How to recognize intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

Detecting Cyber Intrusion in SCADA System

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a “backdoor”) that will allow the intruder to easily gain access at a future time.

SCADA intrusion prevention

If no obvious damage was done at the time of the intrusion, it can be very difficult to detect that the software has been modified.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  1. Communications attempted from unauthorized or unusual addresses and
  2. An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.

Photo by Cryptango - securing industrial communications

Unfortunately, there is no easy definition of what kinds of activity should be classified as unusual and investigated further. To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion.

In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few. Users will soon learn to ignore the output of an IDS that announces too many spurious events.
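The two detection factors listed above, applied to constructed connection records, as an added example that is not part of the original article. The address plan, baseline counts, threshold `k` and record format are assumptions for illustration; alerts are aggregated per source so the output stays short enough to review.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed policy: only this network may talk to the substation computer.
AUTHORIZED = [ip_network("10.20.0.0/28")]

# Constructed baseline: requests per hour seen earlier from each authorized source.
BASELINE = {
    "10.20.0.2": [58, 61, 60, 59, 62],  # HMI polling roughly once a minute
    "10.20.0.3": [4, 5, 3, 4, 4],       # engineering workstation, occasional use
}

# Constructed records for one hour: (minute, source address, operation).
RECORDS = (
    [(m, "10.20.0.2", "read") for m in range(60)]
    + [(m, "10.20.0.3", "write") for m in range(40)]
    + [(m, "192.0.2.77", "login") for m in (7, 8, 9)]
)


def detect(records, authorized=AUTHORIZED, baseline=BASELINE, k=3.0):
    """Return one alert per source: (source, reason, events in the hour)."""
    counts = defaultdict(int)
    for _minute, src, _op in records:
        counts[src] += 1

    alerts = []
    for src, n in sorted(counts.items()):
        # Factor 1: communication attempted from an unauthorized address.
        if not any(ip_address(src) in net for net in authorized):
            alerts.append((src, "unauthorized-address", n))
            continue
        history = baseline.get(src)
        if not history:
            alerts.append((src, "no-baseline", n))
            continue
        # Factor 2: activity far from this source's own history, high or low.
        # The spread is floored at 1.0 so a very steady source does not
        # raise an alert on a one-request change (fewer false alarms).
        spread = max(pstdev(history), 1.0)
        if abs(n - mean(history)) > k * spread:
            alerts.append((src, "unusual-activity", n))
    return alerts


if __name__ == "__main__":
    for alert in detect(RECORDS):
        print(alert)
```

The 103 raw records reduce to two alerts; raising or lowering `k` is the tuning step that trades missed events against spurious ones.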

(There are, however, outside organizations that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.)

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA/SA environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.


Summary

In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy. Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  1. Preventing intrusions from occurring, and
  2. Recovering from them when they occur.

Resource: Electric Power Substations Engineering – J. D. McDonald

© EEP-Electrical Engineering Portal.

Edvard Csanyi

Hi, I'm an electrical engineer, programmer and founder of EEP - Electrical Engineering Portal. I worked twelve years at Schneider Electric in the position of technical support for low- and medium-voltage projects and the design of busbar trunking systems.

I'm highly specialized in the design of LV/MV switchgear and low-voltage, high-power busbar trunking (<6300A) in substations, commercial buildings and industry facilities. I'm also a professional in AutoCAD programming.

3 Comments


  1. Zark Bedalov
    Nov 29, 2019

    Hi Edvard,
    I like the image of SCADA in this article, the first one from the top.
    My name is Zark Bedalov, electrical engineer. We seem to be in a similar business.
    I was requested by Wiley (publisher) to write an engineering book.
    The book is called Practical Power Plant Engineering in 26 chapters. It is supposed to be published early 2020.
    Chapter 17 Plant Automation and Networking briefly mentions SCADA.
    I was wondering if you would let me reproduce the above SCADA image for my book. The image would be referenced in the chapter references with your name and also under the illustration.
    The book is intended for students and young engineers.
    I’d like to hear from you soon.
    Greetings and Thank you.
    Zark


  2. akraps
    Apr 09, 2013

    Hello, great article. In the sentence: ‘intrusion selection systems (IDS).’ – should it not be ‘detection’? Cheers.


    • Edvard
      Apr 09, 2013

      Thanks for the sharp eye Akraps!!
