Petri Net Model of Insider Attacks in SCADA System: September 2014

Conference Paper · September 2014


DOI: 10.1109/ISCISC.2014.6994022


Petri Net Model of Insider Attacks in SCADA System
Payam Mahmoudi Nasr and Ali Yazdian Varjani
Electronic and Computer Engineering Dep., Tarbiat Modares University, Tehran, Iran
[email protected], [email protected]

Abstract—This paper investigates the use of Petri nets for modeling insider attacks on the Supervisory Control and Data Acquisition (SCADA) system. Insider attacks are among the most dangerous threats to Critical Infrastructures (CIs). An insider attacker, by sending legitimate control commands, can cause catastrophic damage to CIs at the national level. Therefore, it is important to develop a new model to study the sequence of operator actions in CIs. Many CIs are monitored and controlled by SCADA systems. This paper proposes a new modelling approach for operator behavior, covering both the resolving of alarms and insider attacks, in electric power SCADA. In order to study operator behavior, several attack scenarios have been studied to evaluate the proposed model. The proposed model is based on Colored Petri Nets (CPNs).

Keywords: Insider attack; SCADA; colored petri net

I. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA) systems are used in many CI applications such as power, water, oil and gas distribution systems, transport monitoring (e.g., railways, airports), and production systems. SCADA reliability and its security operations are important for national security and economic activity. In the past, SCADA systems relied on proprietary networks and non-standard protocols to protect against attacks [1], whereas today SCADA architectures have taken advantage of high speed networking that uses standardized open protocols such as Ethernet over TCP/IP. This allows sharing of real-time data processing and remote access capabilities for operations and services. These changes have increased the vulnerabilities of SCADA. According to Rantala [2], CI businesses were affected by 13 million cybercrime incidents (nearly two-thirds of the total) in the U.S.A., suffering $288 million of financial loss and around 152,200 h of system downtime in 2005.

One of the major threats to SCADA is an insider attacker who sends legitimate control commands to create catastrophic damage [3]. An insider attack is a malicious attack on a computer system or network by an operator with authorized access. An insider attack can be deliberate or inadvertent. Operators or contractors with extensive internal knowledge of the SCADA architecture and the system policies/procedures can carry out insider attacks. Also, an intruder who has obtained an insider role could use a valid SCADA control application to perform undesirable actions. According to the Computer Crime and Security Survey, insider attacks accounted for 33% of the total incidents reported in 2010 [4]. Ben Salem et al. [5], by distinguishing between intruders and traitors as two cases of insider attacker, have reviewed the proposed solutions for insider attack detection in the computer security research literature.

Petri nets (PNs) are well-known tools for studying and modeling attacks in vulnerable systems. A CPN based attack model of malicious insider attacks is described in [6]. Chen et al. [7] have used Petri nets for modeling coordinated cyber-physical attacks on the smart grid. Henry et al. [8] have used Petri net analysis to clarify the potential for attacker control of resources, in order to quantify the risk of computer network operations against SCADA systems. Bouchti et al. [9] have presented a CPN based approach to model cyber-attacks on SCADA systems. Petri nets as a modelling technique for SCADA systems under cyber-attacks are presented in [10]. Baracaldo et al. [11] have used a formulation of CPN to identify when an insider attacker may infer unauthorized permissions. Allen et al. [12] have proposed a solution to the anomaly detection problem, based on a resource-based Petri net model, for event-based systems that use shared resources to interact between processes.

Based on our studies, although alarms are a main factor in SCADA systems, there is no alarm-driven model for insider attacks in SCADA. In this paper, we aim to show that alarms can be used to model insider attacks on the SCADA system. The main contribution of this paper is a new alarm based CPN model for electric power SCADA operations. Our CPN model consists of operator behavior in two parts: (i) resolving alarms and (ii) operator attacks. To demonstrate the proposed CPN model, experimental scenarios for studying the intensity of operator attacks are offered.

The remainder of this paper is organized as follows. Section II provides an overview of the SCADA system. Section III proposes our Petri net models for SCADA insider attacks. Section IV describes the validation of the models and the simulation results. Section V gives the conclusion.

II. SCADA SYSTEM

Modern industrial facilities such as power generation plants, potable water systems, wastewater treatment facilities, oil and gas production and transportation/distribution networks often involve components that are geographically distributed. To continuously monitor and control the different sections of the
plant in order to ensure its appropriate operation leads to the use of SCADA systems.

Fig. 1. Structure of SCADA System. (Figure: Operators and the HMI in the control center, a Historian Server (Logs), a Communication Server, and substations RTU_1 to RTU_n, exchanging Events/Alarms upward and Commands downward.)

SCADA refers to the combination of telemetry and data acquisition. Fig. 1 shows the structure of a SCADA system. SCADA includes collecting information via Remote Terminal Units (RTUs), Programmable Logic Controllers (PLCs) and Intelligent Electronic Devices (IEDs), transferring it back to the central site, carrying out any necessary analysis and control, and then displaying that information on a number of operator screens. The four most important parts of a SCADA system are the Human Machine Interface (HMI) and Historian servers in the master station, the remote terminals (RTU, PLC, IED) in the substations, and the communication between them. The HMI is where data are processed and presented to be viewed and monitored by a human operator [13]. A control room operator using the HMI can make supervisory decisions to adjust or override normal RTU controls. SCADA data may also be fed to a Historian, often built on a commodity Database Management System, to allow trending and other analytical auditing [14]. SCADA event logs on the historian server provide a complete high-level view of the industrial process that is continuous over time and captures information about user activities and system changes in the field, as well as system status updates [15].

As most SCADA systems control CIs, they affect the daily lives of millions, and so their security is very important. SCADA systems are vulnerable to both cyber and physical attacks. Cyber vulnerabilities include attacks by worms, spam, viruses and others, which cause differing degrees of harm to the CIs, ranging from the controllable to the severe. On the other hand, physical vulnerabilities, which include electricity blackouts, floods, earthquakes and hurricanes, although great disasters, can be resisted with strategic protection and by exploiting the vulnerabilities of SCADA systems so as to generate more efficient protective measures.

A. SCADA Attacks

The following targets can be attacked in a SCADA system: the HMI, the data historian, RTUs, communication links, sensor threshold values and actuator normal settings [16]. Like any industrial control system, SCADA attacks can be divided into two groups: (i) outsider attacks and (ii) insider attacks. Outsider attacks are initiated from outside the perimeter by unauthorized or illegitimate users, such as hackers, organized crime groups, or enemy nation states. Outsider attacks are usually opportunistic, deliberate and malicious.

Insider attacks are one of the most dangerous threats organizations face today [11]. Insider attacks occur when an individual or a group within an organization seeks to disrupt operations or exploit organizational assets. An insider attack occurs when an authorized operator decides to abuse the trust and harm the process(es). Therefore, it is difficult to predict and protect against insider attacks. Although insider attacks may not occur as frequently as outsider attacks, they have greater impact and a higher success rate, so insider attacks seem a much greater risk than outsider attacks [17]. In general, insider attack scenarios do not include any exploit of a software implementation vulnerability (e.g., in a protocol implementation), and because all the operator commands are legal, traditional security countermeasures such as intrusion detection systems cannot detect them.

B. SCADA Insider Attacks

There are two kinds of SCADA users [1]: (i) engineers and (ii) operators (or dispatchers). An engineer is responsible for managing object libraries and user interfaces, setting the grid topology, the normal states and the parameters of devices, defining process set points, writing automation scripts, etc. An operator monitors the system status on the HMI server and reacts to alarms and some events so that the process runs correctly.

Typical operator actions include commands for resolving alarms, decisions to increase or decrease power generation, and load transfer by changing the grid topology and using backup paths, to prevent the creation of new alarms. So, although an engineer is a more powerful system user than an operator, the transmission network is controlled by the operators. Any wrong decision or delay could cause an outage in part of a neighborhood and, in a critical condition, black out the whole grid. Accordingly, insider attacks by the operator should be considered in two parts:

a. When the operator is in the resolving state for incoming alarms, there are two options:
(1) Delay attack: no response, or a delayed response.
(2) Incorrect or incomplete attack: sending incorrect or incomplete commands/responses to the alarm, so that it is not resolved completely or becomes more severe.
In these conditions, cascading failures are likely to be created.
b. When the operator tries to create a misConfiguration or new alarms, in two ways:
(3) Overload attack: wrongly changing the topology and load transfer, which could cause an overload or a power failure in a large area.
(4) Outage attack: opening the output feeders.

III. PETRI NET MODELING FOR SCADA INSIDER ATTACKS

A Petri network is a graphical and mathematical tool to model synchronization processes, asynchronous events, sequential operations, concurrent operations, conflicts and resource management [18]. Petri net models can readily be used to describe system behavior by means of causal relationships between conditions and events in a sequential way. For that reason, Petri nets are very useful for the analysis
of various industrial processes such as production facilities, modeling of electrical systems, and computational systems.

A CPN model is defined by a nine-tuple, CPN = (P, T, A, Σ, V, C, G, E, M0), where P = {p1, p2, ..., pm} represents a set of places, T = {t1, t2, ..., tn} represents a set of transitions, A ⊆ (P × T) ∪ (T × P) is a set of directed arcs, Σ is a set of non-empty types (called color sets), V is a finite set of typed variables such that Type[v] ∈ Σ, C: P → Σ is a color set function that assigns a color set to each place, G is a guard function that assigns a guard to each transition t such that Type[G(t)] = Boolean, E is an arc expression function that assigns an arc expression to each arc a such that Type[E(a)] = C(p), where p is the place connected to the arc a, and M0 is an initialization function that assigns an initial expression to each place p such that Type[M0(p)] = C(p). Transitions and arcs can also have inscriptions (expressions) to control the execution of the model. A transition can occur if and only if, for all input places, sufficient tokens exist that satisfy the input arc inscriptions, and the transition inscription evaluates to true. There are two types of transitions: immediate transitions, represented as black bars, and timed transitions, represented as empty bars.

The proposed model is based on CPN and represents operator behavior (commands or attacks) in the control center. Fig. 2 shows the structure of the proposed Petri net modeling.

Fig. 2. Structure of the proposed PN modeling. (Figure: the Control Center block contains the Correct Response model, the no Response or Delay Attack model, the Incorrect/Incomplete Response Attack model and the misConfiguration Attack model, linked to the RTU Substations by "From RTU" and "To RTU" flows.)

A. Modeling of Resolve Alarms

The Petri net for resolving alarms by a skilled operator is presented in Fig. 3. Place and transition descriptions are given in Tables I and II. Making a decision to remove alarms is time consuming, so T1 and T2 are timed transitions. First, alarms are generally acknowledged; then the commands are issued to resolve them. As any token in place P1 is an alarm, and the correct decision of the operator will remove it, the number of tokens in place P1 is the number of unresolved alarms.

Fig. 3. Petri network for resolving alarms.

TABLE I. PLACES FOR THE PN REPRESENTATION OF RESOLVE ALARMS
Place  Description
P1     Alarms in control center (HMI Server)
P2     Acknowledged alarms
P3     Operator commands/responses
P4     RTU input ports

TABLE II. TRANSITIONS FOR THE PN REPRESENTATION OF RESOLVE ALARMS
Transition  Description
T1          Processing alarms by operator
T2          The correct commands/responses of operator
T3          Send to RTU
T4          The alarm disappears

B. Modeling of misConfiguration Attack

We can use the Poisson distribution for the number of misConfiguration operator attacks, with parameter 1/λ, and the exponential distribution with mean value λ for the time between them. We can simulate the intensity of misConfiguration attacks by changing the λ parameter. MisConfiguration attacks include: (i) changing to an improper topology, by bringing switches out of their normal state; (ii) changing to improper equipment settings, such as a tap changer. Changing switches from their normal state may create an outage attack or an overloading attack that causes a new alarm in the substation. Fig. 4 displays the Petri net model developed for the misConfiguration attack, and Tables III and IV describe its places and transitions.

Fig. 4. Petri network for misConfiguration attack.

TABLE III. PLACES FOR THE PN REPRESENTATION OF MISCONFIGURATION ATTACK
Place  Description                                            Initial Value
P5     misConfiguration attack                                exponential(λ)
P6     Out of normal state equipment such as Circuit Breaker  --

TABLE IV. TRANSITIONS FOR THE PN REPRESENTATION OF MISCONFIGURATION ATTACK
Transition  Description
T5          Sending misConfiguration command
T6          Topology attack
T7          Equipment parameter setting attack
T8          Overload attack
T9          Outage attack

C. Modeling of Unresolved Alarms Attack

In the Control Center, when alarms are received, the operator can carry out the following methods of attack: (1) no response, (2) delayed response, (3) incorrect response, (4) incomplete response. Any of these actions could cause the alarm to remain, and a long alarm may lead to a new cascade alarm
at the same substation or at other substations. Fig. 5 displays the Petri net model developed for all four attack types. Table V and Table VI describe all the places and transitions that constitute the Petri net model of Fig. 5. In addition, in the worst case the attacker may resolve some alarms in order to hide the attacks. In this situation, we can simulate attacker behavior with two parameters: (i) d is the percentage of attack types (1) and (2), and (ii) m is the percentage of attack types (3) and (4) among the remaining alarms, so (100 - m) is the percentage of the remaining alarms that are resolved.

Fig. 5. Petri network for Unresolved Alarms attacks.

TABLE V. PLACES FOR THE PN REPRESENTATION OF UNRESOLVED ALARMS ATTACKS
Place  Description
P7     d% of alarms: delayed or no response
P8     m% of remaining alarms: incorrect or incomplete response
P9     Long alarm or intensive alarm

TABLE VI. TRANSITIONS FOR THE PN REPRESENTATION OF UNRESOLVED ALARMS ATTACKS
Transition  Description
T10         Delay attack, holding alarm
T11         Incorrect or incomplete attack, holding alarm and sending incorrect command to RTU
T12         Create a new cascade alarm

D. Modeling of Total System

Fig. 6 shows the total system model in CPNTOOLS. Place P5 has a timed colorset with an exponential distribution. Only T1 and T2 are timed transitions; the others are immediate transitions. Table VII shows all three control parameters of the total system. A Poisson distribution is used for the number of misConfiguration attacks.

Fig. 6. Total System of CPN model.

TABLE VII. CONTROL PARAMETERS OF THE MODEL FOR TOTAL SYSTEM
Parameter  Description
λ          The mean interval between misConfiguration attacks
d          The percentage of no response or delayed response attacks
m          The percentage of incorrect or incomplete response attacks

IV. VALIDATION AND EXPERIMENTAL SCENARIOS

As a validation of our models, we present some attack scenarios. The control parameters λ, d, m simulate attacker behavior. By changing them, several types of operator attack can be studied. The values of the control parameters are shown in Table VIII. For all scenarios, the models are analyzed using the simulation, state space and monitoring tools in CPNTOOLS. We have also used 'message sequence charts' to follow the step-by-step transitions and places, in addition to notifications when transitions are executed. The number of tokens in place P1 is the number of substation alarms in the HMI server. We have counted them using the 'write in file monitoring' tool.

TABLE VIII. CONTROL PARAMETERS OF THE ATTACK SCENARIOS
Attack Type       λ (hours)  d    m    Cascade Probability
misConfiguration  24         5%   5%   5%
Unresolved        8760       80%  80%  5%
Combined          24         60%  60%  5%

A. misConfiguration Attack Scenario

In this scenario, the misConfiguration attack is carried out by the attacker on average once a day. The values of the parameters d and m are assumed to be 5%, as normal human mistakes. In addition, since the creation of a cascade alarm depends on many factors, such as the amount of power generation, the power plant status, the network load, etc., and because this topic is beyond the scope of this paper, we assume a fixed low probability (5%) for it, although this amount could be higher in real terms. The number of alarms at the substation is measured and shown in Fig. 7. It can be seen that, although the number of alarms increases, all of them have been resolved.

B. Unresolved Alarms Attack Scenario

In this scenario, the values of the parameters d and m are assumed to be 80%. Therefore, 80% of alarms would have no response or a delayed response, 80% of the remaining alarms would have an incorrect/incomplete response, and only 20% of those remaining alarms would be responded to in a timely and correct manner. The misConfiguration attack is carried out by the attacker on average once a year, as a normal human mistake. A fixed low probability (5%) is considered for cascading alarms. The number of alarms at the substation is measured and shown in Fig. 8.

C. Combined Attack Scenario

In this scenario, both attacks are carried out by the operator. The number of alarms at the substation is measured and shown in Fig. 9. We see that the substation conditions are highly critical.

V. CONCLUSIONS

This paper has proposed a new CPN model of SCADA operator behavior in the electric power grid. Three models, for resolving alarms, the misConfiguration attack and the unresolved alarms attack, are presented. CPN is used to analyze insider threats that occur in the computer systems used in CIs. Such threats take place when an attacker manages to gain valid user credentials and performs actions to alter/disrupt a targeted

industrial process, or when a legitimate user makes an operational mistake or delay and causes a process failure. In this paper, we have shown how an unresolved alarm could create a new cascade alarm. We were also able to study the effects of various types of operator attacks on the SCADA system by changing the control parameters.

Fig. 7. misConfiguration attack scenario. (Plot: Number of Unresolved Alarms versus Events.)

Fig. 8. Unresolved Alarms attack scenario. (Plot: Number of Unresolved Alarms versus Events.)

Fig. 9. Combined attack scenario. (Plot: Number of Unresolved Alarms versus Events.)

REFERENCES

[1] B. Miller, D. C. Rowe, "A Survey of SCADA and Critical Infrastructure Incidents", Proc. of the 1st Annual Conf. on Research in Information Technology, pp. 51-56, 2012.
[2] R. Rantala, "Cybercrime against businesses", Technical report, U.S. Dept. of Justice, Office of Justice Programs, Bureau of Justice Statistics, Special Report, Sep. 2008.
[3] C. W. Ten, C. C. Liu and M. Govindarasu, "Vulnerability Assessment of Cybersecurity for SCADA Systems", IEEE Trans. Power Systems, vol. 23, no. 4, pp. 1836-1846, Nov. 2008.
[4] R. Richardson, "Computer crime and security survey", 15th CSI survey, 2010/2011.
[5] M. B. Salem, S. Hershkop, S. J. Stolfo, "A Survey of Insider Attack Detection Research", Insider Attack and Cyber Security, Advances in Information Security, vol. 39, pp. 69-90, Springer US, 2008.
[6] A. E. Bouchti, A. Haqiq, "Malicious Insider Attacks Based Colored Petri Nets Approach", Int. Jour. of Engineering & Technology Sciences (IJETS), vol. 1, no. 4, pp. 177-191, 2013.
[7] T. M. Chen, J. C. S. Aarnoutse, and J. Buford, "Petri Net Modeling of Cyber-Physical Attacks on Smart Grid", IEEE Trans. on Smart Grid, vol. 2, no. 4, pp. 741-749, Dec. 2011.
[8] M. H. Henry, R. M. Layer, K. Z. Snow, D. R. Zaret, "Evaluating the Risk of Cyber Attacks on SCADA Systems via Petri Net Analysis with Application to Hazardous Liquid Loading Operations", IEEE Conf. on Technologies for Homeland Security, 2009.
[9] A. E. Bouchti, A. Haqiq, "Modeling Cyber-Attack for SCADA Systems Using CoPNet Approach", Inter. Conf. on Complex Systems (ICCS), pp. 1-6, Nov. 2012.
[10] E. Ciancamerla et al., "Overview of modelling techniques and tools for SCADA systems under cyber attacks", cockpit ci, 2012.
[11] N. Baracaldo, J. Joshi, "An adaptive risk management and access control framework to mitigate insider threats", Computers & Security, vol. 39, part B, pp. 237-254, Nov. 2013.
[12] L. V. Allen and D. M. Tilbury, "Anomaly Detection Using Model Generation for Event-Based Systems Without a Preexisting Formal Model", IEEE Trans. on Systems, Man, and Cybernetics - Part A: Systems and Humans, vol. 42, no. 3, pp. 654-668, 2012.
[13] R. J. Robles, M. Choi, "Assessment of the Vulnerabilities of SCADA, Control Systems and Critical Infrastructure Systems", Int. Jour. of Grid and Distributed Computing, vol. 2, no. 2, June 2009.
[14] J. Fiaidhi, Y. E. Gelogo, "SCADA Cyber Attacks and Security Vulnerabilities: Review", ACN, ASTL, vol. 14, pp. 202-208, SERSC, 2012.
[15] D. Hadziosmanovic, D. Bolzoni, P. H. Hartel, "A Log Mining Approach for Process Monitoring in SCADA", International Journal of Information Security, vol. 11, no. 4, pp. 231-251, 2012.
[16] Bonnie Zhu, Shankar Sastry, "SCADA-specific Intrusion Detection/Prevention Systems: A Survey and Taxonomy", Proc. of the First Workshop on Secure Control Systems (SCS'10), 2010.
[17] R. Chinchani, D. Ha, A. Iyer, H. Q. Ngo, and S. Upadhyaya, "Insider Threat Assessment: Model, Analysis and Tool", Network Security, pp. 143-174, Springer, 2010.
[18] A. Valdes, S. Cheung, B. Dutertre, et al., "Using model-based intrusion detection for SCADA networks", Proceedings of the SCADA Security Scientific Symposium, Jan. 2007.
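The total system model of Section III.D and the attack scenarios of Section IV, re-implemented as an added discrete-event simulation in Python. This is an added example, not the authors' CPNTOOLS model: it uses the control parameters λ, d, m and the cascade probability of Tables VII and VIII, while the ordinary alarm arrival interval, the operator's handling time, and the rule that each misConfiguration attack raises exactly one substation alarm are assumptions not stated in the paper.

```python
import heapq
import random
from dataclasses import dataclass, field

@dataclass
class Params:  # control parameters of Table VII plus two ASSUMED constants
    lam: float        # λ: mean interval (hours) between misConfiguration attacks
    d: float          # share of alarms with no or delayed response (attack types 1, 2)
    m: float          # share of remaining alarms answered incorrectly/incompletely (types 3, 4)
    p_cascade: float  # probability that a held ("long") alarm creates a cascade alarm (T12)
    base_interval: float = 12.0  # ASSUMED: mean hours between ordinary substation alarms
    resolve_time: float = 1.0    # ASSUMED: operator time spent in the timed transitions T1, T2

# Scenario values copied from Table VIII (λ in hours: once a day / once a year).
SCENARIOS = {
    "misConfiguration": Params(24.0, 0.05, 0.05, 0.05),
    "Unresolved": Params(8760.0, 0.80, 0.80, 0.05),
    "Combined": Params(24.0, 0.60, 0.60, 0.05),
}

@dataclass
class Result:
    trace: list = field(default_factory=list)  # tokens in P1 after each event
    raised: int = 0    # alarms that entered P1 (ordinary, misConfiguration, cascade)
    resolved: int = 0  # alarms removed by the correct-response path T2 -> T3 -> T4
    held: int = 0      # alarms kept in P1 by a delay (T10) or incorrect (T11) attack

def held_fraction(d, m):
    """Closed-form share of alarms left unresolved, ignoring cascades:
    d of them go to T10, and m of the remaining (1 - d) go to T11."""
    return d + (1.0 - d) * m

def operator_response(rng, p):
    """Section III.C: the branch one incoming alarm takes in the control center."""
    if rng.random() < p.d:
        return "delay"      # attack types (1)/(2): alarm stays in P1
    if rng.random() < p.m:
        return "incorrect"  # attack types (3)/(4): alarm stays in P1
    return "resolved"       # correct response: the alarm disappears (T4)

def simulate(p, horizon, seed=1):
    """Discrete-event run of the total system model (Section III.D) up to `horizon` hours."""
    rng = random.Random(seed)
    res = Result()
    unresolved = 0
    events = [(rng.expovariate(1.0 / p.base_interval), "alarm"),
              (rng.expovariate(1.0 / p.lam), "misconfig")]  # exponential(λ) as in place P5
    heapq.heapify(events)
    while events:
        t, kind = heapq.heappop(events)
        if t > horizon:
            break
        if kind in ("alarm", "misconfig", "cascade"):
            unresolved += 1  # a new token in place P1
            res.raised += 1
            heapq.heappush(events, (t + p.resolve_time, "handle"))
            if kind == "alarm":  # keep the ordinary alarm stream going
                heapq.heappush(events, (t + rng.expovariate(1.0 / p.base_interval), "alarm"))
            elif kind == "misconfig":  # next attack after another exponential(λ) interval
                heapq.heappush(events, (t + rng.expovariate(1.0 / p.lam), "misconfig"))
        else:  # "handle": the operator processes one alarm (T1, then T2, T10 or T11)
            if operator_response(rng, p) == "resolved":
                unresolved -= 1
                res.resolved += 1
            else:
                res.held += 1
                if rng.random() < p.p_cascade:  # T12: a long alarm breeds a cascade alarm
                    heapq.heappush(events, (t + p.resolve_time, "cascade"))
        res.trace.append(unresolved)
    return res

if __name__ == "__main__":
    for name, params in SCENARIOS.items():
        r = simulate(params, horizon=24 * 365)
        print(name, "raised", r.raised, "resolved", r.resolved, "held", r.held, "max P1", max(r.trace))
```

held_fraction(0.8, 0.8) = 0.96 matches the paper's statement for the unresolved alarms scenario that only 20% of the remaining 20% of alarms are answered correctly.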
