Responding to Cyber Intrusion in SCADA System

Continued from technical article: Detecting Cyber Intrusion in SCADA System


The Three R’s of Response

The “three R’s” of the response to cyber intrusion are:

  1. Recording,
  2. Reporting, and
  3. Restoring.

Theoretically, it would be desirable to record all data communications into and out of all substation devices.

If an intruder did succeed in attacking the system, the recordings could then be used to determine the technique the intruder used, so that the system could be modified to close that particular vulnerability. The recordings would also be invaluable in trying to identify the intruder.

In addition, if the recording is made in a way that is demonstrably inalterable, then it may be admissible as evidence in court if the intruder is apprehended.

Alstom and Cisco to Develop Secure Digital Substation Automation Solution

However, due to the high frequency of SCADA communications, the low cost of substation communications equipment, and the fact that the substations are distant from corporate security staff, it may be impractical to record all communications.

Yes, but…

In practice, system owners will probably defer any attempt to record substation data communications, however desirable in theory, until:

  1. Storage media are developed that are fast, voluminous, and inexpensive or
  2. SCADA-oriented IDSs are developed, which can filter out the non-suspicious usual traffic and record only the deviant patterns.
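The two ideas above, a SCADA-oriented filter that records only the deviant patterns and a recording that is demonstrably inalterable, can be combined in a small tool. The following is an added example, not code from the original article or from any vendor product: the "usual" traffic is described by an allowlist of client/server/function/register combinations observed during normal operation (the device names, function names and register numbers below are constructed for the example), only requests outside that allowlist are written to the record, and each record entry is chained to the previous one with SHA-256 so that later alteration, removal or reordering of entries is detectable.

```python
"""Allowlist-based SCADA traffic filter with a tamper-evident record of deviations.

Added example (not from the article). Device names, function names and register
numbers are invented; a real deployment would learn the allowlist from traffic
captured during known-good operation of the substation.
"""
import hashlib
import json

# Constructed allowlist: (client, server, function) -> permitted register ranges.
BASELINE = {
    ("scada-master", "feeder-ied-1", "read_holding"): [(0, 99)],
    ("scada-master", "feeder-ied-1", "write_single"): [(40, 41)],
    ("scada-master", "feeder-ied-2", "read_holding"): [(0, 99)],
}

# Constructed traffic sample: one dict per observed request.
TRAFFIC = [
    {"ts": 1, "src": "scada-master", "dst": "feeder-ied-1", "fc": "read_holding", "reg": 10},
    {"ts": 2, "src": "scada-master", "dst": "feeder-ied-1", "fc": "write_single", "reg": 40},
    {"ts": 3, "src": "scada-master", "dst": "feeder-ied-2", "fc": "read_holding", "reg": 55},
    {"ts": 4, "src": "laptop-17", "dst": "feeder-ied-1", "fc": "read_holding", "reg": 10},
    {"ts": 5, "src": "scada-master", "dst": "feeder-ied-1", "fc": "write_single", "reg": 200},
    {"ts": 6, "src": "scada-master", "dst": "feeder-ied-2", "fc": "write_single", "reg": 40},
]


def classify(req, baseline):
    """Return None if the request matches the baseline, otherwise a short reason."""
    key = (req["src"], req["dst"], req["fc"])
    ranges = baseline.get(key)
    if ranges is None:
        # Distinguish an unknown peer from a known peer using an unusual function.
        pair_known = any(k[0] == req["src"] and k[1] == req["dst"] for k in baseline)
        return "unusual function for known pair" if pair_known else "unknown client/server pair"
    if not any(lo <= req["reg"] <= hi for lo, hi in ranges):
        return "register outside permitted range"
    return None


def chain_entry(prev_hash, record):
    """Digest of the previous entry's hash plus the canonical JSON of this record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


GENESIS = "0" * 64  # fixed starting value for the hash chain


def filter_and_record(traffic, baseline=BASELINE):
    """Keep only deviant requests and return them as hash-chained log entries."""
    log = []
    prev = GENESIS
    for req in traffic:
        reason = classify(req, baseline)
        if reason is None:
            continue  # usual traffic is not recorded
        record = dict(req, reason=reason)
        digest = chain_entry(prev, record)
        log.append({"record": record, "prev": prev, "hash": digest})
        prev = digest
    return log


def verify_chain(log):
    """Recompute every link; an edited, dropped or reordered entry breaks the chain."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or chain_entry(prev, entry["record"]) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    recorded = filter_and_record(TRAFFIC)
    for entry in recorded:
        print(entry["record"]["ts"], entry["record"]["reason"], entry["hash"][:16])
    print("chain intact:", verify_chain(recorded))
```

Of the six constructed requests, only three are recorded: the read from an unknown client, the write to a register outside the permitted range, and a write function never seen for that server. The chain makes the record self-verifying, but it only proves integrity relative to the last hash; to be "demonstrably inalterable" the latest digest still has to be copied periodically to storage the substation staff cannot reach.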

Even if the communications sequence responsible for an intrusion is neither detected nor recorded when it occurs, it is nevertheless essential that procedures be developed for restoring service after a cyber attack.

It is extremely important that the utility maintain backups of the software of all programmable substation units, together with documentation of the standard parameters and settings of all IEDs (Intelligent Electronic Devices). These backups and documentation should be kept in secure storage that is not normally accessible to the staff who work at the substation.

It would appear advisable to keep these backups in a location other than the substation itself, to limit the damage a malicious insider could do.

Simatic WinCC Scada V6 and V11 with equipment such as motor, pump, VFD, valve, auto-manual station, etc.

After the utility concludes that a particular programmable device has been compromised (indeed, if it just suspects a successful intrusion), the software should be reloaded from the secure backup.

If the settings on an IED had been illicitly changed, the original settings must be restored.
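The restoration steps just described (reload from a secure backup, restore the original IED settings) assume the backup itself is still trustworthy. The following is an added example, not code from the original article: the golden settings for each IED are stored with a SHA-256 manifest kept apart from the backup, the backup is checked against the manifest before anything is pushed to a device, and the live settings are then diffed against the verified golden copy to produce the list of settings to restore. Device names, setting names and values are constructed for the example.

```python
"""Verify a secured IED settings backup and compute what must be restored.

Added example (not from the article). Device and setting names are invented;
the manifest is meant to live in a different store from the backup it covers.
"""
import hashlib
import json

# Constructed golden (documented) settings for two feeder relays.
GOLDEN = {
    "feeder-ied-1": {"firmware": "4.2.1", "oc_pickup_A": 600, "oc_delay_s": 0.30, "reclose_enabled": True},
    "feeder-ied-2": {"firmware": "4.2.1", "oc_pickup_A": 450, "oc_delay_s": 0.25, "reclose_enabled": False},
}

# Constructed live readings: feeder-ied-1 no longer matches its documented settings.
LIVE = {
    "feeder-ied-1": {"firmware": "4.2.1", "oc_pickup_A": 900, "oc_delay_s": 0.30, "reclose_enabled": False},
    "feeder-ied-2": {"firmware": "4.2.1", "oc_pickup_A": 450, "oc_delay_s": 0.25, "reclose_enabled": False},
}


def canonical(obj):
    """Deterministic JSON encoding so equal settings always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(golden):
    """One digest per device, computed at backup time and stored apart from the backup."""
    return {dev: hashlib.sha256(canonical(cfg)).hexdigest() for dev, cfg in golden.items()}


def verify_backup(golden, manifest):
    """Return the devices whose backup no longer matches its recorded digest."""
    return [dev for dev, cfg in golden.items()
            if manifest.get(dev) != hashlib.sha256(canonical(cfg)).hexdigest()]


def restoration_plan(live, golden):
    """Per device, the settings that differ from golden as {setting: (live, golden)}."""
    plan = {}
    for dev, ref in golden.items():
        cur = live.get(dev, {})
        diffs = {k: (cur.get(k), v) for k, v in ref.items() if cur.get(k) != v}
        if diffs:
            plan[dev] = diffs
    return plan


def respond(live, golden, manifest):
    """Refuse to restore from a backup that fails verification; otherwise return the plan."""
    bad = verify_backup(golden, manifest)
    if bad:
        raise ValueError(f"backup integrity failure for: {bad}")
    return restoration_plan(live, golden)


if __name__ == "__main__":
    manifest = build_manifest(GOLDEN)  # normally created when the backup is taken
    for dev, diffs in respond(LIVE, GOLDEN, manifest).items():
        for setting, (current, wanted) in diffs.items():
            print(f"{dev}: restore {setting} from {current!r} to {wanted!r}")
```

The plan is a list of settings to push back, not a blind overwrite: a device whose live settings already equal the golden copy is left alone, and a device whose backup has been altered is reported instead of being "restored" from a bad copy. A real tool would read LIVE from the relays and GOLDEN from the off-site store; both are embedded here so the example runs offline.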

Unless the nature of the breach of security is known and can be repaired, the utility should seriously consider taking the device off-line or otherwise making it inaccessible to prevent a future exploitation of the same vulnerability.

Resource: Electric Power Substations Engineering – J. D. McDonald

Edvard Csanyi

Electrical engineer, programmer and founder of EEP. Highly specialized for design of LV/MV switchgears and LV high power busbar trunking (<6300A) in power substations, commercial buildings and industry facilities. Professional in AutoCAD programming.