Cybersecurity of SCADA Systems: Vulnerability Assessment and Mitigation

Chen-Ching Liu, Fellow, IEEE, Chee-Wooi Ten, Student Member, IEEE, Manimaran Govindarasu, Member, IEEE

C.-C. Liu and C.-W. Ten are with the School of Electrical, Electronic and Mechanical Engineering, University College Dublin, National University of Ireland, Belfield, Dublin 4, Ireland (e-mails: [email protected] and [email protected]).
G. Manimaran is with the Electrical and Computer Engineering Department, Iowa State University, Ames, IA, 50010 USA (e-mail: [email protected]).

978-1-4244-3811-2/09/$25.00 ©2009 IEEE

I. INTRODUCTION

There has been a growing concern over the cyber security of Supervisory Control and Data Acquisition (SCADA) systems due to the fast-increasing connectivity of power grids with information and communication systems. Although energy control centers are normally highly secured, the cyber-power network is large and complex. Potential intrusions can be launched from many different places in many different ways. Therefore, the complexity of the overall cyber-physical system vulnerability assessment and mitigation is very high.

Today, cyber security technologies, such as firewalls, are widely available, and some test facilities for cyber security of SCADA systems have been established, e.g., test beds developed by national labs. However, there is no commonly adopted set of models for cyber-power system simulation or evaluation. These models include the control centers, substations, power plants and their associated computer and communication systems. For security reasons, the information tends to be confidential, making comparison and validation more difficult.

With the test beds, it is feasible to simulate the potential impact of various cyber attack scenarios. Since the number of possible scenarios is very large, it is not practical to conduct an exhaustive search. From a system's point of view, it would be desirable to derive a measure of the power system's vulnerability with respect to cyber intrusion scenarios. This is similar to the concept of the existing power system security index, on-line or off-line. An ideal on-line cyber security assessment methodology should be able to provide online information on the on-going intrusion(s) and determine the appropriate mitigation actions. Conceptually it is similar to the present security assessment framework. However, the cyber system modeling remains to be developed. Furthermore, the SCADA model will have to be integrated with the power system simulation capabilities. It is even more challenging to attempt to model the different behaviors of intruders.

A cyber attack can lead to breaker operations, loss of communications, and/or loss of computer and software capabilities. The impact on the power grids will involve not only the steady state but also dynamic behaviors. As a result, the development of a cyber-power system vulnerability assessment and mitigation tool is a complex task. Research in this field is emerging but in an early stage.

In this panel presentation, we will discuss our proposed framework for cyber security vulnerability assessment and mitigation based on our recent work [1-3]. We will demonstrate how a probabilistic cyber security index can be calculated for a cyber-power system. A risk measure is determined using an integrated SCADA model and the steady-state power flow program. Future research needs in this area will be discussed.

II. VULNERABILITY ASSESSMENT

It may not be practical to enumerate specific intrusion steps, as intrusion methods depend on the security holes of platforms and applications that evolve over time. To detect an anomaly of intrusion attempts, modeling of the malicious packets flowing through boundary perimeters and of the failed logon records toward the computer systems is essential. This provides a high level of abstraction for the power infrastructure cyber system.

We introduce a vulnerability assessment framework that encompasses the sequential steps to evaluate the vulnerability level of cyber systems deployed in the power infrastructure. This involves modeling of intrusion behaviors, which can be extracted from the cyber system. We first identify the critical cyber assets that may have control over the power systems, i.e., the generation control system [4], substation automation system, and energy management systems. These control systems may exchange data protected by firewalls and authentication mechanisms with different user credentials. In this framework, we also assume that only authorized users have the logon credentials. That is, we do not consider stolen passwords, or any other means, that can be used to log on to the cyber system without logon attempts.

Intrusion attempts can be launched from outside or within the control networks. An intrusion from outside the control network may require numerous attempts leading to a successful intrusion into one of the control networks. First, identification of access points through VPN or dial-up network is required. This will be the access point where an intrusion into a private network can be launched. A successful intrusion into any control network may lead to future intrusions into the control center network. We define the system vulnerability, V_S, as the maximum quantitative measure among all substation-level networks that may lead to intrusion attempts toward the control center network. These are the widespread IP-based communication points that are constantly polled from the geographically dispersed substation networks to the control center network. The system vulnerability is defined as

$$V_S = \max\big(V(I)\big) \qquad (1)$$

where I is a set of scenarios from each IP-based substation-level network. Each scenario is based on one or more substation-level networks that provide the first step where an intrusion into the control center network is initiated. Eq. (2) defines the set of scenario vulnerabilities for K substations.

$$V(I) = \{V(i_1), V(i_2), \ldots, V(i_K)\} \qquad (2)$$

The scenarios depend on the number of substations that are installed with IP-based communication systems.

The following is a description of each intrusion scenario model for power infrastructure that has supervisory control privileges:
• Case 1: Substation with no load or generator, only the substation network and control center network.
• Case 2: Substation with load. Possible connections of the substation network with the distribution system and control center network.
• Case 3: Substation with load and generator. Possible connections of the substation network with the distribution system or power plant networks.

For information exchange within networks in close vicinity, connections can be made under strict policies for boundary protection. Fig. 1 illustrates the intrusion models for the above cases. The possible intrusion models in Fig. 1a are those for control center intrusion through a substation network. Fig. 1b and 1c illustrate the possible intrusion scenarios from the power plant network, or distribution network, to a control center network. The combination of the access points and their connectivity will result in different scenario vulnerabilities.

[Fig. 1: Intrusion Models (figure not reproduced in this text)]

III. EVALUATION OF PROBABILISTIC INDICES

Access points at each substation-level network are the starting points for the evaluation of scenario vulnerability. Each scenario is evaluated based on two components, i.e., (1) credible evidence from the cyber system, and (2) impact on the power system. These are described in (3):

$$V(i) = \sum_{j \in S} \pi_j \times \gamma_j \qquad (3)$$

The symbol π_j is the steady-state probability of computer system j, connected to SCADA in the cyber-net. A scenario vulnerability is the weighted sum that measures how much the scenario would impact the power system by removing the substation under attack from the power system, γ_j. Credible evidence consists of malicious attempts that can be extracted from the computer systems. This is constructed in accordance with the way a network links to others.

IV. MITIGATION APPROACH

We separate the mitigation strategies into two aspects: 1) the preventive approach, and 2) the remedial approach. The preventive approach is implemented in the cyber system, where it is intended to prevent potential intrusion into the control networks. Two models we proposed can be enhanced.
1. Firewall model: An additional block can be included in the model to reject or delay the packets flowing through the firewall. This would require some intelligent mechanism to determine whether a packet from an unknown source may be considered malicious. This can be implemented with dynamic firewall rules combined with an anomaly detection scheme.
2. Password model: A strict password policy will impact the numerical results of the vulnerability assessment. A higher vulnerability level for a scenario arises from a lower password threshold.

The remedial approach, in turn, addresses the system's resiliency against intelligent attacks. Since insiders have a limited ability to covertly change critical application settings, it is important to implement a software agent to extract inconsistent settings from the substation-level network. By acquiring credible information, the determination of reconfiguration on the power grid can be based on probable events inferred by the anomaly detection scheme.

Authorized licensed use limited to: Intel Corporation via the Intel Library. Downloaded on September 26, 2009 at 23:23 from IEEE Xplore. Restrictions apply.
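The indices of Eqs. (1)-(3) in Sections II and III, carried through on constructed numbers as an added example (not the authors' code): `pi[j]` stands in for the steady-state compromise probability the authors obtain from their firewall and password models, and `gamma[j]` for the power-system impact of removing substation j, which the paper takes from a power-flow run.

```python
"""Scenario and system vulnerability indices of Eqs. (1)-(3).

Added worked example, not the authors' code. All numbers are constructed:
pi[j] stands in for the steady-state compromise probability of access
point j, and gamma[j] for the impact (here, fraction of load lost) of
removing substation j from the power system.
"""
from typing import Dict, List, Tuple


def scenario_vulnerability(pi: Dict[str, float], gamma: Dict[str, float],
                           S: List[str]) -> float:
    """Eq. (3): V(i) = sum_{j in S} pi_j * gamma_j over the access points S
    (computer systems connected to SCADA) that scenario i passes through."""
    for j in S:
        if not 0.0 <= pi[j] <= 1.0:
            raise ValueError(f"pi[{j}]={pi[j]} is not a probability")
    return sum(pi[j] * gamma[j] for j in S)


def scenario_set(pi, gamma, scenarios: Dict[str, List[str]]) -> Dict[str, float]:
    """Eq. (2): V(I) = {V(i_1), ..., V(i_K)}, one entry per scenario."""
    return {name: scenario_vulnerability(pi, gamma, S)
            for name, S in scenarios.items()}


def system_vulnerability(pi, gamma, scenarios) -> Tuple[str, float]:
    """Eq. (1): V_S = max V(I); also returns which scenario attains it."""
    V = scenario_set(pi, gamma, scenarios)
    worst = max(V, key=V.get)
    return worst, V[worst]


# Constructed example: three substations matching Cases 1-3 of the paper.
PI = {"sub1": 0.04, "sub2": 0.02, "dist2": 0.05,
      "sub3": 0.03, "dist3": 0.05, "plant3": 0.01}
GAMMA = {"sub1": 0.0,                                  # Case 1: no load or generator
         "sub2": 0.10, "dist2": 0.10,                  # Case 2: substation with load
         "sub3": 0.25, "dist3": 0.25, "plant3": 0.25}  # Case 3: load and generator
SCENARIOS = {
    "case1": ["sub1"],                     # substation network only
    "case2": ["sub2", "dist2"],            # via the distribution-system network
    "case3": ["sub3", "dist3", "plant3"],  # via distribution or power plant network
}

if __name__ == "__main__":
    for name, v in scenario_set(PI, GAMMA, SCENARIOS).items():
        print(f"V({name}) = {v:.4f}")
    print("V_S attained by %s: %.4f" % system_vulnerability(PI, GAMMA, SCENARIOS))
```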
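The "credible evidence" of Sections II and III (perimeter-firewall denies and failed logons) and the threshold-driven rules of Section IV's firewall and password models, as an added detection example that is not the authors' code; the log format and all records are constructed for this example.

```python
"""Extract credible evidence from boundary-firewall denies and failed logons.

Added example, not the authors' code. Records are constructed in an assumed
"<epoch> <source> <kind>" format; `threshold` plays the role of the password
lockout count or the dynamic firewall trigger of Section IV.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

# Constructed evidence: 10.0.5.7 is an inside host, the others are outside.
LOG = """\
100 10.0.5.7 logon_fail
105 10.0.5.7 logon_fail
120 203.0.113.9 fw_deny
121 10.0.5.7 logon_fail
122 10.0.5.7 logon_fail
200 198.51.100.4 fw_deny
230 10.0.5.7 logon_ok
500 203.0.113.9 fw_deny
"""


def parse(log: str) -> List[Tuple[int, str, str]]:
    """Parse records; malformed lines are skipped so the monitor keeps running."""
    out = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].isdigit():
            out.append((int(parts[0]), parts[1], parts[2]))
    return out


def flag_sources(records, kind: str, threshold: int, window: int) -> Dict[str, int]:
    """Sources with more than `threshold` events of `kind` inside some
    `window`-second sliding window; the value is the peak count observed.
    kind='logon_fail' mirrors a lockout rule, kind='fw_deny' a dynamic
    firewall rule that would reject or delay further packets."""
    recent: Dict[str, deque] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for t, src, k in sorted(records):
        if k != kind:
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:   # drop events outside the window
            q.popleft()
        if len(q) > threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


if __name__ == "__main__":
    recs = parse(LOG)
    print("lockout candidates:", flag_sources(recs, "logon_fail", 3, 60))
    print("firewall candidates:", flag_sources(recs, "fw_deny", 1, 600))
```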

REFERENCES
[1] C.-W. Ten, C.-C. Liu, and G. Manimaran, "Vulnerability assessment of cybersecurity for SCADA systems," to appear in IEEE Trans. Power Syst., 2008.
[2] C.-W. Ten, C.-C. Liu, and G. Manimaran, "Vulnerability assessment of cybersecurity using attack trees," IEEE PES General Meeting 2007, Tampa.
[3] C.-W. Ten, G. Manimaran, and C.-C. Liu, "Cybersecurity for electric power control and automation systems," IEEE Systems, Man, Cybernetics Conference Workshop, Oct. 4, 2007, Montreal.
[4] N. Liu, J. Zhang, and W. Liu, "A security mechanism of web services-based communication for wind power plants," IEEE Trans. Power Del., vol. 23, no. 4, Oct. 2008, pp. 1930-1938.
