
TO APPEAR IN IEEE TRANSACTIONS ON POWER SYSTEMS 1

Vulnerability Assessment of Cybersecurity for SCADA Systems

Chee-Wooi Ten, Student Member, IEEE, Chen-Ching Liu, Fellow, IEEE, and Manimaran Govindarasu, Member, IEEE

This work was supported by Electric Power Research Center (EPRC) at Iowa State University. C.-W. Ten, C.-C. Liu, and M. Govindarasu are with the Electrical and Computer Engineering Department, Iowa State University of Science and Technology, Ames, IA, 50010 USA (e-mails: [email protected], [email protected], and [email protected]).

Abstract—Vulnerability assessment is a requirement of NERC's cybersecurity standards for electric power systems. The purpose is to study the impact of a cyber attack on supervisory control and data acquisition (SCADA) systems. Compliance with the standard has become increasingly challenging as the system becomes more dispersed over wide areas. Interdependencies between the computer communication system and the physical infrastructure also become more complex as information technologies are further integrated into devices and networks. This paper proposes a vulnerability assessment framework to systematically evaluate the vulnerabilities of SCADA systems at three levels: system, scenarios, and access points. The proposed method is based on cyber systems embedded with the firewall and password models, the primary mode of protection in the power industry today. The impact of a potential electronic intrusion is evaluated by its potential loss of load in the power system. This capability is enabled by integration of a logic-based simulation method and a module for the power flow computation. The IEEE 30-bus system is used to evaluate the impact of attacks launched from outside or from within the substation networks. Countermeasures are identified for improvement of the cybersecurity.

Index Terms—Cyber-physical system, dependability measures, passwords, Petri nets, power systems, vulnerability indices.

I. INTRODUCTION

Security threats against utility assets have been recognized for decades. In the aftermath of the terrorist attacks on September 11, 2001, great attention has been paid to the security of critical infrastructures. Insecure computer systems may lead to catastrophic disruptions, disclosure of sensitive information, and fraud. Cyber threats result from exploitation of cyber system vulnerabilities by users with unauthorized access. A potential cyber threat to supervisory control and data acquisition (SCADA) systems, ranging from computer system to power system aspects, is recognized [1]. It is shown that an attack can be executed within an hour once the computer system security is compromised. The ever increasing power of the Internet facilitates simultaneous attacks from multiple locations. The highest impact of an attack is when an intruder gains supervisory control access to a SCADA system and launches control actions that may cause catastrophic damage.

Since the 1970s, the control center framework has gradually evolved from a closed monolithic structure to a more open networked environment. With the recent trend of using standardized protocols, more utilities are moving toward Internet protocol (IP) based systems for wide area communication. The compatibility of standards has also leveraged the cost of system deployment among the vendors to improve system upgradeability. However, a tighter integration may also result in new vulnerabilities. Vulnerability risks associated with the connection of SCADA systems to the Internet have been known [2]. The security concern over information exchange between various power entities is more challenging as the potential of cyber threats grows [3]. The increasing dependence upon communications over the Internet has added to the significance and magnitude of the problem. Security awareness and personnel training concerning supervisory control systems are crucial [4], [5]. A recent report comparing different security guidelines and standards has been provided to emphasize the critical elements of cybersecurity for SCADA systems [6]. The cybersecurity technologies identified in [7] address the effectiveness of defense.

Recent research emphasizes security interdependency modeling that includes deliberate sabotage, and the improvement of power system information architecture and communication interaction [8]–[10]. SCADA test bed development is an effective way to identify vulnerabilities of power infrastructure cybersecurity [11]–[13]. Reference [14] proposes a novel approach using wireless sensor technology to assess the mechanical health of a transmission system. The development of quantitative techniques for systems interdependency is reported in [15]. There are model-based attack-detection techniques [16] to detect anomalies and to recognize malicious electronic signatures.

Cybersecurity for the power grid is an emerging area of research. Efforts by International Electrotechnical Commission Technical Committee 57 (IEC TC 57) on power systems management and associated information exchange have advanced communication protocols with stronger encryption and authentication mechanisms. Specifically, this has been proposed in IEC 62351 for data and communication security, which assures access to sensitive power equipment and provides higher reliability with audit capabilities [17]. They allow verification and evaluation of potential threats. Besides the power industry standards, control system standards applicable to oil and gas have been reported [18]. While its importance is well recognized and test beds have been developed, no systematic modeling and analytical technique exists for the evaluation of critical assets in the power infrastructure such as the SCADA system. Moreover, there has not been an approach to measure the

Fig. 1. Cyber Network Environment of a Control Center

vulnerability of a cyber system by incorporating the impact on the power system. The main contribution of this paper is a vulnerability assessment framework for a systematic analysis incorporating both power and cyber systems of the control networks. The proposed integration of cyber-power system attack/defense modeling with the system simulation capability makes it possible to quantify the potential impact an attack can cause. Some preliminary concepts on cyber-physical vulnerability assessment are presented in [19].

The remainder of this paper is organized as follows. Section II provides an overview of the SCADA system security measures and the vulnerabilities. Section III proposes a cyber-net model for evaluation of the system vulnerability. Section IV addresses the computational issue. Section V provides the simulation results. Section VI gives the conclusion.

II. SYSTEM MODEL AND VULNERABILITIES

The control center cyber-net environment, depicted in Fig. 1, describes the connectivity of the corporate networks that are normally protected by firewalls. The control center network is connected to other corporate networks and to substation and power plant networks maintained by information technology personnel. It is recognized that control center networks are highly secured and therefore unlikely to be penetrated directly. In this research, the focus is on intrusion into control center networks through other networks such as those at the substations or power plants.

Through an intranet, each of the geographically dispersed substations is set up with a dial-up network for maintenance purposes. In addition, wireless networks may be installed for local communication. A virtual private network (VPN) is a cybersecurity technology used to connect with other corporate networks. Remote logon programs in the VPN provide the capability to control other machines within the networks. These access points can be password protected [1], [7], [20]. A successful intrusion into an Ethernet-based substation enables an attacker to perform potentially damaging actions, such as opening breakers. This includes the creation of fake data to cause unwanted operations of protective devices [21].

Convenient access to Internet resources and online search capabilities provide a systematic footprint for hackers to identify an organization's security posture. There are increasingly sophisticated intrusion tools that include [20]:
1) War dialing - Once the main phone number prefix is determined, a script dials the surrounding numbers to detect a potential connection.
2) Scanning - It scans the destination IP addresses to determine the service ports on the machine that are either running or in a listening state for connection to potential access points.
3) Traffic sniffing - A network analyzer is used to capture the packets traversing a network.
4) Password cracking - A program that repeatedly tries to guess a password in order to gain (unauthorized) access to a network.
With the available information and tools, there are several possible ways to penetrate existing connections of a network: 1)

VPN, 2) Dial-up connections, 3) Wireless connections, 4) Any remote logon programs, and 5) Trojan horses (on unknown service ports). Necessary information can be acquired from different tools and resources to determine IP addresses in the networks. Detection of a VPN connection by a hacker indicates what the defenders are trying to protect. Trojan horses may use unknown service ports to establish a remote connection.

The most important element of cybersecurity is the software. Each year, the number of known vulnerabilities grows. This results in potential threats for attacks from hackers. Statistics for the reported software flaws are maintained by the Computer Emergency Response Team / Coordination Center (CERT/CC) and the US-CERT [22]. Statistics show that the evolution of software technology over decades has significantly increased the number of known operating system vulnerabilities and security holes. However, the statistics are not exhaustive, for the following reasons: (1) there are no obvious alerts or detection of the penetration attacks due to a weak defense system, and (2) organizations are reluctant to publicly disclose statistical datasets about intrusion attempts [7]. In addition, the increase in individual computer programming skills has resulted in more intrusion tool development for specific domains. Depending on the intent of the attackers, sophisticated attack software can be embedded as worms or viruses in order to achieve their objectives. The intrusion processes can be programmed as software agents combining various forms, such as worms and Trojan horses, to reach specific targets for further attacks.

Fig. 2. Proposed Model and Model with OS Vulnerability

Fig. 2 depicts the proposed model and the model with operating system (OS) vulnerability. The proposed method incorporates the firewall and password models. Such behaviors are studied based on the modeling that provides the boundary inspection of malicious packets and intrusion attempts on each computer system. Model (b) includes the OS vulnerability. Vulnerabilities of the OS are security holes from ports and services that can establish a malicious connection. The vulnerability includes the unused ports and services that are not disabled due to their limitations. Network ports range from 0 to 65535; ports 0 through 1023 are reserved for well-known services that establish connections for applications, e.g., HTTP on port 80. The OS vulnerability can be scanned to identify specific services using unknown ports, which can be used to compromise a system. A complete development of model (b) will require future work to develop detailed models of known vulnerabilities and acquire statistical data for the model.

Possible consequences of cyber attacks include (i) loss of load, (ii) loss of information, (iii) economic loss, and (iv) equipment damage, depending on the level of success of a cyber attack and the motivation of an individual attacker. Two types of attacks can cause the above consequences:
1) Directed attacks: Attacks with short term effects that can be determined by the behaviors. The consequences of shutting down the SCADA systems through denial of service (DoS) attacks or deleting the file systems can disable the online monitoring and control system. The direct consequence of a cyber attack may also result in events such as loss of load in a power system.
2) Intelligent attacks: These are well-planned attacks that require in-depth power system knowledge. An example is an intrusion to alter relay settings. Such attacks may require intrusions into networks at critical substations to trigger cascading effects. Cascading events may result in a major power outage that can be catastrophic. Other attacks include slowing down the communications between substations and control centers by overloading the local computer network systems. Another scenario is to change the one-line diagram of the control center in a way that may mislead dispatchers.

III. MODELING FOR VULNERABILITY EVALUATION

The purpose of the proposed methodology is to model intrusions and evaluate the consequences of a cyber attack on the SCADA system. The proposed method is used to assess the vulnerability of computer networks and the potential loss of load in a power system as a result of a cyber attack. Compromised cybersecurity of a SCADA system can cause serious impact to a power system if the attack is able to launch disruptive switching actions leading to a loss of load. This is particularly troublesome if the attack can penetrate the control center network that is connected to substations under the SCADA system. The combination of access points from substation-level networks to other networks leads to various attack scenarios. The proposed framework is composed of two aspects: 1. cyber-net model, and 2. power flow simulation. A cyber-net defines the intrusion scenarios and their events and status. Power flow is the most basic model of the steady state behavior of a power system. The integration of these two models makes it possible to quantify the impact caused by a potential cyber attack. The proposed methodology can be used to:
1) Model the access points to a SCADA system.
2) Construct a cyber-net model for intrusions and their status.
3) Simulate a cyber attack using the intrusion models to evaluate their impact based on power flow simulations.
4) Improve cybersecurity of the SCADA system based on vulnerability assessment results with the available technologies.

The proposed vulnerability assessment method is performed at three levels: system, scenarios, and access points. The flow chart depicted in Fig. 3 illustrates the simulation procedures. The proposed method has been implemented in Visual Basic .NET with interactions between SPNP [24] and MATLAB. An extensible markup language (XML) file that stores the

models for simulation is used to automatically generate an intermediate file called C-Based SPNP Language (CSPL). This is prepared by an algorithm that builds a topology of the cyber-net according to the net definition of a network. The definition is composed of password and firewall models.

Fig. 3. Flowchart for Proposed Vulnerability Assessment Framework

A. System Vulnerability

In this research, a system is defined as the wide area interconnected, IP-based computer communication networks linking the control center and substation-level networks. The scope of this research is defined based on the following practical considerations:
• Each intrusion scenario through a substation-level network is an independent event that has no correlation with intrusion scenarios on other substations.
• A "direct" connection through local access to the (highly secured) control center network is unlikely. However, a connection to the control center from substation-level networks can be established through VPN or other remote logon systems.
As shown in (1), the system vulnerability, V_s, is determined as the maximum vulnerability level over the set of scenarios represented by I.

$$V_s = \max \langle V(I) \rangle \quad (1)$$

B. Scenario Vulnerability

An intrusion scenario consists of the steps taken by an attempted attack from a substation-level network through a local or outside network that is targeted at the SCADA system in the control center. Substation-level networks in a power system are connected to generators and/or loads. These substation-level networks are associated with substation automation systems, power plant control systems, or distribution operating centers.

The total set of scenarios depends on the number of substations that are installed with the IP-based system for communications. For a given scenario associated with a substation, there are three cases depending on the supervisory control privileges: 1. Substation with no load or generator, 2. Substation with load, and 3. Substation with load and generator. These cases are considered in the logic- and power flow-based evaluations of each scenario. Each specific scenario is evaluated to determine the impact based on the potential loss of load. The total set of scenarios I includes all attack scenarios through access points in the networks. The scenario vulnerability is defined by

$$V(I) = \{V(i_1), V(i_2), \ldots, V(i_K)\} \quad (2)$$

where K is the number of intrusion scenarios to be evaluated.

C. Access Point Vulnerability

An access point provides the port services to establish a connection for an intruder to penetrate the SCADA computer systems. The vulnerability of a scenario i, V(i), through an access point is evaluated to determine its potential impact. For a set of access points S to the SCADA system, the scenario vulnerability is a weighted sum of the potential damages over the set S. The scenario vulnerability V(i) for a scenario is defined by

$$V(i) = \sum_{j \in S} \pi_j \times \gamma_j \quad (3)$$

where π_j is the steady state probability that a SCADA system is attacked through a specific access point j, which is linked to the SCADA system. The impact factor, γ_j, represents the level of impact on a power system when a substation is removed, i.e., electrically disconnected, by switching actions due to the attack. The impact caused by an attack through an access point will be evaluated by a logic- and power flow-based procedure. The steady state probabilities π_j will be determined from a cyber-net model. They will be discussed further later in this section.

Since attacks occur randomly, a stochastic process is needed for the model. In this study, the intrusion and cyber-net are modeled by a generalized stochastic Petri net (GSPN) model [23]. The states of the stochastic process are the status of intrusions to a network that are inferred from the abnormal activities. These include malicious packets flowing through pre-defined firewall rules and failed logon passwords on the

computer system. Transition probabilities are obtained from the abnormal activity data in the system.

A GSPN consists of two different transition classes: immediate and timed transitions. As depicted in Fig. 4, which is an illustration of a firewall model that will be elaborated later, a status node is represented by a circle. An arrow head denotes a transition of the system status. An immediate transition is shown as a solid bar. Immediate transitions are assigned probability values. Timed transitions, denoted by empty bars, have delay times associated with the response that an attacker receives from the system. Tokens (dots inside a circle) are used to model the number of intrusion attempts where an attack starts. Token passing describes the change of each transition, or marking.

SCADA systems typically have specially designed firewall rules and password policies to achieve a high level of computer security. There are two submodels in a cyber-net: the firewall model and the password model. These models support the high level of abstraction on penetration transitions for each scenario. The transition probability and rates for each submodel will be detailed.

Fig. 4. Firewall Model with Malicious n Rules

1) Firewall Model: A firewall is a technology of cybersecurity defense that regulates the packets flowing between two networks. As there may be different security trust levels between networks, a set of firewall rules is configured to filter out unnecessary traffic. These rules are written with the following criteria for acceptance or rejection:
1) Type of protocol
2) Incoming and outgoing traffic
3) Specific port service or a port service range
4) Specific IP address or an IP address range
These audit fields are recorded in a firewall and are used offline by a system administrator to analyze malicious behaviors. Due to the high volume of daily network traffic, it is not practical for a system administrator to monitor the network with the available datasets. Thus, an add-on commercial firewall analyzer is implemented to detect anomalies in these datasets.

The malicious packets flowing through a firewall must be identified. Together with the traffic denied by the firewall, such data can determine the probability of cyber attack occurrences either being granted access or being attempted. These datasets can be analyzed from the firewall logs in two ways:
1) The number of records rejected compared to the total number of firewall traffic records, and
2) The number of malicious records bypassing compared with total records for each rule.
The firewall model depicted in Fig. 4 includes n paths corresponding to n rules in the firewall model. The attacker receives responses from the system through the feedback paths starting with the circles representing rules. The paths vertically passing the circles representing rules are successful attempts.

This model consists of two terminals that can be connected to other submodels. For instance, a network that consists of three zones, including a demilitarized zone (DMZ), can be modeled by connecting two firewall models in series. The construction of the model conforms to the number of rules that are implemented in the firewall. In case the number of firewall rules is large, only a subset of rules considered potentially malicious are included in the formulation. The submodel consists of circles that are the states representing the denial or access of each rule. Each solid bar is assigned a firewall penetration probability that can be calculated from firewall logs. The transition probability of malicious packets going through a firewall with respect to an individual rule can be evaluated by

$$P^{fp}_{i,j} = \frac{f^{fp}_{i,j}}{N^{fp}_{i,j}}; \qquad P^{fr}_{i} = \frac{f^{fr}_{i}}{N^{fr}_{i}} \quad (4)$$

In the above equation, only the malicious packets traveling through any policy rule j on each firewall i are taken into account. The probability of malicious packets traveling through a firewall rule policy, P^{fp}_{i,j}, is the ratio of f^{fp}_{i,j} to N^{fp}_{i,j}, where f^{fp}_{i,j} denotes the frequency of malicious packets through the firewall rule, and N^{fp}_{i,j} is the total number of records of firewall rule j. Similarly, the probability of the packets being rejected by firewall i, P^{fr}_{i}, can be evaluated by the ratio of f^{fr}_{i} to N^{fr}_{i}, where f^{fr}_{i} is the number of rejected packets and N^{fr}_{i} denotes the total number of packets in the firewall logs.

The empty bars represent timed delay transitions for the firewall execution rate and average response rate. The firewall execution rate, λ^f_i, is the number of instructions executed per second. This value estimates the time required to validate the rules traveling through the firewall. The average response rate λ^{nr}_i depends on the network traffic condition, which can be estimated using ping commands.

2) Password Model: The password model is used to evaluate penetration attempts based on repeatedly failed logons without establishing authentication credentials. The mechanism for storing these failed logon trials, or other security-relevant events, is embedded in the computer system for analysis, e.g., security logs from the event viewer in the Windows platform. This model includes two components: failed logon probability and the response rate. The probability is evaluated

by the number of failed logons. The response rate is the central processing unit (CPU) clock rate, which represents the performance of a computer system that validates the credentials of a user. These two components provide a means for evaluating intrusion attempt behavior with respect to how fast each attempt can be made on each machine. In addition, the anomaly profile, discerned statistically from failed authentication, enables an estimation of the expected behavior (attempted intrusions) that has occurred over time.

The password model shown in Fig. 5 consists of two status nodes and two types of transitions representing the intrusion status of a computer system. The intrusion attempt on a machine is modeled by a transition probability associated with a solid bar. An empty bar represents the processing execution rate that responds to the attacker. To model this behavior as a defense, an account lockout feature, with a limited number of attempts, can be simulated by initiating N tokens (the password policy threshold). The tokens are independent of the user types and privileges.

Fig. 5. Password Model

The transition probability can be estimated by:

$$P^{pw}_i = \frac{f^{pw}_i}{N^{pw}_i} \quad (5)$$

For a computer system i, the probability is evaluated based on the number of intrusion attempts f^{pw}_i and the total number of observed records N^{pw}_i. A successful logon within a specified time interval, i.e., a minute after two failed logons, does not count toward the number of intrusion attempts; such failures are considered typographical errors from authorized users. The response rate λ^{pw}_i is the time delay of iterative logons used to estimate the next attempt, assuming there is a tool that automates the process.

D. Quantitative Analysis of Cyber-Net

A cyber-net is a composite model that is formulated by the combination of the firewall and password models. These submodels are used for the analysis of a compromised SCADA system. A cyber-net based on the computer network connectivity is illustrated in Fig. 7. The cyber-net contains modules representing several networks located at the power plant (bold-faced in Fig. 7), substation, distribution operating center, and a control center. Within each module, the firewall and password models for that network are shown.

Fig. 7. Construction of Cyber-Net Based on Substation with Load and Generator (Model 3)

An example given in Fig. 6 illustrates a cyber-net (shown on the right side) representing a substation network (shown on the left side). The settings of each IED are configured on the computers that are mapped to the data points for communication purposes. For a successful intrusion into the network, the steps for a cyber attack involve (i) identification of the availability of the computer system in the network, (ii) an attempt to intrude into the computer systems, and (iii) learning how to perform an attack through the SCADA system.

Fig. 6. Formulation of Cyber-Net with Firewall and Password Models

Since these computers provide supervisory control capabilities, it is important to model them with password models. In this setup, a cyber-net is the composite of a firewall model and two password models for analysis of the malicious behaviors. Suppose the (fictitious) probabilities for each firewall rule are P^{fp} = (.0095324 .0181514 .0019415), and the packet rejection probability is P^{fr} = (.71457). An estimated 10% failed logons is assumed for both machines. The rates are assumed to be λ^{pw}_1 = λ^{pw}_2 = 63 × 10^{-7}, and λ^f_1 = λ^{nr}_1 = 12 × 10^{-10}. These values are obtained by random number generators. The reachability graph of this example is shown in Fig. 8. The 7 reachable states are obtained by initiating a token from the top in Fig. 6. A label M inside a circle in Fig. 8 indicates a reachable state. The transition probabilities and rates are the given parameters assigned on each directed arc.

Overall, the transition probabilities can be composed into the matrix P with respect to the marking sets for immediate and timed transitions in (6).

$$\mathbf{P} = \mathbf{A} + \mathbf{B} = \begin{pmatrix} \mathbf{C} & \mathbf{D} \\ \mathbf{0} & \mathbf{0} \end{pmatrix} + \begin{pmatrix} \mathbf{0} & \mathbf{0} \\ \mathbf{E} & \mathbf{F} \end{pmatrix} \quad (6)$$

The matrix A corresponds to markings induced by immediate transitions; submatrix C moves from immediate to immediate markings and submatrix D moves from immediate to timed markings. The second row of the block matrix has similar properties, where its submatrix E moves from timed transitions to immediate transitions and submatrix F represents markings within timed transitions. Using the parameter values of the example, the matrix P is constructed as follows. Since there are 4 immediate markings for this example, the dimensions of C, D, E, F are 4 by 4, 4 by 3, 3 by 4 and 3 by 3, respectively. The columns are the markings sorted in this order, where M1, M3, M4, M5 are induced by immediate transitions and M2, M6, M7 are induced by timed transitions. The first row of P represents the transitions from M1 to M1, M3, M4, M5 (immediate) and M2, M6, M7 (timed). The probability or rate for each transition can be computed by the weighted sum of probabilities or rates, e.g., $c_{12} = \frac{p^{fp}_1}{p^{fr} + p^{fp}_1 + p^{fp}_2 + p^{fp}_3} = .0128$, $d_{22} = \frac{\lambda^f_1}{\lambda^f_1 + \lambda^{nr}_1} = .5$, and $f_{23} = \frac{\lambda^{pw}_1}{\lambda^{pw}_1} = 1$.

$$\mathbf{P} = \begin{pmatrix}
0 & .0128 & .0244 & .0026 & .9602 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & .5 & .5 \\
0 & 0 & 0 & 0 & 0 & .5 & .5 \\
0 & 0 & 0 & 0 & 0 & .5 & .5 \\
0 & 0 & 0 & 0 & 0 & 0 & 0 \\
0 & 0 & 0 & 0 & 0 & 0 & 1 \\
0 & 0 & 0 & 0 & 0 & 1 & 0
\end{pmatrix}$$
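The log-based estimates of (4) and (5), and their normalisation into the immediate-transition weights that form the first row of P, as an added example; this is not code from the paper or from its SPNP/MATLAB implementation. The firewall records and logon events are constructed for the example; the 4625/4624 event IDs are the Windows failed/successful logon events that the paper's event-viewer source would supply, and measuring the one-minute, two-failure "typo" window from the first of the failures is this example's reading of the paper's rule. With the page's fictitious rule probabilities the weights reproduce its first row (.0128, .0244, .0026, .9602).

```python
"""Estimate the firewall and password transition probabilities of (4) and (5)
from log records and normalise them into the immediate-transition weights that
form the first row of P. Added example; every log record below is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed firewall log of one firewall (i = 1): (rule j, action, malicious).
# "malicious" is the verdict of the offline firewall analyzer the paper relies on.
FIREWALL_LOG = [
    ("r1", "ALLOW", False), ("r1", "ALLOW", True), ("r1", "ALLOW", False), ("r1", "DENY", False),
    ("r2", "ALLOW", False), ("r2", "ALLOW", True), ("r2", "DENY", False), ("r2", "DENY", False),
    ("r2", "ALLOW", False),
    ("r3", "ALLOW", False), ("r3", "ALLOW", False), ("r3", "DENY", False),
]

# Constructed Windows security-log style events of one machine (i = 1):
# (timestamp, account, event id); 4625 = failed logon, 4624 = successful logon.
FAILED, SUCCESS = 4625, 4624
LOGON_LOG = [
    ("2024-01-01 08:00:00", "oper1", FAILED),
    ("2024-01-01 08:00:20", "oper1", SUCCESS),   # one failure corrected within a minute: a typo
    ("2024-01-01 09:00:00", "oper2", FAILED),
    ("2024-01-01 09:00:05", "oper2", FAILED),
    ("2024-01-01 09:00:10", "oper2", FAILED),
    ("2024-01-01 09:00:15", "oper2", FAILED),
    ("2024-01-01 09:00:20", "oper2", FAILED),    # burst of five with no success: attempts
    ("2024-01-01 10:00:00", "oper3", FAILED),
    ("2024-01-01 10:00:30", "oper3", FAILED),
    ("2024-01-01 10:05:00", "oper3", SUCCESS),   # success, but five minutes later: attempts
]
TYPO_WINDOW = timedelta(minutes=1)   # "a minute after two failed logons"
TYPO_MAX_FAILURES = 2


def firewall_probabilities(log):
    """(4): P^fp_{i,j} = f^fp_{i,j} / N^fp_{i,j} per rule j, where f counts malicious
    packets the rule let through and N all records of the rule; P^fr_i = rejected
    records / all records of the firewall."""
    per_rule_total = Counter(rule for rule, _, _ in log)
    per_rule_malicious = Counter(rule for rule, action, malicious in log
                                 if action == "ALLOW" and malicious)
    p_fp = {rule: per_rule_malicious[rule] / per_rule_total[rule] for rule in per_rule_total}
    p_fr = sum(1 for _, action, _ in log if action == "DENY") / len(log)
    return p_fp, p_fr


def password_probability(log):
    """(5): P^pw_i = f^pw_i / N^pw_i. Up to TYPO_MAX_FAILURES failures that the same
    account corrects with a success inside TYPO_WINDOW (measured from the first of
    those failures, an assumption of this example) are typos, not attempts."""
    pending = defaultdict(list)          # account -> timestamps of not-yet-classified failures
    attempts = 0
    for stamp, account, event in sorted(log, key=lambda e: e[0]):
        t = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        if event == FAILED:
            pending[account].append(t)
        elif event == SUCCESS:
            fails = pending.pop(account, [])
            typo = fails and len(fails) <= TYPO_MAX_FAILURES and t - fails[0] <= TYPO_WINDOW
            if not typo:
                attempts += len(fails)
    attempts += sum(len(fails) for fails in pending.values())   # never corrected
    return attempts / len(log)


def immediate_weights(p_fp, p_fr):
    """Weights of the immediate transitions leaving the firewall entry marking: each
    path (rule j passes, or the packet is rejected) divided by the sum over paths,
    which is how the page forms c12 = p^fp_1 / (p^fr + p^fp_1 + p^fp_2 + p^fp_3)."""
    total = p_fr + sum(p_fp.values())
    weights = {rule: p / total for rule, p in p_fp.items()}
    weights["reject"] = p_fr / total
    return weights


if __name__ == "__main__":
    p_fp, p_fr = firewall_probabilities(FIREWALL_LOG)
    print("P^fp per rule:", p_fp, " P^fr:", round(p_fr, 4))
    print("P^pw:", password_probability(LOGON_LOG))
    # The page's fictitious values reproduce its first row of P: .0128, .0244, .0026, .9602
    page = immediate_weights({"r1": .0095324, "r2": .0181514, "r3": .0019415}, .71457)
    print("first-row weights:", {k: round(v, 4) for k, v in page.items()})
```

A real deployment would feed `firewall_probabilities` from the analyzer's labelled export rather than a hand-built list, and the typo rule should be revisited per site: a longer window or a larger failure allowance makes the model blind to slow, low-volume guessing.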
The solution of the linear system is expressed as [23]

$$\tilde{\pi} \mathbf{P} = \tilde{\pi}, \qquad \sum_{M \in T \cup V} \tilde{\pi} = 1 \quad (7)$$

where T and V are the marking sets induced by timed (tangible) and immediate (vanishing) transitions, respectively. The vector π̃ denotes the steady state probabilities for the states of the embedded Markov chain (EMC). This is interpreted in terms of the number of state transitions. Using the fact that the time spent in each marking induced by an immediate transition is zero, P can be reduced to a smaller matrix, P', where only quantities directly related to timed transitions are of interest. To reduce the state transition probability matrix P of the EMC, it can be rewritten as P' in the following form [23]:

$$\mathbf{P}' = \mathbf{F} + \mathbf{E} \Big( \sum_{h=0}^{\infty} \mathbf{C}^h \Big) \mathbf{D} \quad (8)$$

Fig. 8. Reachability Graph of Cyber-Net (One-Firewall-Two-Machines)

P∞
where h=0 C h = (I − C)−1 is needed by the probabilities
moving within the markings from immediate transitions in h
step. For the value of P, P0 can be obtained as
 
0 0 0
P0 =  0 0 1 
0 1 0
P
Solving the linear equation π̃P = π̃; and i=2,6,7 π̃i = 1
yields π̃ = (0 .5 .5), indicating that π̃6 = π̃7 . The steady state
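The reduction (8) and the solution of (7) for the matrix $P$ above, worked through in plain Python as an added example. This is not the paper's code: the only inputs are the entries of $P$ printed on the page, the Gaussian elimination helper and the assumption of a single recurrent class in `stationary` are mine, and the value $\pi_2 = .9602$ that the page reports for the sojourn-time weighting is taken as given rather than derived.

```python
"""Reduction of the embedded Markov chain of the one-firewall-two-machines
cyber-net, eq. (8), and solution of its steady state, eq. (7).  Added example,
not the paper's code: the matrix P is the one printed on the page, the linear
algebra is plain Python, and pi_2 = .9602 (reported on the page) is taken as
given for the final split of probability between M6 and M7."""

# Marking order used by the page: four vanishing markings (immediate
# transitions enabled) followed by three tangible markings (timed transitions).
VANISHING = ["M1", "M3", "M4", "M5"]
TANGIBLE = ["M2", "M6", "M7"]
P = [
    [0, .0128, .0244, .0026, .9602, 0, 0],   # M1: three rule hits, one reject
    [0, 0, 0, 0, 0, .5, .5],                 # M3
    [0, 0, 0, 0, 0, .5, .5],                 # M4
    [0, 0, 0, 0, 0, .5, .5],                 # M5
    [0, 0, 0, 0, 0, 0, 0],                   # M2 (no outgoing transition listed)
    [0, 0, 0, 0, 0, 0, 1],                   # M6
    [0, 0, 0, 0, 0, 1, 0],                   # M7
]


def partition(P, n_vanishing):
    """Split P into the blocks of (8): C vanishing->vanishing, D vanishing->
    tangible, E tangible->vanishing, F tangible->tangible."""
    v = n_vanishing
    C = [row[:v] for row in P[:v]]
    D = [row[v:] for row in P[:v]]
    E = [row[:v] for row in P[v:]]
    F = [row[v:] for row in P[v:]]
    return C, D, E, F


def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]


def solve(A, b):
    """Gauss-Jordan elimination with partial pivoting for A x = b."""
    n = len(A)
    M = [[float(x) for x in A[i]] + [float(b[i])] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        if abs(M[piv][col]) < 1e-12:
            raise ValueError("singular system")
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def inverse(A):
    n = len(A)
    cols = [solve(A, [1.0 if i == j else 0.0 for i in range(n)]) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def reduce_emc(P, n_vanishing):
    """P' = F + E (I - C)^-1 D: the chain restricted to tangible markings,
    using sum_h C^h = (I - C)^-1 for the walks through vanishing markings."""
    C, D, E, F = partition(P, n_vanishing)
    v = n_vanishing
    I_minus_C = [[(1.0 if i == j else 0.0) - C[i][j] for j in range(v)] for i in range(v)]
    EWD = matmul(matmul(E, inverse(I_minus_C)), D)
    return [[F[i][j] + EWD[i][j] for j in range(len(F))] for i in range(len(F))]


def stationary(Pr):
    """Solve pi Pr = pi with sum(pi) = 1 (eq. 7): transpose, subtract I and
    replace the last (redundant) equation by the normalisation.  Assumes a
    single recurrent class, which holds for the 3-state chain here."""
    n = len(Pr)
    A = [[Pr[j][i] - (1.0 if i == j else 0.0) for j in range(n)] for i in range(n)]
    A[-1] = [1.0] * n
    b = [0.0] * (n - 1) + [1.0]
    return solve(A, b)


def tangible_distribution(pi_tilde, pi_m2):
    """The page's last step for this net: the probability not held by M2 is
    shared between M6 and M7 in proportion to their EMC probabilities."""
    rest = pi_tilde[1] + pi_tilde[2]
    return {"M2": pi_m2,
            "M6": (1 - pi_m2) * pi_tilde[1] / rest,
            "M7": (1 - pi_m2) * pi_tilde[2] / rest}


def relative_error(simulated, analytic):
    """Precision check in the page's form: simulated / analytic - 1."""
    return simulated / analytic - 1


if __name__ == "__main__":
    Pr = reduce_emc(P, len(VANISHING))
    pi_tilde = stationary(Pr)
    print("P' =", Pr)
    print("pi~ =", [round(x, 4) for x in pi_tilde])
    print("pi  =", tangible_distribution(pi_tilde, .9602))
```

Running the block prints $P' = F$ (because $E = 0$), $\tilde{\pi} = (0, .5, .5)$ and $\pi_6 = \pi_7 = .0199$; `relative_error(2.0319e-2, 1.9904e-2)` reproduces the roughly 2% gap between simulated and analytical values that the page quotes for this net. `reduce_emc` applies unchanged to larger nets, but `stationary` should then be replaced by a solver that handles several recurrent classes.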
probabilities π can be obtained by weighting each entry π̃ with
the sojourn time of corresponding markings [23]. The mean
time that a process spends in state Ms between the visits to
Mj is given by
1 X ³ X ´−1
τ s (Ms ) = π̃s × ωk (9)
π̃j
Ms ∈T k:tk ∈EN (Ms )

where EN and t denote the enabled transition markings and Fig. 9. Impact Factor vs. Loading Level
transition, respectively. The time units spent, on the average,
in state Mj is the mean cycle (recurrence) time that follows
³ X ´−1 diverges. The value of L∗ at this point is used for (12). A plot
τ c (Mj ) = ωk (10) with the range of different values for PLOL and L is depicted
k:tk ∈EN (Mj )
in Fig. 9 with the substation 13. The range of L is from 0 to
In general, the steady state probabilities π of the stochastic 3.2.
process can be determined by
( τ (M ) IV. C OMPUTATIONAL I SSUE
s s
Mj ∈ T
π = τ c (Mj ) (11) The proposed method discussed in Section III can be used
0 Mj ∈ V
to analyze each scenario independently. However, for an n-
where the mean time spent in marking Mj is divided by substation power system, a large size of state space for each
the mean cycle time. By applying (11) and π2 = .9602 is scenario combined with a large number of intrusion attempts
determined, the steady state distribution for π6 and π7 are can result in a very large state space. Computationally, this can
both (1 − .9602) × .5 = .00199. be a challenging task. For illustration, a test using the same
The correlation between the historical data and factor π is construction of the cyber-net in Fig. 7 is performed. This test is
based on the construction of the composition of cyber-net and conducted using Pentium CPU 3.0 GHz processor with 1 GB
the probabilities associated with the Petri net transitions. The memory. In this cyber-net, the total number for firewalls and
probability π also depends on the rule set corresponding to machines is 6 (with 3 malicious rules) and 20, respectively. In
each firewall and the number of computers in the network. The Table I, the number of intrusion attempts is denoted by N and
weighted sum of steady-state probabilities among the SCADA J is the total reachability sets induced by timed transitions.
systems in (3) provides a measure of the system vulnerability. The execution time has indicated a tremendous growth of
the reachability sets with the increase of number of intrusion
E. Evaluation of Impact Factor attempts. When simulating N = 5, the computer memory
The impact factor for the attack upon a SCADA system is resource has been exhausted. This indicates the infeasibility
determined by the ratio and loading level, L. Specifically, the of an exhaustive approach in practical implementation.
loss of load (LOL) is quantified for a disconnected substation. TABLE I
The impact can be described by C OMPUTATION T IMES BY E XHAUSTIVE A PPROACH
³P ´L∗ −1
LOL N J Time Elapsed
γ= (12)
PT otal 1 43 0s
The impact level is assigned with a ratio to the power of 2 974 3s
3 15, 059 91s
L − 1 where PLOL and PT otal denote the loss of load and 4 177, 669 1, 701s
total load, respectively. L is the loading level at the substation
being evaluated. At the value of L, the power flow diverges
which is an indication of a severe impact. (A more accurate One well-known alternative is the simulation method. This
analysis can be achieved by computation of the well-known is an empirical approach based on discrete event to character-
P-V curves.) To determine the value of L, one starts with the ize the change of states by generating a sample path through
value of L = 1 at the substation and gradually increases the the state spaces. An experiment is conducted to compare
loading level of the entire system without the substation that the accuracy performance for both methods. The simulation
has been removed. This process continues until the power flow parameters with time length= 99, 999, 999, 999 and simulation
runs = 1,000 are set to ensure that the system output reaches steady state values. With these parameters, the result shows a precision level of at least 97% for the one-firewall-two-machines example, i.e., $\frac{2.0319 \times 10^{-2}}{1.9904 \times 10^{-2}} - 1 \approx 2\%$. The simulation takes approximately 3-6 minutes. These parameters are used in the next section.

V. VULNERABILITY EVALUATION AND IMPACT STUDIES

The case studies are based on the IEEE 30 bus system. Simulations are performed to evaluate the scenario vulnerability.

A. IEEE Case Study and Implementations

The wide area communication link between a control center network and the substation-level networks is depicted in Fig. 10. In this test case, there are 24 substations associated with 30 buses. The link of each substation-level network (denoted as sub. in the figure) is represented by one of the 3 models, Model 1-3. Model 3 means that there are 3 possible access points through which the network can be reached: connections can be made to a substation network from a power plant network or from a distribution operating center. Model 1 and Model 2 are set up without other sub-networks. Connections between any two networks are protected by firewalls. Each model consists of a number of firewall and password models.

Fig. 10. Case Setup for IEEE 30 Bus System

B. Simulation Results

Attacks launched from different locations result in different levels of vulnerability. Two cases for vulnerability evaluation are considered:
1) An attack from outside the substation-level networks
2) An attack from within the substation networks

Case 1 is initiated by hackers outside the network who are trying to reach one of the substation networks. Case 2 can be caused by inadequate physical defense around the substation. An attack from within the substation itself is simulated by shifting the initial token from A to C in Fig. 7, to indicate where the intrusion attempts are launched, i.e., within the substation network. The purpose here is to determine the existing vulnerability level for both cases and identify measures for improvement.

Table II lists the steady state probabilities for the intrusion scenario of sub. 1 in Fig. 10. Each probability is a steady state value for one computer system under supervisory control at one of the locations. The analysis includes calculations of the steady state probabilities from both outside and inside the substation. Given the steady state probabilities for an intrusion scenario, the scenario vulnerability from outside is computed using (3) as follows:

$$V(I_{sub1}) = \Big(\sum_{x} \pi_x\Big) \times \gamma_{sub1} + \Big(\sum_{y} \pi_y\Big) \times \gamma_{CCen} = (.5789) \times \Big(\frac{.3}{189.2}\Big)^{1.5} + (.1512) \times \Big(\frac{189.2}{189.2}\Big)^{0} = .1513$$

This evaluation involves two parts: the attack on the sub. 1 network and the attack on the control center (denoted as CCen) from the networks, where $x$ and $y$ are the sets of machines at each network; $x = \{SB3, SC4\}$ and $y = \{SE5, SE7, SE8, SE9\}$. The steady state probabilities for each network are evaluated separately, corresponding to different impacts. Likewise, the scenario vulnerability from inside is .9230. Using the same evaluation, the complete set of scenario vulnerability indices is computed for all substations (Fig. 11); the impact factors that enter them are listed in Table III. The first and second columns of Table III are the substation and its associated buses; each bus corresponds to a substation except for sub. 4, sub. 6, and sub. 22, which serve several buses. Column 3 indicates the expected loss of load for each substation under attack, column 4 the maximum loading level, and column 5 the impact factor.

To support an intuitive judgment, Table II shows the steady state probabilities for an attack through sub. 1 (Model 3) compared with another attack through sub. 22 (Model 1). The two substations use different models in Fig. 10, which allows a comparison. Assuming that comparable computer systems are used, a smaller-scale substation computer network can lead to a higher level of vulnerability, because on a smaller network it may be easier to identify the target for attack. The scenario vulnerability indices for substations 22 and 1 are .2329 and .1513, respectively, indicating that substation 22 is more vulnerable.

For the purpose of formulating realistic probabilities for the firewall and password models, one month of actual logon data from a university information technology division was obtained. These datasets have been observed with the criterion that
failed logons within a minute are considered typographical errors from authorized users. This sample dataset, with approximately 3 million records, is acquired from the university's Kerberos authentication system for all users. The probabilities obtained from the analyzed data range from $1 \times 10^{-5}$ to .005. A random generator has been implemented over this range to produce the probability set for the firewall and password models. For this simulation, the rates are assumed to be constant for all computer systems and firewalls within the networks.

TABLE II
STEADY STATE PROBABILITIES FOR SUB. 1 AND SUB. 22

  Attack Starts from   Machines   Sub. 1 (Model 3)   Sub. 22 (Model 1)
  Outside              SB3            .5783                −
                       SC4            .0007              .0004
                       SE5            .0412              .1401
                       SE7            .0283              .0141
                       SE8            .0178              .0380
                       SE9            .0640              .0405
  Inside               SB3            .0294                −
                       SC4            .0015              .0037
                       SE5            .2521              .4038
                       SE7            .1722              .0404
                       SE8            .1086              .1088
                       SE9            .3903              .1164

The countermeasure evaluated is a password policy threshold of 3. As shown in Fig. 11, the improvement has lowered the vulnerability indices for all substations. System vulnerability is shown in bold. Another interesting observation is that the vulnerability indices of substations 5, 17, 20, and 22, which have zero loss of load (Table III), are not the lowest among the intrusion scenarios. This is because the malicious packets pass through the defined rule sets in the firewalls, and the intrusion attempts on the SCADA systems then lead to higher steady state probabilities. The system vulnerability, which indicates a bottleneck, does not have a high impact factor either. However, large discrepancies between the system vulnerability and the other scenario vulnerabilities play a pivotal role and require vigilant attention for security improvements. It is concluded that the scenario vulnerability for each substation depends on the pre-defined firewall rule sets, the security system policies, and the impact factor.

TABLE III
IMPACT FACTOR FOR EACH SUBSTATION

  Sub.   Associated Buses   LOL (MW)    L      γ
   1     1                     .3      2.5   .0001
   2     2                    21.7     1.8   .1769
   3     3                     2.4     2.5   .0014
   4     4, 12, 13            18.8     1.4   .3971
   5     5                     0       2.5   0
   6     6, 9, 10, 11          5.8     1     1
   7     7                    22.8     2.8   .0222
   8     8                    30       3.6   .0083
   9     14                    6.2     2.9   .0015
  10     15                    8.2     3     .0019
  11     16                    3.5     2.6   .0017
  12     17                    9       2.9   .0031
  13     18                    3.2     3.1   .0002
  14     19                    9.5     2.9   .0034
  15     20                    2.2     2.9   .0002
  16     21                   17.5     2.6   .0222
  17     22                    0       2.2   0
  18     23                    3.2     2.7   .0010
  19     24                    8.7     2.9   .0029
  20     25                    0       2.8   0
  21     26                    3.5     2.8   .0008
  22     27, 28                0       1     1
  23     29                    2.4     2.8   .0004
  24     30                   10.6     2.8   .0056

Fig. 11. Scenario Vulnerability Indices for Each Intrusion Scenario

VI. CONCLUSION

Vulnerability assessment is a critical task to ensure that power infrastructure cybersecurity is systematically evaluated. The proposed analytical framework provides a measure to quantify the system vulnerability. The emphasis of this research includes the 3 substation-level models for a cyber system. A lower password policy threshold leads to a lower probability of success for intrusion attempts. However, the drawback of a low threshold is that it may result in user account lockout, which may well be caused by typographical errors from authorized users. Case studies in this research demonstrate variations of vulnerability indices with respect to attacks from inside and outside and the effectiveness of a countermeasure. The proposed framework can be used as a planning tool that assists security analysts in identifying the bottleneck of the system where improvements are most effective.

There is a lack of statistical information about intrusion attempts toward the power infrastructure. This limitation can be partially removed through future development of test beds for comprehensive evaluations. Test beds are powerful tools for development and evaluation of mitigation and economic strategies.
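As an added worked example (not code from the paper), the impact factors of Table III and the scenario vulnerability indices of Table II are recomputed from (12) and (3). The inputs are the page's own numbers: $P_{Total} = 189.2$ MW and $\gamma_{CCen} = 1$ from the sub. 1 evaluation, the loss-of-load and $L$ columns of Table III, and the steady state probabilities of Table II. Treating the largest scenario index as the system vulnerability is an assumption based on the page describing it as the bottleneck.

```python
"""Impact factor (12) and scenario vulnerability (3) for the IEEE 30-bus case,
recomputed from the figures in Tables II and III.  Added example, not the
paper's code; the inputs are the page's numbers (P_Total = 189.2 MW and
gamma_CCen = 1 from the worked sub. 1 evaluation).  Taking the maximum
scenario index as the "system vulnerability" is an assumption."""

P_TOTAL_MW = 189.2  # total load used in the page's worked example

# Table III: substation -> (loss of load in MW, loading level L* at divergence)
TABLE_III = {
    1: (.3, 2.5), 2: (21.7, 1.8), 3: (2.4, 2.5), 4: (18.8, 1.4), 5: (0, 2.5),
    6: (5.8, 1), 7: (22.8, 2.8), 8: (30, 3.6), 9: (6.2, 2.9), 10: (8.2, 3),
    11: (3.5, 2.6), 12: (9, 2.9), 13: (3.2, 3.1), 14: (9.5, 2.9), 15: (2.2, 2.9),
    16: (17.5, 2.6), 17: (0, 2.2), 18: (3.2, 2.7), 19: (8.7, 2.9), 20: (0, 2.8),
    21: (3.5, 2.8), 22: (0, 1), 23: (2.4, 2.8), 24: (10.6, 2.8),
}

# Table II: steady state probability per machine.  The x-set machines
# (SB3, SC4) sit in the substation network, the y-set (SE5..SE9) in the
# control center network; "-" entries of the table are simply absent.
SUBSTATION_MACHINES = ("SB3", "SC4")
CONTROL_CENTER_MACHINES = ("SE5", "SE7", "SE8", "SE9")
TABLE_II = {
    ("outside", 1): {"SB3": .5783, "SC4": .0007, "SE5": .0412, "SE7": .0283, "SE8": .0178, "SE9": .0640},
    ("inside", 1): {"SB3": .0294, "SC4": .0015, "SE5": .2521, "SE7": .1722, "SE8": .1086, "SE9": .3903},
    ("outside", 22): {"SC4": .0004, "SE5": .1401, "SE7": .0141, "SE8": .0380, "SE9": .0405},
    ("inside", 22): {"SC4": .0037, "SE5": .4038, "SE7": .0404, "SE8": .1088, "SE9": .1164},
}


def impact_factor(p_lol, p_total, l_star):
    """gamma = (P_LOL / P_Total) ** (L* - 1), eq. (12).  L* = 1 (divergence at
    base loading) gives exponent 0 and hence gamma = 1 even when P_LOL = 0,
    which is how sub. 6 and sub. 22 obtain gamma = 1 in Table III."""
    exponent = l_star - 1
    if exponent == 0:
        return 1.0
    return (p_lol / p_total) ** exponent


def scenario_vulnerability(pi, gamma_sub, gamma_ccen=1.0):
    """V(I) = (sum_x pi_x) * gamma_sub + (sum_y pi_y) * gamma_CCen, eq. (3)."""
    x_mass = sum(pi.get(m, 0.0) for m in SUBSTATION_MACHINES)
    y_mass = sum(pi.get(m, 0.0) for m in CONTROL_CENTER_MACHINES)
    return x_mass * gamma_sub + y_mass * gamma_ccen


def all_impact_factors(table=TABLE_III, p_total=P_TOTAL_MW):
    return {sub: impact_factor(lol, p_total, l) for sub, (lol, l) in table.items()}


def scenario_indices(table_ii=TABLE_II, gammas=None):
    gammas = gammas or all_impact_factors()
    return {key: scenario_vulnerability(pi, gammas[key[1]]) for key, pi in table_ii.items()}


def system_vulnerability(indices):
    """Assumption: the bottleneck the page highlights is the largest index."""
    return max(indices.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    g = all_impact_factors()
    for sub in sorted(g):
        print(f"sub. {sub:2d}: gamma = {g[sub]:.4f}")
    idx = scenario_indices()
    for (origin, sub), v in idx.items():
        print(f"{origin:>7} attack via sub. {sub:2d}: V = {v:.4f}")
    print("bottleneck:", system_vulnerability(idx))
```

For sub. 1 the computed $\gamma$ is about $6 \times 10^{-5}$, which is why the outside index of .1513 is almost entirely the control center term; subs. 6 and 22 obtain $\gamma = 1$ because $L^* = 1$ makes the exponent zero regardless of the loss of load, a convention worth keeping explicit in any re-implementation. The indices for sub. 22 and for the inside attack on sub. 1 land within .0002 of the page's .2329 and .9230, the difference being rounding of the Table II entries.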
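The logon-data criterion described above, implemented over constructed Kerberos-style records as an added example (not the paper's code or data). The record format, the 60-second window, the reading that a failure is typographical only when the same principal succeeds within that window, and the lockout counting are all assumptions; the random generator over the range $1 \times 10^{-5}$ to .005 follows the page's description of how the password-model probabilities were produced.

```python
"""Classification of logon records into typographical failures and residual
(suspicious) failures, following the page's criterion that failed logons
within a minute of an authorized user's success are typing errors.  Added
example with constructed records; the record format, the 60 s window and the
lockout counting are assumptions, not the paper's code."""
import random
from datetime import datetime, timedelta

# Constructed sample (not real data): ISO timestamp, principal, outcome.
SAMPLE_LOG = """\
2008-03-03T08:00:02 alice FAIL
2008-03-03T08:00:09 alice FAIL
2008-03-03T08:00:15 alice OK
2008-03-03T08:05:00 bob OK
2008-03-03T09:12:40 carol FAIL
2008-03-03T09:14:55 carol OK
2008-03-03T11:30:00 dave FAIL
2008-03-03T11:30:07 dave FAIL
2008-03-03T11:30:12 dave FAIL
2008-03-03T11:30:20 dave FAIL
2008-03-03T11:30:26 dave FAIL
2008-03-03T12:00:00 bob OK
2008-03-03T12:44:10 erin FAIL
2008-03-03T12:44:30 erin OK
"""

TYPO_WINDOW = timedelta(seconds=60)  # assumption for "within a minute"


def parse_log(text):
    """Return (timestamp, principal, success) tuples in time order."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, principal, outcome = line.split()
        records.append((datetime.fromisoformat(ts), principal, outcome == "OK"))
    return sorted(records)


def classify_failures(records):
    """Per principal: a failure is a typo when the same principal succeeds
    within TYPO_WINDOW after it; every other failure stays suspicious."""
    by_user = {}
    for ts, user, ok in records:
        by_user.setdefault(user, []).append((ts, ok))
    summary = {}
    for user, events in by_user.items():
        counts = {"typo": 0, "suspicious": 0, "success": 0}
        for i, (ts, ok) in enumerate(events):
            if ok:
                counts["success"] += 1
                continue
            followed_by_success = any(
                ok2 and ts2 - ts <= TYPO_WINDOW for ts2, ok2 in events[i + 1:])
            counts["typo" if followed_by_success else "suspicious"] += 1
        summary[user] = counts
    return summary


def suspicious_rate(summary):
    """Share of all attempts that remain suspicious after the typo filter:
    the empirical quantity behind the page's password-model probabilities."""
    attempts = sum(sum(c.values()) for c in summary.values())
    suspicious = sum(c["suspicious"] for c in summary.values())
    return suspicious / attempts if attempts else 0.0


def lockouts_at_threshold(records, threshold, window=TYPO_WINDOW):
    """Principals whose run of consecutive failures, each within `window` of
    the previous one, reaches `threshold`: the lockout side effect of a low
    password policy threshold that the page discusses."""
    locked, run = set(), {}
    for ts, user, ok in records:
        if ok:
            run.pop(user, None)
            continue
        count, last = run.get(user, (0, None))
        count = count + 1 if last is not None and ts - last <= window else 1
        run[user] = (count, ts)
        if count >= threshold:
            locked.add(user)
    return locked


def draw_password_probabilities(n, lo=1e-5, hi=.005, seed=0):
    """Random generator over the page's observed range for the password model."""
    rng = random.Random(seed)
    return [rng.uniform(lo, hi) for _ in range(n)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = classify_failures(recs)
    for user, counts in summary.items():
        print(user, counts)
    print("suspicious rate:", round(suspicious_rate(summary), 4))
    for k in (2, 3, 5):
        print(f"locked out at threshold {k}:", sorted(lockouts_at_threshold(recs, k)))
```

On the constructed sample, alice's two quick failures are typos and dave's five are not, so the residual rate is 6/14; a threshold of 2 would lock out alice as well as dave, while a threshold of 3 catches only dave, which is the trade-off the conclusion describes. On real Kerberos data the same functions run unchanged once `parse_log` is adapted to the KDC log format.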
ACKNOWLEDGMENT

The authors gratefully acknowledge the contributions of Srdjan Pudar, Mohammad Fraiwan, and Iowa State University. The useful discussion with Mr. David Batz, Alliant Energy, is acknowledged.

REFERENCES

[1] "Supervisory control and data acquisition (SCADA) systems," National Communications System, Technical Information Bulletin 04-1, Oct. 2004. [Online]. Available: http://www.ncs.gov/library/tech bulletins/2004/tib 04-1.pdf.
[2] G. Ericsson, "Toward a framework for managing information security for an electric power utility - CIGRÉ experiences," IEEE Trans. on Power Del., vol. 22, no. 3, pp. 1461–1469, Jul. 2007.
[3] CNN U.S. Edition, "Sources: Staged cyber attack reveals vulnerability in power grid," Sep. 26, 2007. [Online]. Available: http://www.cnn.com/2007/US/09/26/power.at.risk/index.html.
[4] M. Amin, "Security challenges for the electricity infrastructure," IEEE Security and Privacy Mag., vol. 35, no. 4, pp. 8–10, Apr. 2002.
[5] "Twenty-one steps to improve cybersecurity of SCADA networks." [Online]. Available: http://www.tswg.org/tswg/ip/21 Steps SCADA.pdf.
[6] Members of the CIGRÉ Joint Working Group D2/B3/C2-01, "Security for information systems and intranets for electric power systems," ELECTRA Technical Brochure, vol. 231, no. 317, pp. 70–81, Apr. 2007.
[7] Government Accountability Office (GAO) Report to Congressional Requesters, "Information security: technologies to secure federal systems," GAO-04-467, Mar. 2004. [Online]. Available: http://www.gao.gov/cgibin/getrpt?GAO-04-467.
[8] G. Dondossola, G. Deconinck, F. D. Giandomenico, S. Donatelli, M. Kaaniche, and P. Verissimo, "Critical utility infrastructural resilience," Proc. Complex Network and Infrastructure Protection, Rome, Italy, Mar. 28–29, 2006.
[9] Z. Xie, M. Govindarasu, V. Vittal, A. G. Phadke, and V. Centeno, "An information architecture for future power system and its reliability analysis," IEEE Trans. on Power Syst., vol. 17, no. 3, pp. 857–863, Aug. 2002.
[10] K. Schneider, C.-C. Liu, and J.-P. Paul, "Assessment of interactions between power and telecommunications infrastructures," IEEE Trans. on Power Syst., vol. 21, no. 3, pp. 1123–1130, Aug. 2006.
[11] C. M. Davis, J. E. Tate, H. Okhravi, C. Grier, T. J. Overbye, and D. Nicol, "SCADA cybersecurity test bed development," Proc. 38th North American Power Symposium, pp. 483–488, Sep. 2006.
[12] J. Tang, R. Hovsapian, M. Sloderbeck, J. Langston, R. Meeker, P. G. McLaren, D. Becker, B. Richardson, M. Baca, J. Trent, Z. Hartley, R. Parks, and S. Smith, "The CAPS-SNL power system security test bed," Proc. CRIS, 3rd Intl. Conf. on Critical Infrastructures, Alexandria, VA, Sep. 2006.
[13] R. E. Carlson, J. E. Dagle, S. A. Shamsuddin, and R. P. Evans, "Nation test bed: a summary of control system security standards activities in the energy sector," Oct. 2005. [Online]. Available: http://inl.gov/scada/publications/d/a summary of control system security standards activities in the energy sector.pdf.
[14] R. A. León, V. Vittal, and M. Govindarasu, "Application of sensor network for secure electric energy infrastructure," IEEE Trans. on Power Del., vol. 22, no. 2, pp. 1021–1028, Apr. 2007.
[15] D. M. Nicol, W. H. Sanders, and K. S. Trivedi, "Model-based evaluation from dependability to security," IEEE Trans. on Dependable and Secure Computing, vol. 1, no. 1, pp. 48–65, Jan.–Mar. 2004.
[16] N. Ye, J. Giordano, and J. Feldman, "A process control approach to cyber attack detection," Commun. ACM, vol. 44, no. 8, pp. 76–82, Aug. 2001.
[17] F. Cleveland, "IEC TC57 security standards for power system's information infrastructure - beyond simple encryption," Proc. IEEE PES General Meeting, Tampa, Florida, 2007.
[18] R. E. Carlson, J. E. Dagle, S. A. Shamsuddin, and R. P. Evans, "A summary of control system security standards activities in the energy sector," DOE Office of Electricity Delivery and Energy Reliability, Oct. 2005.
[19] C.-W. Ten, C.-C. Liu, and M. Govindarasu, "Vulnerability assessment of cybersecurity for SCADA systems using attack trees," Proc. IEEE PES General Meeting 2007, pp. 1–8, June 24-28, 2007.
[20] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Security Secrets and Solutions, 4th ed. McGraw-Hill/Osborne, 2003.
[21] S. Su, W.-L. Chan, K.-K. Li, X. Duan, and X. Zeng, "Context information-based cybersecurity defense of protection system," IEEE Trans. on Power Del., vol. 22, no. 3, pp. 1477–1481, Jul. 2007.
[22] Computer Emergency Response Team / Coordination Center (CERT/CC) Statistics, Carnegie Mellon University. [Online]. Available: http://www.cert.org/stats/fullstats.html.
[23] F. Bause and P. S. Kritzinger, Stochastic Petri Nets: An Introduction to the Theory, 2nd ed. Braunschweig/Wiesbaden: Vieweg & Sohn Verlagsgesellschaft mbH, Aug. 2002.
[24] G. Ciardo, J. Muppala, and K. Trivedi, "User manual for SPNP: stochastic Petri net package." [Online]. Available: http://www.ee.duke.edu/∼chirel/MANUAL/manual.pdf.

Chee-Wooi Ten (S'00) received his BSEE and MSEE at Iowa State University, Ames, in 1999 and 2001, respectively. He is currently a Ph.D. candidate at Iowa State University. Mr. Ten was an application engineer with Siemens Energy Management and Information System (SEMIS) in Singapore from 2002 to 2005. His research interests include interdependency modeling and applications for power infrastructure.

Chen-Ching Liu (F'94) received his Ph.D. degree from the University of California, Berkeley. He is currently Palmer Chair Professor of Electrical and Computer Engineering at Iowa State University. During 1983-2005, he was a Professor of Electrical Engineering at the University of Washington, where he also served as an Associate Dean of Engineering from 2000-2005. Dr. Liu received an IEEE Third Millennium Medal in 2000 and the IEEE Power Engineering Society Outstanding Power Engineering Educator Award in 2004. He served as Chair of the Technical Committee on Power System Analysis, Computing and Economics (PSACE), IEEE Power Engineering Society. Professor Liu is a Fellow of the IEEE.

Manimaran Govindarasu (M'99) is currently an Associate Professor in the Department of Electrical and Computer Engineering at Iowa State University (ISU). He received his Ph.D. in Computer Science and Engineering from the Indian Institute of Technology (IIT) Madras, India, in 1998. He received the Young Engineering Research Faculty Award at ISU in 2003. His research expertise is in the areas of resource management in real-time systems and networks, overlay networks, network security, and their applications to critical infrastructures such as the electric grid. Dr. Govindarasu has published over 100 peer-reviewed research publications. He is co-author of the text Resource Management in Real-Time Systems and Networks, MIT Press, 2001. He has given tutorials on Internet infrastructure security at conferences such as IEEE Infocom 2004 and IEEE ComSoc Tutorials Now (2004), and has served as workshops co-chair, symposium co-chair, and session chair on many occasions.