Cyber Security in Industrial Control Systems

This document analyzes denial of service (DoS) attacks against programmable logic controllers (PLCs), which are important components of industrial control systems (ICS). It discusses the security vulnerabilities of PLCs and ICS protocols. It also describes a test environment used to implement DoS attack scenarios against real PLC hardware to evaluate the impacts and obtain patterns of the attacks.


Cyber Security in Industrial Control Systems: Analysis of DoS Attacks against PLCs and the Insider Effect

Ercan Nurcan Yılmaz, Bünyamin Ciylan (Gazi University, Faculty of Technology, Ankara, Turkey)
Serkan Gönen, Erhan Sindiren (Gazi University, Institute of Natural and Applied Sciences, Ankara, Turkey)
Gökçe Karacayılmaz (Gazi University, Institute of Informatics, Ankara, Turkey)

Abstract—Industrial Control Systems (ICS) are vital for countries' smart grids and critical infrastructures. In addition to advantages such as controlling and monitoring geographically distributed structures and increasing productivity and efficiency, ICS have brought some security problems, and specific solutions need to be produced for these security issues. The most important information security component for ICS is availability, and the most devastating threat to this component is the Denial of Service (DoS) attack. For this reason, DoS attacks carried out on Programmable Logic Controllers (PLC), an important component of ICS, have been analyzed in this paper. In the test environment where the attack scenarios were implemented, real PLC devices were used in order to obtain the most accurate results. The destructive effects of insiders, particularly in bypassing the system security measures and in the discovery phase of cyber attacks against ICS, are also emphasized in the paper.

Index Terms-- Denial of service, industrial control systems, insider attacks, PLC security, vulnerability analysis.

I. INTRODUCTION

Industrial Control Systems (ICS) are used in the management and maintenance of critical infrastructures that are usually geographically distributed, such as gas, water, production, transportation and power distribution systems. Most ICS consist of several sub-components, such as the Programmable Logic Controller (PLC), Human Machine Interface (HMI), Master Terminal Unit (MTU) and Remote Terminal Unit (RTU) [1]. In old-generation ICS, private internal networks independent from external networks were used for the communication of these components. In order to control and monitor geographically distributed structures and to increase productivity and efficiency, Internet or intranet connectivity became required in ICS [2-4]. Along with this process, new vulnerabilities that could not be identified beforehand have emerged. These vulnerabilities are:

• Generally using open system source codes,
• Permitting remote access (VPN, etc.),
• Beyond security, ICS have a design that primarily focuses on the effectiveness of the system, such as critical timing needs, tight performance definitions and task priorities,
• Not using the security systems that should protect ICS from other networks, or from threats that may arise from the network, because of commercial concerns,
• Not controlling the privileged accounts of authorized IT staff,
• Not changing default usernames and passwords and therefore leaving backdoors,
• Using communication protocols developed for commercial purposes, in which security is not considered at all or is rarely handled [5].

ICS are responsible for controlling and monitoring many critical infrastructures. For this reason, security vulnerabilities in ICS make these systems potential targets for attackers: through vulnerabilities in the systems under control, the entire infrastructure can become a target. If attackers deactivate these systems, the result may be not only economic harm but also citizens being unable to receive important services [6]. Thus, it is crucial to analyze in depth and reveal the existing vulnerabilities of the components (PLC, HMI, RTU, MTU, etc.) and protocols (Modbus, Profinet, DNP3, etc.) used in ICS [7]. Only then will it be possible to take precautions against these vulnerabilities and prevent them from being exploited again by attackers [8-10].

Vulnerabilities in ICS can allow intruders to infiltrate the network, gain access to control software and cause undesired damage by changing the operating conditions of the system. DoS attacks are a type of attack that is eventually noticed by the victims. However, it is important to detect these attacks as soon as possible, without hampering the use of services or creating a flood impact [11]. While DoS attacks often seem less dangerous than other attacks, in some cases they can become more dangerous for ICS and for the critical infrastructures these systems manage. For example, by preventing the gate of a dam from being closed in an emergency, or by disabling the systems that control temperature, as in a nuclear power plant, a denial of service attack can lead to major disasters.

ICS are an integral component of the production and control process, and the management of the majority of modern infrastructures is based on these systems. However, when they are evaluated in terms of cyber security, it is seen that PLCs, which are important components of ICS, have an architecture open to external networks and especially to Internet-based constructions. Despite the security breaches in ICS, until recently there was not enough interest and study in the scientific area of the security of PLC-managed automation systems. Only after the detection of the Stuxnet malware in 2010 did research to identify security vulnerabilities in PLC-based systems begin to attract the interest of PLC suppliers and users. Subsequent malware findings such as DuQu, Flame / sKyWIper, Night Dragon, Shamoon, Havex and Sandworm / BlackEnergy 2 also indicate an increasing tendency toward critical infrastructure attacks. Despite these

978-1-5386-4478-2/18/$31.00 ©2018 IEEE


2018 6th International Istanbul Smart Grids and Cities Congress and Fair (ICSG) 81
events, security awareness of ICS environments is still not a top priority in many institutions [12], because the security objectives for ICS are prioritized as accessibility, integrity and confidentiality, respectively [13,14].

In this context, a test environment (testbed) was established to determine how the security precautions of the PLC, a significant component of ICS, can be bypassed by exploiting the security vulnerabilities of hybrid ICS protocols (Profinet-TCP/IP, etc.). In the test environment, the vulnerabilities of PLCs were evaluated through Denial of Service (DoS) attacks. Subsequently, the attack packets were captured and analyzed in order to obtain the patterns of the attacks. Furthermore, the importance of managing privileged accounts in cyber attacks against ICS and the effects of insiders holding these accounts were discussed. In this respect, the aim is to rescue ICS from attacks with minimal damage and to prevent similar attacks.

Some of the studies on the security of ICS have focused on analysis based on simulation systems [14-17]. The weakest points of simulation-based studies are the difficulty of accurately projecting the real system and the possibility that the analyses may not give the same results on the real system. Another part of the studies carried out within the scope of ICS security focuses on confidentiality [18,19]. The solutions proposed there are usually based on cryptographic techniques. However, given that today's ICS networks cover hundreds of installations with millions of pieces of equipment, the difficulty of implementing these solutions in practice can be better understood.

II. TESTBED

In the majority of research on the security of ICS, no implementation has been done on a real system. Thus, this study focuses on detecting the vulnerabilities of the PLC device and the TIA Portal application and on identifying solution proposals by carrying out a security analysis on a testbed in which a real control system is involved.

Figure 1. DoS attack reconnaissance, attack and detection steps for PLCs

As shown in Fig. 1, the analysis of the DoS attack carried out on the PLC and TIA Portal applications consists of three phases. In the first phase, attacks were carried out and the effects on the system were evaluated. The second phase is the observation phase, which is based on the analysis of the packets captured as a result of the attacks. In the last phase, the aim was to create patterns related to the attack for intrusion detection systems, so that similar attacks can be detected.

The testbed consisted of one S7-1200 (firmware 2.2) PLC, one management computer on which remote command and control of the PLC was performed with the TIA Portal management software, and a personal computer with the Kali Linux operating system for implementing the attacks. A separate computer with SmoothSec installed was used to detect the attacks. DoS attacks were carried out on the PLC and the TIA Portal application in the network topology shown in Fig. 2, using the Hping, SmoothSec IDS and Wireshark tools.

Figure 2. Testbed network topology

III. DENIAL OF SERVICE ATTACK (DOS)

One of the important threats to ICS is the Denial of Service attack. The aim of a Denial of Service attack is to block the system from accessing authorized resources or to prevent these resources from being used in their intended manner [20,21].

Figure 3. DoS attack reconnaissance, attack and detection phases

In the analysis of the attack, the denial of service attack was carried out first, and the changes in the system were examined. Subsequently, the rule sets created by analyzing the captured attack packets according to the phases indicated in Fig. 3 were entered into the Snort-based rule library. Detecting the attacks, the ultimate goal, was achieved through these rules.

PLC protocols respond to all query packets from any IP / MAC address or node, and this is another important vulnerability of PLCs. It was determined that a DoS attack can be carried out successfully even from a different network, as long as the IP address of the target is known, because a DoS attack is a directly IP-oriented attack. Any port scanning tool, such as Nmap, can be used to detect the IP address of a PLC. In this respect, the DoS attack was carried out against the PROFINET port (102), which is the port most used by PLC devices for network communication.

The Hping program was used for the DoS attack, and as long as the attack continued, the ping response time of the PLC device increased considerably. When the DoS attack was stopped, the ping response time was measured as 1212 ms, as shown in Fig. 4.

Figure 4. DoS attack effects on PLC

The DoS attack was also carried out against the TIA Portal control computer. As long as the attack continued, the ping response time increased from about 2 ms to 5280 ms. Additionally, all of the control buttons of the TIA Portal became inactive, and the PLC could not be controlled via the TIA Portal, as shown in Fig. 5.

Figure 5. TIA Portal management screen after DoS attack

The DoS attack packets directed at the PLC were detected as medium-severity spam, as shown in Fig. 6.

Figure 6. Event packets detected after DoS attack

Although the attack was carried out with only a few attacker computers, it was observed that the network became ineffective. According to the delay standard IEEE 1646-2004 for substation automation communication, high-speed messages must be transmitted within 2 ms to 10 ms [22]. In this context, considering the need for an instant reaction from the PLC, the latency that a DoS attack introduces into the network traffic of control systems may lead to significant problems. It is easy to detect the IP address of the attacker when a DoS attack is carried out from a single source. However, it is more difficult to detect DoS attacks coming from different IP addresses through IP spoofing. Thus, attackers use IP spoofing to hide their IP addresses and use bogon IP addresses, as in the attack scenario handled in this paper (Fig. 7).

Figure 7. Source IP addresses of DDoS attack packets

When the rule information of a listed event shown in Fig. 6 is examined, it can be understood that the event packets are the distributed denial of service (DDoS) attack packets described in Fig. 8.

Figure 8. The signature acquired after DoS attack
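The detection phase described in this section (a packet flood toward the PLC's TCP port 102, spoofed bogon source addresses, and the resulting IDS signature) can be illustrated with a small rate-and-source detector. The following Python is an added example, not code from the paper or its testbed: it runs over constructed per-packet records, and the record format, the packet-rate threshold and the sample addresses are assumptions.

```python
"""Added example: detector for the TCP/102 flood pattern seen in the testbed.

Input records are constructed here (not taken from the paper's captures) and
have the form "<epoch_seconds> <src_ip> <dst_ip> <dst_port>", one per packet.
For every second in which packets to the PLC's PROFINET/S7 port exceed a
packet-rate threshold, an alert lists the count and any source addresses
that fall in bogon ranges. Threshold and addresses are assumptions.
"""
from collections import defaultdict
import ipaddress

PLC_PORT = 102  # ISO-TSAP port used by S7 PLCs for engineering/HMI traffic

# Ranges that should never be a packet source arriving from outside the plant
# network: private, shared, loopback, link-local, documentation, multicast,
# reserved. These are the "bogon" sources reported for the spoofed flood.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(src_ip, local_net):
    """True if src_ip lies in a bogon range and is not a host on the plant's
    own subnet (local_net): RFC 1918 addresses are legitimate inside the ICS
    LAN, so only foreign private/reserved sources count as spoofed."""
    addr = ipaddress.ip_address(src_ip)
    if addr in ipaddress.ip_network(local_net):
        return False
    return any(addr in net for net in BOGON_NETS)


def parse_record(line):
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)


def detect_flood(records, plc_ip, local_net, pps_threshold=100):
    """Return one alert per second whose packet count to plc_ip:PLC_PORT
    exceeds pps_threshold, as (second, packet_count, sorted bogon sources)."""
    count = defaultdict(int)
    bogons = defaultdict(set)
    for line in records:
        ts, src, dst, dport = parse_record(line)
        if dst != plc_ip or dport != PLC_PORT:
            continue  # only traffic aimed at the PLC's S7 port is of interest
        sec = int(ts)
        count[sec] += 1
        if is_bogon(src, local_net):
            bogons[sec].add(src)
    return [(sec, count[sec], sorted(bogons[sec]))
            for sec in sorted(count) if count[sec] > pps_threshold]


def sample_records():
    """Constructed capture: two seconds of normal TIA Portal polling from the
    management host, then one second of a flood with spoofed 10.x sources."""
    plc, mgmt = "192.168.1.10", "192.168.1.20"   # assumed testbed addresses
    recs = [f"{1000 + i / 10:.3f} {mgmt} {plc} {PLC_PORT}" for i in range(20)]
    for i in range(300):
        spoofed = f"10.{i % 7}.{i % 13}.{i % 251 + 1}"
        recs.append(f"{1002 + i / 300:.4f} {spoofed} {plc} {PLC_PORT}")
    return recs


if __name__ == "__main__":
    alerts = detect_flood(sample_records(), "192.168.1.10", "192.168.1.0/24")
    for sec, n, srcs in alerts:
        print(f"ALERT t={sec}: {n} packets to TCP/{PLC_PORT}, "
              f"{len(srcs)} distinct bogon sources, first {srcs[:3]}")
```

The normal polling seconds stay below the threshold, while the flood second is reported together with its spoofed sources; the same per-second count and source check is what a Snort threshold rule on the PLC port would encode.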

IV. ANALYSIS RESULT

In the vulnerability analysis, DoS attacks were carried out on the PLC, one of the most important components of ICS, and the results of the attacks indicated that PLCs are vulnerable to these attacks.

The detection phase of the attack analysis has shown that the precautions needed against possible attacks can be taken by continuously monitoring the PLC communication traffic. Although signature-based prevention systems (antivirus, IPS, etc.) are believed to have great success against known cyber attacks, they are not effective enough against the new malicious payloads emerging every second, especially zero-day vulnerabilities. For this reason, adjusting network traffic norms and thresholds through continuous monitoring makes it possible to build attack patterns that alert network administrators and security experts. Thus, it becomes possible to prevent malicious packets from infiltrating and harming the system, while ensuring that legitimate packets are neither delayed nor blocked, in keeping with the continuity requirement of ICS.

When the phases of the attacks in the testbed are examined, it is understood that knowledge of the network topology and determination of the target are vital factors for implementing successful attacks. However, if the attacker is an insider within the organization with privileged authorization over ICS systems, the success rate and destructive effects of the attack will increase. For this reason, it is very important to monitor the operations performed on ICS by employees with privileged authorization and to regulate their authority.

V. INSIDER EFFECTS AND SOLUTION SUGGESTIONS

Some studies investigating the causes of information security threats suggest that careless or malicious personnel with access authorization are more hazardous and destructive than hackers, malicious software and faulty hardware [23,24]. Other studies estimate that the abuse of privileged accounts poses a high risk during insider attacks and that this kind of attack will increase in the coming period [25,26]. Such risks are also prevalent for ICS, and if the necessary security measures are not taken against the insider threat, the effects on ICS will be much more devastating, because detecting and preventing an attack is very difficult when an insider has knowledge of the network topology and components of the ICS.

Protection from insider attacks requires specific solutions. However, when organizations' cyber security solutions are examined, it appears that most of them focus on external threats [27]. Security solutions for internal and external threats should not be considered separately; on the contrary, they should be carried out in an integrated manner [28]. In order to prevent internal threats, not only technological solutions but also human factors should be evaluated.

In addition to ordinary user accounts, ICS also have administrator accounts owned by IT staff with privileged authorization within the system. These accounts are mostly used for the management, maintenance and repair of systems. One of the intermediate goals of attackers in reaching their ultimate goal is the privileged accounts and their passwords used in the system. The seizure of one of these accounts' passwords by attackers can cause the whole system to be seized.

The Maroochy Water Services breach, one of the attacks on ICS implemented by insiders, stemmed from the fact that the user account of a dismissed employee was not removed from the authorized accounts [29]. The Ukrainian power grid attack also stemmed from careless and untrained users: attackers gained privileged accounts from these users, causing about 225,000 people to be affected. Stuxnet is one of the most well-known targeted attacks carried out on ICS. Although it is not known exactly how this attack was carried out, the majority of researchers think that the attackers got help from an insider in carrying out such a complicated attack. The main reason for this opinion is that the ICS targeted by the attack had an air-gapped structure isolated from the outside [30].

The control and management of privileged accounts, one of the most important causes of ICS attacks, is an important information security issue that needs to be assessed. Many measures and procedures have been proposed by researchers to solve this problem. Although the objectives of the solutions proposed by researchers are the same, they involve different approaches [31-34].

A control mechanism should be developed on the basis of the issues discussed above to prevent the exploitation of privileged accounts during insider attacks. The developed control mechanism should involve:

• Preventing unauthorized access to components of the ICS
• Increasing ICS resistance to password attacks
• Training staff and expanding their awareness of cyber security
• Regulating access control to ICS components
• Keeping logs to follow up the transactions performed by authorized personnel
• Clearly defining the limits of responsibility within the ICS
• Ensuring that organizational managers are included in the IT security process.

Figure 9. The position of the control mechanism within ICS

The control mechanism to be established in accordance with the specified points should run integrated with the ICS. The control mechanism must be located between the ICS and the authorized personnel as an additional layer of security in accessing the components of the ICS infrastructure (Fig. 9).

VI. CONCLUSION

Many critical infrastructures managed by ICS do not have adequate security assessment against cyber attacks. These critical systems can face many threats unless the security vulnerabilities of the ICS are determined and the necessary measures are taken to overcome them.

In this context, critical ICS components need to be monitored in real time so that ICS, which significantly affect our social lives, can survive potential cyber threats with minimal damage and can be reactivated as soon as possible. As a result of the analysis, it has been seen that detection-based solutions, including continuous quality monitoring and behavior-based testing, are more effective than prevention-based security measures, because of the new malware emerging every second. Furthermore, organizations with critical infrastructure should develop and implement a control mechanism for staff with privileged authority over ICS and for other employees in order to prevent insider attacks. The operations on ICS of all employees who are likely to become insiders should be monitored and recorded. It should not be forgotten that attacks aimed at ICS may be carried out not only from outside but also by trusted staff with privileged accounts.

REFERENCES

[1] H. Farhangi, "The path of the smart grid," IEEE Power and Energy Magazine, vol. 8, no. 1, pp. 18-28, Dec. 2010.
[2] P. Motta Pires and L. H. G. Oliveira, "Security Aspects of SCADA and Corporate Network Interconnection: An Overview," in Proc. 2006 Int. Conf. on Dependability of Computer Systems, pp. 127-134.
[3] V. M. Igure, S. A. Laughter, and R. D. Williams, "Security issues in SCADA networks," Computers & Security, vol. 25, no. 7, pp. 498-506, Oct. 2006.
[4] M. Hentea, "Improving Security for SCADA Control Systems," Interdisciplinary Journal of Information, Knowledge, and Management, vol. 3, pp. 73-86, 2008.
[5] S. Rautmare, "SCADA system security: Challenges and recommendations," in Proc. 2011 Annual IEEE India Conf., pp. 1-4.
[6] S. Clements and H. Kirkham, "Cyber-security considerations for the smart grid," in Proc. 2010 IEEE PES General Meeting, pp. 1-5.
[7] R. E. Johnson, "Survey of SCADA security challenges and potential attack vectors," in Proc. 2010 Int. Conf. for Internet Technology and Secured Transactions, pp. 1-5.
[8] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke, "SCADA security in the light of Cyber-Warfare," Comput. Secur., vol. 31, no. 4, pp. 418-436, June 2012.
[9] G. P. H. Sandaruwan, P. S. Ranaweera, and V. A. Oleshchuk, "PLC security and critical infrastructure protection," in Proc. 2013 IEEE 8th Int. Conf. on Industrial and Information Systems, pp. 81-85.
[10] M. Jensen, C. Sel, U. Franke, H. Holm, and L. Nordström, "Availability of a SCADA/OMS/DMS system - A case study," in Proc. 2010 IEEE PES Innovative Smart Grid Technologies Conf. Europe, pp. 1-8.
[11] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Comput. Surv., vol. 39, no. 1, pp. 1-42, Apr. 2007, Art. no. 3.
[12] E. Byres, "Defense-In-Depth: Reliable Security To Thwart Cyber-Attacks," Pipeline & Gas Journal, vol. 241, no. 2, Feb. 2014.
[13] D. Kushner, "The real story of Stuxnet," IEEE Spectrum, vol. 50, no. 3, pp. 48-53, Mar. 2013.
[14] E. Byres, D. Hoffman, and N. Kube, "On Shaky Ground – A Study of Security Vulnerabilities in Control Protocols," in Proc. 2006 5th Int. Topical Meeting on Nuclear Plant Instrumentation, Controls, and Human Machine Interface Technology, vol. 1, pp. 782-788.
[15] A. Giani, G. Karsai, T. Roosta, A. Shah, B. Sinopoli, and J. Wiley, "A testbed for secure and robust SCADA systems," SIGBED Rev., vol. 5, no. 2, pp. 1-4, July 2008.
[16] B. Genge, F. Graur, and P. Haller, "Experimental assessment of network design approaches for protecting industrial control systems," Int. Journal of Critical Infrastructure Protection, vol. 11, pp. 24-38, Dec. 2015.
[17] N. Sayegh, A. Chehab, I. H. Elhajj, and A. Kayssi, "Internal security attacks on SCADA systems," in Proc. 2013 3rd Int. Conf. on Communications and Information Technology, pp. 22-27.
[18] H. Li, R. Mao, L. Lai, and R. C. Qiu, "Compressed Meter Reading for Delay-Sensitive and Secure Load Report in Smart Grid," in Proc. 2010 First IEEE Int. Conf. on Smart Grid Communications, pp. 114-119.
[19] E. Shi, A. Perrig, and L. V. Doorn, "BIND: a fine-grained attestation service for secure distributed systems," in Proc. 2005 IEEE Symposium on Security and Privacy, pp. 154-168.
[20] A. Silberschatz, P. B. Galvin, and G. Gagne, "Security," in Operating System Concepts, 9th ed., Hoboken, NJ: John Wiley & Sons, 2013, pp. 673-674.
[21] P. Varalakshmi and S. T. Selvi, "Thwarting DDoS attacks in grid using information divergence," Future Generation Computer Systems, vol. 29, no. 1, pp. 429-441, Jan. 2013.
[22] K. C. Budka, J. G. Deshpande, T. L. Doumi, M. Madden, and T. Mew, "Communication network architecture and design principles for smart grids," Bell Labs Tech. J., vol. 15, no. 2, pp. 205-227, Sep. 2010.
[23] J. Shropshire, M. Warkentin, and S. Sharma, "Personality, attitudes, and intentions: Predicting initial adoption of information security behavior," Computers & Security, vol. 49, pp. 177-191, Mar. 2015.
[24] M. Leitner and S. Rinderle-Ma, "A systematic review on security in Process-Aware Information Systems - Constitution, challenges, and future directions," Inf. Softw. Technol., vol. 56, no. 3, pp. 273-293, Mar. 2014.
[25] R. Pilling, "Global threats, cyber-security nightmares and how to protect against them," Computer Fraud & Security, vol. 2013, no. 9, pp. 14-18, Sep. 2013.
[26] W. R. Claycomb, C. L. Huth, L. Flynn, D. M. McIntire, and T. B. Lewellen, "Chronological Examination of Insider Threat Sabotage: Preliminary Observations," Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA), vol. 3, no. 4, pp. 4-20, Dec. 2012.
[27] T. El Maliki and J.-M. Seigneur, "A Survey of User-centric Identity Management Technologies," in Proc. 2007 Int. Conf. Emerging Security Information, Systems, and Technologies, pp. 12-17.
[28] S. De Capitani di Vimercati, S. Paraboschi, and P. Samarati, "Access control: principles and solutions," Software: Practice and Experience, vol. 33, no. 5, pp. 397-421, Apr. 2003.
[29] J. Slay and M. Miller, "Lessons Learned from the Maroochy Water Breach," in Critical Infrastructure Protection, Boston, MA: Springer, 2008, pp. 73-82.
[30] R. M. Lee and M. J. Assante. (2015, Oct. 15). The Industrial Control System Cyber Kill Chain. SANS Institute. [Online]. Available: https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
[31] K. Padayachee, "An assessment of opportunity-reducing techniques in information security: An insider threat perspective," Decision Support Systems, vol. 92, pp. 47-56, Dec. 2016.
[32] N. Baracaldo and J. Joshi, "An adaptive risk management and access control framework to mitigate insider threats," Computers & Security, vol. 39, pp. 237-254, Nov. 2013.
[33] I. Agrafiotis, J. R. C. Nurse, O. Buckley, P. Legg, S. Creese, and M. Goldsmith, "Identifying attack patterns for insider threat detection," Computer Fraud & Security, vol. 2015, no. 7, pp. 9-17, July 2015.
[34] Y. L. Wang and S. C. Yang, "A Method of Evaluation for Insider Threat," in Proc. 2014 Int. Symposium on Computer, Consumer and Control, pp. 438-441.

