Aerospace and Electronic Systems Magazine May 2017 - 34

Security of SCADA Systems against Cyber-Physical Attacks
three categories [35]: cyber attacks on the supervisory control
layer, cyber attacks on the communication network, and physical
attacks on the technical (physical) processes.

Cyber Attacks on a Control Center

According to previous analysis, there are three main backdoors for the attacker to enter the control center:

Attack point A1: Modern SCADA systems use Web-based applications to be flexible in terms of their management. However, Web-based applications have drawbacks, especially in terms of cyber security. An attacker can gain unauthorized access to the control center through these applications.

Attack point A2: A disgruntled employee of a company plugs a universal serial bus (USB) key containing a virus into a computer in the corporate network. The virus can break through misconfigured firewalls between the business network and the SCADA network and take control of system operation. For example, powerful computer worms such as Stuxnet or Flame are able to bypass a traditional intrusion detection system (IDS) designed for software efficiency as opposed to robustness and security.

Attack point A3: In some scenarios, a USB key containing malicious software can be plugged directly into a computer of the control center. Once in the network, the malware can propagate and work its mischief.

The control center hosts the SCADA server, the communication
server, the builder server, the diagnostic server, the database server,
the human-machine interface, and the application server. Because
these servers are critical to system operation, an attack on a single
element could cause severe consequences.

Cyber Attacks on a Communication Network
The attackers could begin their malevolent activities through the
following vulnerable points on the automatic control layer and the
communication network (see also [35]):
Attack points A4-A6: By exploiting the vulnerabilities of communication protocols such as Modbus, DNP3, Ethernet/IP, or wireless-based protocols, the attacker can get access to communication channels between the control center and the substations (i.e., attack point A4). Once this channel has been breached, the intruder may introduce fake control commands to the MTUs, send back false data to the control center, or even jam the communication channels by launching a DoS attack. An attack on the communication links between the MTUs and the PLCs or RTUs (i.e., attack points A5 and A6) can be carried out in the same manner.

Attack points A7 and A8: To be flexible in maintenance and update services, modern SCADA systems support communication links between field devices and vendor networks (i.e., attack point A7) or local terminals (i.e., attack point A8). This flexibility leaves a backdoor for malicious hackers to take control of field devices. An attack has been carried out successfully by the vendor network, causing real physical damage [45].

Attack points A9 and A10: Communication between local controllers (e.g., RTUs or PLCs) and field devices (e.g., actuators or sensors) is sometimes implemented by nonsecure technologies (e.g., wireless, satellite, or radio). As a result, the control signals sent from the controllers to the actuators (i.e., attack point A9) and the feedback signals transmitted from the sensors to the controllers (i.e., attack point A10) are susceptible to cyber attack. These vulnerabilities may be exploited for designing coordinated attacks, causing catastrophic damage.

Physical Attacks on Technical Processes
Because of their geographic dispersal, it is difficult to protect
SCADA systems from physical attacks (i.e., attack point A0),
such as severing a communication cable or directly compromising
a sensor or actuator. Sometimes, malicious adversaries integrate
both physical and cyber activities into a coordinated attack to cause
even greater damage.

CLASSIFICATION BY ATTACK TYPES
Cyber attacks on SCADA systems can be broadly classified into two types [6], [7]: DoS attacks and integrity attacks. DoS attacks are attempts to disrupt, temporarily or indefinitely, the exchange of data among entities in the network, for instance, by jamming communication channels or compromising routing protocols [6]. Integrity attacks compromise the integrity of data packets, and they are performed by altering the behavior of actuators and sensors or by breaking into the communication channels between the physical layer and the control center [7]. Integrity attacks can be subdivided into simple integrity attacks and stealthy integrity attacks.
Let zk and zk be, respectively, signals sent from a transmitter
and targeted signals arriving at a receiver. The targeted signals may
be different from the sourced signals (i.e., zk ≠ zk) because of malicious attacks. Let also τa = [k0, k0 + L − 1] be the attack period,
where k0 is an unknown attack instant and L is an unknown attack
duration.

DoS Attacks
Over the last few years, research has studied the negative impact
of DoS attacks on NCSs. For example, the authors in [66] studied
robust feedback control design against DoS attacks, and the impact
of random packet drops on controller and estimator performance
was investigated in [67] and [68].
The first mathematical model of DoS attacks was proposed in [58], where the targeted signals $\tilde{z}_k$ are considered zero if the sourced signals $z_k$ do not arrive at the receiver. Such an attack strategy can be modeled as follows:

$$\tilde{z}_k = \begin{cases} z_k & \text{if } k \notin \tau_a \\ 0 & \text{if } k \in \tau_a \end{cases}. \qquad (1)$$
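Added example (not from the article): the DoS model (1) applied to a constructed scalar plant, comparing an observer that consumes the zeroed samples with one that applies no correction when a packet did not arrive. The plant, the observer gain, the attack window, and the assumption that the receiver can tell a missing packet from a genuine zero reading are all illustrative assumptions.

```python
"""Added example: DoS model (1) on a constructed scalar process."""

A, U = 0.9, 1.0  # constructed plant: x_{k+1} = A*x_k + U (assumed values)

def dos_channel(z, k0, L):
    """Model (1): deliver z_k outside tau_a = [k0, k0+L-1], zero inside it.

    Returns the received sequence and a per-sample arrival flag."""
    tau_a = range(k0, k0 + L)
    received = [0.0 if k in tau_a else zk for k, zk in enumerate(z)]
    arrived = [k not in tau_a for k in range(len(z))]
    return received, arrived

def simulate_plant(n, x0=5.0):
    """State trajectory of the plant; the sensor reports z_k = x_k."""
    x = [x0]
    for _ in range(n - 1):
        x.append(A * x[-1] + U)
    return x

def observe(received, arrived, gain=0.5, skip_missing=False):
    """Luenberger observer fed by the channel output.

    skip_missing=False trusts every sample, including the zeros of model (1).
    skip_missing=True applies no correction when the packet did not arrive."""
    xhat, estimates = 0.0, []
    for zk, ok in zip(received, arrived):
        if ok or not skip_missing:
            xhat += gain * (zk - xhat)  # measurement correction
        estimates.append(xhat)
        xhat = A * xhat + U             # prediction for the next step
    return estimates

def max_error_during_attack(n=60, k0=30, L=10):
    """Worst estimation error inside tau_a for (naive, holding) observers."""
    x = simulate_plant(n)
    received, arrived = dos_channel(x, k0, L)
    naive = observe(received, arrived, skip_missing=False)
    holding = observe(received, arrived, skip_missing=True)
    window = range(k0, k0 + L)
    worst = lambda est: max(abs(est[k] - x[k]) for k in window)
    return worst(naive), worst(holding)

if __name__ == "__main__":
    print(max_error_during_attack())
```

With these constructed values the naive observer is dragged toward zero for the whole attack period, while the observer that holds its prediction stays on the true state.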


