Detecting Cyber Intrusion in SCADA System

Detecting Cyber Intrusion in SCADA System

How to recognize intrusion?

Scada intrusion prevention

Scada intrusion prevention

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a ‘‘backdoor’’) that will allow the intruder to easily gain access at a future time.

If no obvious damage was done at the time of the intrusion, it can be very difficult to detect that the software has been modified.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  1. Communications attempted from unauthorized or unusual addresses and
  2. An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.

Photo by Cryptango - securing industrial communications

Photo by Cryptango - securing industrial communications


Unfortunately, there is no easy definition of what kinds of activity should be classified as unusual and investigated further.

To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion.

In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few.

Users will soon learn to ignore the output of an IDS that announces too many spurious events.

(There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.)

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA=SA environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.

Summary

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy. Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  1. Preventing intrusions from occurring, and
  2. Recovering from them when they occur.

Resource: Electric Power Substations Engineering – J. D. McDonald (Get it from Amazon)


About Author //

author-pic

Edvard Csanyi

Edvard - Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV high power busbar trunking (<6300A) in power substations, buildings and industry fascilities. Designing of LV/MV switchgears. Professional in AutoCAD programming and web-design. Present on



3 Comments


  1. akraps
    Apr 09, 2013

    Hello, great article. In the sentence: ‘intrusion selection systems (IDS).’ – should it not be ‘detection’? Cheers.

  2. [...] Responding to Cyber Intrusion in SCADA System Continued from technical article: Detecting Cyber Intrusion in SCADA System The Three R’s As Response [...]

Leave a Comment

Tell us what you're thinking... we care about your opinion!
and oh, not to forget - if you want a picture to show with your comment, go get a free Gravatar!


2 − two =

FOLLOW EEP!

Subscribe to Weekly Download Updates:
(free electrical software, spreadsheets and EE guides)

EEP's Android Application
Electrical Engineering Daily Dose
Daily dose of knowledge and news from
Electrical Engineering World
Get
PDF