteringresulted in about 120 research papers, which were manuallyanalyzed in order to identify the ones relevant to the aim ofthis work. Consequently, 39 research papers were selected tobe reviewed in-depth in this section.

A. SCADA Attack Detection Solutions

Table VII provides a summary of the security tactics thataim to secure a SCADA system. The Approach columndescribes the approach of the proposal as follows: The AttackDetection approaches aim to detect an ongoing attack and raisealerts. The Traffic Classification approaches process networkflows and classify it as normal or malicious behavior. TrafficEncryption approaches leverage cryptographic algorithms toencrypt the data. The Methodology column of the tabledescribes the specific methods or algorithms that were used,while the Testbed column provides information about theimplementation of the testbed that validates the performanceof the solution. The Reported Challenges column notes thevarious challenges that the authors encountered. Finally, theEvaluation Results column lists the overall accuracy of theproposed solution.

Linda et al. [85] presented an anomaly-based intrusion de-tection system based on the combination of two neural networkalgorithms, namely the Levenberg-Marquardt [86] and the Er-ror Back-Propagation [87] algorithms. A window based featureextraction approach was adopted in order to extract certainkey features from the packet header. The proposed detectionsystem consists of the dataset construction and the process oftraining the neural network. During the dataset construction,both normal and malicious traffic are used. The training setis fed to the combination of the Levenberg-Marquardt and theError Back-Propagation algorithms. The performance of theproposed approach was tested using recorded network trafficdatasets, consisting of normal traffic and attacks generatedfrom tools such as Nmap, Nessus, and Metasploit. The resultsshow that the proposed approach achieved a perfect detectionrate with no false positives.

Authors in [88] proposed an attack detection approach basedon Critical State Analysis. The system’s state is modeled afterthe values of certain critical components. By the continuousmonitoring of the system, it can be predicted whether thesystem is heading to a critical state. Several tests were carriedout in real testbeds in order to validate the of the proposedapproach in terms of accuracy and average detection time. Theresults indicate an accuracy rate of 99% and less than 1% falsepositive rate.

Yang et al. [89] proposed a hierarchical multi-attribute IDStailored to SCADA systems. The proposed IDS consists of thefollowing components: a) The access-control whitelist, whichexamines the addresses in the ethernet, network and transport

layers. If a corresponding source and destination pair is not inthe whitelist, the IDS takes a predefined action, such as raisingan alarm. b) The protocol-based whitelist, which only permitsthe traffic that complies with specific protocol specifications.c) The behavior-based rules that define normal behavior byperforming deep packet inspection. The behavior rules arebased on the correlation of relevant measured values, the timeand frequency related constraints, the packet length, and thepermitted function codes. If a packet fails to be validatedby any of the aforementioned components, it is consideredmalicious. The experimental validation was performed in a realgrid-connected photovoltaic system, by carrying out MITMattacks. The experimental results show that the proposed IDSsuccessfully detected all the attacks with minimal latency.

An unsupervised anomaly detection approach was proposedin [90]. The proposed approach is a combination of twonovel techniques: the identification between consistent andinconsistent data states, and the instantiation of rules regardingthe detection of state proximity. The consistency of sensormeasurements and actuator control data indicates the normalstate of the system’s operation, while any inconsistency willindicate malicious activity. The SCADA system specificationsdefine the consistent data. The separation between consistentand inconsistent states is performed based on two assumptions.Firstly, the amount of consistent data is higher than the amountof the inconsistent ones. Secondly, the inconsistent data fea-tures are statistically different. After the state identification,detection rule extraction is performed. The extracted rules areable to fully represent the system states. The authors per-formed MITM attacks in a simulated water distribution system.The performance of the proposed approach was evaluated interms of accuracy and computational complexity.

Wang et al. [91] proposed a method for detecting injec-tion attacks based on the relations between the variables ofthe system. The proposed method consists of three steps.In the Component Analysis step, the internal relations be-tween variables are analyzed, while in the Detection ModelGeneration step, a graph-based detection model for efficientdetection is designed. Finally, in the Origins Inference step,the inference model detects the intrusions and indicates thepossible origins. A simulated power plant boiler was used toevaluate the proposed approach. The values of the boiler werebeing recorded every second for 2000 seconds, while randomvariables were selected and injected with arbitrary data, withinits valid range. The results show that the proposed approachsuccessfully detected all the injection attacks, in cases that theaffected variables were few. However, the detection accuracydropped significantly in the case of injection attacks affectingmany variables.

Ponomarev and Atkison [92] proposed an IDS that uti-lizes network telemetry to detect cyber attacks. The fol-lowing network telemetry features were selected: responsetime, client-side and server-side dropped packets, elapsed timebetween dropped packet retransmission. In order to achievehigh accuracy many classification algorithms were utilized,such as REPTree [93], Naive Bayes [94], Simple Logistic [95],Ripple-Down Rule [96], and J48 [97]. The evaluation testbedconsists of simulated PLC units that generate both benign




and malicious traffic. The results show that the proposed IDSachieves 94.3% overall accuracy, 5.70% false positives and nofalse negatives.

Authors in [98] presented two algorithms to detect intru-sions in SCADA networks. The first algorithm, called IntrusionWeighted Particle based on the Cuckoo Search Optimization[99] (IWP-CSO), is used for extracting and optimizing thefeatures obtained from the dataset. The second algorithm,called Hierarchical Neuron Architecture based Neural Network(HNA-NN), is used to perform the classification based onthe optimized features. The performance evaluation was car-ried out in a simulated environment and considered differentdatasets. The combination of the proposed algorithms achievesan accuracy rate of 93.1%

Khan et al. [100] proposed a multi-level approach foranomaly detection for SCADA systems. A Bloom filter con-stitutes the first level, where the packets are analyzed. If thesignature of a packet does not match a set of pre-installedsignatures, then the packet is consider malicious and it isdropped. The packets that have been considered as benign bythe fist level will be forwarded to the second level. In thesecond level, the packets will be analyzed by a classifier k-nearest neighbors classifier. Similarly, the packets that will beclassified as abnormal will be dropped. The authors carried outperformance evaluation experiments using a real gas pipelinesystem dataset. The evaluation results indicate 97% accuracyand 98% precision.

B. Modbus

Table VIII summarizes the Modbus protocol security pro-posals, and shares the same format with VII. Cheung etal. [101] designed an anomaly detection-based Modbus IDS,that involves analyzing of TCP headers, pattern recognition,and data monitoring, combined with custom Snort rules. Theconstruction of proper detection models is challenging, as itmay lead to high false alarms. However, the communicationpatterns in SCADA networks present more static behavior thanthe common ones, so it is feasible to define the expectedcommunication patterns. The authors conclude that a model-based intrusion detection is a promising approach for securingSCADA systems.

Authors in [102] describe a modified version of the Modbusprotocol that utilizes anti-replay techniques and authenticationmechanisms. The proposed module consists of four compo-nents. The Stream Builder which extracts the payloads fromthe packet stream and sends them to the other components, theEncryption/Decryption Unit which uses the RSA algorithmto encrypt and decrypt the payloads, the SHA-2 Validatorthat validates the messages, and the ADU Builder/Readerthat constructs the Modbus ADUs. The proposed module wastested in an experimental power plant testbed, in order toevaluate the performance in terms of latency and overhead.

Goldenberg et al. [103] modeled the Modbus communica-tion traffic using Deterministic Finite Automation (DFA). Theproposal is based on the highly periodic traffic pattern. Thestatic communication pattern of SCADA networks enables themodeling of each communication channel as a DFA. The DFA

consists of certain states and transition functions. A thresholdvalue is used to detect the presence of unknown transitionsbetween states in the DFA model. The results indicate thatmost of the unknown transitions were indeed attacks or falsealarms.

A set of SNORT rules for both the seiral and TCP/IPversions of Modbus were proposed in [104]. The proposedrules consist of the name, the applicable protocol (TCP orSerial), and the rule text.

Authors in [105] develop a security solution for the Modbusprotocol, by deploying security functions in the messagingstack prior to transmission. The Modbus PDU bytes areencrypted using AES [106], RSA [107], or SHA-2 [108] algo-rithms, while the secret key is exchanged between the masterand the slave using a separate secure channel. The efficiencyof the proposal is verified by attacking a Modbus testbedusing a variety of authentication, integrity, non-repudiation andconfidentiality attacks.

Erez and Wool [109] designed an anomaly detection sys-tem based on the Modbus protocol registers. An automatedprocess for register classification was developed, based onthe following observations: the sensor register values featureda stationary distribution, the counter register values featuredmonotonic non-decreasing behavior, and the constant registervalues featured zero variance. The classification algorithm isa single-window decision tree, which evaluates whether theexamined traffic matches to one of the aforementioned ob-servations. In the learning phase, different behavioral modelswere developed for each of the observations, by training thesystem using legitimate traffic. In the enforcement phase,any deviation from the corresponding behavioral model isconsidered an anomaly. The evaluation results indicate thatthe false alert rates are 1.62%, 0%, and 0.88%, for the sensor,counter and constant registers respectively.

In [110], the authors designed an industrial firewall, basedon the Modbus TCP protocol, that combines security policieswith deep packet inspection methods. The firewall is realizedin a Linux platform by using the iptables tool. The industrialcontrol network is divided into different security zones, eachzone featuring different security policies. The data are capturedand processed in real time, in order to determine whetherthey comply with the specified policies. An environment thatsimulates a PLC that drives an electric motor, was used to val-idate the reliability of the proposed firewall. The experimentsindicate that the SYN/ACK flood attacks [111], that were usedagainst the protected network, were successfully intercepted.

Deng et al. [112] used Support Vector Machine (SVM)[113] to identify abnormal traffic. The Modbus TCP data arepreprocessed to remove unnecessary information so that onlythe function codes and coils remain in each sequence. In theproposed solution, the frequency of function codes and thenumber of coils suffice for the classification of the traffic.The experiments were carried out using different SVM kernelfunction, having accuracy results of 76.05% for the linearkernel function, 89.61% for the polynomial kernel functionsand 96.55% for the radial basis kernel function.

Li et al. [114] utilized Decision Trees and Neural Networksto classify datasets composed of normal and malicious traffic.




TABLE VIISCADA ATTACK DETECTION SOLUTIONS

Reference Approach Methodology Reported Challenges Evaluation Results

[85] TrafficClassifica-tion

Anomaly-based intrusion detection system basedon the Error Back-Propagation and the Levenberg-Marquardt algorithmsPerformance evaluation based on recorded datasets,consisted of both normal and malicious traffic

Signature-based IDSs generate high num-ber of false negativesIDSs should be continuously update inorder to detect new attacks

100% detection rate0% false positives

[88] SystemVariableInspection

System’s state modeled after critical component mea-surement valuesDetection based on the system’s proximity to criticalstateEvaluation in a real testbed considering accuracy andaverage detection time

Similar approaches cannot discriminatebetween accidental faults and cyber at-tacks

99% true positives1% false negatives

[89] AttackDetection

Proposal of an IDS that examines all layers of theSCADA systemPerformance evaluation in a real photovoltaic systemconnected to the grid

Most security countermeasures examineincoming traffic from external networks,without considering the traffic from theinternal network

100% detection rate


Combination of two techniques for identifying theSCADA system’s stateExperimental evaluation in a simulated environment,considering the accuracy and computational com-plexity

Feeding the entire captured datasets to theIDS requires high amount of storage andcomputational power, in order to classifythe traffic

The proposed approach hassignificant accuracy in detect-ing inconsistent states.

[91] SystemVariableInspection

Proposal of a graph-based detection scheme basedon the relations of the variables among the SCADAsystemPerformance evaluation using a simulated boiler ofa real power plant

Most IDSs are inefficient to detect attacksthat deeply target a critical control com-ponentThe IDSs cannot detect an attack re-peatedly performs slight modifications tocompromised control components

100% for few affected vari-ables65% for many affected vari-ables


Leverage of network telemetry data in order toclassify SCADA network trafficUtilization of multiple classification algorithmsPerformance evaluation using simulated PLCs

Attack detection based on networktelemetry can detect attacks, that are un-able to be detected by considering onlythe application and network data

94.3% overall accuracy5.70% false positives0% false negatives


Combination of IWP-CSO for feature optimizationand HNA-NN for classificationExperimental validation in simulated network

Deployment of network based IDS inSCADA networks is challengingThe high amount of dataset features pro-duces high false alarm rate for unkownattacks

93.1% accuracy


Proposal of a multi-level approachThe first level utilizes a Bloom filter, while thesecond one utilizes the k-nearest neighbor classifier

Most IDS cannot analyze SCADA trafficReal-world datasets are required in ordertrain accurate classification modelsThe analysis of network traffic is notalways sufficient

97% accuracy98% precision

The datasets were collected from a simulated factory envi-ronment based on Modbus protocol. The test environmentwas operating for a few days while four kinds of attackswere carried out, namely reconnaissance attacks, commandand response injection attacks, and DoS attacks. The generateddataset consists of 64692 instances of which 59842 werenormal, while the rest were malicious. The J48 decisiontree algorithm was used for classification, having 99,83%accuracy. Two neural networks with 1 and 2 hidden layers wereconstructed. The accuracy results were 97.41% and 97.46%respectively.

Yusheng et al [115] proposed an innovative two-part algo-rithm for intrusion detection. The rule extraction part consistsof three modules. The deep protocol parser analyzes boththe TCP/IP layers and Modbus application layer, in orderto extract the key fields of the packets. The key fields arethe IP addresses, ports, sequence numbers, acknowledgmentnumbers, payload length for the TCP/IP layers and transaction

identifiers, protocol identifiers, unit identifiers, function codesand reference numbers for the Modbus application layer. Thenormal rule set is generated by analyzing the relations withinthe protocol packet, the relations between the devices, andanalyzing the periodicity of the packets. The abnormal rulesare generated by extracting and analyzing the features andpatterns of the attack behavior (e.g., DoS attacks). The deepinspection part of the proposed algorithm performs real-timedeep packet inspection in order to identify which set of rulesthe inspected packet belongs to. The performance of theproposed algorithm was evaluated in a simulated environment.The results indicate that the proposed algorithm was able tosuccessfully detect all the attacks, namely DoS, MITM, andRelay attacks.

Authors in [116] proposed an intrusion detection method forthe Modbus TCP protocol based on honeypots. The Conpottool was used to simulate a Modbus device in order to capturethe traffic sequences. Agglomerative hierarchical clustering




[117] was applied to the captured sequences based on a simi-larity factor. For each cluster, the sequence with the maximumaverage similarity was selected as the representative sequenceof the cluster. These representative sequences were comparedwith existing attack sequences and based on their similarity,the whole cluster is classified as normal or abnormal. Theauthors evaluated both the effect of the similarity factor onthe identification of five attack types and the accuracy of theproposed solution. The results indicate that the accuracy of theIDS was 92% with 0% false positives.

Dong and Peng [118] proposed an SVM algorithm toclassify attacks on a Modbus network. The Wireshark tool[119] was used for capturing and parsing of data packets froma real Modbus device. The captured data was processed intosequences of function codes and register address combinations.The combination of function codes and register addressesis used to calculate the frequency of the sequence of pat-tern subsequences and then map the frequency to the samedimension eigenvector. The conversion of the combinationof different lengths to the same length vector is used todescribe the communication features of several packets in theModbus TCP/IP communication process. The experimentalresults indicate that the classification accuracy is 94.13%,which shows that the proposed SVM algorithm has a certainadvantage in the training of small samples.

The authors in [120] propose an IDS based on the BroIDS to detect any abnormal behavior of a system that utilizesthe Modbus communication protocol. A simulated testbedwas utilized in order to evaluate the performance of the BroIDS implementation. The evaluation results indicate that theproposed IDS implementation successfully detected the attacksthat were carried out, namely the MITM and sensor calibrationattacks.

C. DNP 3

Table IX summarizes the security proposals that aim toensure the security of the DNP3 protocol. The table shares thesame format with VII. Authors in [121] present the DNPSecframework, which aims to enable confidentiality, authenticity,and integrity in the DNP3 protocol. . The main advantageof the proposed framework is that it does not require anymodification to the applications or devices, as it only changesthe data format of the DNP3 Data Link Layer. DNPSecencrypts the frame and inserts a header, followed by a keysequence number at the start of the DNP3 frame, and anauthentication data field at the end. The header is used foraddressing and indicating the start of a new session, whichrequires the slave devices to fetch a new session key from thedatabase. The session keys are generated by the master deviceand inserted into the database. The key sequence numbercontains a counter value, which is increased each time themaster device sends a message. If the counter reaches the limit,the master terminates the session and starts a new one. Theauthentication data field is used for the integrity check of theDNP3 frame.

Mander et al. [122] implemented a set of security rulesfor data transmission between DNP3 devices. The proposed

security rules focus to the DNP3 function code, object type,qualifier field. If a frame does not comply with those rules itis discarded.

Bai et al. [123] proposed an rule-based anomaly detectionframework, consisting of two operating modes. In the trainingmode, the normal rule set is built from the collected data ofpossible normal behavior. In addition to the TCP/IP headers,the DNP3 payloads are also parsed and analyzed. In theonline mode, the traffic is classified based on its deviationfrom the initial normal rule set. The xMasterSlave simulationsoftware was used to set up the DNP3 testbed, emulating areal environment. A series of attacks were carried in order toevaluate the performance of the framework. The results showthat the framework features 0.15% rate for false positives and0.09% rate for false negatives.

Li et al. [124] analyzed the security shortcomings of theDNP3 protocol and proposed a Snort detection rule templatefor abnormal traffic. The template defines the format of therule’s header which consists of seven parameters and the rule’sbody consisting of ten parameters. A rule against DoS attackswas generated as a practical example.

Amoah et al. [125] developed a security mechanism forthe broadcast communication mode of the DNP3 protocol.The existing DNP3 Secure Authentication (DNP3-SA), whichis intended for the unicast communication mode, utilizesthe challenge-response approach. Nevertheless, this scheme isunsuitable meaning for the broadcast communication mode,as the master station must exchange and store a number ofchallenges and response messages with each device. Thiswill introduce delays and increase communication overhead,which renders the DNP3-SA impractical for broadcast com-munication. The proposed scheme utilizes the cryptographicprimitives (i.e., AES-128, AES-GMAC, SHA-1-HMAC, andSHA-256-HMAC) specified in existing DNP3-SA, in orderto effectively secure DNP3 broadcast communication againstinjection, relay and spoofing attacks. Finally, the authorsevaluated the performance of the proposed scheme in termsof computational and storage overhead.

Nivethan and Papa [126] presented an extension of Linux-based firewalls for securing DNP3-based infrastructures. Theproposed scheme uses the iptables tool [127] in order toinspect the payload of a DNP3 message and identify suspi-cious DNP3 commands. The authors evaluated the firewall bydeploying a rogue DNP3 device in a real smart-grid testbed,in order to generate malicious messages. The firewall was ableto detect and block all the malicious messages.

Lin et al. [128] presented a semantic analysis framework fordetecting and mitigating control command injection attacks.The Bro IDS and the DNP3 analyzer were utilized to validatethe network packets and detect attacks at the protocol level.Based on the extracted semantics, the effect of the commandsare evaluated by the IDS prior to their execution. The authorssimulated a small-scale power system and injected maliciouscontrol commands in the network. The experimental resultsindicate 0.78% rate for false positives, 0.01% rate for falsenegatives and a response latency of about 200ms.

Authors in [129] designed an authentication and encryptionprotocol for the DNP3 broadcast communication mode. The




TABLE VIIIMODBUS SECURITY SOLUTIONS



Model-based detection, exploiting the static commu-nication pattern of SCADA networksDeveloped Snort rules for detecting violationsExperimental validation in real network

Difficulty in constructing proper detec-tion modelsMany false alarms in case of inaccuratemodels

Model-based intrusion detec-tion is a promising approachfor monitoring SCADA net-works

[102] TrafficEncryp-tion

Proposal of a secure module that encrypts/decryptsand validates the payloads, before constructing theADUsPerformance evaluation in experimental power planttestbed

Traditional security measures do not ad-dress attacks that target the SCADA com-munication protocols

No evaluation test were per-formed in terms of accuracy


Deterministic Finite Automation-based approachUnsupervised training for the modelValidation using real power grid data

The shortcomings of Modbus in terms ofsecurity allows attackers to easily injectmalicious Modbus messages in the net-workThe proprietary nature and potential sen-sitivity of SCADA operations complicatethe acquisition of real SCADA data

Successful detection of realanomaliesVery low false-positive rates


Set of Snort rules for both TCP and Serial Modbus No challenges were reported No evaluation tests were per-formed


Encryption using AES, RSA, SHA-2 algorithmsKeys distributed through a secure channelValidation in simulated environment

The Modbus protocol does not incorpo-rate any security features

98% in unicast communication95% in broadcast communica-tion


Anomaly detection based on the deviation from thestandard behavior model

The validity of the data values is a criticalaspect of the SCADA system security

False rates:0.86% Overall1.62% for sensor registers0% for counter registers0.88% for constant registers


Iptables-based firewall that performs real-time deeppacket inspectionValidation in simulated environment

Current firewall technologies are mainlyfocused on the protection of traditionalcomputer networks

The proposed firewall success-fully intercepted the performedattacks


Support Vector Machine algorithmsClassification based on Modbus function codes andnumber of coil

The Modbus protocol does not incorpo-rate any security features

76.05% linear kernel function89.61% polynomial kernelfunctions96.55% radial basis kernelfunction


Decision Tree & Neural Network algorithmsDataset collected from a simulated realistic testbed

The common traffic datasets such asKDD99 are obsolete and unsuitable forSCADA traffic

99.83% decision tree97.41% 1-layer neural network97.46% 2-layers neural net-work


2-part IDS algorithm that involves normal and abnor-mal rule generation based on the datasets and deepreal-time packet inspection for detecting attacksSimulated real environment

Pattern matching approaches have highcomputation load and low accuracyThe Modbus protocol has certain vulner-abilities by design

100% detection rate0.045% false positives


Utilization of a honeypot system to capture attacksequencesClustering similar sequencesExtraction of representative sequence for each clusterClassification of each clustered based on the sim-ilarity of the representative sequence with existingsequencesSimulation of a Modbus smart meter using Conpot

The reported attacks on Modbus oftenpresent unexpected patterns, which com-plicates the accuracy of the IDS

92% detection rate0% false positives


Support Vector Machine classification algorithmModel based on function codes and register ad-dresses combinationsData captured from a thermal power unit usingWireshark

The relative small amount of abnormalSCADA data imposes imbalance of pos-itive and negative samples to the trainingprocess

94.13% detection rate


Implementation of Bro IDS that monitors a simulatedtestbed No challenges were reported

The proposed IDS implemen-tation can successfully detectthe two attacks that were car-ried out




proposed DNP3 Broadcast Authentication and Encryption(DNP3-BAE) protocol consists of two sub-protocols. TheIdentity Authentication and Key Agreement, which providesperiodic verification of the device’s identity and security status,while the Key-update and Broadcast Message Authenticationfacilitates the key-exchange and encryption of the communica-tions, using the existing DNP3-SA encryption primitives. TheSPAN tool was used to simulate the protocol function and ver-ify the security of the protocol. The verification results showthat the proposed solution can effectively protect sensitive dataand accurately authenticate the entities of the network.

D. PROFINET

Table X provides a summary of the reviewed securitysolutions regarding the PROFINET protocol. The table sharesthe same format with VII.

Paul et al. [130] performed vulnerability and attack analysisof the PROFINET protocol. The results of the analysis wereused for developing an IDS tailored to the security require-ments of the PROFINET protocol. The proposed networkIDS is based on N-gram anomaly detection and utilizes deeppacket inspection in order to identify protocol messages. Theresulting protocol messages are split into sequences of nevents, called n-grams. Machine learning approaches are usedfor training and distinguishing between normal network trafficand anomalies.

Authors in [131] modified the Snort packet decoding engineto enable processing of PROFINET real-time data. The exper-imental results show that the modified Snort can effectivelydetect intrusions in real-time.

Pfrang and Meier [132] presented two attack techniquesthat can compromise a PROFINET device. The first attackis based on switch port stealing, while the second exploitsthe PROFINET’s DCP command to perform a reconfigurationattack. The authors proposed an attack detection scheme,by broadcasting alerts in case of modification of the switchand PROFINET device configuration, respectively for eachattack. To perform validation of the proposed scheme theyutilized real PROFINET components and virtual machines andswitches to build the testbed. They considered 14 differentattack scenarios, utilizing the aforementioned attacks anddifferent network topologies. The experimental results showthat 6 of the 14 attack scenarios were successfully detected.

Authors in [133] proposed an anomaly detection scheme forPROFINET networks. The captured data are processed usingthe sliding window algorithm to extract a subset of traffic-related features, while an artificial neural network is usedto classify the traffic based on those features. The securityscheme was applied to three real PROFINET networks ofdifferent sizes. The authors performed experiments in orderto find the optimal extracted features as well as the optimalnumber of artificial neural network parameters. The reportedoverall accuracy of the proposed scheme is over than 90%.

E. Other SCADA Communication Protocols

Table XI provides a summary of the reviewed solutionsregarding other SCADA communication protocols. The format

of this table is the same as the previous ones, with anadditional column that denotes the utilized SCADA commu-nication protocol.

The authors in [134] proposed a set of Snort rules inorder to detect attacks in substations utilizing the IEC 61850communication protocol. The network traffic of a series ofsimulated attacks was captured and analyzed in order toextract the detection rules. The evaluation results show thatthe proposed system is capable of detecting malicious attacks.

Yang et al. [135] proposed a rule-based IDS using a deeppacket inspection method that includes signature-based andmodel-based detection approaches tailored to the IEC 60870communication protocol. In addition, they implemented theproposed rule-based IDS using Snort. The experimental resultsindicate that the proposed rule-based IDS can effectivelyidentify malicious traffic.

The authors in [136] present an anomaly-detection modelfor IEC 61850 through normal-behavior profiling of theexchanged packets. Specifically, the authors used a SVMalgorithm to create the normal-behavior models and installedthese models in the anomaly detection engine. For the perfor-mance evaluation, they carried out experiments using packetscollected from a real IEC 61850 substation. The performanceresults feature accuracy values of 98.98% and 98.56% forMMS and GOOSE messages, respectively.

An IDS for IEC 61850 substations is presented in [137].The proposed IDS approach provides anomaly-based andparameter-based detection. The main idea of parameter-baseddetection is to monitor significant operation parameters of thesubstation. A cyber-physical testbed was developed in order tovalidate the proposed IDS, while the experimental results wererecorded in a log file. The results indicate that the proposedIDS can effectively detect cyber attacks.

Wong et al. [138] consider the security of the EtherNet/IPcommunication protocol, by expanding Suricata’s parser in or-der to decode EtherNet/IP packets. Moreover, they conductedperformance evaluations in terms of packet drop rate and CPUusage.

The authors in [139] expanded the Snort tool to processEtherCAT frames. In addition, they developed an initial set ofrules in order to evaluate their Snort expansion. However, theauthors have not included any evaluation results.

V. SCADA SURVIVABILITY AND RESILIENCE

In the previous section, a number of SCADA defensemechanisms against cyber threats was presented and discussed.The reported results highlight the high performance levelof these mechanisms. Nevertheless, there are cases where adefense mechanism cannot detect and mitigate every threat. Insuch cases, attacks that reduce the availability of the system,such as DoS and virus attacks, can disable critical componentsof the infrastructure. In addition, the aforementioned defensemechanisms cannot protect the infrastructure from physicalthreats such as natural disasters, or physical attacks.

The network topology has a crucial impact on the surviv-ability and resilience of the SCADA system. The SCADAcommunication protocols, that were presented in Section II




TABLE IXDNP3 SECURITY SOLUTIONS



Modification of the Data Link Layer by adding twofields at the start and one at the end of the framerespectively

Ensurance of the confidentiality, integrityand authenticity with minimal modifica-tions to the system

No evaluation tests were per-formed


Implementation of security rules to filter out trafficthat do not comply to those rules

Protection against malicious traffic, orig-inating from corporate networks



Rule based anomaly detectionNormal rule-set was built from analyzing TCP/IPheaders and DNP3 payloadsA realistic environment testbed was simulated usingthe xMasterSlave tool

TLS and IPSec protection techniquesonly secure the layers below the appli-cation layer, without considering the se-curity of DNP3 application layer

0.15% false positives0.09% false negatives


A rule design template for Snort is proposedAn example rule for detecting a potential denial ofservice attack was presented

DNP3 protocol was initially designedfor isolated networks, however with itsincreasing integration with the Internetcertain design shortcomings arise



Proposal of a DNP3-SA for broadcast communica-tionUtilization of the existing DNP3-SA cryptographicprimitivesBroadcast messages are verified through a hash chain

The existing DNP3 Secure authenticationmechanism is limited to unicast commu-nication mode only

Performance evaluation interms of computational andstorage overhead

[126] FirewallExtension of iptables to filter common attacks on theDNP3 protocolEvaluation on real smart-grid testbed

The use of TCP/IP for communicationexposes the SCADA systems to Internetthreats

The approach successfully de-tected and blocked the mali-cious messages


Bro IDS and DNP3 analyzer for validation of packetsand extraction of control commands semanticsPower flow analysis of the semantics to evaluate theexecution consequencesSimulation of a small-scale power system

Control-related attacks modify certainpacket fields, which are encoded in a le-gitimate packet format, making the attackdetection challenging

0.78% false positives0.01% false negatives200ms latency


Proposal of an authentication and encryption proto-col for the DNP3 broadcast communication modeUtilization of DNP3-SA encryption primitivesSimulation and verification of the proposed schemeusing the SPAN tool

The existing DNP3 Secure authenticationmechanism is limited to unicast commu-nication mode only

The verification results showthat the proposed solutioncan effectively protect sensi-tive data and accurately au-thenticate the entities of thenetwork

TABLE XPROFINET SECURITY SOLUTIONS



Deep packet inspection to identify PROFINET mes-sageMessages are split into streams in order to applymachine learning techniques

Firewalls are inadequate in protectingagainst attacks that are initiated frominside the networkSCADA systems require implementationof multi-stage security



Modification of the Snort decode engine to processPROFINET real-time data

Snort is inadequate for PROFINET real-time data



Real PROFINET components and virtual machinesand switches were utilized to build the testbed

The PROFINET protocol lacks inher-ent security mechanisms, making it ex-tremely vulnerable to attacks

6 of the 14 attack scenarioswere successfully detected


Sliding Windows Algorithm for feature extractionArtificial Neural Networks for traffic classificationbased on the extracted featuresPerformance was validated in three different sizedPROFINET networks

The are limited research works that con-sider the real-time PROFINET protocol Over 90%

utilize a number of topologies, each one offering differentadvantages and disadvantages, that enable the connectionbetween the controller and the field devices. The bus, tree,

and daisy-chain topologies are the simplest and the most cost-effective, as they connect the devices in series. However, incase of a failing node due to an attack or a wiring fault, only




TABLE XIOTHER SCADA PROTOCOLS SECURITY SOLUTIONS

Reference Protocol Approach Methodology Reported Challenges Evaluation Results

[134] IEC 61850 AttackDetection

Development of Snort rules for IEC61850

Attack detection in IEC 61850 systems ischallenging, due to the limited processingcapabilities of the devices

The proposed system is capa-ble of detecting the maliciousattacks


Development of a Snort-based IDSthat uses deep packet inspection

IEC 60870 transmits messages in cleartext without any encryption mechanism.

The proposed system is capa-ble of detecting the malicioustraffic

[136] IEC 61850 TrafficClassifica-tion

Utilized SVM to create behaviormodels of a substation

Signature-based and rule-based anomalydetection approaches cannot detect novelattacks

98.98% accuracy for MMSmessages98.56% accuracy for GOOSEmessages


Proposed an IDS that utilizesanomaly-based and parameter-based detection approaches

No challenges were reportedThe results indicate that theproposed IDS can effectivelydetect cyber attacks.

[138] EtherNet/IP AttackDetection

Expansion of Suricata in order toprocess EtherNet/IP packets

Surricata cannot analyze EtherNet/IPpackets

Less than 2% drop rate20–120% CPU usage

[139] EtherCAT AttackDetection

Expansion of Snort in order to pro-cess EtherCAT frames

Snort stops the analysis after decodingthe Ethernet frameThere are no Snort rules for the Ether-CAT protocol

No evaluation results were pre-sented

the devices deployed up to this point will have a connectionwith the control center. The point-to-point and star topologiesoffer more resilience against failures, compared to the bus,line, and daisy-chain. The peer-to-peer and ring offer themost resilience in case of failures, as there are multiplepaths between the controller and the devices. Finally, themore recent and advanced SCADA communication protocols(such as the ones that are based on Ethernet technologies)implement acknowledgment mechanisms that guarantee thecorrect exchange of data.

To this end, the survivability concept was developed, whichrequires a certain functions of a SCADA system are opera-tional even if parts of the infrastructure are compromised ordestroyed. This section provides a review of proposals thataim to evaluate and/or ensure the survivability and resilienceof SCADA systems.

Authors in [140] present a model for survivability of SmartGrid under vulnerabilities and severe emergencies. They utilizeconcepts from graph theory to analyze the vulnerabilities andtheir impact on the performance of the network. Using thepresented model, they examine the survivability of an IEEE-118 bus system under random and targeted cyber attacks.

Queiroz et al. [141] propose a probabilistic model thatpredicts the survivability of SCADA systems The proposedmodel utilizes network traffic to create a Bayesian networkbased on the data exchanged among services. The performanceof the proposed model was evaluated through a demonstrationscenario involving a SCADA network under cyber attacks.

Authors in [142] propose an extensible and flexible frame-work for SCADA survivability, based on interdependencymodeling. The framework aims at vulnerability reduction byanalyzing both structural and functional vulnerabilities. Inaddition, they model an IEEE-30 bus of Smart Grid andSCADA networks under random node failures and physical

attacks targeting many nodes. Using this model, the level ofrobustness is investigated by measuring the functionality ofthe system as a function of the node failures.

Kirsch et al. [143] present a robust SCADA system capableof surviving a partial compromise based on intrusion-tolerantstate machine replication. They also discuss SCADA systemssurvivability requirements and provide an overview of noveltechniques that integrate intrusion-tolerant replication mecha-nism to SCADA systems. Finally, they evaluated the systemperformance in terms of latency, accuracy, and scalability.

In [144], the authors present a survivable intrusion-tolerantreplication model, that ensures the reliability across diversesystem components and the resilience of the system overits lifetime. The model was evaluated through experimentsinvolving both physical and virtualized environments.

Lopez et al. [145] introduce a MultiPath TCP scheme forSCADA systems based on the Modbus protocol. By utiliz-ing multiple subflows over the network interfaces, SCADAsystems are protected against network failures. A series ofsimulations involving scenarios of link failures and DDoSattacks was carried out in order to evaluate the performanceof the proposed scheme.

Authors in [146] present a resilient architecture for criticalinfrastructures based on autonomic computing and MovingTarget Defense techniques. Within the Moving Target De-fense concept, the communication infrastructure is constantlyshifting and changing in order to increase complexity for theattackers, limit the exposure of vulnerabilities, and enhance theresilience of the system. A smart grid testdbed was developedin order to evaluate its resilience against cyber attacks, suchas flooding, DDoS, and jamming attacks.

Babay et al. [147] developed a novel architecture calledSpire, which distributes replicas of the SCADA control centeracross multiple locations in order to enhance the resilience




against cyber attacks. In order to evaluate the efficiency of theproposed solution, the authors deployed Spire in a wide areaconsisting of two control centers and two data centers.

The authors in [148] proposed a framework for modelingand assessing the resilience of critical infrastructure. Specifi-cally, they built a Bayesian network model in order to assesthe risk associated with the disruption of complex electricalnetworks. In addition, a real case study was selected to validatethe proposed framework.

A comprehensive solution for ensuring the SCADA surviv-ability is presented in [149]. The proposed solution is based onvirtualization technologies in order to build a resilient commu-nication infrastructure. The experimental results demonstratethe effectiveness of the proposed solution.

The authors in [150] propose a robust extension of theMultipath-TCP protocol. The proposed extension uses a novelstream hopping mechanism that hides open port numbers byperiodically renewing the sub-flows. The experimental resultsindicate that the proposed protocol can effectively mitigateDoS attacks with low communication overhead.

Rehak et al. [151] present a CIERA methodology designedfor Critical Infrastructure Elements Resilience Assessment.The method primarily relies on the complex assessment ofthe robustness, recoverability, and adaptability of elements intechnically oriented sectors with respect to disruptive eventsof naturogenic, technogenic and anthropogenic origin. It takesinto account the functional, structural and performance pa-rameters of the elements being assessed while facilitating theidentification of the element’s weak points.

This section discussed the impact of network topologyin the survivability and resilience of SCADA systems andreviewed research works that aim to evaluate and/or enhancethe survivability and resilience. The assessment of a systems’survivability and resilience is the first step towards enhancingthem. To this end, multiple assessment schemes were pro-posed that are able to model the system survivability andresilience as well as its behavior against potential cyber andphysical threats. Regarding the survivability and resilienceenhancement, many research works replicate various criticalcomponents of the communications infrastructure, while othersprovide redundant data flows and continuous infrastructureshifting.

VI. SCADA TRENDS & ADVANCEMENTS

This section provides the trends and advancements in theSCADA systems, compelled by the ever-growing requirementsof the industrial applications, and empowered the advance-ments in processing, networking, and storage resources.

A. Novel SCADA Communication ProtocolsThe emerging Industry 4.0 is changing the way industrial

and automation applications operate [152]. The protocols men-tioned in this section are based on a master-slave configuration.However, the amount and type of data that is exchangedbetween industrial and automation components render thisconfiguration inadequate. Consequently, novel distributed pro-tocols are being designed in order to satisfy the increasingapplication requirements.

Authors in [153] developed a framework for designingdistributed communication protocols, that can satisfy the strictreal-time requirements of automation applications. The ar-chitecture consists of two layers: the interface layer, whichprovides operation in time-slots and the coordination layerthat assigns a device to each time slot. They proposed anEthernet implementation, but the framework can be appliedto other shared-medium environments such as WIFI andWirelessHART.

Skodzik et al. [154] proposed HaRTKad, which is a Peer-to-Peer approach based on the Kad network. The Kad networkis variant of the Kademlia [155] decentralized P2P protocol.Kad was extended by the Time Division Multiple Accessmechanism in order to support strict real-time applications.The proposed prototype enables the realization of time con-straint applications, ensuring high reliability, flexibility, andscalability.

Sági and Varga [156] presented the architecture of a dis-tributed SCADA system that enables efficient real-time mon-itoring and control procedures in industrial environments. Itrelies on a distributed real-time database storage system thatfacilitates data distribution with configurable bandwidth basedon the application demands.

B. Internet of Things

The Internet of Things (IoT) is an emerging concept drivenby the advancements in the wireless communication technolo-gies [157]. An IoT system is a collection of collaborating smartdevices utilized in various consumer applications. The Indus-trial Internet of Things (IIoT) [158] is considered an evolutionof SCADA systems that focuses on industrial applicationssuch as power generation and distribution, transportation, andmanufacturing. For example, a critical application of IIoT isthe predictive maintenance of industrial equipment. Predictivemaintenance can lead to decreased downtime, reduced main-tenance costs, and increased productivity. A taxonomy of IoTprotocols, schemes and mechanisms are presented in [159],while in [160] the authors provide a review of IoT protocolsthat are applicable to the Smart Grid concept.

The inherent security challenges of IoT communicationsalong with the criticality of industrial applications urges re-searchers to devise novel security schemes for addressing theindustrial security requirements [161]. An analytic frameworkfor modeling cyber attacks against IoT infrastructures is in-troduced in [162]. The authors in [163] survey the state ofIoT security and discuss the challenges, countermeasures andfuture directions.

C. Virtualization Techniques

Virtualization is another popular concept, which enables theabstraction and sharing of physical resources among differentparties. Virtualization effectively reduces the overall cost ofequipment, facilitates its configuration and provides flexibilityand scalability. Network Function Virtualization (NFV) [164]is an emerging paradigm, which offers new ways of designing,deploying, and managing network services. The abstractionbetween virtual and physical devices, that is enabled by




virtualization technologies, extends the life of older softwareand hardware [165]. Therefore, virtualization is a compellingconcept for modernizing obsolete SCADA systems that cannotbe replaced due to operational reasons or high costs. Further-more, virtualization can be used to design and develop SCADAsecurity testbeds in a cost-effective manner.

Cruz et al. [166] proposed a framework for building scalableSCADA testbeds based on virtualization technologies. More-over, a case study demonstrating security attacks is presented.

Authors in [167], proposed a novel and modular approachfor virtualizing replicates of complex SCADA systems. TheSCADA system is segmented into smaller components, whichare virtualized independently. This approach reduces the sizeand cost of SCADA testbeds, facilitating the cybersecurityresearch.

Cahn et al. [168] designed and deployed a SCADA networkarchitecture which provides a reliable, secure, auto-configurednetwork through the use of SDN technologies.

D. SDN Visibility

Software Defined Networking (SDN) [169] is an emergingconcept that separates the control and data plane, and simpli-fies the programmability of the network. The SDN controllerhas a global view of the network state, which enables thedevelopment of countermeasures against security threats withvery low impact on the communication requirements. SDNprovides high-level network abstraction and an ApplicationProgramming Interfaces (API) for monitoring and managingthe communication infrastructure. The network programmabil-ity enables the development of network security applicationsthat effectively monitor the network in order to detect mali-cious traffic.

By leveraging the advantages of SDN, the SDN visibilitysecurity measure can be deployed to protect critical infras-tructures. Using SDN visibility, the network configuration(such as the IPs of SCADA field devices or HMIs) canbe reconfigured in the presence of cyber attacks, withoutdisrupting the operation of the SCADA system. A review ofsecurity works utilizing the SDN visibility is presented below:

Mehdi et al. [170] showed the feasibility of utilizingSDN in order to accurately detect malicious activity insidethe network. For evaluation purposes, they implemented theThreshold Random Walk with Credit Based Limiting [171],Rate-Limiting [172], Maximum Entropy Detector [173], andNETAD [174] algorithms in the OpenFlow [175] controller.

Xing et al. [176] presented SnortFlow, which is an intrusiondetection system based on OpenFlow. The system leveragesSnort’s detection capabilities and the network reconfigurationfeatures of OpenFlow.

Authors in [177] proposed a source address validationmechanism based on SDN. A protective perimeter is formedby a number of OpenFlow devices. Any packet, that originatesoutside the perimeter, is forwarded to the controller. Thesource of the packet is validated based on a set of generatedrules.

Giotis et al. [178] proposed a method based on OpenFlowand sFlow, that can effectively detect and mitigate traffic

anomalies. The packet sampling capabilities of sFlow arecombined with an entropy-based detection algorithm.

Authors in [179] proposed a system for Distributed andCollaborative per-flow Monitoring (DCM). A monitoring toolis installed in SDN-enabled switches and forwards the flowinformation of a new packet to the controller. The controlleruses Bloom filters to decide how the packet should be handled.

Authors in [180] designed an eavesdropping counter-measure for securing communication flows between SCADAcomponents. Using SDN, the communication routes betweenSCADA devices are modified in certain intervals.

The authors in [181] present a deep learning anomaly detec-tion approach in SDN environments. The OpenFlow switchesforward their network statistics to a centralized controller. Thecontroller sends the statistics to the intrusion detection modulefor analysis. A Deep Neural Network is used to analyze anddetect flow anomalies.

A novel SDN-enabled security architecture for the smartgrid is proposed in [182]. It is based on a specialized SDNcontroller that forwards AES-128 encrypted metering data.

Machii et al [183] extended the IEC62443’s Zones andConduits security measure, by proposing a dynamic zoningmethodology based on SDN.

The authors in [184] leverage the SDN concept to virtualizea data diode. Data diodes provide a physical mechanism forenforcing strict unidirectional between two networks [185].They are often built using fiber optic transceivers by removingthe transmitting and receiving components from each side,respectively. Therefore, it is physically impossible to compro-mise these devices and intercept network traffic.

E. Big Data Analytics

The interconnection of SCADA systems using high speedwired or wireless networks allows the exchange of largeamounts of data in a very short time. This enables the leverageof Big Data analytics [186], [187], which can effectively assistin the detection and mitigation of cyber-attacks. There areexisting proposals that leverage the Big Data analytics in orderto secure critical infrastructures.

Authors in [188] developed a real-time IDS that performstraffic classification using Big Data analytics. In order totrain the detection model they extracted certain features fromDARPA [189], KDD99 [190], and NSL-KDD [191] datasets.The Apache Spark machine learning library [192] was used toperform classification using algorithms such as Naive Bayes,Support Vector Machine, Random Forests, and REPTree.

Vimalkumar and Radhika [193] also used the Apache Sparkto design solution for detecting cyber attacks. They built acustom dataset that consists of data from Phasor MeasurementUnits. For traffic classification, they used the Deep NeuralNetwork, Support Vector Machine, Naive Bayes, and RandomForest algorithms.

Finally, Natesan et al. [194] proposed an IDS that isbased on the Apache Hadoop framework [195]. They usedthe KDD99 dataset and the Naive Bayes algorithm for theclassification of the traffic.




F. SCADA Cyber Hygiene

The severe increase in the frequency of cyber attacks againstcritical infrastructures has raised concerns about security atevery level of an organization or company. The organizationsand companies must be better prepared to respond and recoverfrom novel cyber-attacks, as adversaries are constantly devel-oping and experimenting with different types of malware. Anexemplary countermeasure is presented in [196]. The authorsdeveloped an anonymous incident communication channel,that enables Smart Grid operators to cooperatively exchangecyber attack details and patterns. These new variants of mal-ware allow hackers to launch multiple types of attacks againstindividuals and organizations. Furthermore, certain securityincidents were reported (e.g., [48], [50]) where the cyberattacks against a company originated from the compromiseof another one.

In order to effectively secure critical infrastructures, efficientcyber hygiene strategies should be adopted. Cyber hygieneinvolves establishing certain routine measures in order tominimize the risks from cyber attacks. The adoption of goodcyber hygiene practices reduces the risk that a vulnerableorganization will be exploited in order to launch attacks andcompromise related organizations.

The insider threat is a significant security concern fororganizations managing critical infrastructures [197]. Thishighlights implications regarding the high awareness levelsamong employees about the insider threat. Therefore, theorganizations should provide proper training regarding the be-havioral indicators of insider threats and confidential reportingprocesses.

The National Institute of Standards and Technology (NIST)[198] has released a series of guidelines for the Smart Grid,which can be generalized for SCADA systems. To beginwith, the cybersecurity countermeasures should be deployedat multiple locations to resist many attack approaches. Suchmeasures are the enforcement of security policies withinthe organization and the employment of technical tools thatimplement the security mechanisms and services. Secondly,all security approaches suffer from inherent vulnerabilities.By deploying layered defenses these vulnerabilities can bediminished. Additionally, the trust relationships between sys-tems and organizations have to be evaluated, established, andmaintained. Moreover, roles and responsibilities have to bespecified for the trusted partners. The use of cryptographicmechanisms, such as security keys and certificates, should beenforced. Moreover, intrusion detection systems should be de-ployed. Those systems are responsible for detecting, analyzing,responding and reporting any intrusions and anomalous eventsin a very short time. Finally, it should be mandatory that allthe staff attends to a comprehensive program that includestraining, practical experience and awareness. Also, the systemadministrators should be certified by recognized authorities.

The European Network and Information Security Agency(ENISA) published a list of seven recommendations that focuson improving the security of SCADA systems [199]. Thoserecommendations include 1) the creation of Pan-Europeanand National SCADA security strategies, that will serve as

references for stakeholders, 2) the creation of a good practicesguide for SCADA security, 3) the creation of security plantemplates, that will guide the operators in classifying theirsystems and prioritizing the most critical ones, 4)the fosteringof security risk awareness and training, 5) the creation of acommon security framework, that will help stakeholders todetect potential threats and evaluate security countermeasuresin a controlled and isolated environment, 6) the creationof emergency response team of security experts, that willprovide the necessary services to handle and recover fromsecurity violations, and 7) the fostering of security researchby leveraging existing research programmes.

G. Lessons Learned, Open Research Problems and Chal-lenges

This subsection summarizes the lessons learned that derivefrom the review, analysis, and discussion of the securityconcerns regarding SCADA systems.

The architecture of a SCADA system consists of multiplecomponents, such as HMIs, MTUs, RTUs, and field devices.The communications among these components is enabled byindustrial communication protocols. The legacy protocols havelow requirements in terms of throughput and bandwidth, whilethe monitoring and control operations take place locally. Thenewer protocols have increased throughput and bandwidthrequirements, and they are connected to the Internet in orderto enable remote monitoring and control.

SCADA systems monitor and control the process of criticalinfrastructures such as power telecommunications, transporta-tion, and manufacturing plants. It is apparent that cyber threatsagainst critical SCADA systems are on the rise. There arereports on numerous incidents worldwide against SCADAsystems, damaging the infrastructure and threatening publichealth.

The underlying communication protocols of SCADA sys-tems are threatened from several cyber attacks that aim toviolate the availability, confidentiality, authorization, and in-tegrity of the system. To this end, the security aspect ofSCADA systems is receiving significant attention. Multipleresearch works aim to design and develop SCADA securitytestbeds (physical or and protection mechanisms. Modbusand DNP3 are the most widely used communication pro-tocols, however, they have no (Modbus) or weak (DNP3)security mechanisms. Consequently, there are many researchworks aiming to secure these protocols. Common protectionapproaches utilized throughout the reviewed works includeattack detection schemes, traffic encryption algorithms, trafficclassification techniques, and leverage of firewall tools.

Most of the reviewed solutions regarding the Modbus proto-col, attempt to classify network traffic using Neural Networks,Decision Trees, and Support Vector Machines. The attackdetection techniques are mostly based on a pre-configuredset of detection rules or models. The AES, RSA, and SHA-2are the most prominent encryption algorithms. Finally, all theproposal feature high detection rates and very low false posi-tives. Regarding the DNP3 protocol, most of the proposals arebased on attack detection approaches, leveraging rule-based




TABLE XIIAPPROACHES TO SCADA SECURITY CHALLENGES

Challenge ApproachLack of mature security tools for SCADA systems Effective security tools for SCADA systems have emerged over the

last yearsEnsuring security for huge number of devices, aswell as protection against persistent adversaries

Leverage of Big Data analytics

Legacy devices and protocols introduce security vul-nerabilities

Adoption of appropriate cyber hygiene strategies

Inherited vulnerabilities from standard computer sys-tems

Enhance the security of the SCADA system by leveraging technologiessuch as NFV and SDN.

and anomaly detection techniques. Traffic encryption solutionsuse the well-known AES, RSA and SHA-2 algorithms, whichare already included in the protocol. Similar to the Modbusprotocol, the proposed solutions feature high detection rate andlow false positives.

Finally, the PROFINET solutions are limited and there arenot many details regarding their implementation and accuracyresults. As the protocol does not have publicly availablespecifications, the proposals aim to provide security by usingschemes that do not modify the protocol’s specifications. Mostof the proposals use rule-based attack detection technique,while there is one proposal that uses Artificial Neural Net-works for traffic classification.

The attack detection techniques that are based on a pre-configured set of detection rules or models can be implementedin hardware with limited processing resources and can achievedetection with very low latency. However, these techniques areunable to detect previously unknown attacks and may resultin high false positive rates. To this end, techniques such asNeural Networks and Support Vector Machines were proposed,as they can effectively detect novel attacks. However, theyrequire hardware with more processing resources dependingon the system that they monitor.

Nevertheless, the proposed security mechanisms cannotdetect and mitigate all cyber threats. Moreover, they areincapable of protecting the SCADA system against physicalattacks. Consequently, the SCADA survivability and resilienceconcept has emerged, that provides methods for risk assess-ment and model the behavior of the system in the presence ofthreats.

The communication requirements of SCADA systems areincreasing, as new and advanced applications are emerging.In order to address the ever-increasing requirements, newSCADA communication protocols are being developed. Theemerging Software Defined Networking concept and virtual-ization technologies enable the development of novel cybersecurity mechanisms by leveraging the network’s flexibilityand programmability. The advances in the computing andstorage capabilities enable the use of Big Data analytics inlarge traffic datasets.

In light of the aforementioned remarks, the SCADA securitychallenges that were presented in Section III.C have beenaddressed as follows (also summarized in Table XII):

The lack of mature security tools for SCADA systems isone of the main security challenges. To this end, numerousresearch works have emerged over the recent years, that

propose effective security tools for SCADA systems. Par-ticularly, in this work, we have reviewed a) eight researchworks that aim to detect attacks against SCADA systems usingvarious communication protocols, b) thirteen works that aim tosecure SCADA systems utilizing the Modbus communicationprotocol, c) eight works focusing on the security of SCADAsystems using the DNP3 protocol, d) four works focusing onthe Profinet protocol, and e) six research works that aim tosecure the IEC 61850 and 60870, EtherCAT, and EtherNet/IPprotocols.

Ensuring the security for huge number of devices is chal-lenging. In addition, these devices are attractive targets foradaptive persistent adversaries. The ever-increasing comput-ing, networking, and storage capabilities enable the utilizationof Big Data analytics. There are several research works (e.g,[188], [193], [194]) that leverage Big Data analytics in order tocreate novel anomaly detection approaches. These approachescan monitor and analyze the network traffic from a hugenumber of devices, and effectively detect potential anomalies.Furthermore, as they do not rely on signature or rule detection,they can detect novel attacks.

The use of legacy devices and protocols introduces severalsecurity vulnerabilities to the SCADA system. However, thereplacement of these devices and protocols is not always possi-ble, often due to the high equipment cost or the incompatibilityof other protocols and/or equipment. These security issues canbe mitigated by adopting appropriate cyber hygiene strategies,that can effectively reduce the risk, as well as the impact of apotential compromise.

As the technologies of standard computer systems are beingadopted in SCADA systems, their vulnerabilities are alsoinherited. Nevertheless, these novel technologies can enablethe development of novel and efficient countermeasures. TheNFV and SDN concepts can be leveraged to develop secure,resilient, and auto-configured SCADA networks. For example,a SCADA network will change its configuration in case of anattack, without disrupting the operation of the monitoring andcontrol processes.

VII. CONCLUSION

SCADA systems are crucial to industrial applications suchas power generation and distribution, telecommunications in-frastructures, transportation, and manufacturing industries. AsSCADA systems are being interconnected to the Internet, theyare exposed to security threats that can disrupt their normal




operation. As a consequence, researchers are focusing onincreasing the security and reliable operation of those systems.

In this work, we described the general SCADA architectureand provided a detailed overview of the well-known SCADAcommunication protocols. Certain SCADA security incidentswere reported, in order to project the paramount importance ofSCADA security violations and their impact on public healthand safety. Afterwards, we discussed the security objectives,the threats, and the attacks that affect the SCADA systems. Itcan be observed that SCADA systems have the same securityobjectives and are affected by the same threats and attacks asthe common computer systems.

Moreover, we performed a thorough review of SCADAsecurity proposals and discussed the state of security. Most ofthe security proposals follow similar approaches, consistingof model or rule based attack detection, classifying trafficusing SVM, Neural Networks, and Decision Trees, and trafficencryption. The overall evaluation results claim high accuracyand very low false positives.

Lastly, we presented the SCADA trends and future advance-ments. These include the design of novel SCADA protocolsin order to address the requirements of the Industry 4.0 ap-plications. Additionally, the use of virtualization technologiescan further reduce the deployment cost, facilitate the con-figuration and maintenance, and provide high scalability andreliability. Furthermore, the advancements in communicationand processing technologies enable the incorporation of BigData analytics, as a measure against cyber-attacks. Finally,the adoption of good cyber hygiene strategies is crucial toefficiently securing critical infrastructures

ACKNOWLEDGMENT

This project has received funding from the EuropeanUnion’s Horizon 2020 research and innovation programmeunder grant agreement No. 787011 (SPEAR).

REFERENCES

[1] K. Stouffer, J. Falco, and K. Scarfone, “Guide to industrial controlsystems (ics) security,” NIST special publication, vol. 800, no. 82, pp.16–16, 2011.

[2] V. M. Igure, S. A. Laughter, and R. D. Williams, “Security issues inSCADA networks,” Computers & Security, vol. 25, no. 7, pp. 498–506,2006.

[3] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, “SCADAsecurity in the light of Cyber-Warfare,” Computers & Security, vol. 31,no. 4, pp. 418–436, 2012.

[4] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, “A survey on smart grid com-munication infrastructures: Motivations, requirements and challenges,”IEEE communications surveys & tutorials, vol. 15, no. 1, pp. 5–20,2012.

[5] W. Wang and Z. Lu, “Cyber security in the smart grid: Survey andchallenges,” Computer networks, vol. 57, no. 5, pp. 1344–1371, 2013.

[6] R. Leszczyna and E. Egozcue, “Enisa study: Challenges in securingindustrial control systems,” in Securing Critical Infrastructures andCritical Control Systems: Approaches for Threat Protection. IGIGlobal, 2013, pp. 105–143.

[7] R. Leszczyna, E. Egozcue, L. Tarrafeta, V. F. Villar, R. Estremera,and J. Alonso, “Protecting industrial control systems-recommendationsfor europe and member states,” tech. rep., Technical report, EuropeanUnion Agency for Network and Information Security (ENISA), 2011.

[8] J. Gao, J. Liu, B. Rajan, R. Nori, B. Fu, Y. Xiao, W. Liang, andC. Philip Chen, “Scada communication and security issues,” Securityand Communication Networks, vol. 7, no. 1, pp. 175–194, 2014.

[9] S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.-R. Sadeghi,M. Maniatakos, and R. Karri, “The cybersecurity landscape in industrialcontrol systems,” Proceedings of the IEEE, vol. 104, no. 5, pp. 1039–1057, 2016.

[10] S. Nazir, S. Patel, and D. Patel, “Assessing and augmenting SCADAcyber security: A survey of techniques,” Computers & Security, vol. 70,pp. 436–454, 2017.

[11] J. Giraldo, E. Sarkar, A. A. Cardenas, M. Maniatakos, and M. Kantar-cioglu, “Security and privacy in cyber-physical systems: A survey ofsurveys,” IEEE Design & Test, vol. 34, no. 4, pp. 7–17, 2017.

[12] S. Ghosh and S. Sampalli, “A survey of security in scada networks: Cur-rent issues and future challenges,” IEEE Access, vol. 7, pp. 135 812–135 831, 2019.

[13] I. Verhappen and A. Pereira, Foundation Fieldbus. ISA, 2008.[14] K. Bender, Profibus: the fieldbus for industrial automation. Prentice-

Hall, Inc., 1993.[15] J. Azevedo and N. Cravoisy, “The WorldFIP protocol,” J. De Azevedo

(Version1), N. Cravoisy (Version 2), vol. 2, 1998.[16] B. P. Crow, I. Widjaja, J. G. Kim, and P. T. Sakai, “IEEE 802.11 wire-

less local area networks,” IEEE Communications magazine, vol. 35,no. 9, pp. 116–126, 1997.

[17] IEEE Power and Energy Society, “IEEE Standard for Electric PowerSystems Communications - Distributed Network Protocol (DNP3),” Oct2012.

[18] Beckhoff New Automation Technology, “EtherCAT Slave Controller,”Oct 2014, Rev. 2.2.

[19] S. J. Vincent, “Foundation fieldbus high speed ethernet control system,”Fieldbus Inc, 2001.

[20] A. Robertinit, “Profinet: the future of the ethernet-based automation,”in IPLnet Workshop, September, 2003, pp. 9–10.

[21] R.-T. Ethernet, “SERCOS III: Proposal for a publicly available speci-fication for real-time ethernet.”

[22] M. Wlas, M. Gackowski, and W. Kolbusz, “The ethernet powerlink pro-tocol for smart grids elements integration,” in 2011 IEEE InternationalSymposium on Industrial Electronics. IEEE, 2011, pp. 2070–2075.

[23] S. H. Abbas and S. H. Hong, “A top-down approach to add hot-pluggable asynchronous devices to rapienet infrastructure,” in 20099th International Symposium on Communications and InformationTechnology. IEEE, 2009, pp. 128–133.

[24] Schneider Automation Inc, “MODBUS Application Protocol Specifi-cation,” Apr 2012, v1.1b3.

[25] “Unitronics, Communication with the Vision PLC.” [On-line]. Available: https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf

[26] L. Rosa, M. Freitas, S. Mazo, E. Monteiro, T. Cruz, and P. Simões,“A comprehensive security analysis of a scada protocol: From osint tomitigation,” IEEE Access, vol. 7, pp. 42 156–42 168, 2019.

[27] V. Schiffer, D. Vangompel, and R. Voss, “The common industrialprotocol (CIP) and the family of CIP networks,” Milwaukee, Wisconsin,USA, ODVA, 2006.

[28] K. Etschberger, R. Hofmann, J. Stolberg, C. Schlegel, and S. Weiher,Controller area network: basics, protocols, chips and applications.IXXAT Automation, 2001.

[29] B. Miller and D. Rowe, “A survey SCADA of and critical infrastructureincidents,” in Proceedings of the 1st Annual conference on Researchin information technology. ACM, 2012, pp. 51–56.

[30] S. A. Baker, S. Waterman, and G. Ivanov, In the crossfire: Criticalinfrastructure in the age of cyber war. McAfee, Incorporated, 2009.

[31] “RISI - The Repository of Industrial Security Incidents.” [Online].Available: http://www.risidata.com/

[32] T. Smith, “Hacker jailed for revenge sewage attacks,” Oct 2001.[Online]. Available: https://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

[33] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, andN. Weaver, “Inside the slammer worm,” IEEE Security & Privacy,vol. 99, no. 4, pp. 33–39, 2003.

[34] K. Poulsen, “Slammer worm crashed ohio nuke plant net,” Aug2003. [Online]. Available: https://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/

[35] E. Levy, “The making of a spam zombie army. dissecting the sobigworms,” IEEE security & privacy, vol. 99, no. 4, pp. 58–59, 2003.

[36] “Computer virus brings down train signals,” Aug 2003. [Online].Available: https://www.informationweek.com/computer-virus-brings-down-train-signals/d/d-id/1020446

[37] D. Goodin, “Electrical supe charged with damaging california canalsystem,” Nov 2007. [Online]. Available: https://www.theregister.co.uk/2007/11/30/canal_system_hack/

https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf

https://unitronicsplc.com/Download/SoftwareUtilities/Unitronics%20PCOM%20Protocol.pdf

http://www.risidata.com/

https://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

https://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/

https://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/

https://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/

https://www.informationweek.com/computer-virus-brings-down-train-signals/d/d-id/1020446

https://www.informationweek.com/computer-virus-brings-down-train-signals/d/d-id/1020446

https://www.theregister.co.uk/2007/11/30/canal_system_hack/

https://www.theregister.co.uk/2007/11/30/canal_system_hack/




[38] S. Gorman, “Electricity grid in u.s. penetrated by spies,”Apr 2009. [Online]. Available: https://www.wsj.com/articles/SB123914805204099085

[39] C. Glenn, D. Sterbentz, and A. Wright, “Cyber threat and vulnerabilityanalysis of the us electric sector,” Idaho National Lab.(INL), IdahoFalls, ID (United States), Tech. Rep., 2016.

[40] D. Goodin, “Feds: Hospital hacker’s ’massive’ DDoS averted,” Jul2009. [Online]. Available: https://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/

[41] R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE Secu-rity & Privacy, vol. 9, no. 3, pp. 49–51, 2011.

[42] G. Keizer, “Is stuxnet the ’best’ malware ever?” Sep 2010. [Online].Available: https://www.computerworld.com/article/2515757/malware-vulnerabilities/is-stuxnet-the--best--malware-ever-.html

[43] Y. Melman, “Computer virus in iran actually targeted larger nuclearfacility.” [Online]. Available: https://www.haaretz.com/1.5118389

[44] D. Kushner, “Stuxnet attackers used 4 windows zero-day exploits,” Mar2014. [Online]. Available: https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet/

[45] J. Leyden, “’chinese cyberspies’ target energy giants,” Feb 2011.[Online]. Available: https://www.theregister.co.uk/2011/02/10/night_dragon_cyberespionage/

[46] K. Zetter, “Son of stuxnet found in the wild on systems in europe,”Oct 2011. [Online]. Available: https://www.wired.com/2011/10/son-of-stuxnet-in-the-wild/

[47] B. Bencsáth, G. Pék, L. Buttyán, and M. Félegyházi, “Duqu: A stuxnet-like malware found in the wild,” CrySyS Lab Technical Report, vol. 14,pp. 1–60, 2011.

[48] D. Starkey, “Hacker group dragonfly takes aim at us power grid,” Sep2017. [Online]. Available: https://www.geek.com/tech/hacker-group-dragonfly-takes-aim-at-us-power-grid-1715157/

[49] A. Greenberg, “How an entire nation became russia’s test lab forcyberwar,” Jun 2017. [Online]. Available: https://www.wired.com/story/russian-hackers-attack-ukraine/

[50] M. Kumar, “Dragonfly 2.0: Hacking group infiltrated europeanand us power facilities,” Sep 2017. [Online]. Available: https://thehackernews.com/2017/09/dragonfly-energy-hacking.html

[51] D. Dzung, M. Naedele, T. P. Von Hoff, and M. Crevatin, “Security forindustrial communication systems,” Proceedings of the IEEE, vol. 93,no. 6, pp. 1152–1177, 2005.

[52] C.-W. Ten, C.-C. Liu, and G. Manimaran, “Vulnerability assessmentof cybersecurity for SCADA systems,” IEEE Transactions on PowerSystems, vol. 23, no. 4, pp. 1836–1846, 2008.

[53] Q. Wanying, W. Weimin, Z. Surong, and Z. Yan, “The study of securityissues for the industrial control systems communication protocols,”Joint International Mechanical, Electronic and Information TechnologyConference, China, 2015.

[54] K. Coffey, L. A. Maglaras, R. Smith, H. Janicke, M. A. Ferrag, A. Der-hab, M. Mukherjee, S. Rallis, and A. Yousaf, “Vulnerability assessmentof cyber security for scada systems,” in Guide to Vulnerability Analysisfor Computer Networks and Systems. Springer, 2018, pp. 59–80.

[55] Q. S. Qassim, N. Jamil, M. Daud, A. Patel, and N. Ja’affar, “A reviewof security assessment methodologies in industrial control systems,”Information & Computer Security, vol. 27, no. 1, pp. 47–61, 2019.

[56] F. Wang, X.-z. Zheng, N. Li, and X. Shen, “Systemic vulnerabilityassessment of urban water distribution networks considering failurescenario uncertainty,” International Journal of Critical InfrastructureProtection, vol. 26, p. 100299, 2019.

[57] E. Irmak and I. Erkek, “An overview of cyber-attack vectors on scadasystems,” in 2018 6th International Symposium on Digital Forensic andSecurity (ISDFS). IEEE, 2018, pp. 1–5.

[58] N. R. Rodofile, K. Radke, and E. Foo, “Extending the cyber-attacklandscape for scada-based critical infrastructure,” International Journalof Critical Infrastructure Protection, vol. 25, pp. 14–35, 2019.

[59] R. Leszczyna, “A systematic approach to cybersecurity management,”in Cybersecurity in the Electricity Sector. Springer, 2019, pp. 87–125.

[60] P. Huitsing, R. Chandia, M. Papa, and S. Shenoi, “Attack taxonomiesfor the modbus protocols,” International Journal of Critical Infrastruc-ture Protection, vol. 1, pp. 37–44, 2008.

[61] Z. Drias, A. Serhrouchni, and O. Vogel, “Taxonomy of attacks onindustrial control protocols,” in Protocol Engineering (ICPE) andInternational Conference on New Technologies of Distributed Systems(NTDS), 2015 International Conference on. IEEE, 2015, pp. 1–6.

[62] S. East, J. Butts, M. Papa, and S. Shenoi, “A taxonomy of attacks on theDNP3 protocol,” in International Conference on Critical InfrastructureProtection. Springer, 2009, pp. 67–81.

[63] R. Leszczyna, “Cybersecurity Assessment,” in Cybersecurity in theElectricity Sector. Springer, 2019, pp. 149–179.

[64] K. Barnes and B. Johnson, “National scada test bed substation automa-tion evaluation report,” Idaho National Laboratory (INL), Tech. Rep.,2009.

[65] C. Davis, J. Tate, H. Okhravi, C. Grier, T. Overbye, and D. Nicol,“SCADA cyber security testbed development,” in Power Symposium,2006. NAPS 2006. 38th North American. IEEE, 2006, pp. 483–488.

[66] “Powerworld - the visual approach to electric power systems.”[Online]. Available: http://www.powerworld.com/

[67] M. Liljenstam, J. Liu, D. Nicol, Y. Yuan, G. Yan, and C. Grier, “Rinse:The real-time immersive network simulation environment for networksecurity exercises,” in Proceedings of the 19th Workshop on Principlesof Advanced and Distributed Simulation. IEEE Computer Society,2005, pp. 119–128.

[68] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, “Atestbed for secure and robust SCADA systems,” ACM SIGBED Review,vol. 5, no. 2, p. 4, 2008.

[69] A. Varga and R. Hornig, “An overview of the OMNeT++ simulationenvironment,” in Proceedings of the 1st international conference onSimulation tools and techniques for communications, networks andsystems & workshops. ICST (Institute for Computer Sciences, Social-Informatics and . . . , 2008, p. 60.

[70] C. Queiroz, A. Mahmood, J. Hu, Z. Tari, and X. Yu, “Building aSCADA security testbed,” in 2009 Third International Conference onNetwork and System Security. IEEE, 2009, pp. 357–364.

[71] Y. Kim, “Control systems lab using a LEGO Mindstorms NXT motorsystem,” IEEE Transactions on Education, vol. 54, no. 3, pp. 452–461,2011.

[72] T. Morris, R. Vaughn, and Y. S. Dandass, “A testbed for SCADAcontrol system cybersecurity research and pedagogy,” in Proceedingsof the Seventh Annual Workshop on Cyber Security and InformationIntelligence Research. ACM, 2011, p. 27.

[73] M. Mallouhi, Y. Al-Nashif, D. Cox, T. Chadaga, and S. Hariri, “Atestbed for analyzing security of SCADA control systems (TASSCS),”in Innovative Smart Grid Technologies (ISGT), 2011 IEEE PES. IEEE,2011, pp. 1–7.

[74] “Modbus PLC simulator.” [Online]. Available: http://www.plcsimulator.org/

[75] “OPNET technologies – network simulator.” [Online]. Available:http://www.riverbed.com/gb/products/steelcentral/opnet.html

[76] A. Almalawi, Z. Tari, I. Khalil, and A. Fahad, “SCADAVT-a frameworkfor SCADA security testbed based on virtualization technology,” inLocal Computer Networks (LCN), 2013 IEEE 38th Conference on.IEEE, 2013, pp. 639–646.

[77] J. Ahrenholz, “Comparison of CORE network emulation platforms,” inMilitary Communications Conference, 2010-MILCOM 2010. IEEE,2010, pp. 166–171.

[78] A. Hahn, A. Ashok, S. Sridhar, and M. Govindarasu, “Cyber-physicalsecurity testbeds: Architecture, application, and evaluation for smartgrid,” IEEE Transactions on Smart Grid, vol. 4, no. 2, pp. 847–855,2013.

[79] R. Kuffel, J. Giesbrecht, T. Maguire, R. Wierckx, and P. McLaren,“RTDS-a fully digital power system simulator operating in real time,”in Energy Management and Power Delivery, 1995. Proceedings ofEMPD’95., 1995 International Conference on, vol. 2. IEEE, 1995,pp. 498–503.

[80] “Powerfactory - DIgSILENT.” [Online]. Available: http://www.digsilent.de/en/powerfactory.html

[81] J. Wroclawski, T. Benzel, J. Blythe, T. Faber, A. Hussain, J. Mirkovic,and S. Schwab, “Deterlab and the deter project,” in The GENI Book.Springer, 2016, pp. 35–62.

[82] J. Mirkovic and T. Benzel, “Teaching cybersecurity with deterlab,”IEEE Security & Privacy, vol. 10, no. 1, pp. 73–76, 2012.

[83] R. Leszczyna, “A review of standards with cybersecurity requirementsfor smart grid,” Computers & Security, vol. 77, pp. 262–276, 2018.

[84] J. Webster and R. T. Watson, “Analyzing the past to prepare for thefuture: Writing a literature review,” MIS quarterly, pp. xiii–xxiii, 2002.

[85] O. Linda, T. Vollmer, and M. Manic, “Neural network based intrusiondetection system for critical infrastructures,” in Neural Networks, 2009.IJCNN 2009. International Joint Conference on. IEEE, 2009, pp.1827–1834.

[86] B. M. Wilamowski and H. Yu, “Improved computation for levenberg–marquardt training,” IEEE transactions on neural networks, vol. 21,no. 6, pp. 930–937, 2010.

https://www.wsj.com/articles/SB123914805204099085

https://www.wsj.com/articles/SB123914805204099085

https://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/

https://www.theregister.co.uk/2009/07/01/hospital_hacker_arrested/

https://www.computerworld.com/article/2515757/malware-vulnerabilities/is-stuxnet-the--best--malware-ever-.html

https://www.computerworld.com/article/2515757/malware-vulnerabilities/is-stuxnet-the--best--malware-ever-.html

https://www.haaretz.com/1.5118389

https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet/

https://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet/

https://www.theregister.co.uk/2011/02/10/night_dragon_cyberespionage/

https://www.theregister.co.uk/2011/02/10/night_dragon_cyberespionage/

https://www.wired.com/2011/10/son-of-stuxnet-in-the-wild/

https://www.wired.com/2011/10/son-of-stuxnet-in-the-wild/

https://www.geek.com/tech/hacker-group-dragonfly-takes-aim-at-us-power-grid-1715157/

https://www.geek.com/tech/hacker-group-dragonfly-takes-aim-at-us-power-grid-1715157/

https://www.wired.com/story/russian-hackers-attack-ukraine/

https://www.wired.com/story/russian-hackers-attack-ukraine/

https://thehackernews.com/2017/09/dragonfly-energy-hacking.html

https://thehackernews.com/2017/09/dragonfly-energy-hacking.html

http://www.powerworld.com/

http://www.plcsimulator.org/

http://www.plcsimulator.org/

http://www.riverbed.com/gb/products/steelcentral/opnet.html

http://www.digsilent.de/en/powerfactory.html

http://www.digsilent.de/en/powerfactory.html




[87] A. Van Ooyen, B. Nienhuis et al., “Improving the convergence of theback-propagation algorithm.” Neural Networks, vol. 5, no. 3, pp. 465–471, 1992.

[88] A. Carcano, A. Coletta, M. Guglielmi, M. Masera, I. N. Fovino, andA. Trombetta, “A multidimensional critical state analysis for detect-ing intrusions in SCADA systems,” IEEE Transactions on IndustrialInformatics, vol. 7, no. 2, pp. 179–186, 2011.

[89] Y. Yang, K. McLaughlin, S. Sezer, T. Littler, E. G. Im, B. Pranggono,and H. Wang, “Multiattribute SCADA-specific intrusion detectionsystem for power networks,” IEEE Transactions on Power Delivery,vol. 29, no. 3, pp. 1092–1102, 2014.

[90] A. Almalawi, X. Yu, Z. Tari, A. Fahad, and I. Khalil, “An unsupervisedanomaly-based detection approach for integrity attacks on SCADAsystems,” Computers & Security, vol. 46, pp. 94–110, 2014.

[91] Y. Wang, Z. Xu, J. Zhang, L. Xu, H. Wang, and G. Gu, “Srid: Staterelation based intrusion detection for false data injection attacks inscada,” in European Symposium on Research in Computer Security.Springer, 2014, pp. 401–418.

[92] S. Ponomarev and T. Atkison, “Industrial control system networkintrusion detection by telemetry analysis,” IEEE Transactions on De-pendable and Secure Computing, no. 1, pp. 1–1, 2016.

[93] S. Kalmegh, “Analysis of WEKA data mining algorithm REPTree,”Simple Cart, 2015.

[94] I. Rish et al., “An empirical study of the naive bayes classifier,” inIJCAI 2001 workshop on empirical methods in artificial intelligence,vol. 3, no. 22. IBM New York, 2001, pp. 41–46.

[95] C.-Y. J. Peng, K. L. Lee, and G. M. Ingersoll, “An introduction tologistic regression analysis and reporting,” The journal of educationalresearch, vol. 96, no. 1, pp. 3–14, 2002.

[96] B. R. Gaines and P. Compton, “Induction of ripple-down rules ap-plied to modeling large databases,” Journal of Intelligent InformationSystems, vol. 5, no. 3, pp. 211–228, 1995.

[97] N. Bhargava, G. Sharma, R. Bhargava, and M. Mathuria, “Decisiontree analysis on j48 algorithm for data mining,” Proceedings of In-ternational Journal of Advanced Research in Computer Science andSoftware Engineering, vol. 3, no. 6, 2013.

[98] S. Shitharth et al., “An enhanced optimization based algorithm for in-trusion detection in SCADA network,” Computers & Security, vol. 70,pp. 16–26, 2017.

[99] X.-S. Yang and S. Deb, “Multiobjective cuckoo search for designoptimization,” Computers & Operations Research, vol. 40, no. 6, pp.1616–1624, 2013.

[100] I. A. Khan, D. Pi, Z. U. Khan, Y. Hussain, and A. Nawaz, “HML-IDS:a hybrid-multilevel anomaly prediction approach for intrusion detectionin SCADA systems,” IEEE Access, vol. 7, pp. 89 507–89 521, 2019.

[101] S. Cheung, B. Dutertre, M. Fong, U. Lindqvist, K. Skinner, andA. Valdes, “Using model-based intrusion detection for SCADA net-works,” in Proceedings of the SCADA security scientific symposium,vol. 46. Citeseer, 2007, pp. 1–12.

[102] I. N. Fovino, A. Carcano, M. Masera, and A. Trombetta, “Designand implementation of a secure modbus protocol,” in Internationalconference on critical infrastructure protection. Springer, 2009, pp.83–96.

[103] N. Goldenberg and A. Wool, “Accurate modeling of modbus/TCPfor intrusion detection in SCADA systems,” International Journal ofCritical Infrastructure Protection, vol. 6, no. 2, pp. 63–75, 2013.

[104] T. H. Morris, B. A. Jones, R. B. Vaughn, and Y. S. Dandass, “Determin-istic intrusion detection rules for modbus protocols,” in System Sciences(HICSS), 2013 46th Hawaii International Conference on. IEEE, 2013,pp. 1773–1781.

[105] A. Shahzad, M. Lee, Y.-K. Lee, S. Kim, N. Xiong, J.-Y. Choi,and Y. Cho, “Real time MODBUS transmissions and cryptographysecurity designs and enhancements of protocol sensitive information,”Symmetry, vol. 7, no. 3, pp. 1176–1210, 2015.

[106] J. Daemen and V. Rijmen, The design of Rijndael: AES-the advancedencryption standard. Springer Science & Business Media, 2013.

[107] R. L. Rivest, A. Shamir, and L. Adleman, “A method for obtainingdigital signatures and public-key cryptosystems,” Communications ofthe ACM, vol. 21, no. 2, pp. 120–126, 1978.

[108] “Secure Hash Algorithm 2,” National Institute of Standards and Tech-nology (NIST), Standard, 2002.

[109] N. Erez and A. Wool, “Control variable classification, modeling andanomaly detection in modbus/TCP SCADA systems,” InternationalJournal of Critical Infrastructure Protection, vol. 10, pp. 59–70, 2015.

[110] W. Shang, Q. Qiao, M. Wan, and P. Zeng, “Design and implementationof industrial firewall for modbus/TCP,” JcP, vol. 11, no. 5, pp. 432–438, 2016.

[111] D. S. Rana, N. Garg, and S. K. Chamoli, “A study and detection of tcpsyn flood attacks with ip spoofing and its mitigations,” InternationalJournal of Computer Technology and Applications, vol. 3, no. 4, 2012.

[112] L. Deng, Y. Peng, C. Liu, X. Xin, and Y. Xie, “Intrusion detectionmethod based on support vector machine access of modbus TCPprotocol,” in Internet of Things (iThings) and IEEE Green Computingand Communications (GreenCom) and IEEE Cyber, Physical andSocial Computing (CPSCom) and IEEE Smart Data (SmartData), 2016IEEE International Conference on. IEEE, 2016, pp. 380–383.

[113] S. Suthaharan, “Support vector machine,” in Machine learning modelsand algorithms for big data classification. Springer, 2016, pp. 207–235.

[114] S.-C. Li, Y. Huang, B.-C. Tai, and C.-T. Lin, “Using data miningmethods to detect simulated intrusions on a modbus network,” in Cloudand Service Computing (SC2), 2017 IEEE 7th International Symposiumon. IEEE, 2017, pp. 143–148.

[115] W. Yusheng, F. Kefeng, L. Yingxu, L. Zenghui, Z. Ruikang, Y. Xi-angzhen, and L. Lin, “Intrusion detection of industrial control systembased on modbus TCP protocol,” in Autonomous Decentralized System(ISADS), 2017 IEEE 13th International Symposium on. IEEE, 2017,pp. 156–162.

[116] P.-H. Wang, I.-E. Liao, K.-F. Kao, and J.-Y. Huang, “An intrusiondetection method based on log sequence clustering of honeypot formodbus TCP protocol,” in 2018 IEEE International Conference onApplied System Invention (ICASI). IEEE, 2018, pp. 255–258.

[117] L. Hubert, “Approximate evaluation techniques for the single-linkand complete-link hierarchical clustering procedures,” Journal of theAmerican Statistical Association, vol. 69, no. 347, pp. 698–704, 1974.

[118] H. Dong and D. Peng, “Research on abnormal detection of modbusTCP/IP protocol based on one-class SVM,” in 2018 33rd YouthAcademic Annual Conference of Chinese Association of Automation(YAC). IEEE, 2018, pp. 398–403.

[119] Q.-L. Luo, K.-F. Xu, W.-Y. Zang, and J.-G. Liu, “Network protocolparser and verification method based on wireshark,” Computer Engi-neering and Design, vol. 32, no. 3, pp. 770–773, 2011.

[120] Z. Hill, J. Hale, M. Papa, and P. Hawrylak, “Using Bro with aSimulation Model to Detect Cyber-Physical Attacks in a NuclearReactor,” in 2019 2nd International Conference on Data Intelligenceand Security (ICDIS). IEEE, 2019, pp. 22–27.

[121] M. Majdalawieh, F. Parisi-Presicce, and D. Wijesekera, “DNPSec:Distributed network protocol version 3 (DNP3) security framework,”in Advances in Computer, Information, and Systems Sciences, andEngineering. Springer, 2007, pp. 227–234.

[122] T. Mander, F. Nabhani, L. Wang, and R. Cheung, “Data object basedsecurity for DNP3 over TCP/IP for increased utility commercial aspectssecurity,” in Power Engineering Society General Meeting, 2007. IEEE.IEEE, 2007, pp. 1–8.

[123] J. Bai, S. Hariri, and Y. Al-Nashif, “A network protection frameworkfor DNP3 Over TCP/IP protocol,” in Computer Systems and Appli-cations (AICCSA), 2014 IEEE/ACS 11th International Conference on.IEEE, 2014, pp. 9–15.

[124] H. Li, G. Liu, W. Jiang, and Y. Dai, “Designing snort rules to detectabnormal DNP3 network data,” in Control, Automation and InformationSciences (ICCAIS), 2015 International Conference on. IEEE, 2015,pp. 343–348.

[125] R. Amoah, S. Camtepe, and E. Foo, “Securing DNP3 broadcastcommunications in SCADA systems,” IEEE Transactions on IndustrialInformatics, vol. 12, no. 4, pp. 1474–1485, 2016.

[126] J. Nivethan and M. Papa, “A linux-based firewall for the DNP3protocol,” in Technologies for Homeland Security (HST), 2016 IEEESymposium on. IEEE, 2016, pp. 1–5.

[127] G. YANG and S.-y. CHEN, “Research on linux firewall based onnetfilter/iptables [j],” Computer Engineering and Design, vol. 17, p.022, 2007.

[128] H. Lin, A. Slagell, Z. T. Kalbarczyk, P. W. Sauer, and R. K. Iyer,“Runtime semantic security analysis to detect and mitigate control-related attacks in power grids,” IEEE Transactions on Smart Grid,vol. 9, no. 1, pp. 163–178, 2018.

[129] Y. Lu and T. Feng, “Research on trusted DNP3-BAE protocol basedon hash chain,” EURASIP Journal on Wireless Communications andNetworking, vol. 2018, no. 1, p. 108, 2018.

[130] A. Paul, F. Schuster, and H. König, “Towards the protection ofindustrial control systems–conclusions of a vulnerability analysis ofprofinet IO,” in International Conference on Detection of Intrusionsand Malware, and Vulnerability Assessment. Springer, 2013, pp. 160–176.




[131] Z. Feng, S. Qin, X. Huo, P. Pei, Y. Liang, and L. Wang, “Snortimprovement on profinet RT for industrial control system intrusiondetection,” in Computer and Communications (ICCC), 2016 2nd IEEEInternational Conference on. IEEE, 2016, pp. 942–946.

[132] S. Pfrang and D. Meier, “Detecting and preventing replay attacks inindustrial automation networks operated with profinet IO,” Journal ofComputer Virology and Hacking Techniques, pp. 1–16, 2018.

[133] G. S. Sestito, A. C. Turcato, A. L. Dias, M. S. Rocha, M. M. da Silva,P. Ferrari, and D. Brandao, “A method for anomalies detection in real-time ethernet data traffic applied to profinet,” IEEE Transactions onIndustrial Informatics, vol. 14, no. 5, pp. 2171–2180, 2018.

[134] U. K. Premaratne, J. Samarabandu, T. S. Sidhu, R. Beresh, andJ.-C. Tan, “An intrusion detection system for iec61850 automatedsubstations,” IEEE Transactions on Power Delivery, vol. 25, no. 4,pp. 2376–2383, 2010.

[135] Y. Yang, K. McLaughlin, T. Littler, S. Sezer, B. Pranggono, andH. Wang, “Intrusion detection system for iec 60870-5-104 based scadanetworks,” in 2013 IEEE power & energy society general meeting.IEEE, 2013, pp. 1–5.

[136] H. Yoo and T. Shon, “Novel approach for detecting network anomaliesfor substation automation based on iec 61850,” Multimedia Tools andApplications, vol. 74, no. 1, pp. 303–318, 2015.

[137] Y. Yang, K. McLaughlin, L. Gao, S. Sezer, Y. Yuan, and Y. Gong,“Intrusion detection system for iec 61850 based smart substations,”in 2016 IEEE Power and Energy Society General Meeting (PESGM).IEEE, 2016, pp. 1–5.

[138] K. Wong, C. Dillabaugh, N. Seddigh, and B. Nandy, “Enhancing suri-cata intrusion detection system for cyber security in scada networks,”in 2017 IEEE 30th Canadian Conference on Electrical and ComputerEngineering (CCECE). IEEE, 2017, pp. 1–5.

[139] A. Granat, H. HÖFKEN, and M. Schuba, “Intrusion detection of theics protocol ethercat,” DEStech Transactions on Computer Science andEngineering, no. cnsce, 2017.

[140] P. Chopade and M. Bikdash, “Modeling for survivability of smart powergrid when subject to severe emergencies and vulnerability,” in 2012Proceedings of IEEE Southeastcon. IEEE, 2012, pp. 1–6.

[141] C. Queiroz, A. Mahmood, and Z. Tari, “A probabilistic model to predictthe survivability of SCADA systems,” IEEE Transactions on IndustrialInformatics, vol. 9, no. 4, pp. 1975–1985, 2012.

[142] P. Chopade, M. Bikdash, and I. Kateeb, “Interdependency modelingfor survivability of smart grid and SCADA network under severeemergencies, vulnerability and WMD attacks,” in 2013 Proceedingsof IEEE Southeastcon. IEEE, 2013, pp. 1–7.

[143] J. Kirsch, S. Goose, Y. Amir, D. Wei, and P. Skare, “Survivable SCADAvia intrusion-tolerant replication,” IEEE Transactions on Smart Grid,vol. 5, no. 1, pp. 60–70, 2013.

[144] M. Platania, D. Obenshain, T. Tantillo, R. Sharma, and Y. Amir,“Towards a practical survivable intrusion tolerant replication system,”in 2014 IEEE 33rd International Symposium on Reliable DistributedSystems. IEEE, 2014, pp. 242–252.

[145] I. Lopez, M. Aguado, C. Pinedo, and E. Jacob, “SCADA systemsin the railway domain: enhancing reliability through redundant Multi-pathTCP,” in 2015 IEEE 18th International Conference on IntelligentTransportation Systems. IEEE, 2015, pp. 2305–2310.

[146] J. Pacheco, C. Tunc, and S. Hariri, “Design and evaluation of resilientinfrastructures systems for smart cities,” in 2016 IEEE InternationalSmart Cities Conference (ISC2). IEEE, 2016, pp. 1–6.

[147] A. Babay, T. Tantillo, T. Aron, M. Platania, and Y. Amir, “Network-attack-resilient intrusion-tolerant SCADA for the power grid,” in 201848th Annual IEEE/IFIP International Conference on Dependable Sys-tems and Networks (DSN). IEEE, 2018, pp. 255–266.

[148] N. U. I. Hossain, R. Jaradat, S. Hosseini, M. Marufuzzaman, and R. K.Buchanan, “A framework for modeling and assessing system resilienceusing a bayesian network: A case study of an interdependent electricalinfrastructure system,” International Journal of Critical InfrastructureProtection, vol. 25, pp. 62–83, 2019.

[149] H. Sándor, B. Genge, Z. Szántó, L. Márton, and P. Haller, “Cyber attackdetection and mitigation: Software defined survivable industrial controlsystems,” International Journal of Critical Infrastructure Protection,vol. 25, pp. 152–168, 2019.

[150] K. Demir, F. Nayyer, and N. Suri, “MPTCP-H: A DDoS attackresilient transport protocol to secure wide area measurement systems,”International Journal of Critical Infrastructure Protection, vol. 25, pp.84–101, 2019.

[151] D. Rehak, P. Senovsky, M. Hromada, and T. Lovecek, “Complexapproach to assessing resilience of critical infrastructure elements,”

International Journal of Critical Infrastructure Protection, vol. 25, pp.125–138, 2019.

[152] M. Hermann, T. Pentek, and B. Otto, “Design principles for industrie4.0 scenarios,” in 2016 49th Hawaii International Conference onSystem Sciences (HICSS), Jan 2016, pp. 3928–3937.

[153] K. Schmidt and E. Schmidt, “Distributed real-time protocols for indus-trial control systems: Framework and examples,” IEEE Transactions onParallel and Distributed Systems, vol. 23, pp. 1856–1866, 10 2012.

[154] J. Skodzik, P. Danielis, V. Altmann, and D. Timmermann, “HaRTKad:A hard real-time kademlia approach,” in 2014 IEEE 11th ConsumerCommunications and Networking Conference (CCNC), Jan 2014, pp.309–314.

[155] P. Maymounkov and D. Mazieres, “Kademlia: A peer-to-peer informa-tion system based on the XOR metric,” in International Workshop onPeer-to-Peer Systems. Springer, 2002, pp. 53–65.

[156] M. Sági and E. Varga, “Dependable peer-to-peer SCADA architecture,”Acta Polytechnica Hungarica, vol. 14, no. 6, 2017.

[157] L. Atzori, A. Iera, and G. Morabito, “The internet of things: A survey,”Computer networks, vol. 54, no. 15, pp. 2787–2805, 2010.

[158] H. Boyes, B. Hallaq, J. Cunningham, and T. Watson, “The industrialinternet of things (IIoT): An analysis framework,” Computers inIndustry, vol. 101, pp. 1–12, 2018.

[159] A. Triantafyllou, P. Sarigiannidis, and T. D. Lagkas, “Network proto-cols, schemes, and mechanisms for Internet of Things (IoT): Features,open challenges, and trends,” Wireless Communications and MobileComputing, vol. 2018, 2018.

[160] S. K. Goudos, P. Sarigiannidis, P. I. Dallas, and S. Kyriazakos,“Communication protocols for the IoT-based smart grid,” in IoT forSmart Grids. Springer, 2019, pp. 55–83.

[161] K. Kimani, V. Oduol, and K. Langat, “Cyber security challengesfor iot-based smart grid networks,” International Journal of CriticalInfrastructure Protection, vol. 25, pp. 36–49, 2019.

[162] P. Sarigiannidis, E. Karapistoli, and A. A. Economides, “Modeling theinternet of things under attack: A G-network approach,” IEEE Internetof Things Journal, vol. 4, no. 6, pp. 1964–1977, 2017.

[163] R. Mahmoud, T. Yousuf, F. Aloul, and I. Zualkernan, “Internet of things(IoT) security: Current status, challenges and prospective measures,”in Internet Technology and Secured Transactions (ICITST), 2015 10thInternational Conference for. IEEE, 2015, pp. 336–341.

[164] R. Mijumbi, J. Serrat, J.-L. Gorricho, N. Bouten, F. De Turck, andR. Boutaba, “Network function virtualization: State-of-the-art and re-search challenges,” IEEE Communications Surveys & Tutorials, vol. 18,no. 1, pp. 236–262, 2016.

[165] J. Reeser, T. Jankowski, and G. M. Kemper, “Maintaining HMI andSCADA systems through computer virtualization,” IEEE Transactionson Industry Applications, vol. 51, no. 3, pp. 2558–2564, 2014.

[166] T. Cruz, R. Queiroz, P. Simões, and E. Monteiro, “Security implicationsof SCADA ICS virtualization: Survey and future trends,” in Proc. 15thEur. Conf. Cyber Warfare Security (ECCWS), 2016, pp. 74–83.

[167] T. Alves, R. Das, A. Werth, and T. Morris, “Virtualization of SCADAtestbeds for cybersecurity research: A modular approach,” Computers& Security, vol. 77, pp. 531–546, 2018.

[168] A. Cahn, J. Hoyos, M. Hulse, and E. Keller, “Software-defined energycommunication networks: From substation automation to future smartgrids,” in Smart Grid Communications (SmartGridComm), 2013 IEEEInternational Conference on. IEEE, 2013, pp. 558–563.

[169] O. N. Fundation, “Software-defined networking: The new norm fornetworks,” ONF White Paper, vol. 2, pp. 2–6, 2012.

[170] S. A. Mehdi, J. Khalid, and S. A. Khayam, “Revisiting traffic anomalydetection using software defined networking,” in International work-shop on recent advances in intrusion detection. Springer, 2011, pp.161–180.

[171] S. E. Schechter, J. Jung, and A. W. Berger, “Fast detection of scanningworm infections,” in International Workshop on Recent Advances inIntrusion Detection. Springer, 2004, pp. 59–81.

[172] J. Twycross and M. M. Williamson, “Implementing and testing a virusthrottle.” in USENIX Security Symposium, vol. 285, 2003, p. 294.

[173] Y. Gu, A. McCallum, and D. Towsley, “Detecting anomalies in networktraffic using maximum entropy estimation,” in Proceedings of the 5thACM SIGCOMM conference on Internet Measurement. USENIXAssociation, 2005, pp. 32–32.

[174] M. V. Mahoney, “Network traffic anomaly detection based on packetbytes,” in Proceedings of the 2003 ACM symposium on Appliedcomputing. ACM, 2003, pp. 346–350.

[175] N. McKeown, T. Anderson, H. Balakrishnan, G. Parulkar, L. Peterson,J. Rexford, S. Shenker, and J. Turner, “OpenFlow: enabling innovation




in campus networks,” ACM SIGCOMM Computer CommunicationReview, vol. 38, no. 2, pp. 69–74, 2008.

[176] T. Xing, D. Huang, L. Xu, C.-J. Chung, and P. Khatkar, “Snortflow: Aopenflow-based intrusion prevention system in cloud environment,” inResearch and Educational Experiment Workshop (GREE), 2013 SecondGENI. IEEE, 2013, pp. 89–92.

[177] G. Yao, J. Bi, and P. Xiao, “Source address validation solution withOpenFlow/NOX architecture,” in Network Protocols (ICNP), 2011 19thIEEE International Conference on. IEEE, 2011, pp. 7–12.

[178] K. Giotis, C. Argyropoulos, G. Androulidakis, D. Kalogeras, andV. Maglaris, “Combining OpenFlow and sFlow for an effective andscalable anomaly detection and mitigation mechanism on SDN envi-ronments,” Computer Networks, vol. 62, pp. 122–136, 2014.

[179] Y. Yu, C. Qian, and X. Li, “Distributed and collaborative trafficmonitoring in software defined networks,” in Proceedings of the thirdworkshop on Hot topics in software defined networking. ACM, 2014,pp. 85–90.

[180] E. G. da Silva, L. A. D. Knob, J. A. Wickboldt, L. P. Gaspary,L. Z. Granville, and A. Schaeffer-Filho, “Capitalizing on SDN-basedSCADA systems: An anti-eavesdropping case-study,” in IntegratedNetwork Management (IM), 2015 IFIP/IEEE International Symposiumon. IEEE, 2015, pp. 165–173.

[181] T. A. Tang, L. Mhamdi, D. McLernon, S. A. R. Zaidi, and M. Ghogho,“Deep learning approach for network intrusion detection in softwaredefined networking,” in Wireless Networks and Mobile Communica-tions (WINCOM), 2016 International Conference on. IEEE, 2016,pp. 258–263.

[182] A. Irfan, N. Taj, and S. A. Mahmud, “A novel secure SDN/LTE basedarchitecture for smart grid security,” in Computer and InformationTechnology; Ubiquitous Computing and Communications; Dependable,Autonomic and Secure Computing; Pervasive Intelligence and Comput-ing (CIT/IUCC/DASC/PICOM), 2015 IEEE International Conferenceon. IEEE, 2015, pp. 762–769.

[183] W. Machii, I. Kato, M. Koike, M. Matta, T. Aoyama, H. Naruoka,I. Koshijima, and Y. Hashimoto, “Dynamic zoning based on situationalactivitie for ICS security,” in Control Conference (ASCC), 2015 10thAsian. IEEE, 2015, pp. 1–5.

[184] M. B. de Freitas, L. Rosa, T. Cruz, and P. Simões, “Sdn-enabled virtualdata diode,” in Computer Security. Springer, 2018, pp. 102–118.

[185] J.-H. Yun, Y. Chang, K.-H. Kim, and W. Kim, “Security validationfor data diode with reverse channel,” in International Conference onCritical Information Infrastructures Security. Springer, 2016, pp. 271–282.

[186] S. John Walker, “Big data: A revolution that will transform how welive, work, and think,” 2014.

[187] M. Chen, S. Mao, and Y. Liu, “Big data: A survey,” Mobile networksand applications, vol. 19, no. 2, pp. 171–209, 2014.

[188] M. M. Rathore, A. Ahmad, and A. Paul, “Real time intrusion detectionsystem for ultra-high-speed big data environments,” The Journal ofSupercomputing, vol. 72, no. 9, pp. 3489–3510, 2016.

[189] “DARPA Intrusion Detection Data Sets.” [Online]. Available:http://www.ll.mit.edu/ideval/data/

[190] “KDD Cup 1999 Data.” [Online]. Available: http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

[191] “NSL-KDD Dataset.” [Online]. Available: http://www.unb.ca/cic/datasets/nsl.html

[192] “Apache Spark.” [Online]. Available: http://spark.apache.org/[193] K. Vimalkumar and N. Radhika, “A big data framework for intrusion

detection in smart grids using apache spark,” in Advances in Comput-ing, Communications and Informatics (ICACCI), 2017 InternationalConference on. IEEE, 2017, pp. 198–204.

[194] P. Natesan, R. Rajalaxmi, G. Gowrison, and P. Balasubramanie,“Hadoop based parallel binary bat algorithm for network intrusiondetection,” International Journal of Parallel Programming, vol. 45,no. 5, pp. 1194–1213, 2017.

[195] “Apache Hadoop.” [Online]. Available: http://hadoop.apache.org/[196] A. Triantafyllou, P. Sarigiannidis, A. Sarigiannidis, E. Rios, and

E. Iturbe, “Towards an anonymous incident communication channelfor electric smart grids,” in Proceedings of the 22nd Pan-HellenicConference on Informatics. ACM, 2018, pp. 34–39.

[197] A. J. Bell, M. B. Rogers, and J. M. Pearce, “The insider threat: Be-havioral indicators and factors influencing likelihood of intervention,”International Journal of Critical Infrastructure Protection, vol. 24, pp.166–176, 2019.

[198] U. NIST, “Guidelines for smart grid cyber security (vol. 1 to 3),” NISTIR-7628, Aug, 2010.

[199] European Network and Information Agency, “Protecting industrialcontrol systems, recommendations for europe and member states,”2011.

Dimitrios Pliatsios is a PhD Candidate in theDepartment of Informatics and Telecommunica-tions Engineering, University of Western Macedonia,Kozani, Greece. He received his degree from theDepartment of Electrical and Computer Engineering,Aristotle University of Thessaloniki, Greece in 2016.His research interests are in the areas of 5th Genera-tion (5G) Mobile Networks, Network VirtualizationTechnologies, and Computer & Network Security

Dr. Panagiotis Sarigiannidis is an Assistant Profes-sor in the Department of Informatics and Telecom-munications Department of University of WesternMacedonia, Kozani, Greece since 2016. He receivedthe B.Sc. and Ph.D. degrees in computer sciencefrom the Aristotle University of Thessaloniki, Thes-saloniki, Greece, in 2001 and 2007, respectively. Hehas published over 120 papers in international jour-nals, conferences and book chapters. He has beeninvolved in several national, EU and internationalprojects. He is currently the project coordinator of

the H2020 project SPEAR: Secure and PrivatE smArt gRid (DS-SC7-2017)and the Operational Program MARS: sMart fArming with dRoneS (Com-petitiveness, Entrepreneurship, and Innovation), while he serves as principalinvestigator in the Erasmus+ KA2 ARRANGE-ICT: pArtneRship foR Ad-dressiNG mEgatrends in ICT (Cooperation for Innovation and the Exchange ofGood Practices). His research interests include telecommunication networks,internet of things and telecommunications and network security.

Thomas Lagkas received his PhD in computer sci-ence from the Aristotle University of Thessaloniki,Greece, in 2006. He is Assistant Professor of theComputer Science Department of the InternationalHellenic University. He has been Lecturer and thenSenior Lecturer of The University of Sheffield Inter-national Faculty - CITY College, from 2012 to 2019.He also served as Research Director of the ComputerScience Department of CITY College and Leader ofthe ICT Track of the South-East European ResearchCentre. His research interests are in the areas of

IoT communications and distributed architectures, wireless communicationnetworks, QoS in medium access control, mobile multimedia communications,power saving/fairness ensure for resource allocation in wireless sensor-cooperative broadband networks as well as in hybrid Fiber-Wireless networks,e-health data monitoring, 5G systems, flying ad hoc networks, communicationsecurity, and computer-based educational technologies with more than 70publications at a number of widely recognized international scientific journalsand conferences. He is IEEE Senior Member and Fellow of the HigherEducation Academy in UK. He also participates in the Editorial Boardsof the following journals: IEEE Internet of Things, Computer Networks,Telecommunication Systems, and the Journal on Wireless Communicationsand Networking.

http://www.ll.mit.edu/ideval/data/

http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html

http://www.unb.ca/cic/datasets/nsl.html

http://www.unb.ca/cic/datasets/nsl.html

http://spark.apache.org/

http://hadoop.apache.org/




Antonios G. Sarigiannidis received the B.S. andM.S. degrees in computer science from the De-partment of Informatics, Aristotle University, Thes-saloniki, Greece, in 2007 and 2009, respectively.Also, he received the PhD degree from the samedepartment in 2016. His research interests includemedium access protocols, dynamic bandwidth al-location and traffic engineering in optical, wirelessand hybrid optical-wireless networks, visualization,analytics and security analysis. He is author orcoauthor of more than 10 journal and conference

papers. He received the CCNA Routing and Switching certification from Ciscoin 2018. He is currently with Sidroco Holdings Ltd, Limassol, Cyprus.

View publication statsView publication stats

https://www.researchgate.net/publication/340453361

Documents

A Survey on SCADA Systems: Secure Protocols, Incidents ... · Abstract—Supervisory Control and Data Acquisition (SCADA) systems are the underlying monitoring and control components