Premium Membership ♕

Limited Time Offer: Save 15% on Pro Plan with discount coupon: MX15. Study specialized LV/MV/HV technical articles and studies.

Home / Technical Articles / Detecting Cyber Intrusion in SCADA System

How to recognize intrusion?

One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur. One of the axioms of cyber security is that although it is extremely important to try to prevent intrusions into one’s systems and databases, it is essential that intrusions be detected if they do occur.

Detecting Cyber Intrusion in SCADA System
Detecting Cyber Intrusion in SCADA System

An intruder who gains control of a substation computer can modify the computer code or insert a new program. The new software can be programmed to quietly gather data (possibly including the log-on passwords of legitimate users) and send the data to the intruder at a later time.

It can be programmed to operate power system devices at some future time or upon the recognition of a future event. It can set up a mechanism (sometimes called a “backdoor”) that will allow the intruder to easily gain access at a future time.

Scada intrusion prevention
Scada intrusion prevention

If no obvious damage was done at the time of the intrusion, it can be very difficult to detect that the software has been modified.

For example, if the goal of the intrusion was to gain unauthorized access to utility data, the fact that another party is reading confidential data may never be noticed. Even when the intrusion does result in damage (e.g., intentionally opening a circuit breaker on a critical circuit), it may not be at all obvious that the false operation was due to a security breach rather than some other failure (e.g., a voltage transient, a relay failure, or a software bug).

For these reasons, it is important to strive to detect intrusions when they occur. To this end, a number of IT security system manufacturers have developed intrusion detection systems (IDS).

These systems are designed to recognize intrusions based on a variety of factors, including primarily:

  1. Communications attempted from unauthorized or unusual addresses and
  2. An unusual pattern of activity.

They generate logs of suspicious events. The owners of the systems then have to inspect the logs manually and determine which represent true intrusions and which are false alarms.

Photo by Cryptango - securing industrial communications
Photo by Cryptango – securing industrial communications

Unfortunately, there is no easy definition of what kinds of activity should be classified as unusual and investigated further. To make the situation more difficult, hackers have learned to disguise their network probes so they do not arouse suspicion.

In addition, it should be recognized that there is as much a danger of having too many events flagged as suspicious as having too few. Users will soon learn to ignore the output of an IDS that announces too many spurious events.

(There are outside organizations however that offer the service of studying the output of IDSs and reporting the results to the owner. They will also help the system owner to tune the parameters of the IDS and to incorporate stronger protective features in the network to be safeguarded.)

Making matters more difficult, most IDSs have been developed for corporate networks with publicly accessible internet services. More research is necessary to investigate what would constitute unusual activity in a SCADA=SA environment.

In general, SA and other control systems do not have logging functions to identify who is attempting to obtain access to these systems. Efforts are underway in the commercial arena and with the National Laboratories to develop intrusion detection capabilities for control systems.


In summary, the art of detecting intrusions into substation control and diagnostic systems is still in its infancy. Until dependable automatic tools are developed, system owners will have to place their major efforts in two areas:

  1. Preventing intrusions from occurring, and
  2. Recovering from them when they occur.

Resource: Electric Power Substations Engineering – J. D. McDonald (Get it from Amazon)

Premium Membership

Get access to premium HV/MV/LV technical articles, electrical engineering guides, research studies and much more! It helps you to shape up your technical skills in your everyday life as an electrical engineer.
More Information

Edvard Csanyi

Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV/MV switchgears and LV high power busbar trunking (<6300A) in power substations, commercial buildings and industry facilities. Professional in AutoCAD programming.


  1. Zark Bedalov
    Nov 29, 2019

    Hi Edvard,
    I like the image of SCADA in this article, the first one from the top.
    My name is Zark Bedalov., electrical engineer. We seem to be in a similar business.
    I was requested by Wiley ( Publisher) to write an engineering book.
    The book is called Practical Power Plant Engineering on 26 chapters. It is supposed to be published early 2020.
    Chapter 17 Plant Automation and Networking briefly mentions SCADA.
    I was wondering if you would let me reproduce the above SCADA image for my book. The image would be referenced in the chapter references with your name and also under the illustration.
    The book is intended for students and young engineers.
    I’d like to hear from you soon.
    Greetings and Thank you.

  2. akraps
    Apr 09, 2013

    Hello, great article. In the sentence: ‘intrusion selection systems (IDS).’ – should it not be ‘detection’? Cheers.

    • Edvard
      Apr 09, 2013

      Thanks for the sharp eye Akraps!!

Leave a Comment

Tell us what you're thinking. We care about your opinion! Please keep in mind that comments are moderated and rel="nofollow" is in use. So, please do not use a spammy keyword or a domain as your name, or it will be deleted. Let's have a professional and meaningful conversation instead. Thanks for dropping by!

twenty two  −    =  eighteen

Learn How to Design Power Systems

Learn to design LV/MV/HV power systems through professional video courses. Lifetime access. Enjoy learning!

Subscribe to Weekly Newsletter

Subscribe to our Weekly Digest newsletter and receive free updates on new technical articles, video courses and guides (PDF).
EEP Academy Courses - A hand crafted cutting-edge electrical engineering knowledge