Menu
Search
Responding to Cyber Intrusion in SCADA System
Responding to Cyber Intrusion in SCADA System

Continued from technical article: Detecting Cyber Intrusion in SCADA System


The Three R’s As Response

The “three R’s” of the response to cyber intrusion are:

  1. Recording,
  2. Reporting, and
  3. Restoring.

Theoretically, it would be desirable to record all data communications into and out of all substation devices.

In that manner, if an intruder successfully attacks the system, the recordings could be used to determine what technique the intruder used, in order to modify the system and close that particular vulnerability. Secondly, the recording would be invaluable in trying to identify the intruder.

In addition, if the recording is made in a way that is demonstrably inalterable, then it may be admissible as evidence in court if the intruder is apprehended.

Alstom and Cisco to Develop Secure Digital Substation Automation Solution
Alstom and Cisco to Develop Secure Digital Substation Automation Solution

However, due to the high frequency of SCADA communications, the low cost of substation communications equipment, and the fact that the substations are distant from corporate security staff, it may be impractical to record all communications.

Yes, but…

In practice, although theoretically desirable, system owners will probably defer any attempts to record substation data communications until:

  1. Storage media are developed that are fast, voluminous, and inexpensive or
  2. SCADA-oriented IDSs are developed, which can filter out the non-suspicious usual traffic and record only the deviant patterns.

But even if the communications sequence responsible for an intrusion is neither detected nor recorded when it occurs, nevertheless it is essential that procedures be developed for the restoration of service after a cyber attack.

It is extremely important that the utility maintain backups of the software of all programmable substation units and documentation regarding the standard parameters and settings of all IEDs (Intrusion Detection Systems). These backups and documentation should be maintained in a secure storage, not normally accessible to the staffs who work at the substation.

It would appear advisable that these backups be kept in a location other than the substation itself to lower the amount of damage that could be done by a malicious insider.

Simatic WinCC Scada V6 and V11
Simatic WinCC Scada V6 and V11 with equipment such as motor, pump, VFD, valve, auto-manual station, and etc.

After the utility concludes that a particular programmable device has been compromised (indeed, if it just suspects a successful intrusion), the software should be reloaded from the secure backup.

If the settings on an IED had been illicitly changed, the original settings must be restored.

Unless the nature of the breach of security is known and can be repaired, the utility should seriously consider taking the device off-line or otherwise making it inaccessible to prevent a future exploitation of the same vulnerability.

Resource: Electric Power Substations Engineering – J. D. McDonald (Get it from Amazon)

About Author //

author-pic

Edvard Csanyi

Edvard - Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV high power busbar trunking (<6300A) in power substations, buildings and industry fascilities. Designing of LV/MV switchgears.Professional in AutoCAD programming and web-design.Present on

Leave a Comment

Tell us what you're thinking... we care about your opinion!


Get PDF