
Computer Communications 155 (2020) 1–8

Contents lists available at ScienceDirect

Computer Communications
journal homepage: www.elsevier.com/locate/comcom

Review

Industrial Control Systems: Cyberattack trends and countermeasures


Tejasvi Alladi a, Vinay Chamola a,∗, Sherali Zeadally b

a Department of Electrical and Electronics Engineering, BITS-Pilani, Pilani Campus, India
b College of Communication and Information, University of Kentucky, Lexington, USA

ARTICLE INFO

Keywords: Industrial Control Systems (ICSs); Cyberattack; Cybersecurity; Supervisory Control and Data Acquisition (SCADA)

ABSTRACT

It is generally understood that an attacker with limited resources would not be able to carry out targeted attacks on Industrial Control Systems. Breaking this general notion, we present case studies of major attacks on Industrial Control Systems (ICSs) in the last 20 years. The attacks chosen are the most prominent ones in terms of the economic loss inflicted, the potential to damage physical equipment and to cause human casualties. For each of these attacks, we describe the attack methodology used and suggest possible solutions to prevent such attacks. We analyze each case study to provide a better insight into the development of future cybersecurity techniques for ICSs. Finally, we suggest some recommendations on the best practices for protecting ICSs.

Contents

1. Introduction (p. 2)
2. Case studies of ICS attacks (p. 2)
  2.1. DoS attack on the servers at Davis-Besse nuclear power plant (p. 2)
    2.1.1. Goal of the attack (p. 2)
    2.1.2. Description of the attack (p. 2)
    2.1.3. Consequences (p. 3)
    2.1.4. Solution (p. 3)
  2.2. Stuxnet attack on Natanz nuclear facility (p. 3)
    2.2.1. Goal of the attack (p. 3)
    2.2.2. Description of the attack (p. 4)
    2.2.3. Consequences (p. 4)
    2.2.4. Solution (p. 4)
  2.3. German steel mill attack (p. 5)
    2.3.1. Goal of the attack (p. 5)
    2.3.2. Description of the attack (p. 5)
    2.3.3. Consequences (p. 5)
    2.3.4. Solution (p. 5)
  2.4. Cyberattack on the Ukrainian power grid (p. 5)
    2.4.1. Goal of the attack (p. 5)
    2.4.2. Description of the attack (p. 5)
    2.4.3. Consequences (p. 5)
    2.4.4. Solution (p. 5)
  2.5. Chemical mix changed at a water treatment plant (p. 6)
    2.5.1. Goal of the attack (p. 6)
    2.5.2. Description of the attack (p. 6)
    2.5.3. Consequences (p. 6)
    2.5.4. Solution (p. 6)
  2.6. Watershed attack on Saudi Arabian petrochemical plant (p. 6)
    2.6.1. Goal of the attack (p. 6)
    2.6.2. Description of the attack (p. 6)
    2.6.3. Consequences (p. 6)
    2.6.4. Solution (p. 6)
  2.7. NotPetya cyberattack (p. 7)
    2.7.1. Goal of the attack (p. 7)
    2.7.2. Description of the attack (p. 7)
    2.7.3. Consequences (p. 7)
    2.7.4. Solution (p. 7)
3. Lessons learned and protection measures for ICS (p. 7)
    3.0.1. Lessons learnt (p. 7)
    3.0.2. Protection measures for ICS (p. 7)
4. Conclusion (p. 7)
Declaration of competing interest (p. 7)
Acknowledgments (p. 8)
References (p. 8)

∗ Corresponding author.
E-mail address: [email protected] (V. Chamola).

https://doi.org/10.1016/j.comcom.2020.03.007
Received 16 December 2019; Received in revised form 15 February 2020; Accepted 3 March 2020
Available online 9 March 2020
0140-3664/© 2020 Elsevier B.V. All rights reserved.
T. Alladi, V. Chamola and S. Zeadally Computer Communications 155 (2020) 1–8

1. Introduction

Industrial Control Systems (ICSs) monitor and control industrial processes. Supervisory Control and Data Acquisition (SCADA) is a type of ICS that uses a Graphical User Interface (GUI), communication channels and computers to control remote equipment. Programmable Logic Controllers (PLCs) have been developed to control industrial processes that require high reliability. If any of these components are compromised, the consequences can be disastrous and put the safety of many people at immediate risk. To safeguard ICSs, governments and research institutions all over the world have been focusing on various security aspects of ICSs and their vulnerabilities to various types of attacks.

Most of the attacks on ICSs are launched by using Remote Access Trojans (RATs) such as Stuxnet. These attacks are carried out in various ways, such as by exploiting open USB ports, which allow worms to penetrate internal networks, and through targeted spear-phishing (email spoofing attacks). A significant number of these attacks also exploit buffer overflow vulnerabilities, which arise when a process or program writes data past the end of the storage space allocated for it. A buffer overflow usually results in a Denial of Service (DoS), but in some scenarios it may also allow arbitrary code execution, which can enable an attacker to take over a vulnerable process (e.g., an attacker can take control of critical industrial infrastructure). Currently, one of the greatest concerns associated with many traditional ICSs is that they use outdated software and Operating Systems (OSs) which have many vulnerabilities; most of them also have autorun features, which can easily be targeted by malware. The Internet is the attackers' preferred delivery channel, with emails delivering 92% of the malware through phishing. Recent attack trends have shown that the average impact of an attack on a company's ICS costs the company around $5 million and 50 days of system downtime and IT losses. Additionally, it takes around 191 days for an organization to fully recover from such an attack. Based on the 2017 report on the state of industrial cybersecurity, around 54% of organizations in the world experienced an ICS security breach in 2017 [1]. Despite the negative impact of these attacks, only 28% of these organizations consider their security strategy to be of utmost importance. With the integration of legacy industrial systems with IoT and the development of digital solutions, the risk of cyberattacks is likely to increase [2–4], especially in the ICS sector. The inability to maintain security and privacy in Industrial IoT applications can lead to huge business and financial losses. In the existing literature, several works are available which provide a broad outline of ICS attacks and recommend various defense solutions [5–8]. Table 1 presents an overview of the various past surveys on cyberattacks on ICSs.

Furthermore, Table 2 presents a list of various cyberattacks on ICS infrastructure carried out in the last 20 years. In this work, we discuss seven of these twelve listed attacks, namely those with the largest impact as characterized by the following criteria:

i. Financial loss (e.g., the NotPetya attack caused a cumulative financial loss of 10 billion dollars to some of the major industries worldwide).
ii. Capability to damage physical equipment (e.g., the German steel mill attack created unfavorable conditions in the steel plant by preventing the furnace from being shut down properly).
iii. Potential for causing human casualties (e.g., the Triton malware attack crippled the safety systems of a petrochemical plant in Saudi Arabia, putting the lives of many people at risk).

We discuss the most relevant case studies in this paper based on the above three criteria. This study will benefit future initiatives for securing ICSs with state-of-the-art software technologies. We summarize the major contributions of this work as follows:

i. We present and discuss case studies of major cybersecurity attacks on ICS infrastructures carried out in the last 20 years.
ii. This consolidated list of attacks demonstrates to the research community working in the area of ICSs the need to address common security vulnerabilities and deploy security solutions that protect ICSs.
iii. While the other surveys and reviews listed in Table 1 provide an overview of the attacks carried out on ICSs and suggest many generic solutions, in this survey we describe each of the selected attacks in detail in terms of the goal of the attack, the description of the attack, and its consequences. We also recommend potential solutions to mitigate each attack. Table 1 presents a detailed comparison of this study with other past studies on cyberattacks on ICSs. We describe the case studies in the next section.

Table 1
Comparison with other studies on cyberattacks on ICSs (S. No., year, study, feature, reference).

1. 2004, "The Myths and Facts behind Cyber Security Risks for Industrial Control Systems" [9]: Summarizes various types of incidents collected in the Industrial Security Incident Database (ISID) of the British Columbia Institute of Technology (BCIT). It describes events that directly affected the process control systems and discusses the lessons learned from them.
2. 2011, "A Taxonomy of Cyber Attacks on SCADA Systems" [10]: Highlights the difference between SCADA systems and standard IT systems and presents a set of security property goals. It also classifies cyber-induced cyber-physical attacks on SCADA systems.
3. 2012, "A Survey of SCADA and Critical Infrastructure Incidents" [11]: Selected set of attacks on ICSs which have been classified by factors such as source sector, impact, and so on, to understand their nature and how they can be mitigated in the future.
4. 2013, "Industrial control systems security: What is happening?" [12]: Presents a broad overview of ICS security research with a focus on process control systems.
5. 2015, "A survey of cyber security management on industrial control systems" [13]: Surveys approaches for measuring and managing ICS security and provides an agenda for future research on risk management activities in ICSs.
6. 2015, "Analysis of cyber security for industrial control systems" [14]: Presents an overview and analysis of ICS architectures and communication protocols and what makes them different from IT, and focuses on different threats and vulnerabilities.
7. 2015, "A survey of approaches combining safety and security for industrial control systems" [15]: Comprehensive review of methods and techniques proposed in the literature that consider both safety and security concerns, with a comparative analysis of these different approaches.
8. 2015, "A Survey of Industrial Control System Testbeds" [16]: Surveys ICS testbeds that have been proposed for scientific research to facilitate vulnerability analysis, education and tests of defense mechanisms.
9. 2016, "The Cybersecurity Landscape in Industrial Control Systems" [17]: Surveys the general ICS cyber security landscape and discusses attacks and defenses at various levels of abstraction in an ICS, from the hardware level to the process level.
10. 2018, "A survey on security control and attack detection for industrial cyber-physical systems" [18]: Surveys cyber-attack schemes and defense strategies in industrial CPSs from the perspective of control theory and proposes several open research issues.
11. 2018, "Designing Safe and Secure Industrial Control Systems: A Tutorial Review" [19]: Reviews current research trends in ICSs and presents a tutorial on the design of safe and secure ICSs.
12. 2019–20, This paper: Analyzes attacks on ICSs in the last 20 years and discusses each attack in terms of its goal, description, impact, and potential solution to mitigate it.

2. Case studies of ICS attacks

2.1. DoS attack on the servers at Davis-Besse nuclear power plant

2.1.1. Goal of the attack
The Slammer worm was responsible for the DoS attack that took place in 2003 on the Davis–Besse nuclear power plant, USA [31]. Though not specifically intended to target the power plant, a backdoor entry into the plant's network from the Internet provided an entry point for the attack on the plant.

2.1.2. Description of the attack
The plant had a safety monitoring system called the Safety Parameter Display System (SPDS) to monitor and control the safety equipment at the plant. The plant's network, to which the SPDS was connected, had a firewall protecting it from threats originating from external networks. However, one of the consultants providing an application for the plant had a T1 bridge connection between their network and the plant's network that bypassed the firewall. The Slammer worm entered the plant's network through this T1 route by penetrating the consultant's insecure network. It exploited a buffer overflow in the Microsoft SQL engine to slow down the servers, resulting in a DoS attack on the host servers. Microsoft had already released a patch for the issue six months before the attack, but the plant's servers were not updated. The attack is depicted pictorially in Fig. 1.

2.1.3. Consequences
After the worm penetrated the computer network at the plant, it disabled the SPDS for almost 5 h. Even though this attack did not pose any safety hazard (as the plant was offline), it demonstrated that computerized Nuclear Control and Monitoring Systems (NCMS), once compromised, could have devastating consequences.

2.1.4. Solution
The Slammer worm penetrated an unsecured network of one of the contractors and tunneled through a T1 bridge into the plant's corporate network. To prevent this, the ICS should be kept isolated from the corporate network using firewalls. While it is understood that complete isolation of the ICS is impossible, one solution is to limit the number of entry points into the ICS from the corporate network and keep them monitored. The worm spread to the plant's network and entered one of the unpatched Windows servers. This server had not been updated with the patch that fixed the Microsoft SQL vulnerability exploited by the Slammer worm. It is recommended to update and run maintenance checks on the servers regularly to limit the possibility of such attacks. After this event, all the Microsoft SQL servers' software in the power plant was updated and had patches installed.

Fig. 1. DoS attack on the servers at Davis-Besse nuclear power plant.

2.2. Stuxnet attack on Natanz nuclear facility

2.2.1. Goal of the attack
The Stuxnet malware was responsible for destroying the centrifuge tubes at the uranium enrichment facility of Natanz, Iran in 2010 [32]. The main purpose of the attack was to reduce the lifecycle of the centrifuges in order to cripple Iran's nuclear program. It was carried out on the physical layer of the plant's control system by exploiting the vulnerabilities of the centrifuge rotors, altering the rotor speed and the centrifuge pressure.


Table 2
History of major ICS attacks (year, ICS, attack vector, consequences).

2003, Davis–Besse nuclear power plant, US [11]; attack vector: Slammer worm; consequences: Safety monitoring system was disabled for 5 h.
2005, DaimlerChrysler automobile plants, US [20]; attack vector: Zotob worm; consequences: Stopped production at several sites.
2010, Natanz nuclear facility, Iran [21]; attack vector: Stuxnet malware via USB drive; consequences: Destruction of centrifuge tubes at the uranium enrichment facility.
2014, German steel mill, Germany [22]; attack vector: Email phishing/malware; consequences: Blast furnaces were inappropriately shut down, leading to Loss of Control (LoC) [22] for the plant operators, which caused physical damage to the system and process interruption.
2014, Energy companies in US and Europe [23]; attack vector: Havex malware; consequences: Attackers compromised a number of strategically important organizations such as energy grid operators, major electricity generation companies and petroleum pipeline operators for spying purposes, and had the capacity to disrupt the energy supplies in affected countries.
2015, Kemuri Water treatment plant, US [24]; attack vector: SQL injection and phishing; consequences: Personal information of 2.5 million customers leaked.
2015, Power grid, Ukraine [25]; attack vector: Spear phishing/BlackEnergy3 malware; consequences: Power outage for around 225 thousand users, credentials stolen.
2016, Power grid, Ukraine [26]; attack vector: Industroyer malware; consequences: 20% of Ukraine's capital, Kiev, was disconnected from the grid for 1 h.
2017, Multiple businesses worldwide [27]; attack vector: NotPetya ransomware; consequences: Starting from a Ukrainian software firm, it spread to the pharmaceutical company Merck, the snack company Mondelez and some other big industries worldwide, leading to a combined financial loss of over 10 billion dollars.
2017, Petrochemical plant, Saudi Arabia [28]; attack vector: Triton malware; consequences: Crippled safety systems in the plant.
2018, Taiwan chipmaker TSMC [29]; attack vector: WannaCry ransomware; consequences: Shut down several iPhone production plants.
2019, Eyeglass lens manufacturer Hoya, Thailand [30]; attack vector: Unnamed virus; consequences: Partial shutdown of its factory.

2.2.2. Description of the attack
After the malware was injected into the plant's network layer through an infected USB drive, it took over the Programmable Logic Controllers (PLCs). It had control logic implemented to record and replay the sensor values of the rotor vibration and pressure. The valves of the first and the last stage centrifuges were shut off, along with the exhaust valve, through a re-calibration of the pressure sensors of the respective valves by the malware. A second vector was then used to attack the Centrifuge Drive System (CDS), which controlled the rotor speeds of the centrifuge system. The malware used copies of stolen digital certificates and posed as legitimate driver software for the Windows Operating System (OS). The rotors are critical systems, and when their operating speed is above the critical speed, harmonics (distortions in power systems) are triggered which can damage the rotor walls. The centrifuges used for enrichment were fragile and their failure was tolerated by the in-built protection system called the Cascade Protection System (CPS). The CPS helped in isolating the troubled centrifuge tubes through the vibration sensors, leading to an increase in pressure caused by the shutting-off of multiple isolated tubes. Once the rotors were damaged, the CPS isolated the centrifuges. Multiple rotor damages resulted in shutting down all the valves of a single stage, resulting in many centrifuges breaking at once. The Supervisory Control and Data Acquisition (SCADA) software gets its information from the memory in the controllers, which can be altered by the logic code. The operators working with the SCADA interface were thus unable to identify any problem with the rotor speeds. Fig. 2 shows the attack vectors.

2.2.3. Consequences
These attacks on the CDS and CPS were repeated to disrupt the centrifuge system through overpressure and by altering the rotor speeds. The Stuxnet malware disrupted the nuclear program of Iran and demonstrated the impact of cyber-physical attacks.

Fig. 2. Attack vectors in Stuxnet attack on Natanz facility.

2.2.4. Solution
By intercepting the interactions among the various entities such as sensors, PLCs, SCADA systems and the operators, the plant was rendered vulnerable to the attack. The control loops among these entities should be properly authenticated and the results of their feedback loops verified. To launch such an attack, the attackers needed information regarding the plant architecture. They seem to have been engaged in reconnaissance and data collection about the plant's systems through the data released by the Iranian government. This information was revealed through footage of the plant's monitoring software which was broadcast on a local news network. Such sensitive information should be safeguarded in the first place. Although network segregation using firewalls and air gaps helps prevent unauthorized access to the plant's system, the attackers used a workaround to bypass such solutions by infecting the personal computers of people who have legitimate physical access to the plant's system. Personal hardware devices such as USB drives should be sanitized before they are allowed to connect to the plant's ICS. Antivirus software cannot always be trusted to prevent custom-made malware, because it works by identifying and removing malware that is already present in its signature databases. The plant's physical components should also be monitored to detect any unusual behavior of any component, so that any compromise of the plant's ICS can be detected as early as possible.
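The record-and-replay of sensor values described in 2.2.2, and the recommendation above to monitor the physical components independently, suggest a concrete check. The following Python is an added example (not from the paper): it compares the rotor speed the SCADA system reads from PLC memory against a measurement the PLC cannot rewrite, flags exact repetition of reported values as a possible replay, and flags readings where the rotor is really above its critical speed while the displayed value looks normal. The thresholds, the existence of an independent tachometer path and the log itself are assumptions and constructed data.

```python
"""Plausibility checks on PLC-reported process values, inspired by the Stuxnet case."""
from dataclasses import dataclass

# Assumed plant parameters (not from the paper): safe rotor limit, tolerated gap
# between the two measurement paths, and the number of identical consecutive
# readings that count as a replayed recording.
CRITICAL_RPM = 1200.0
RPM_TOLERANCE = 25.0
REPLAY_WINDOW = 4


@dataclass(frozen=True)
class Sample:
    t: int                # seconds since the start of the log
    rpm_reported: float   # rotor speed read from PLC memory (what the SCADA/HMI displays)
    rpm_measured: float   # rotor speed from an independent sensor path the PLC cannot rewrite


def detect_replay(values, window=REPLAY_WINDOW):
    """Indices at which a window of reported values exactly repeats an earlier,
    non-overlapping window. Real sensors carry noise, so several consecutive
    readings recurring digit for digit indicate recorded data being replayed."""
    first_seen = {}
    hits = []
    for i in range(len(values) - window + 1):
        key = tuple(round(v, 3) for v in values[i:i + window])
        if key in first_seen and first_seen[key] + window <= i:
            hits.append(i)
        else:
            first_seen.setdefault(key, i)
    return hits


def detect_divergence(samples, tolerance=RPM_TOLERANCE):
    """Times at which the PLC-reported speed disagrees with the independent sensor."""
    return [s.t for s in samples if abs(s.rpm_reported - s.rpm_measured) > tolerance]


def detect_hidden_overspeed(samples, limit=CRITICAL_RPM):
    """Times at which the rotor really is above its critical speed while the
    reported value still looks normal, i.e. the operators would see nothing wrong."""
    return [s.t for s in samples if s.rpm_measured > limit >= s.rpm_reported]


def analyse(samples):
    """Run all three checks and return the times each one fires."""
    reported = [s.rpm_reported for s in samples]
    return {
        "replay_at": [samples[i].t for i in detect_replay(reported)],
        "divergence_at": detect_divergence(samples),
        "hidden_overspeed_at": detect_hidden_overspeed(samples),
    }


# Constructed log: four noisy normal readings, after which the reported stream
# replays those four values while the independent sensor shows the rotor climbing.
CONSTRUCTED_LOG = [
    Sample(0, 1000.3, 1001.1),
    Sample(1, 1000.9, 1000.2),
    Sample(2, 999.6, 1000.7),
    Sample(3, 1000.4, 999.8),
    Sample(4, 1000.3, 1000.4),   # reported values from here on repeat t=0..3 exactly
    Sample(5, 1000.9, 1080.5),
    Sample(6, 999.6, 1160.9),
    Sample(7, 1000.4, 1245.0),   # above CRITICAL_RPM, but the display still says ~1000
    Sample(8, 1000.3, 1310.2),
    Sample(9, 1000.9, 1390.6),
]

if __name__ == "__main__":
    for name, times in analyse(CONSTRUCTED_LOG).items():
        print(f"{name}: {times}")
```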

2.3. German steel mill attack

2.3.1. Goal of the attack


In December 2014, a German steel mill was targeted by hackers who maliciously took control of the production software, resulting in significant infrastructure damage to the mill's production line [22]. BSI (the German Federal agency for digital security) classified this attack as an Advanced Persistent Threat (APT), a highly targeted attack with strong funding and skilled personnel (as described by the National Institute of Standards and Technology (NIST)). Most APTs recorded in the past were associated with groups funded by sovereign states. The intention of the attack did not seem to be financial, i.e., neither to acquire confidential information nor to disrupt the production line, because the damage caused by the malware could have been a lot worse; instead, it appears to have been a warning to the business proprietors.

2.3.2. Description of the attack
The adversary infiltrated the facility's corporate network via phishing emails. The victims were sent fraudulent emails containing attached PDF files from spoofed email addresses. Malware had been inserted into these PDF files, which infected the corporate network software upon downloading and opening the files. The adversaries then worked their way up to the management software and into the ICS network of the plant, thereby taking control of its control systems. Once they had access to the control systems, they strategically destroyed the Human Machine Interface (HMI) components. Furthermore, they prevented the operation of the mill's blast furnace by disabling the security settings and caused severe damage to the industrial infrastructure.

2.3.3. Consequences
The blast furnaces were shut down, leading to significant damage to the system. This attack serves as an eye-opener to ICS businesses. The cyberattack survived by the German steel mill shows that adversaries can cause significant damage to an industry's production-line infrastructure. The attackers have demonstrated their abilities.

2.3.4. Solution
Attackers gained entry into the ICS by using a connection between the corporate network and the Operational Technology (OT) network. To safeguard against such intrusions, the interconnections between the corporate network and the OT network should be protected by using tools such as firewalls and defense systems. Furthermore, the number of connection interfaces between the OT network and the corporate network should be minimized [33]. This would create checkpoints which can be monitored easily with Network Security Monitoring (NSM) utilities. NSM allows security personnel to actively monitor network communications to discover network anomalies. Along with creating checkpoints, certificate-based signature schemes and encryption schemes can also be deployed for interaction between the OT and corporate IT networks [34,35].

2.4. Cyberattack on the Ukrainian power grid

2.4.1. Goal of the attack
The cyberattack on the Ukrainian power grid took place in 2015. In this attack, the attackers caused a temporary malfunction of the power distribution system, leading to a power outage in three provinces in Ukraine [36]. It is believed that this attack was part of a larger espionage operation carried out worldwide with the support of the Russian government, to destabilize the political atmosphere in

Fig. 3. Cyberattack on the Ukrainian power grid.

2.4.2. Description of the attack
It was a spear-phishing attack in which emails with Microsoft Word documents containing macros (tools used to automate frequently executed tasks) as attachments were sent out to the recipients, with the intention of installing the BlackEnergy3 (BE3) malware on the recipients' computers, as shown in Fig. 3. BE3 was then used to gather information about the network, thus providing a foothold for the attackers into the corporate network. Using the collected information, the attackers were able to gain access to the corporate user accounts' credentials. They used these credentials to log directly into the ICS network from the external network through an encrypted tunnel. Furthermore, the attackers launched a Telephony Denial of Service (TDoS) attack that flooded the call centers to block real customer calls from getting through. They also disabled the Uninterruptible Power Supplies (UPSs) and corrupted the firmware of several Remote Terminal Units (RTUs), which were meant to transmit data to the SCADA systems. Finally, they executed the KillDisk utility to wipe out the control centers' Human Machine Interface (HMI) systems and several other important workstations.

2.4.3. Consequences
It was a large-scale attack directed at the distribution systems of six energy companies, but it was successful only in three of them. The attackers managed to penetrate the other three but were not able to compromise their operations. Approximately 225,000 customers were affected by this power outage. It was also reported that thousands of user credentials were stolen during this attack.

2.4.4. Solution
This attack involved email phishing, in which emails with malicious attachments were sent to different people within the organization. It is recommended to include user awareness training and application whitelisting to prevent malware. Attackers can still use different types of social engineering methods to target the organization. Since these attacks use targeted emails and Internet-connected assets, communications with these assets should be segmented, monitored and controlled. Sandboxing technology can be used to test documents and emails coming into the network. Proxy systems can be deployed to control inbound and outbound communication paths. This attack used malware called BlackEnergy3 to establish a foothold in the network and to steal credentials. Organizations can acquire YARA rules [37] (YARA rules are a way of identifying malware by creating rules that look for specific characteristics) for the latest indicators of compromise to counter the malware. To prevent attackers from getting remote access to the ICS, there is a need for strong authentication and encrypted communication
Eastern Europe. during remote access. In case the control system is compromised, we

5
T. Alladi, V. Chamola and S. Zeadally Computer Communications 155 (2020) 1–8

2.5.4. Solution
According to reports published by the security firm Vericlave [39]
and other sources [40] the primary attack vectors used in the security
breach of KWC’s internal AS/400 system could have been a Structured
Query Language (SQL) injection attack and email phishing. The at-
tackers hacked into the company’s system by exploiting a vulnerability
on the company’s payment portal connected to the Internet. Executing
basic network hygiene and best practices would lower the risk of such
attacks being successful, but will not really prevent access to the critical
systems if the attacker still figures out how to penetrate the business
network. To address this situation, the Operational Technology systems
(OT) must be separated from the external network. To ensure that OT-
related applications are in an isolated zone we need to use a Firewall
between the corporate network and the OT network. Regardless of
whether the attacker figures out how to get access to the corporate
network, the OT system would be unreachable to him/her because
access to the OT system would be given to the users only after cor-
rect validation. Cybersecurity could be further improved by following
the International Electrotechnical Commission (IEC) 62443 which is a
global standard for the security of ICS networks. When ICS and OT net-
Fig. 4. Chemical mix changed at water treatment plant by hackers. works co-exist in an enterprise, this standard suggests segmenting the
networks into zones based on accessibility criterion. It also recommends
steps to be followed by the industry operators for gathering data to be
should quickly isolate the control system so that remote access can be secured, assessment of network security, building countermeasures and
temporarily disabled. Backups should be taken at regular intervals so solutions and deploying them in a phased manner.
that systems can be easily restored even after a utility such as 𝐾𝑖𝑙𝑙𝐷𝑖𝑠𝑘
2.6. Watershed attack on Saudi Arabian petrochemical plant
is used to wipe the disks clean.
2.6.1. Goal of the attack
In 2017, the safety system for industrial control units (known as
2.5. Chemical mix changed at a water treatment plant
Triconex industrial safety technology) was targeted by hackers at a
petrochemical plant in Saudi Arabia [41]. Although the attackers in-
2.5.1. Goal of the attack tended to cause physical damage to the plant, a defect in their malware
A water treatment plant in the USA was hacked in 2015 by a code inadvertently led to a shutdown of the operations.
suspected Syrian hacktivist group [38]. As the plant’s specific location
and name were not released due to safety reasons, we will use the 2.6.2. Description of the attack
The hackers used a malware called Triton for gaining remote access
pseudonym Kemuri Water Company (KWC) for the utility. The inten-
to the Safety Instrumented System (SIS) and to alter its codebase, as
tion behind this attack is still unclear. Although personal data of the
shown in Fig. 5. SIS is responsible for maintaining operational safety in
customers was exposed, there is no evidence that this information was the industrial plant, with each controller having fallback failsafe modes.
misused. When the attack occurred, the devices went into the failsafe mode,
causing operations to pause at multiple facilities and hence triggering
a shutdown. Security alerts were sent to all the 𝑇 𝑟𝑖𝑐𝑜𝑛𝑒𝑥 users, thus
2.5.2. Description of the attack helping in detecting the attack.
KWC’s plant had an old IBM AS/400-based SCADA system for
managing the PLCs to regulate the flow of water and chemicals by 2.6.3. Consequences
managing valves and ducts in the plant. The attackers extracted login This attack is often called a Watershed attack, indicating possible
credentials for the system from the front-end web server to access the future attacks on the ICS infrastructure across the globe. The attackers
plant’s water control software which was also running on the same would learn the working of the safety systems to possibly launch large
scale attacks in the future intended to disrupt or damage the plant’s
AS/400 system. As this system was central to most IT operations in this
operations.
plant, access to this control system allowed hackers to control most of
the other equipment in the plant. Fig. 4 shows the details of the attack. 2.6.4. Solution
One approach to prevent the above attack is to isolate the safety
system networks from other networks such as the process control
2.5.3. Consequences network and the information system networks. Workstations that are
At least two instances were identified where hackers were able used for working with SIS, should have a single channel communication
to use the PLC’s web interface to alter the quantity of some of the with the Distributed Control System (DCS) so that any vulnerability
chemicals that were used in treating water, which in turn hampered cannot be introduced into SIS using this channel. DCS is a specially
the plant’s production and thus increased the recovery time to replenish designed computerized control system for the plant. Blockchain tech-
the water supplies. Even though the attackers were able to manipulate nology which is being widely adopted for distributed and decentralized
the valves that control the chemical flow, there was no impact on the applications can also be leveraged for control and data management in
DCS [42]. Hardware features that provide the physical capability to
plant’s operation. The attackers did not seem to have much knowledge
program safety features on 𝑇 𝑟𝑖𝑐𝑜𝑛𝑒𝑥 controllers should not be left in
of the SCADA systems, else it could have been a critical security breach,
programming/debug mode when not in use [43]. Access control and
leading to serious consequences to the plant as well as the surrounding application whitelisting must be implemented on any server that can
areas which rely on water from this plant. Personal information of reach the SIS system through the network. ICS network traffic must
about 2.5 million customers was also reported to have been leaked from be regularly monitored for unpredictable communication streams and
their database. other anomalous activity.
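Sections 2.3.4, 2.5.4 and 2.6.4 all come down to the same control: split the networks into zones, let traffic cross only through a few defined conduits that can be watched as checkpoints, and flag communication streams the plant has not seen before. The following Python is an added example, not the paper's code: it implements such a zone/conduit check and a baseline-based stream monitor over constructed flow records, and the zone names, address ranges and port numbers are placeholders chosen for the example.

```python
import ipaddress
from collections import Counter

# Constructed zones and address ranges (illustrative, not any real plant's).
ZONES = {
    "corporate":       ipaddress.ip_network("10.0.0.0/16"),
    "dmz":             ipaddress.ip_network("10.1.0.0/24"),
    "process_control": ipaddress.ip_network("192.168.10.0/24"),  # DCS network
    "safety":          ipaddress.ip_network("192.168.20.0/24"),  # SIS network
}

# Conduits: (source zone, destination zone) -> allowed destination ports.
# There is no conduit from corporate into process_control or safety; the SIS
# zone is reachable only from the DCS zone over one service. The port numbers
# are placeholders for the example, not any vendor's real protocol ports.
CONDUITS = {
    ("corporate", "dmz"):          {443},
    ("dmz", "process_control"):    {4840},
    ("process_control", "safety"): {1502},
}

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_policy(src, dst, dport):
    """Return (verdict, reason) for one flow against the zone/conduit policy."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return "alert", f"address outside every zone ({sz}->{dz})"
    if sz == dz:
        return "allow", f"intra-zone {sz}"
    ports = CONDUITS.get((sz, dz))
    if ports is None:
        return "alert", f"no conduit {sz}->{dz}"
    if dport not in ports:
        return "alert", f"port {dport} not permitted on conduit {sz}->{dz}"
    return "allow", f"conduit {sz}->{dz}"

def learn_baseline(flows):
    """Learning phase: remember every (src, dst, dport) stream seen at the checkpoints."""
    return Counter(flows)

def monitor(flows, baseline):
    """Detection phase: policy violations plus permitted streams absent from the baseline."""
    findings = []
    for src, dst, dport in flows:
        verdict, reason = check_policy(src, dst, dport)
        if verdict == "alert":
            findings.append((src, dst, dport, "policy", reason))
        elif (src, dst, dport) not in baseline:
            findings.append((src, dst, dport, "new-stream", "not seen during baseline"))
    return findings

# Constructed traffic: a quiet baseline window, then a live window in which a
# corporate host talks straight to the safety zone and to the DCS.
BASELINE = [
    ("10.0.5.20", "10.1.0.10", 443),
    ("10.1.0.10", "192.168.10.5", 4840),
    ("192.168.10.5", "192.168.20.7", 1502),
]
LIVE = [
    ("10.1.0.10", "192.168.10.5", 4840),     # known, permitted
    ("192.168.10.5", "192.168.20.7", 1502),  # known, permitted
    ("192.168.10.9", "192.168.20.7", 1502),  # permitted conduit, but a new source
    ("10.0.5.20", "192.168.20.7", 1502),     # corporate -> safety: no such conduit
    ("10.0.5.20", "192.168.10.5", 22),       # corporate -> DCS: no such conduit
]

if __name__ == "__main__":
    for finding in monitor(LIVE, learn_baseline(BASELINE)):
        print(finding)
```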
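Section 2.4.4 asks for strong authentication before any remote access to the ICS, and protection measure (ii) in Section 3 spells that out as a password combined with a second factor such as a PUF [45]. The Python below is an added example, not the paper's or any vendor's code: a gateway that requires both factors and consumes each enrolled challenge exactly once, so a captured response cannot be replayed. The PUF is simulated with an HMAC over a per-device secret, an assumption made only so the example runs in software.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000

class SimulatedPUF:
    """Software stand-in for a device PUF (assumption for this example): the
    response is an HMAC of the challenge under a per-device secret. A real PUF
    derives responses from silicon manufacturing variation and stores no secret."""
    def __init__(self, device_secret):
        self._secret = device_secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

class RemoteAccessGateway:
    """Gateway in front of the ICS: password (factor 1) plus PUF challenge-response
    (factor 2). Only enrolled challenge-response pairs are stored, never the PUF."""
    def __init__(self):
        self._pw = {}       # user -> (salt, PBKDF2 digest)
        self._crp = {}      # device id -> {challenge: expected response}
        self._pending = {}  # device id -> (challenge, expected response)

    def register_user(self, user, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._pw[user] = (salt, digest)

    def enroll_device(self, device_id, puf, n_pairs=8):
        # Done once in a trusted setting; each pair is usable for a single login.
        challenges = [secrets.token_bytes(16) for _ in range(n_pairs)]
        self._crp[device_id] = {c: puf.respond(c) for c in challenges}

    def issue_challenge(self, device_id):
        """Hand out one unused challenge, or None when the pool is exhausted."""
        pool = self._crp.get(device_id)
        if not pool:
            return None
        challenge, expected = pool.popitem()
        self._pending[device_id] = (challenge, expected)
        return challenge

    def _password_ok(self, user, password):
        # Unknown users are hashed against a dummy entry so timing stays uniform.
        salt, digest = self._pw.get(user, (b"\0" * 16, b"\0" * 32))
        computed = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return user in self._pw and hmac.compare_digest(computed, digest)

    def authenticate(self, user, password, device_id, response):
        """Both factors are evaluated; the pending challenge is consumed either way."""
        pending = self._pending.pop(device_id, None)
        pw_ok = self._password_ok(user, password)
        puf_ok = pending is not None and hmac.compare_digest(pending[1], response)
        return pw_ok and puf_ok

def demo():
    """Constructed scenario: a valid login, a replay, and a stolen password without the device."""
    gw = RemoteAccessGateway()
    password = "correct horse battery staple"          # constructed credential
    gw.register_user("operator", password)
    device = SimulatedPUF(os.urandom(32))
    gw.enroll_device("eng-ws-01", device)
    c = gw.issue_challenge("eng-ws-01")
    first = gw.authenticate("operator", password, "eng-ws-01", device.respond(c))
    replay = gw.authenticate("operator", password, "eng-ws-01", device.respond(c))
    c2 = gw.issue_challenge("eng-ws-01")
    other_device = SimulatedPUF(os.urandom(32))        # attacker lacks the enrolled PUF
    stolen_pw = gw.authenticate("operator", password, "eng-ws-01", other_device.respond(c2))
    return first, replay, stolen_pw

if __name__ == "__main__":
    print(demo())
```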


Fig. 5. Watershed attack cripples safety systems in Saudi Arabian petrochemical plant.

2.7. NotPetya cyberattack

2.7.1. Goal of the attack

Ukraine was hit by a series of cyberattacks in 2017 that disrupted many websites, including those belonging to electricity firms and various Ukrainian ministries [44]. Attackers used a variant of the Petya malware called NotPetya to carry out the attack. It was found out later that the attack began with an update of the tax accounting software MeDoc. Although Ukraine was the initial target in this politically-motivated attack, many other countries were also in the grip of this attack later on.

2.7.2. Description of the attack

NotPetya is a type of ransomware that encrypts the whole system so that it is not accessible by any means. It encrypts the Master File Table (MFT), reboots the computer and makes the Master Boot Record (MBR) unusable. The MFT is a database containing information about every file and directory in the NTFS file system, while the MBR is a type of boot sector responsible for locating and booting the operating system. As a result, the whole system, including the operating system, becomes inaccessible.

2.7.3. Consequences

From hospitals to manufacturers, a number of machines were infected around the world within hours of its appearance. This attack resulted in damages costing over 10 billion dollars. This attack has shown that organizations across the globe are not well prepared to tackle attacks from ransomware like NotPetya.

2.7.4. Solution

Petya uses the EternalBlue exploit (an exploit of the Server Message Block protocol in multiple versions of Microsoft Windows), which was discovered and patched in Microsoft's March 2017 update. It is recommended to update the OS with the latest patches to fix this issue. The malware was modified to use a variation of Mimikatz (an open-source credential-dumping tool that recovers user passwords held in the computer's memory) to spread across the network. The effects of NotPetya can be limited by frequently updating the OS and setting up antivirus and antimalware utilities. If the system is infected by the malware, we can use decrypting tools for decrypting the MFT to recover files affected by the attack. Another good practice would be to perform regular backups of the system. In case of irreparable damage to the OS, we can safely revert to the previously saved version.

3. Lessons learned and protection measures for ICS

3.0.1. Lessons learned

From the various case studies reviewed above, we observe that several types of attacks are possible on ICSs. Most of them involve injecting some kind of malware or ransomware into the control systems, hacking outdated networks and systems, and exploiting their inherent vulnerabilities. In most cases, the malware made its way into the core ICS network via phishing emails, insecure connections to the Internet, or untrusted and unsanitized USB drives. In the attack on KWC's water treatment plant, the hackers exploited the non-isolation of the OT/IT networks to gain access to the plant's control system.

3.0.2. Protection measures for ICS

Based on the review of the above case studies, we recommend the following protection measures for ICSs:

i. Regular updates to the firmware and software on industry-grade computers should be carried out. Most vulnerabilities found in the above use cases were due to old and buggy versions of firmware or software.
ii. We need to use at least two-factor authentication when logging into private ICS servers and SCADA systems. Password protection, being the primary authentication factor, should be used in conjunction with at least a secondary factor. In this regard, Physically Unclonable Functions (PUFs) are being extensively explored for use as a second factor of authentication [45].
iii. We need to ensure that the passwords of critical systems are changed at regular intervals.
iv. Employees who oversee and manage ICS servers must be trained on a regular basis to recognize phishing attacks.
v. There should be a provision for manual overrides and fail-safe modes so that detection and shutdown of the system can occur as soon as the system is tampered with. This will protect the ICSs from further damage.
vi. We should not allow the use of USB drives on critical systems without stringent antivirus checks. State-of-the-art object detection techniques to detect suspicious objects can be implemented at industrial sites [46].

4. Conclusion

Based on the above case studies we conclude that ICS security remains a challenging issue around the world. ICSs are a vital component of many critical infrastructures that manage and provide basic services (such as electricity, water, gas and so on) to society. As the influence of technology deepens in our lives, more and more industries that deal with hazardous chemicals, such as pulp and paper mills, herbicides and petrochemicals, are becoming equipped with software solutions. They need to be protected and equipped with the latest software security solutions. If they go unnoticed, these attacks can cause serious damage to many critical infrastructures, which may lead to life-threatening situations and impact the lives of many citizens. After analyzing all the cases, we recommend that the owners of ICSs monitor and improve their security so that they can be protected against such attacks.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.


Acknowledgments

We thank the anonymous reviewers for their valuable comments which helped us improve the content and presentation of this paper.

References

[1] The state of industrial cybersecurity 2017, 2017, [Online]; https://go.kaspersky.com/rs/802-IJN-240/images/ICS%20WHITE%20PAPER.pdf. (Accessed 12 April 2019).
[2] T. Alladi, V. Chamola, R.M. Parizi, K.-K.R. Choo, Blockchain applications for industry 4.0 and industrial IoT: A review, IEEE Access 7 (2019) 176935–176951.
[3] A. Jindal, A. Schaeffer-Filho, A. Marnerides, P. Smith, A. Mauthe, L. Granville, Tackling Energy Theft in Smart Grids through Data-driven Analysis, IEEE, 2019.
[4] T. Alladi, V. Chamola, J.J. Rodrigues, S.A. Kozlov, Blockchain in smart grids: A review on different use cases, Sensors 19 (22) (2019) 4862.
[5] H. Xu, W. Yu, D. Griffith, N. Golmie, A survey on industrial internet of things: A cyber-physical systems perspective, IEEE Access 6 (2018) 78238–78259.
[6] C. Alcaraz, S. Zeadally, Critical infrastructure protection: Requirements and challenges for the 21st century, Int. J. Crit. Infrastruct. Prot. 8 (2015) 53–66.
[7] A. Jindal, A.K. Marnerides, A. Scott, D. Hutchison, Identifying security challenges in renewable energy systems: a wind turbine case study, in: Proceedings of the Tenth ACM International Conference on Future Energy Systems, 2019, pp. 370–372.
[8] G.S. Aujla, A. Singh, N. Kumar, AdaptFlow: Adaptive flow forwarding scheme for software defined industrial networks, IEEE Internet Things J. (2019).
[9] E. Byres, J. Lowe, The myths and facts behind cyber security risks for industrial control systems, in: Proceedings of the VDE Kongress, Vol. 116, 2004, pp. 213–218.
[10] B. Zhu, A. Joseph, S. Sastry, A taxonomy of cyber attacks on SCADA systems, in: 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, IEEE, 2011, pp. 380–388.
[11] B. Miller, D.C. Rowe, A survey of SCADA and critical infrastructure incidents, RIIT 12 (2012) 51–56.
[12] M. Krotofil, D. Gollmann, Industrial control systems security: What is happening? in: 2013 11th IEEE International Conference on Industrial Informatics, INDIN, IEEE, 2013, pp. 670–675.
[13] W. Knowles, D. Prince, D. Hutchison, J.F.P. Disso, K. Jones, A survey of cyber security management in industrial control systems, Int. J. Crit. Infrastruct. Prot. 9 (2015) 52–80.
[14] Z. Drias, A. Serhrouchni, O. Vogel, Analysis of cyber security for industrial control systems, in: 2015 International Conference on Cyber Security of Smart Cities, Industrial Control System and Communications, SSIC, IEEE, 2015, pp. 1–8.
[15] S. Kriaa, L. Pietre-Cambacedes, M. Bouissou, Y. Halgand, A survey of approaches combining safety and security for industrial control systems, Reliab. Eng. Syst. Saf. 139 (2015) 156–178.
[16] H. Holm, M. Karresand, A. Vidström, E. Westring, A survey of industrial control system testbeds, in: Nordic Conference on Secure IT Systems, Springer, 2015, pp. 11–26.
[17] S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.-R. Sadeghi, M. Maniatakos, R. Karri, The cybersecurity landscape in industrial control systems, Proc. IEEE 104 (5) (2016) 1039–1057.
[18] D. Ding, Q.-L. Han, Y. Xiang, X. Ge, X.-M. Zhang, A survey on security control and attack detection for industrial cyber-physical systems, Neurocomputing 275 (2018) 1674–1683.
[19] D. Serpanos, M.T. Khan, H. Shrobe, Designing safe and secure industrial control systems: a tutorial review, IEEE Des. Test 35 (3) (2018) 73–88.
[20] S. McLaughlin, Securing control systems from the inside: A case for mediating physical behaviors, IEEE Secur. Priv. 11 (4) (2013) 82–84.
[21] J.P. Farwell, R. Rohozinski, Stuxnet and the future of cyber war, Survival 53 (1) (2011) 23–40.
[22] R.M. Lee, M.J. Assante, T. Conway, German steel mill cyber attack, Ind. Control Syst. 30 (2014) 62.
[23] Dragonfly: Western energy companies under sabotage threat, 2014, [Online]; https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat. (Accessed 30 June 2014).
[24] K. Kimani, V. Oduol, K. Langat, Cyber security challenges for IoT-based smart grid networks, Int. J. Crit. Infrastruct. Prot. 25 (2019) 36–49.
[25] R. Khan, P. Maynard, K. McLaughlin, D.M. Laverty, S. Sezer, Threat analysis of BlackEnergy malware for synchrophasor based real-time control and monitoring in smart grid, in: ICS-CSR, Vol. 16, 2016, pp. 1–11.
[26] A. Cherepanov, R. Lipovsky, Industroyer: Biggest Threat to Industrial Control Systems Since Stuxnet, Vol. 12, WeLiveSecurity, ESET, 2017.
[27] M. McQuade, The Untold Story of NotPetya, The Most Devastating Cyberattack in History, Wired, 2018.
[28] N.H.C. Guzman, M. Wied, I. Kozine, M.A. Lundteigen, Conceptualizing the key features of cyber-physical systems in a multi-layered representation for safety and security analysis, Syst. Eng. (2019) 1–22.
[29] M. Kumar, TSMC chip maker blames WannaCry malware for production halt, 2018, The Hacker News, [Online]; https://thehackernews.com/2018/08/tsmc-wannacry-ransomware-attack.html. (Accessed 28 August 2018).
[30] Hoya cyberattack, 2019, [Online]; https://www.cyberscoop.com/hoya-cyberattack-cryptojacking-thailand/. (Accessed 13 February 2020).
[31] Slammer worm and Davis-Besse nuclear plant, 2015, [Online]; http://large.stanford.edu/courses/2015/ph241/holloway2/. (Accessed 12 April 2019).
[32] A. Nourian, S. Madnick, A systems theoretic approach to the security threats in cyber physical systems applied to Stuxnet, IEEE Trans. Dependable Secure Comput. 15 (1) (2015) 2–13.
[33] V. Hassija, V. Chamola, V. Saxena, D. Jain, P. Goyal, B. Sikdar, A survey on IoT security: application areas, security threats, and solution architectures, IEEE Access 7 (2019) 82721–82743.
[34] G.K. Verma, B. Singh, N. Kumar, V. Chamola, CB-CAS: Certificate-based efficient signature scheme with compact aggregation for industrial internet of things environment, IEEE Internet Things J. (2019).
[35] G. Deep, R. Mohana, A. Nayyar, P. Sanjeevikumar, E. Hossain, Authentication protocol for cloud databases using blockchain mechanism, Sensors 19 (20) (2019) 4444.
[36] Y. Xiang, L. Wang, N. Liu, Coordinated attacks on electric power systems in a cyber-physical environment, Electr. Power Syst. Res. 149 (2017) 156–168.
[37] S. Kim, J. Kim, S. Nam, D. Kim, WebMon: ML- and YARA-based malicious webpage detection, Comput. Netw. 137 (2018) 119–131.
[38] O. Andreeva, S. Gordeychik, G. Gritsai, O. Kochetova, E. Potseluevskaya, S.I. Sidorov, A.A. Timorin, Industrial Control Systems Vulnerabilities Statistics, Report, Kaspersky Lab, 2016.
[39] Vericlave – The Kemuri Water Company hack, 2018, [Online]; https://www.vericlave.com/wp-content/uploads/2018/10/Vericlave_WhitePaper_KemuriWater_1018_F.pdf. (Accessed 12 April 2019).
[40] S. Adepu, V.R. Palleti, G. Mishra, A. Mathur, Investigation of cyber attacks on a water distribution system, 2019, arXiv preprint arXiv:1906.02279.
[41] N. Perlroth, C. Krauss, A cyberattack in Saudi Arabia had a deadly goal. Experts fear another try, N.Y. Times 15 (2018).
[42] M. Zhaofeng, W. Xiaochang, D.K. Jain, H. Khan, G. Hongmin, W. Zhen, A blockchain-based trusted data management scheme in edge computing, IEEE Trans. Ind. Inf. (2019).
[43] T. Alladi, V. Chamola, B. Sikdar, K.-K.R. Choo, Consumer IoT: Security vulnerability case studies and solutions, IEEE Consum. Electron. Mag. 9 (2) (2020) 17–25.
[44] S. Furnell, D. Emm, The ABC of ransomware protection, Comput. Fraud Secur. 2017 (10) (2017) 5–11.
[45] G. Bansal, Naren, V. Chamola, B. Sikdar, N. Kumar, M. Guizani, Lightweight mutual authentication protocol for V2G using physical unclonable function, IEEE Trans. Veh. Technol. (2020).
[46] D.K. Jain, et al., An evaluation of deep learning based object detection strategies for threat object detection in baggage security imagery, Pattern Recognit. Lett. 120 (2019) 112–119.
