Enhancing SCADA System Security
Moustapha Fall, Chris Chuvalas, Nolan Warning, Max Rabiee, and Carla Purdy
Department of Electrical Engineering and Computer Systems
University of Cincinnati
Cincinnati, OH, USA
[email protected],[email protected],[email protected],[email protected],[email protected]
Abstract- Today’s Supervisory Control and Data
Acquisition (SCADA) networks manage power grids, water
and sewer systems, automated factories, and many other
complex systems. As these systems have evolved, so have the
security challenges they face. We describe our research in
strengthening SCADA security through development of a
test bed for experimentation, formal system modeling,
efficient implementation of security protocols, and
consideration of human factors impacting system security.
Keywords: cyber-physical security, automated
manufacturing, automated resource management, SCADA
systems, human factors impacting security, trusted
systems.
I. INTRODUCTION
A typical supervisory control and data acquisition
(SCADA) network contains sensors, conversion units,
interfaces, and network communications. Sensors collect data,
which conversion units then convert into digital information.
The most common conversion units are remote terminal units
(RTUs) and programmable logic controllers (PLCs). An RTU
is a microprocessor-controlled device that interfaces with
sensors and sends data to the master unit, typically using
telemetry. A PLC is a hardened industrial computer that is
specialized for processing outputs. Interfaces can be either
software programs or human machine interfaces (HMIs) that
allow the user to interact with collected and processed data.
Common HMIs include graphical user interfaces, computer
monitors, and touchscreens. The final part of a typical
SCADA system is the communications network. This is the
method of communication between other parts in the system.
Communication networks can be broken up into two groups:
wired (Ethernet, telephone lines) or wireless (radio, cellular,
satellite). In 1993 MacDonald described the advantages of
SCADA management [1], which can include improved
efficiency and response time. Today’s SCADA networks can
perform many additional tasks, including managing
performance degradation in electrical distribution during
power outages or severe weather, smart resource allocation,
and scheduled maintenance tasks. With added AI capabilities,
SCADA networks can also manage “smart” allocation of
resources in a network such as the electrical grid, for example,
contributing to reduced use of resources and improving the
978-1-7281-8058-8/20/$31.00 ©2020 IEEE
Authorized licensed use limited to: MEHRAN UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on October 04,2021 at 17:54:51 UTC from IEEE Xplore. Restrictions apply.
environment. However, as systems become more complex,
managing system security also becomes more difficult.
Figure 1 [2] shows an example of a SCADA network.
From this figure, we can clearly see that there are
opportunities, both human and cyber, for network intrusions.
A system could be attacked through the business enterprise
network, at some vulnerable point on the shop floor,
wirelessly through an email or web link, going, for example,
to an HMI or PLC, or even through a WAN or through a side
channel attack from a van outside of a building. A famous
early example of such an intrusion was the STUXNET attack
launched on the supposedly secure air-gapped Iranian
centrifuge facility in 2007 [3], where the malicious code was
introduced via a flash drive carried into the facility. This
attack eventually infected many similar systems in other
facilities around the world. Another widely studied successful
attack is the December 2015 attack on the Ukrainian power
grid, which used multiple entry points and relied on a number
of common computer hacking tools, including some targeting
the enterprise software, as well as others targeting the SCADA
infrastructure itself. [4].
Fig. 1. Part of a SCADA network [2].
The continuing possibility of attacks on SCADA systems
managing infrastructure and manufacturing motivate our
multi-pronged approach to enhancing security for these
systems. Our approach includes developing a database of
known attacks, formal system modeling, efficient
implementation of security protocols, and research into human
factors (as described by Stewart [5]). All of these components
are critical for building secure, trustworthy SCADA systems.
In this paper we focus on the system infrastructure and the
830
 testbed we are building to enable protection of the SCADA
network itself. We outline some of the work that has been
done in this area and we describe the work in progress on our
testbed. The testbed also provides training and research
projects for our graduate and advanced undergraduate students
in the areas of security and trust for cyber-physical systems.
II. PREVIOUS WORK
In 2008 Ten et al. [2] proposed an automated probabilistic
approach that recurrently tests a SCADA system at 3 levels--
overall system, scenarios, and access points. This method,
which would be especially useful when a system is being
designed or modified, provides an assessment of security
needs but does not give specific ways to address those needs.
In 2009 Queiroz et al. [6] described a modular testbed design,
which can be configured to mimic different architectures,
protocols, and attacks, including DoS and DDoS attacks.
Their system includes a variety of devices common to
SCADA systems at that time. The testbed we are building
will be similar to this one but will include up-to-date
components and communication paths and will also consider
additional attack scenarios that are continually being
developed by today’s clever hackers. In the last few years,
many researchers have considered the issues involved in
guaranteeing security in SCADA systems. Examples of
attacks and/or method for defending against attacks are given
in [7-23]. Projects using model checking, machine learning,
and game theory are described in [24-28]. These typically try
to build in defenses as the SCADA system is developed, as
recommended for system development in general by Kocher et
al. [29]. In the system we are building we are aiming to
incorporate many of the techniques described in these earlier
papers, including design for security, use of formal system
specification, and AI techniques for detecting malicious
attacks. Unlike some of the work done previously, we are
aiming to develop general modeling and security techniques in
order to provide general defense strategies that can be applied
to any SCADA system.
III. A TESTBED FOR SCADA RESEARCH
To explain our current system we use a simple example of
a SCADA system, based on a dishwasher. Upon start up, soap
is released using a solenoid. Next water is added by opening
the hot water valve. Then the washer impeller is activated to
mix the soap with hot water. After that the rainwater valve is
opened to rinse off the dishes. Next, the drain pump is turned
off to remove all the water from the system. Finally, the
heating element is activated during the drying cycle.
Typically, a panel displays the current dishwasher status to the
user. This simple example can be turned into a SCADA
system. Sensors could be used to monitor the system, but to
keep it simple the electric outputs to the devices will be
monitored. Simple outputs include the solenoid, valves, and
heating elements that require a signal to activate. Monitoring
of these outputs is displayed as on when given a signal and off
without one. These devices can be represented by a simple
831
Authorized licensed use limited to: MEHRAN UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on October 04,2021 at 17:54:51 UTC from IEEE Xplore. Restrictions apply.
light bulb turning on and off. The water impeller and drain
pump require more than just an on or off signal. They also
need an operating frequency to control the motor’s speed. This
signal is supplied by a variable frequency drive (VFD) and is
used to control the motors. These outputs can connect to a
PLC which will manage and monitor the entire process.
What’s the purpose of creating such a small SCADA
system like this dishwasher example? The answer is testing.
SCADA systems are used in both industrial processes
(manufacturing, fabrication, refining), and infrastructure
processes (water treatment, oil and gas pipelines, power
generation and distribution). Down time in these systems can
result in profit loss, physical damage, and even loss of life.
This means that some SCADA systems have little to no down
time after installation. And, even if a system does have
downtime, that time is used for maintenance instead of
upgrading and security testing. This is where a SCADA
testbed comes in handy. A testbed is an accurate model of a
real-world process and is modular, reconfigurable, and able to
simulate a large network with few hardware devices.
Important uses for a SCADA test bed are vulnerability
assessment and penetration testing. [4] Penetration testing is
an authorized simulated cyber-attack against a computer
system to check for exploits and vulnerabilities.
In building our SCADA testbed, we broke up the
construction into several different parts to ease the learning
process along the way. First, we set up our hardware, and
installed the latest version of firmware. Specifically, we used
an Allen-Bradley 1756-A7 PLC, and an Allen-Bradley
PanelView 5310 HMI. Once both systems were up to date, we
integrated them together using Ethernet on a simple LAN
network. Next a basic program was programmed into the PLC,
using Studio 5000 Logix Designer, to demonstrate the
connection. This setup is shown in Figure 2. In this case we
used the dishwasher example from above and had the outputs
displayed on a custom HMI screen, as shown in Figure 3.
The network setup is show in Figure 4.
Fig 2. PLC/HMI Network Fig. 3. HMI Output Screen
Lockheed-Martin has created a “Cyber Kill Chain”, which
is a model to demonstrate how an intruder would attack a
system or process in the digital realm, and actions that can be
taken to prevent them. [30] The kill chain phases include
reconnaissance, weaponization, delivery, exploitation,
installation, command and control, and action on objective.
For this example we are going to execute the reconnaissance
phase. The goal of this phase is to research and identify
vulnerabilities of the target. Using Nessus Essentials by
Tenable Inc. we were able to identify important information
about the testbed we set up that could be used for further
exploitation. By default, the PLC is set up to supply the end
 user with as much information as possible. This is extremely
helpful for PLCs set up in remote locations where physical
access is limited after installation. With the default
configurations, the PLC responds to ARP request, service
scans, TCP port scans, and ping request. This provides
information like MAC address, applications running on the
PLC, and the devices operating system. In addition, from the
scan we learned that the PLC is also hosting a website that has
information about the program running, firmware version,
controller mode, controller status, and fault status, as shown in
Figure 5. This is all valuable information that could be used to
further exploit the system, either internally, through the MAC
address, or externally, through the website itself.
Fig. 4. Network diagram of final SCADA testbed setup
Fig. 5. Homepage of local server hosted by the PLC.
IV. EXAMPLE EXPERIMENTS
To access the PLCs in the system, we used Pycomm,
which is available at https://pypi.org/project/pycomm/. This
version works with Python 2.7 and has a module ab-comm
which can interface with our Allen Bradley PLCs using the
Ethernet/IP protocol.
We downloaded the Pycomm software in one laptop, we
plugged the laptop to the switch and gave it access to the local
network so that it can communicate with the PLC. This type
of connection or wireless connection is exactly how an
engineer would communicate with his PLC controller in a real
832
Authorized licensed use limited to: MEHRAN UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on October 04,2021 at 17:54:51 UTC from IEEE Xplore. Restrictions apply.
production environment. So this test is simulated what is
happening in real life. The code allows us to read and write
the state of the tag from the Allen Bradley 1756-L81ES
ControlLogix 5580 controller. This demonstrates that
someone with bad intentions could have access to this code
from the local network and could change some values inside
the code. We list some potential values that could be changed
and their impact:
• Changing a value of a motor could stop a motor from
running or start a motor that was not supposed to be
running.
• Changing the frequency value or the speed of a
variable frequency drive (VFD) could accelerate a
motor or accelerate a motor while in the middle of
production.
• Changing a value of any digital output to a zero or to
a one while the system is running can be damaging if
the initial plan was to let the system run without
changing anything.
We can now write Pycomm code to do the following:
1) Open communication to the PLC controller using the IP
address
2) Read the tag value of the word
3) Print that value
4) Write a value to the PLC tag
5) Close the connection
This will now allow us to easily create malware to cause
our dishwasher example to act incorrectly. We use the
system’s Sequencer Output (SQO) to simulate correct and
incorrect (hacked) dishwasher operation.
Correct operation: Create operation scheme for using
output matrix in sequencer--Ladder Logic Summary:
Output Labels: Solenoid (soap release), Input Valve (hot
water), Washer Impeller, Rainwater Valve, Drain Pump and
Heating Element.
a. Rung01: Timer_SQO is used and it is triggered by
the My_Control.EN bit and the Timer_SQO.DN bit.
b. Rung02: Test_Bit to Control the first SQO on
Rung03.
c. Rung04: Second SQO is being controlled by the
Timer_SQO.DN bit
d. Rung05: Both sequencer output control bits reset
e. Timer_SQO.ACCUM and Timer_SQO.PRE values
change according to what output is being triggered.
Now we can define a Data Array to properly sequence the
dishwasher activities and define the length of each:
1. Energize the soap solenoid first for four seconds
2. Energize the input valve for hot water for five minutes
3. Energize the washer impeller for twelve seconds
4. Open the rainwater valve for one second
5. Open the drain for three seconds
6. Turn on the heat for six seconds.
But it is easy for a hacker to write Pycomm code. Using
the Pycomm code, it is possible to change the event orders by
simply changing the values on the Data_Array tags, so that the
dishwasher functions are done in the wrong order, and thus the
dishwasher will not work corrrectly. This is only one simple
 example of how a hacker could disrupt the system functions.
This could be prevented by requiring authentication of
messages, e.g. Similarly, a hacker could change the VFD
speed, since the PLC will accept unauthenticated messages.
V. CONCLUSIONS
These simple examples illustrate the need for better
security in our system. Currently we are unable to implement
specific security options due to losing access to our lab during
the ongoing pandemic. Once we regain access, we will apply
one or more of the strategies outlined in the references to fix
this problem. We will also examine additional examples of
security problems in this and similar systems.
VI. FUTURE WORK
The work outlined here forms the basis for our continued
efforts to improve SCADA security. Our program for future
work includes:
• continued development of our testbed platform once lab
work is again permitted at our university;
• development of a database of SCADA attacks and methods
to prevent these attacks. Many of the papers cited in the
section on previous work provide examples that can be
included in our database;
• construction of efficient AI-based tools to detect and
protect against attacks. We will use methods similar to
those in [31] to develop these tools;
• use of formal and practical methods to model SCADA
systems and to further enhance our ability to detect and
defend against attacks. Here we will use tools such as
UML, SysML, and TLA+ [32]
• identification of strategies to reduce malicious behavior by
users of SCADA systems, starting with the methods
suggested in [26] and [32].
ACKNOWLEDGMENT: The authors would like to thank
Rockwell Automation for providing equipment and guidance
and Automation Plus for for assistance in this project.
REFERENCES
[1] J.D. McDonald, “Developing and defining basic SCADA system
concepts,” 1993 Rural Electrical Power Conference, April 1993.
[2] C.-W. Ten, C.-C. Liu. And G. Manimaran, “Vulnerability assessment of
cybersecurity for SCADA systems,”, IEEE Transactions on Power Systems
23 (4), November 2008.
[3] R. Langner, “STUXNET: discussing a cyberwarfare weapon,” IEEE
Security and Privacy 9 (3), May-June 2011.
[4] ICS-CERT, Cyber-Attack Against Ukrainian Critical Infrastructure (IR-
ALERT-H-16-056-01), 2016.
[5] A. Stewart, The Community Defense Approach: A Human Approach to
Cybersecurity for Industrial and Manufacturing Systems, M.S. Thesis,
University of Cincinnati, 2019.
[6] C. Queiroz, A. Mahmood, J. Hu, Z. Tari, and X. Yu, “Building a SCADA
security testbed,”, Third IEEE International Conference on Network and
Systems Security, 2009.
[7] G.P.H. Sandaruwan, P.S. Ranaweera, and V.A. Oleschuk, “PLC security
and critical infrastructure protection,” Eighth IEEE International conference
on Industrial and Information Systems, December 2013.
[8] Y. Wang, J. Liu, C. Yang, L. Zhou, S. Li,, And A. Xu, “Access control
attacks on PLC vulnerabilities,” Journal of Computers and Communications
6, pp. 311-325, Nov. 2018.
833
Authorized licensed use limited to: MEHRAN UNIV OF ENGINEERING AND TECHNOLOGY. Downloaded on October 04,2021 at 17:54:51 UTC from IEEE Xplore. Restrictions apply.
[9] Z. El Mrabet, N. Kaabouch, H. El Ghazi, and H. El Ghazi, “Cyber-
security in smart grid: Survey and challenges,” 2018.
[10] A. Ghaleb, S. Zhioua, and A. Almulhem, “On PLC network security,”
Int. J. Crit. Infrastruct. Prot., vol. 22, pp. 62–69, 2018.
[11] T. Alves and T. Morris, “OpenPLC: An IEC 61,131–3 compliant open
source industrial controller for cyber security research,” Comput. Secur. vol.
78, pp. 364–379, 2018.
[12] E. N. Ylmaz, B. Ciylan, S. Gönen, E. Sindiren, and G. Karacayilmaz,
“Cyber security in industrial control systems: Analysis of DoS attacks against
PLCs and the insider effect,” Proc. 6th Int. Istanbul Smart Grids Cities
Congr. Fair, ICSG 2018, pp. 81–85, 2018.
[13] J. Stranahan, T. Soni, and V. Heydari, “Supervisory control and data
acquisition testbed for research and education,” 9th Annual CCWC, 2019.
[14] R. L and P. Satyanarayana, “Vulnerability analysis and enhancement of
security of communication protocol in industrial control systems,” HELIX
vol. 9, no. 4, pp. 5122–5127, Aug. 2019.
[15] H. Hui, P. Maynard, and K. McLaughlin, “ICS interaction testbed: a
platform for cyber-physical security research,” 6th International Symposium
for ICS & SCADA Cyber Security Research, 2019.
[16] H. Lan, X. Zhu, J. Sun, and S. Li, “Traffic data classification to detect
man-in-the-middle attacks in industrial control system,” 6th Int. Conference
on Dependable Systems and Their Applications (DSA), 2020, pp. 430–434.
[17] A. A. Letichevsky, O. O. Letychevskyi, V. G. Skobelev, and V. A.
Volkov, “Finger printing for cyber-physical systems,” Cybern. Syst. Anal. vol.
53, no. 6, pp. 821–834, 2017.
[18]S. Adepu, N. K. Kandasamy, and A. Mathur, “EPIC: An electric power
testbed for research and training in cyber physical systems security’”,
Computer Security, 2018, Springer.
[19] J. M. Hamamreh, H. M. Furqan, and H. Arslan, “Classifications and
applications of physical layer security techniques for confidentiality: a
comprehensive survey,” IEEE Commun. Surv. Tutorials, vol. 21, no. 2, pp.
1773–1828, Apr. 2019.
[20] R. Negi, P. Kumar, S. Ghosh, S. K. Shukla, and A. Gahlot,
“Vulnerability assessment and mitigation for industrial critical infrastructures
with cyber physical test bed,” Proceedings 2019 IEEE International
Conference on Industrial Cyber Physical Systems, (ICPS 2019), pp. 145–152.
[21] Y. Li, W. Huo, R. Qiu, and J. Zeng, “Efficient detection of false data
injection attack with invertible automatic encoder and long-short-term
memory,” IET Cyber-Physical Syst. Theory Appl 5 (1), pp. 110–118, M2020.
[22] J.-M. Lee and S. Hong, “Keeping host sanity for security of the SCADA
systems,” IEEE Access, March 2020.
[23] A. Bichmou, J. Chiocca, L. Hrnandez, R.W. Hoffmann, B. Horsham, H.
Lam, V. McKinsey, and S Bibyk, “Physical cybersecurity of SCADA
systems,” IEEE NAECON, 2019.
[24] R. Shrestha, H. Mehrpouyan, and D. Xu, “Model checking of security
properties in industrial control systems (ICS),” Proc. 8th ACM Conf. Data
Appl. Secur. Priv., pp. 164–166, 2018.
[25] T. Alves, R. Das, and T. Morris, “Embedding encryption and machine
learning intrusion prevention systems on programmable logic controllers,”
IEEE Embed. Syst. Lett., vol. 10, no. 3, pp. 99–102, 2018.
[26] H. Zhang, S. Merz, and M. Gu, “Specifying and verifying PLC systems
with TLA +:A case study,” Comput. Math. with Appl. 60, pp. 695–705, 2010.
[27] L. Reuter, O. Jung, and J. Magin, “Neural network based anomaly
detection for SCADA systems,” 23rd Conf. Innov. Clouds, Internet Networks,
pp. 194–201, 2020.
[28] T. Zheng, Q. Hong, L. Xi, S. Yizheng, and D. Jie, “A security defense
model for SCADA system based on game theory,” ICMTMA 020.
[29] P. Kocher, R. Lee, G. Mcgraw, and A. Raghunathan, “Security as a new
dimension in embedded system design,” Proc. 41st Annual Design Automation
Conference, June 2004, pp. 753-76.
[30] E.M. Hutchins, M.J. Cloppert, and R.M. Amin, “Intelligence-driven
computer network defense informed by analysis of adversary campaigns and
intrusion kill chains”, Lockheed Martin Corporation, 2011.
[31]K. Al Rawashdeh, Toward a Hardware-Assisted Online Intrusion
Detection system Based on Deep Learning Algorithms for Resource-Limited
Embedded Systems, Ph.D. Dissertation, University of Cincinnati, 2018.
[32] N. Obeidat and C. Purdy, “Modeling a smart school building system
using UML and TLA+,” 3rd Internatioa Conference on Information and
Computer Technologies, 2020.