Security Issues in SCADA based Industrial Control Systems

Bijoy Babu1, Thafasal Ijyas2, Muneer. P2, Justin Varghese3
1 Department of Computer Engineering, King Khalid University, Saudi Arabia
2 Department of Electrical Engineering, King Khalid University, Saudi Arabia
3 Department of Computer Science, King Khalid University, Saudi Arabia
bbabu@kku.edu.sa, ithafasal@kku.edu.sa, mparayangat@kku.edu.sa, justin_var@yahoo.com

Abstract: Ongoing research and developments in modern information and communication technologies have revolutionized the design of industrial control systems (ICS). There is a major domain transition from traditional electromechanical systems to network based digital systems, which has created a powerful interface between state-of-the-art computing technologies/paradigms and the physical processes sought to be controlled. ICS play a critical role in the industrial and manufacturing sector. Major infrastructures like petrochemical industries, waste water treatment facilities, nuclear power plants, pharmaceuticals, food and beverage industries etc. cannot run properly without ICS. Real-time processing, reliability and advanced distributed intelligence are some of the core characteristics of ICS, incorporated with the help of state-of-the-art internet communication and computing technologies. The complex embedded coupling of hardware and software components such as actuators, sensors and the physical processes are all monitored and manipulated by communication and network protocol based controllers like supervisory control and data acquisition (SCADA) systems, programmable logic controllers (PLC), distributed control systems (DCS) etc. The integration of these technologies makes access to ICS from the external world much easier. On the other hand, it has also led to many critical cyber-security issues. These issues are of such a nature that they may sometimes pose a serious threat to the safety of humans and the environment as well. Unless managed properly, they can also have adverse implications for the national economy, in terms of production losses. In this paper, we attempt to give a comprehensive review of the unique aspects of cyber-security issues in ICS. Specifically, we delve into the issues of security assessment and architectural reviewing of ICS. We also give a brief survey of different threats and attacks on ICS.

Keywords: Industrial Control; Cyber-attacks; SCADA

978-1-5090-5814-3/17/$31.00 2017 IEEE

I. INTRODUCTION

Current industrial control systems (ICS) are the result of augmenting ordinary electromechanical physical systems with several state-of-the-art information technology and telecommunication features [1]. This has led to the emergence of 'smart trends' like smart buildings, smart transportation systems, smart production lines etc. ICS is a generic term for many control system configurations and architectures like distributed control systems (DCS), supervisory control and data acquisition systems (SCADA), programmable logic controllers (PLC), industrial automation and control systems (IACS) etc. In ICS, the combined activities of all the physical control elements (electromechanical, hydraulic, pneumatic) result in the accomplishment of diverse industrial goals [2]. A typical ICS comprises remote troubleshooting facilities, maintenance tools, a human machine interface (HMI), and various control loop configurations. All these are designed to work with standard network protocols. The critical nature of ICS, together with the accompanying networking and communication features, demands the deployment of adequate security mechanisms [4].

SCADA based control systems make use of a centralized data acquisition mechanism to supervise field targets which are distributed unevenly. The integration of precise data acquisition, data transmission and HMI software aids provides monitoring and centralized control over numerous physical processes in the field, which in fact makes SCADA systems the most popular choice among the ICS configurations. SCADA systems are widely used in waste water treatment plants, petrochemical pipelines, electrical transmission lines and public transportation systems including railways [6-9].

II. SECURITY CONCERNS IN INDUSTRIAL CONTROL SYSTEMS

An ICS may be characterized by many different types of security issues. The operation of an ICS requires the transfer of critical data over the internet. Here, we encounter many issues. One is the capability of legacy control systems to deal with the sophisticated cyber threats of our times [3]. Many of the systems have been developed and installed without giving adequate consideration to these recent security issues. Also, it is difficult to incorporate the necessary security mechanisms in these systems. To characterize the security model for a SCADA-based ICS it is necessary to first identify the different types of security threats that are relevant to such systems. One important characteristic of cyber attacks in general is that the techniques of attack become more sophisticated with the proliferation of the systems connected to a network. For example, collaborative attack models based on botnets, worms, advanced persistent threats (APT) etc. have become lethal now. This scenario is important for ICS as well. Recent studies reveal that there are over one million ICS/SCADA systems connected to the internet with unique IP addresses. It is said that this figure is rising every day by 2000 to 8000 new systems [5]. This has created a significant pool against which sophisticated attacks can be built.

Metadata based search engines like Shodan and its various clones have demonstrated the capability to easily detect and connect to critical control systems. This has brought to light the serious vulnerabilities of such systems. Shodan specifically focuses on SCADA systems. Botnets are also a serious alternative route to hack ICS [6]. The crux of the problem is that many of the communication protocols used in ICS do not require authentication.

III. ICS - AN OVERVIEW

Fig. 1. ICS Operation Layout

Table 1 shows the world percentage of different types of ICS components. The major share is contributed by SCADA/HMI based systems, followed by the PLC and hardware based systems.

TABLE 1. ICS COMPONENTS DISTRIBUTION PERCENTAGE

TYPE         GLOBAL PERCENTAGE
SCADA/HMI    31
SCADA        12
PLC          27
HMI          27
HARDWARE      3

A typical layout of an ICS system is depicted in figure 1. The system has many components like control system loops, remote station monitoring & maintenance tools, and machine interfaces. These are all built around specific network protocols over layered network architectures. The process variables are manipulated by the ICS using transducers/sensors, programmable logic controllers, actuators etc. [3]. The sensors measure the input physical quantities and then give the corresponding outputs in terms of electrical or nonelectrical quantities. This data is sent as control variables to the controller. Upon receiving this data, the controller makes use of a process algorithm and set-points to generate the manipulated variables, which are then transmitted to the actuators. Actuators consist of various control valves, motors, switches etc. The process is controlled by making use of these components. The process control is implemented based on the instructions from the controller. The control personnel interact through the human machine interfaces (HMI) to monitor and adjust the set-points and to set the controller parameters. The HMI has the additional task of logging and displaying the process status data. The troubleshooting and maintenance mechanisms are there for prevention, identification of, and recovery from system malfunctioning and system failures.

In figure 2, we have given the physical layer architecture of an ICS system. This architecture of an ICS network consists of seven layers that are used mainly to define the security controls and patterns in the system. ICS can no longer be considered as stand-alone, independent, self-made systems with application-specific hardware and software embedded parts. Rather, they have evolved into networked multilevel systems running technical, enterprise and business applications. In order to boost remote terminal accessibility and industrial connectivity, ICS have adopted many advanced communication and information technology solutions.

Fig. 2. ICS Physical Layer Architecture

Layer 1 comprises end terminal devices like data acquisition modules, programmable logic controllers (PLC), sensors, line protection devices etc. Layer 2 interfaces the layer 1 devices to field terminal units (FTU).
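Section II observes that many ICS protocols do not require authentication, and Section III describes the HMI sending set-point adjustments to the controller. As an added example (not code from the paper), the following Python sketch overlays message authentication and replay protection on such a command; the frame layout, the HMAC-SHA256 key, the SETPOINT payload and the function names are all assumptions, and the verifier checks the length field before it touches the payload so a malformed frame is rejected rather than read past its bounds.

```python
import hmac
import hashlib
import struct

# Constructed shared key for this example only; a real deployment would
# provision a per-device key from a key store rather than hard-code it.
SHARED_KEY = b"example-hmi-to-plc-key-not-for-production"
HEADER = struct.Struct("!IH")            # sequence number (4 B), payload length (2 B)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag

def build_frame(seq: int, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMI side: header(seq, len) | payload | HMAC-SHA256(header + payload).
    The sequence number sits under the tag, so it cannot be edited to replay."""
    header = HEADER.pack(seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class FrameVerifier:
    """Controller side: check bounds, then authenticity, then freshness."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = -1   # highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (accepted, reason, payload-or-None) for one received frame."""
        # Bounds checks come before any slicing, so a truncated or oversized
        # frame is rejected instead of being read past its declared length.
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "truncated frame", None
        seq, length = HEADER.unpack_from(frame, 0)
        if len(frame) != HEADER.size + length + TAG_LEN:
            return False, "length field does not match frame size", None
        body = frame[:HEADER.size + length]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(frame[HEADER.size + length:], expected):
            return False, "bad authentication tag", None   # constant-time compare
        if seq <= self.last_seq:
            return False, "replayed or stale sequence number", None
        self.last_seq = seq
        return True, "ok", frame[HEADER.size:HEADER.size + length]

def demo():
    """Feed a genuine, a tampered, a replayed and a forged frame to one verifier."""
    plc = FrameVerifier()
    genuine = build_frame(1, b"SETPOINT valve_7 42.0")
    tampered = bytearray(genuine)
    tampered[HEADER.size + 18] ^= 0x01                 # flip one payload byte
    forged = build_frame(2, b"SETPOINT valve_7 99.0", key=b"wrong-key")
    return [
        plc.verify(genuine)[0],                          # True
        plc.verify(bytes(tampered))[0],                  # False: tag mismatch
        plc.verify(genuine)[0],                          # False: replay of seq 1
        plc.verify(forged)[0],                           # False: unknown key
        plc.verify(build_frame(2, b"SETPOINT valve_7 43.5"))[0],  # True
    ]
```

Encrypting the payload (for instance with IPsec ESP, as Section VI.D suggests) can be layered on top; the tag is what lets the controller tell a genuine HMI command from a spoofed one.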
IV. VULNERABILITIES IN ICS

As mentioned earlier, ICS are affected by many vulnerabilities. The types of vulnerabilities have increased drastically during recent years, from 1997 in 2010 to 189 in 2015 [7]. The increase in the vulnerabilities is plotted in figure 3.

Fig. 3. ICS cyber-attacks by year
(Source: ICS-CERT Report-2016)

This drastic increase is due to two important reasons:

i. The hectic research activity by security experts and hackers to determine and patch up the potential vulnerabilities in industrial control systems.

ii. The increase in the number of ICS with TCP/IP connectivity, as mentioned earlier.

Now we will examine some important types of vulnerabilities that may affect an ICS, especially SCADA-based systems.

Memory overflow is an important issue in SCADA systems. When the data overruns the allocated memory space, it will corrupt other data and program sections. This is a high-risk flaw. Overflow can be created by a malicious agent through a denial-of-service (DoS) attack. This is possible due to the lack of authentication in ordinary TCP/IP connections. A remote attacker can bypass the hard-coded cryptographic keys [10-12]. This is also a high-risk vulnerability.

Another threat is through malware scripts injected by an attacker in the code of the client websites. An attacker can also masquerade as a client with a genuine request. Legacy ICS in general do not have a mechanism to verify the authenticity of such requests. Since data is transmitted as clear text, sensitive information can be sniffed. This is all the more severe due to the lack of proper encryption techniques. The human-machine interfaces (HMI) in ICS are vulnerable to password stealing also. SQL injection is another prominent threat, in which attacker data is injected to corrupt query strings and variables used in SQL commands. All these attacks are reported by major ICS vendors, as shown in figure 4.

Fig. 4. Threats vs. Vendors (2015)
(Source: ICS-CERT Report-2015)

V. CHALLENGES IN SCADA SECURITY

A general layout of a SCADA system is shown in figure 4. The control center comprises the control server, routers, HMI, data archiving server and control work stations. The data from the remote field instruments are collected by the control center and presented to the HMI [14]. The control center initiates the required actions based on the detected events. Field sites are connected to the control center by means of a WAN or dial-up modem connection. Field sites have control mechanisms for actuators and have the capability to capture information from the sensors/transducers in the required format.

The connection between the SCADA and the remote terminal units (RTUs) is established by different means, e.g. wired, wireless RF and even satellite communication systems. Sensors as well as actuators, which are commonly referred to as RTUs, play vital roles in gathering the physical information and feeding it to the master controller like PLCs and other controllers.

Fig. 5. SCADA - General system schematics
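Section IV lists SQL injection against query strings and variables, and Section VI.C attributes it to client inputs that are not properly filtered. The following is an added example, not code from the paper or any SCADA product: a constructed in-memory operator table (via Python's sqlite3) stands in for an HMI's account store, and the string-concatenation lookup is shown beside its parameterized form plus a character-set filter on the username; the table, the row values and the injected input are all constructed for the example.

```python
import re
import sqlite3

# Usernames an HMI should accept: a short, explicit character set. Anything
# else is refused before it gets anywhere near a query (input filtering).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(username: str) -> bool:
    return USERNAME_RE.fullmatch(username) is not None

def setup_hmi_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for an HMI's operator-account table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO operators VALUES (?, ?, ?)",
        [("opr1", "hash-of-opr1-pw", "operator"),
         ("admin", "hash-of-admin-pw", "supervisor")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Flawed pattern: client input pasted straight into the query string,
    so quote characters in the input become part of the SQL."""
    query = f"SELECT username, role FROM operators WHERE username = '{username}'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: the driver binds the value separately from the SQL text,
    so the same input is compared literally and matches nothing."""
    return conn.execute(
        "SELECT username, role FROM operators WHERE username = ?", (username,)
    ).fetchall()

# Constructed malicious input of the kind the paper describes: it closes the
# string literal and appends a condition that is always true.
INJECTED_INPUT = "' OR '1'='1"

def demo() -> dict:
    """Run the same inputs through both lookups and the filter."""
    conn = setup_hmi_db()
    return {
        "vulnerable": lookup_vulnerable(conn, INJECTED_INPUT),       # every account leaks
        "parameterized": lookup_parameterized(conn, INJECTED_INPUT), # []
        "filtered": is_valid_username(INJECTED_INPUT),               # False
        "honest": lookup_parameterized(conn, "opr1"),                # [("opr1", "operator")]
    }
```

The filter and the parameterized query are independent layers: the query stays safe even for inputs the filter admits, and the filter stops malformed input before it reaches any query at all.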
Attacks on a SCADA system can be conducted in many ways. The network connections between the control center and the field sites are potential locations for attacks. Critical information can be spoofed, sniffed or modified by attackers [15]. As mentioned earlier, the communication protocols used do not have any authentication mechanism in general. Security has to be overlaid as specific implementations on these protocols.

Fig. 6. Different topologies of SCADA system

There are many SCADA communication topologies, viz., point-to-point, series, series-star, and multi-drop [5]. These are shown in Figure 6. The point-to-point topology, though simplest in its functionality and commonly used, is not economically viable due to the requirement of individual channels for each connection. The number of channels is significantly less in the series topology. However, the efficiency of the system is compromised due to the sharing of channels. Series-star and multi-drop configurations employ one channel for each connected device. This increases the overall complexity of the system.

The functionality of these topologies will have to be augmented with dedicated components for managing communication, message switching and buffering tasks. In large systems, the primary server will be assisted by sub-servers in controlling the operation of the numerous RTUs.

We will go into the specific threats faced by SCADA systems in the following section.

VI. MAJOR THREATS TO SCADA SYSTEMS

A. Zero Day Vulnerabilities: The term zero day implies that the developer does not get enough time to develop and deploy a patch to overcome the flaw. Before that, an attacker exploits the flaw and/or creates and deploys malware to attack the SCADA system. There are many zero-day flaws that may affect a SCADA system. Stack overflow is one of them. This attack can occur on the field devices as well as the servers. The stack buffer in the memory can be corrupted by a malicious player, leading to injection of dangerous executable code into the running program and thus usurping the control of the industrial process. The WellinTech KingView 6.53 HistorySvr vulnerability reported in China is a well-known example. Zero day attacks can also occur in the form of DoS attacks that overload computer resources.

B. Non-prioritization of Tasks: This is a serious flaw in many industrial control real-time operating systems. For example, in embedded operating systems like VxWorks there is no prioritization of tasks. Memory sharing between the equally privileged tasks leads to serious security issues. The ability to create an OEP (Object Entry Point) in the kernel domain is a feature of VxWorks, which can lead to loopholes in security. Non-kernel tasks may be protected from overflows using guard pages. However, typically the guard pages are of small size in many implementations and thus do not provide stringent protection.

C. Database Injection: Database injection also exploits the vulnerabilities in a SCADA system. Harmful query statements can be created when the client inputs are not properly filtered. This is widely reported for SQL-based databases. Similar attacks are possible for the widely deployed MongoDB systems also. In SQL injection, the attacker sends a command to the SQL server through the web server and attempts to reveal critical authentication information.

D. Communication Protocol Issues: Even though the recent developments in encryption and authentication are at par with the sophisticated cyber-attacks and threats encountered, they are not adopted in an adequate manner in ICS and SCADA, as is done in the case of the general client-server secure communication scenario. This is due to many reasons, the major one being that during the development and installation of these legacy systems, security was not a major concern. Hence communication protocols did not give sufficient importance to authentication. This does not mean that authentication and encryption methods cannot be used with these systems.

It should be noted that encryption is effective only in an authenticated communication between entities. For secure TCP/IP communication, the Internet Protocol Security (IPsec) framework can be employed. It will help create a secure channel of communication for industrial systems as well. IPsec uses two protocols for authentication and encryption: Encapsulating Security Payload (ESP) and Authentication Header (AH). APT attacks can be effectively dealt with using protocols like Syslog that keep security logs, which provide a means for detecting stealthy attempts to gather information prior to building sophisticated attacks by malicious players.

CONCLUSIONS

In this study, we have analyzed the security vulnerabilities of industrial control systems in general with a special emphasis on SCADA systems. An attempt has been made to highlight the recent security risks. The different categories of threats are listed. The study will provide a necessary background to delineate the threats/risks associated with the communication protocols used in SCADA systems. Through an overlay of additional digital security mechanisms and techniques, it is possible to achieve competent security in ICS and SCADA systems.

REFERENCES

[1] M. Cheminod, L. Durante, A. Valenzano, "Review of Security Issues in Industrial Networks," IEEE Trans. Ind. Informatics, vol. 9, February 2013, pp. 277-293.
[2] D. Dzung, M. Naedele, T. P. von Hoff, and M. Crevatin, "Security for Industrial control systems," Proc. IEEE, vol. 93, no. 6, Jun. 2015, pp. 1152-1177.
[3] ICS-CERT year in review 2015, 2015. [Online]. Available: https://ics-cert.us-cert.gov/sites/default/files/Annual Reports Year in Review FY2015 Final.pdf
[4] R. J. Robles and M.-K. Choi, "Assessment of the vulnerabilities of SCADA, control systems and critical infrastructure systems," Int. J. Grid Distrib. Comput., vol. 2, no. 2, March 2009, pp. 27-34.
[5] J. D. Fernandez and A. E. Fernandez, "SCADA systems: Vulnerabilities and remediation," J. Comput. Sci. Colleges Arch., vol. 20, no. 4, Apr. 2005, pp. 160-168.
[6] Y. Cherdantseva et al., "A review of cyber security risk assessment methods for SCADA systems," Comput. Secur., vol. 56, Feb. 2015, pp. 1-27.
[7] S. Hong and M. Lee, "Challenges and Direction toward Secure Communication in the SCADA System," in 2010 8th Annual Communication Networks and Services Research Conference. IEEE, 2010, pp. 381-386.
[8] A. M. Grilo, J. Chen, M. Diaz, D. Garrido, and A. Casaca, "An Integrated WSAN and SCADA System for Monitoring a Critical Infrastructure," IEEE Transactions on Industrial Informatics, vol. 10, no. 3, Aug 2014, pp. 1755-1764.
[9] R. Johnson, "Survey of SCADA security challenges and potential attack vectors," in Internet Technology and Secured Transactions (ICITST), 2010 International Conference for, 2010, pp. 1-5.
[10] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, "A testbed for secure and robust SCADA systems," ACM SIGBED Review, vol. 5, no. 2, pp. 1-4, July 2008.
[11] Kaspersky, "Cyberthreats to ICS systems," 2016. [Online]. Available: http://media.kaspersky.com/en/business-security/critical-infrastructure-protection/Cyber_A4_Leaflet_eng_web.pdf
[12] N. Leall, "Lessons from an insider attack on SCADA systems," 2009. [Online]. Available: http://blogs.cisco.com/security
[13] K. Stouffer, J. Falco, and K. Scarfone, "Guide to Industrial Control Systems (ICS) Security," NIST SP 800-82, 2008.
[14] S. A. Boyer, "SCADA: Supervisory Control and Data Acquisition," International Society of Automation, 2009.
[15] B. Miller and D. Rowe, "A Survey of SCADA and Critical Infrastructure Incidents," in Proceedings of the 1st Annual Conference on Research in Information Technology - RIIT '12. New York, New York, USA: ACM Press, 2012, p. 51.
