See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/271515016

Cyber Attacks on Critical Infrastructure: Review and Challenges (draft)

Chapter · January 2015

DOI: 10.4018/978-1-4666-6324-4.ch001

CITATIONS READS

2 1,474

2 authors, including:

Ana Kovacevic
University of Belgrade
17 PUBLICATIONS   84 CITATIONS   

SEE PROFILE

All content following this page was uploaded by Ana Kovacevic on 29 January 2015.

The user has requested enhancement of the downloaded file.

Cyber Attacks on Critical Infrastructure: Review and Challenges
(draft)

Ana Kovacevic*, Dragana Nikolic**

* University of Belgrade, Faculty of Security Studies

** University of Belgrade, Vinca Institute of Nuclear Science

Keywords :critical infrastructure, SCADA systems, information security, malware,

cyber attacks, SCADA security testbed, stuxnet

ABSTRACT:
Today we are facing the expansion of cyber incidents, and they becoming more severe. This
results in the necessity to improve security, especially in the vulnerable field that critical infrastructure is.
One of the problems in the security of critical infrastructures is the level of awareness related to the effect
of cyberattacks. The main reason for the escalation of cyberattacks in the field of critical infrastructure
(CI) may be that most control systems used for CI do not utilise propriety protocols and software any
more, but standard solutions. As a result, critical infrastructure systems are more than ever before
becoming vulnerable and exposed to cyber threats. It is important to get an insight into what attack types
occurred, as this may help direct cyber security efforts. Threat to critical infrastructure is real, so it is
necessary to be aware of it, and anticipate, predict and prepare against a cyber attack.

1. INTRODUCTION
In recent years cyberspace has been expanded significantly and evolved into a large, dynamic,
and tangled web of computing devices. This situation has also influenced critical infrastructure systems.
Besides positive effects of technological expansion, there are also drawbacks. Critical infrastructure is the
backbone of everyday lives in modern society, and thus a proper functioning of it is essential. For a long
time most critical infrastructure systems have been considered immune to cyberattacks because of their
reliance on proprietary networks and hardware. However, recent experiences and cyber attacks indicate
that this is unsustainable – the move to open standards and web technologies is making critical
infrastructure systems more vulnerable.
Unintentional or malevolent actions taken in cyberspace have consequences on critical
infrastructures in the physical world. After a few sporadic attacks it became clear that attacks in
cyberspace are not limited to government activities for intelligence purposes, but any part of critical
infrastructure may be subject to attacks, from the banking system and utilities to the transport or supply
of essential goods and commodities. The modes of these attacks on critical infrastructure are diverse and
include direct or anonymous access to protected networks via the Internet and Supervisory Control and
Data Acquisition (SCADA), or breach of the employees who do not follow security procedures leading to
malware propagation inside the firewall. The problem with analyzing cyber attacks in the field of critical
infrastructure is that some cyber attacks remain unnoticed; and also some organizations are extremely
unwilling to report incidents, because they are viewed as potential embarrassments. Furthermore, the
appearance of new complex malware, such as Stuxnet, with unpredictable features, is creating new
dimensions in cyber security. One of the most pernicious problems with cyberspace is that the fight is so
unbalanced that it takes huge resources to protect critical infrastructure, but just one infected computer
drive to launch an attack. Therefore, cyber defence has become one of the most important issues in
national defence strategies. This paper presents an overview of the cyber attacks on critical infrastructure.
The remainder of this paper is organized as follows: Section 2 presents Critical Infrastructure.
Section 3 presents SCADA systems that are used for Critical Infrastructure and vulnerabilities of
SCADA systems against cyber attacks. Section 4 analyzes and classifies cyber attacks on SCADA
systems for critical infrastructure. Section 5 discusses future directions to achieve better security of
Critical infrastructure sectors using SCADA systems. Section 6 provides the concluding remarks.

1
 2. CRITICAL INFRASTRUCTURE
There is a slight difference between countries concerning their definition of critical infrastructure
(CI) sectors. CIs are defined as those systems, assets, or part thereof which are essential for the
maintenance of vital societal functions, security and economic security, and the disruption or destruction
of which would have a significant impact on the state/nation as a result of the failure to maintain those
functions (European Commission, 2008). The US approach is more comprehensive and inclusive, and it
has been particularly evolving since the attacks of September 11, 2001.The U.S. Patriot Act defined CIs
as “systems and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction
of such systems and assets would have a debilitating impact on security, national economic security,
national public health or safety, or any combination of those matters” (USA- PA, 2001). Homeland
Security Act of 2002 (P.L. 107-296 , Sec. 2(4)) established the Department of Homeland Security (DHS)
and also formally introduced the concept of “key resources” (Congress U.S., 2002). “Key resources” are
defined as “publicly or privately controlled resources essential to the minimal operations of the economy
and government” (Sec. 2(9)). Without articulating exactly what they are, the act views key resources as
distinct from critical infrastructure, albeit worthy of the same protection.
The most conventional list of critical infrastructure sectors includes: agriculture and food, water,
public health and safety, emergency services, government, defense industrial base, information and
telecommunications, energy, transportation, banking and finance, industry/manufacturing, postal and
shipping.
Each of these sectors has its own infrastructures such as highways, electric power generation and
distribution, etc. In any of these, a critical infrastructure system is a great public investment. A minor
disruption in the functioning of these systems may degrade the system’s performance and incur big
economic losses. The identification and designation of state's critical infrastructures is established by
prioritizing particular infrastructure sectors, and specific assets within those sectors, on the basis of
national importance.
Critical infrastructure (CI) sectors are not isolated islands; there are interdependencies among
them. For example, if the energy sector is attacked, this will have consequences on other sectors as well,
as illustrated in Figure 1. Dependencies and interdependencies among sectors of critical infrastructures
must be taken into account in protective programs because the impact of the disruption of one sector can
propagate to other sectors.

2
 Figure 1. Cascading consequence example (adapted from Rinaldi et al., 2001)

In order to improve CI protection, it is necessary to monitor incidents in each of the infrastructure

sectors, maintain a database of vulnerabilities and integrate the database with threat analyses. Such
measures are introduced in countries with extensive infrastructures, such as the US, where the federal
government is required to interact with each critical infrastructure and support their implementation. It is
very important to record and analyze attacks on critical infrastructure, as well as their consequences, in
order to be better prepared for any further attacks.

3. SCADA SYSTEMS FOR CRITICAL INFRASTRUCTURES

The first control networks were simple point-to-point networks connecting a monitoring or
command device to a remote sensor or actuator, while nowadays they have evolved into complex
networks that support communication between a central control unit and multiple remote units on a
common communication bus (Igure et al., 2006). Supervisory Control and Data Acquisition systems
(SCADA) are often used for critical infrastructures, e.g. electric power distribution, oil and natural gas
distribution, water and waste-water treatment, transportation systems, etc. SCADA systems perform
basically two main tasks: centralized monitoring of the system and control of it. Data is collected, stored
and interpreted in terms of different set points that have been set by human operators. When the system
detects any unusual action, it sends commands or alert human operator. Systems may consist of thousand
of assets capable of measuring and/or controlling the process. The nodes on these networks are usually
3
special-purpose embedded computing devices such as sensors, actuators and Programmable Logic
Controllers (PLCs) (Igure et al., 2006). Typical SCADA system is composed of the following
components (GAO, 2004):
 Human-machine interface (HMI) responsible for data presentation to a human operator
for monitoring and controlling the process.
 Remote terminal units (RTUs) are microprocessor-controlled electronic devices that
interface the sensors to SCADA by transmitting telemetry data.
 The supervisory system is responsible for data acquisition and for control activities on
the process.
 Programmable logic controllers (PLCs) are the final actuators used as field devices.
 Communication infrastructure connecting the supervisory system to the remote terminal
units.
 Various process and analytical instrumentation.

In the plant, sensors are monitored and controlled over the SCADA network by either PC or a
Programmable Logic Controller (PLC). Usually, there is a dedicated control centre to screen the entire
plant, mainly located in a separate physical part of the factory and it has advanced computation and
communication facilities (Igure et al., 2006). The attacker has several entry points to compromise the
system.
SCADA networks are usually connected to an outside corporate network and/or Internet through
specialized gateways (providing the interface between IP-based network and filed bus protocol-based
SCADA networks on the factory floor).

In recent years SCADA systems are increasingly becoming targets of cyber attacks. Today, many
of the current SCADA networks are also connected to a company’s corporate networks and the Internet.
Although improved connectivity is essential for reducing costs and efficiency, it also causes SCADA
networks to become more vulnerable because of the security problems of the Internet. Specifically, the
sophistication of new malware attacking SCADA systems, as Stuxnet, shows difficulties in preventing
and detecting this attack when they are based only on IT system information.
SCADA systems have many similarities with IT systems, but they also have some specific
requirements where the usual security solutions are not applicable to SCADA systems, e.g. because of
time requirements, they have a higher demand on availability and are often more difficult to upgrade.

3.1. SCADA systems and administrative IT systems

Although SCADA systems have specific operational requirements, they are nowadays very
similar to administrative IT systems. During the last decade, when SCADA systems were using standard
protocols and hardware/software as in administrative IT systems, differences between SCADA systems
and IT systems were reduced. Also, the connectivity between SCADA systems and other systems
increased (Stouffer et al., 2007). The result of this is that SCADA systems have become more similar to
administrative IT systems in regard to their vulnerabilities.
Generally, the main aim of IT security is to obtain:
 Confidentiality (protect information from disclosure)
 Integrity (protect information form unauthorized change)
 Availability (it is possible to use the data and/or resources of the system when it is requested).
Confidentiality, Integrity and Availability is usually referred to as CIA. The requirements of IT
security are prioritized as CIA (Confidentiality, Integrity, Availability), while in SCADA systems they
might instead be prioritized as AIC (Stouffer et al., 2007). The reason for this is that SCADA systems
work with actual physical processes and the loss of availability may have a real serious impact on
physical processes (such as human life, environment, damage of equipment etc.), while the typical IT
system has no interaction with physical processes.
The example of an attack on confidentiality may be sniffing the data transmitted across the
network. Since many of SCADA protocols do not use cryptography, sniffing communication on the
network is possible if the attacker succeeds in intruding into the network. The example of an attack on
integrity of SCADA systems is when the attacker changes control signals to cause a device malfunction,
which might ultimately affect the availability of the network.
4
 SCADA systems are time-critical and delay is not allowed, while the throughput may not be as
high; the situation is opposite in a typical IT system. In SCADA system the operator may respond to the
event immediately, so it is important that security measures do not slow down these processes (e.g. using
passwords for executing critical commands). Real-time availability provides a stricter operational
environment than most traditional IT systems.
System software patching and frequent updates can not be easily performed for SCADA
systems e.g. upgrading a system may require months of previous planning to put a system
offline, while system patches and other changes need to be thoroughly tested before they can be
applied. It is economically difficult to justify suspending the operation of an industrial computer
on a regular basis to install new security patches (Cardenas et al., 2011). Sometimes there are
problems with security patches, such as violating certification or causing accidents to control
systems. Usually, vendors of SCADA system do not permit the installation of a third party
application, e.g. antivirus softer, or it may lead to the loss of support on the system.
Some conditions are less demanding to SCADA systems than to administrative IT
systems, e.g. server changes rarely, fixed topology, stable user population, regular
communication patterns, and a limited number of protocols. Accordingly, implementing network
intrusion detection systems, anomaly detection, and white listing may be easier than in
traditional enterprise systems (Cheung et al., 2007). A major distinction of SCADA systems
with respect to other IT systems is the interaction of SCADA systems with the physical world
(Cardenas et al., 2011).

3.2 Vulnerabilities of SCADA systems

Critical infrastructure relies on SCADA systems, so vulnerabilities affecting SCADA systems
may be a threat to critical infrastructure e.g. disruption of critical services.
At the onset of using SCADA systems, the goal was to achieve good performance, and network
security was hardly a concern, as the dominant concern was for physical security. Until recently these
networks were isolated, so that an attacker could not access them. But today there is a high demand for
interconnectivity between SCADA systems and corporate networks. There are multiple access points to
SCADA systems (Figure 3) and physical isolation does not guarantee network security. Therefore, the
concern for the security of SCADA networks is rising.
With the evolution of SCADA systems, propriety standards for SCADA communication were
moved to open international standards and now it is easy for an attacker to gain in-depth knowledge
about the functioning of SCADA networks (Igure et al., 2006). A factor for the decreasing security of
SCADA networks is the use of COTS (short for commercial off-the-shelf) hardware and software to
develop devices for operating in the SCADA network. COTS-based design saves cost and reduces design
time, but it also raises concerns about the overall security of the end product. Using COTS equipment has
led to the development of a number of SCADA protocols that can operate on traditional Ethernet
networks and the TCP/IP stack (Igure et al., 2006).
Besides direct financial consequences of a cyber incident on critical infrastructure, there are also
other negative impacts. Some of them may be easily quantifiable financially, but other consequences are
not so explicit (e.g. reputation, impact on health, safety, environment, even human life etc.). These
attacks may also be politically motivated or state-sponsored, which is a great concern for governments
and enterprises that are involved in the critical infrastructure sector. Accordingly, the security of SCADA
networks is becoming more and more important to the whole society.
Frei (2013) stated in his report that vulnerabilities in SCADA systems have almost doubled from
72 in 2011 to 124 in 2012. These 124 vulnerabilities in SCADA systems affect the products of 49
vendors.
The vulnerability analysis proposed by the Department of Homeland Security’s Industrial
Control Systems Cyber Emergency Response Team (ICS-CERT) and carried out for the fiscal year 2012
shows that 171 unique vulnerabilities affecting ICS products were tracked. ICS-CERT coordinated the
vulnerabilities with 55 different vendors. The total number of different vulnerabilities increased from
fiscal 2011 to fiscal 2012. The most vulnerable sector in 2012 was energy (41% of reported events),
followed by water with 15% (ICS-CERT, 2013).

5
4. Cyber attacks on Critical Infrastructure

Cyber-attacks are a progression of physical attacks: they are cheaper, less risky for the attacker,
not constrained by distance, easier for replication and coordination.
Cyber-attacks on SCADA systems may generally be classified as:
 NON-targeted attacks: incidents caused by the same attacks that any computer connected to the
Internet may suffer (e.g. the Slammer worm infecting the Davis Davis-Besse nuclear power
plant).
 Targeted attacks: attacks tailored to damage the physical system under control of the attacked
SCADA system (e.g. Attack on Maroochy Water System, Stuxnet, etc).
Targeted attacks are especially dangerous for critical infrastructure because they are tailored to
affect a specific organization, usually within the critical infrastructure sector where a huge impact of
disruption can be expected.
Attacks against SCADA systems escalate constantly. To get a more accurate picture of the
attacks on SCADA systems, British Columbia Institute of Technology in Canada created a database of
SCADA security incidents: the BCIT Industrial Security Incident Database (ISID). It is interesting that
prior to 2000 most incidents (70%) were either due to accidents or disgruntled insiders acting maliciously.
Between 2001 and 2004 almost 70% of the incidents were attacks from outside SCADA systems (Byres
& Lowe, 2004). Hardly had the number of internal attacks lowered when the number of external attacks
rose so much as to generate these figures.

Firstly, data for ISID are collected from publicly known incidents and from private reporting by
member companies that wish to access database. In the second step incidents are investigated and rated
according to reliability. According to traditional business crime reporting, less than one in ten of the
actual incidents is collected, since most organisations are not willing to report security incidents because
of the negative impact they may have (Byres & Eng, 2004). Hiding attacks is especially the case with
cyber incidents.
Turk (2005) in his report presented 120 cyber security incidents involving control systems and
concluded that the majority of incidents came from the Internet by malicious codes, and there were also a
large number of incidents which were direct acts of sabotage. There is a problem with reporting cyber
attacks because of the potential financial repercussions for a company. Also, there is another problem
with available information about cyber incidents i.e. the lack of availability of detailed data. Just 30% of
contributors provide a financial measure of the impact of the cyber attack; it shows that almost half of
those incidents have sizeable financial losses (Turk, 2005). Incidents show loss of the ability to view
and/or control the process or system, causing an increased resilience of emergency and safety systems
(41% reported loss of production, while 29% reported a loss of ability to view or control the plant). Also,
he concluded that there is a lack of awareness about cyber attacks, i.e. there is indication that only 13% of
the users of PLC configured and used the Web service, while the others left the Web servers in the PLCs
active with default passwords deployed (Turk, 2005).
Industrial Security Incident Database, which provides a comprehensive search engine for
SCADA incidents, is presented by Hentea (2008). In this database, incidents are categorized according to
their severity, consequences, entry point, etc. He concluded that attacks are getting more frequent and
becoming more externally than internally oriented.
In the next section we analyze and classify several Critical Infrastructure attacks.

4.1 Classification of attacks on Critical Infrastructure

For the purposes of this paper we have used the modified taxonomy proposed by
Kjarelnad (2006) and classified CI attacks according to that taxonomy. Kjarelnad (2006)
categorized cyber attacks based on four categories: Method of operation, Impact, Source and Target.
Kjaerland uses these facets to compare commercial versus government incidents, focusing on the motive
of attacker and where attacks originated, highlighting cyber-criminals and victims.
We used Method and Impact of operation as in Kjarelnad taxonomy (or Miller&Rowe, 2012) and
instead of Source and Target facets, we include new categories Perpetrators and Critical Infrastructure
Sectors, to have better picture of motives of attacks, and specific Critical Infrastructure Sector, as shown
in Table 1.

6
 Table 1. Proposed taxonomy

Method of operation Impact Perpetrators Critical Infrastructure Sector

(MO)
Misuse of Resources Disrupt Hackers Agriculture and food
User Compromise Distort Terrorists Water
Root Compromise Destruct Disgruntled Public health and safety
Web Compromise Disclosure employees/inside attacks Emergency services,
Social Engineering Death Hobbyists/Script kiddies Government
Malicious code (Virus, Trojan, Unknown Hacktivists Defense industrial base
Worm, Spyware, Arbitrary code Unknown Information and
execution) telecommunications
Denial of Service Energy
Others Transportation
Banking and finance
Industry/manufacturing
Postal and shipping.

Methods of operation used by a perpetrator to carry out an attack include the following
(Kjaerland, 2006; Simmons et al., 2009; Miller&Rowe, 2012):
 Misuse of Resources – Unauthorized use of IT resources.
 User Compromise – attacker gaining unauthorized use of user privileges on a host, as a user
compromise.
 Root Compromise – a perpetrator gains unauthorized administrator privileges on a host.
 Web Compromise – using website vulnerabilities to attack further.
 Social Engineering – gaining unauthorized access to privileged information through human
interaction and targeting people’s minds rather than their computers.
 Malicious code installed on a system can allow an adversary to gain full control of the
compromised system leading to the exposure of sensitive information or remote control:
o Virus – a piece of code that will attach itself through some form of infected files, which
will self-replicate upon execution of program.
o Trojan –a program that seems benign to the user but that allows unauthorized backdoor
access to a compromised system.
o Worm – a self-replicated program.
o Spyware – a program that is covertly installed and infects its target by collecting
information from a computing system without the owner’s consent.
o Arbitrary code execution – involves a malicious entity that gains control through some
vulnerability injecting its own code to perform any operation for which the overall
application has permission (Douligeris, & Mitrokotsa, 2004)
 Denial of Service: an attack in which victim is denied access to a particular resource or service.
 Others (e.g. unintentional accidents)

Impact represents the effect of an attack and include the following (Kjaerland, 2006;
Miller&Rowe, 2012):
 Disrupt – the least invasive nature of an attack; denying legitimate user’s access to data; e.g.
Denial of Service attack.
 Distort – data modification
 Destruct – Deletion of a file, removal of information from the victim. Destruct would be seen as
the most invasive and malicious, and may include Distort or Disrupt.
 Disclosure – illegitimate access to or disclosure of sensitive, confidential information (data) that
may lead to further compromise; ex. Download of a password file.
 Death – Loss of human life
 Unknown – Insufficient information to classify.

Classification of Critical Infrastructure’s perpetrators:

 Hackers:
7
 o State hackers: may be hackers hired by governments to join specialised task forces.
Stuxnet was first publicly documented attack on SCADA systems which is
considered to have been made by state hackers (Nicholas et al, 2012).
o Non-state hackers/organized crime: Organized crime is motivated by money and
the idea of blackmailing a company to avoid an attack on SCADA system may be
the way to achieve it. Organised criminals are likely to have access to funds,
meaning that they can hire skilled hackers or buy tools to attack a SCADA system
from the underground economy. Numerous SCADA-based automated attack tools
have been created in the form of Metasploit add-ons (Goodin, 2008).

 Terrorists are among the most worrying groups. There are suggestions that terrorists are
interested in attacks on critical infrastructure, although they still have not acquired sufficient
skills (Blau, 2004).
 Disgruntled employees/inside attacks are the most common internal perpetrators. Insider
attackers usually have authorized access to network and in that way they bypass the typical
“castle wall” security that an external offender must past; insider attackers may insert an
infected USB device into a machine to compromise it (Nicholas et al, 2012)..
 Hobbyists/Script kiddies (Nicholas et al, 2012).:
o Hobbyists look for a thrill or challenge. It may seem that their intention is harmless,
but sometimes it may be destructive to critical infrastructure. Hobbyists usually do
not have enough money or adequate motivation to purchase zero-day exploits or
similar products, which may be found on the underground market.
o Script kiddies are usually defined as low-life hackers who use free easy-to-
configure tools that mostly irritate other PC users. Script kiddies should be stopped
by general security practises, e.g. patch management, policy enforcement, AV
software, intrusion detection systems and firewalls.
 Hacktivists or activist hackers are based on political reasoning, and they may make attacks
on SCADA systems.
 Unknown (e.g. Security/vulnerability incident)

Attacks are represented in chronological order and a brief description is given for each
attack.

4.1.1 Attacks on critical infrastructure

For each attack on critical infrastructure a short description is given, followed by a classification
using the previously mentioned taxonomy.

Siberian Pipeline Explosion (1982) is the first well-known cyber security incident on critical
infrastructure. The attacker planted a Trojan in the SCADA system that controls the Siberian Pipeline. A
consequence of this was an explosion equivalent to 3 kilotons of TNT (Daniela, 2011).
Method of operation: Installed malware: Trojan
Impact: Distort
Critical Infrastructure Sector: Energy
Perpetrator: Unknown

Chevron Emergency Alert System (1992). A former Chevron employee disabled its emergency
alert systems in 22 states in the USA (Denning, 2000). This was not discovered until an emergency that
needed alerting happened.
Method of operation: Misuse of resources, User Compromise
Impact: Disrupt
Critical Infrastructure Sector: Emergency services
Perpetrator: Disgruntled employ

Salt River Project (1994) An attacker gained access to the network of the Salt River Project and
installed a back door. Data vulnerable during the intrusions included water and power monitoring and
8
delivery, financial, and customer and personal information. The hacker altered/taken login and password
files, computer system log files and administrator’s privileges (Turk, 2005).
Method of operation: Installed malware: Trojan, Root Compromise
Impact: Disclosure
Critical Infrastructure Sector: Water
Perpetrator: Hacker

Worcester, MA Airport (1997). A hacker penetrated and disabled the telephone company
computer of Worcester Airport in Massachusetts in 1997 (Denning, 2000). Telephone services to the
Federal Aviation Administration control tower, the airport fire department, airport security, the weather
service and various private airfreight companies were cut off for six hours. The consequences were
financial losses and threatened public health and public safety.
Method of operation: Root Compromise, Denial of Service
Impact: Disrupt
Critical Infrastructure Sector: Communications, Transportation
Perpetrator: Hacker

Gazprom (1999). Hackers broke into a gas company in Russia, Gazprom. The hackers used
Trojans to gain control of the central switchboard, which controlled gas flow in pipelines (Denning,
2000).
Method of operation: User Compromise, Installed malware
Impact: Disrupt
Critical Infrastructure Sector: Energy
Perpetrator: Hackers

Bellingham, Gas Pipeline (1999). The gas pipeline in Bellingham (WA) was exacerbated by a
control system not being able to perform the control and monitoring functions. One of the key causes of
the accident was performing database development work on the SCADA system while the system was
being used to operate the pipeline. Although this is not technically an attack, the loss of human life in this
incident shows the danger of any type of failure in a critical infrastructure system (Turk, 2005).
Method of operation: Misuse of Resources
Impact: Disrupt, Death
Critical Infrastructure Sector: Energy
Perpetrator: Employee

Maroochy Water System (2000). In Maroochy Shire, Queensland (Australia) a disgruntled

employee wreaked havoc by causing millions of litters of raw sewage to spill out into local parks and
rivers (Smith, 2001). He gained access by installing company software on his laptop and infiltrating the
company’s network at least 46 times to take control of the waste management system. (He was sentenced
to two years in prison)
Method of operation: User Compromise, Misuse of Resources
Impact: Disrupt
Critical Infrastructure Sector: Water
Perpetrator: Disgruntled employee

Davis-Besse Nuclear Power Plant (2003). Ohio Davis-Besse Nuclear Power Plant was infected
by a worm (Slammer) through network by a contractor of the company. The worm then managed to crash
the power plant’s display panel and monitoring system for 5 hours (Poulsen, 2003). Luckily, at that time
the plant was not in use (it had been shut down months before), but the employees using the corporate
network segment faced a performance issue. In 2003 the Slammer worm managed to infect 90% of its
75000 victims on the Internet in 10 minutes.
Method of operation: Installed malware
Impact: Disrupt
Critical Infrastructure Sector: Energy
Perpetrator: Unknown

9
 CSX Corporation (2003). In 2003, a computer virus named Sobig shut down train signaling
systems in the CSX Corporation in Florida (Niland, 2003). The consequences of this attack were that
trains were delayed, but luckily there were no major incidents caused by the Sobig virus.
Method of operation: Installed malware
Impact: Disrupt
Critical Infrastructure Sector: Transportation
Perpetrator: Unknown

Browns Ferry Nuclear plant (2006). Browns Ferry Nuclear plant in Alabama (U.S.) was
manually shut down because of the failure of a number of recirculation pumps (Nuclear Regulatory
Commission, 2007). The failure had occurred due to an overload of network traffic. It is assumed that the
overload of network traffic was caused by a DOS attack, and maid system unresponsive.
Method of operation: Denial of Service
Impact: Disrupt
Critical Infrastructure Sector: Energy
Perpetrator: State hackers

Tehama Colusa Canal Authority (2007). A former electrical supervisor installed unauthorised
software on SCADA systems at Tehama Colusa Canal Authority. The disgruntled employee is reported
to have installed it on the day he was dismissed, having worked for the company for 17 years. There were
no publicly available technical analyses of whether any damage had been caused. However, he was
charged with installing unauthorised software and computer damage, and got 10 years in prison and a
$250,000 fine (Goodin, 2007).
Method of operation: Misuse of Resources
Impact: Unknown
Critical Infrastructure Sector: Water
Perpetrator: Disgruntled employee

US electric power grid (2009). Chinese and Russian spies penetrated the US electrical power
grid, leaving potentially disruptive software (Gorman, 2009). It is assumed that the main idea was to map
US critical infrastructure using network mapping tools. The US Government has not given any technical
details, but other countries have responded, e.g. UK minister Lord West has stated that the UK asked
Russian and Chinese governments to cease their probing against UK critical infrastructure (BBC News,
2009).
Method of operation: Installed malware
Impact: Disclosure
Critical Infrastructure Sector: Energy
Perpetrator: State hackers

Hospital Dallas, USA (2009). A hospital security guide (Jessie William McGraw, aka
GhostExodus) took advantage of his position to install malware on hospital machines and also control the
heating, ventilation and air conditioning (HVAC) system (Walsh, 2009). McGraw boasted about his
hacking activities on forums and downloaded videos and pictures, which led to his conviction.
Method of operation: Distributed Denial of Service
Impact: Disrupt
Critical Infrastructure Sector: Public Health
Perpetrator: Hobbyists

Stuxnet is considered to be the first malware that attacked critical infrastructures of foreign
governments. This was the idea used in the attack on the nuclear plant in Natanz, in order to interfere
with the Iranian nuclear program.
Stuxnet is one of the most expensive and most complicated malicious programs ever. It is
assumed that creating the code took several years (Zetter, 2010). Stuxnet is highly-sophisticated malware
that has characteristics of a worm, virus and Trojan, extremely hard to detect because it uses zero-day
vulnerabilities. There is evidence that Stuxnet kept evolving since its initial deployment, since attackers
upgraded the infections with encryption and exploits, apparently adapting to conditions they found on the

10
way to their target (Cardenas et al., 2011). The ultimate goal of Stuxnet is to sabotage that facility by
reprogramming controllers to operate, most likely out of their specified boundaries, and without the
operator of the PLC ever realizing it (Falliere et al., 2010). In addition, victims attempting to detect
modifications to their embedded controllers would not see any rogue code as Stuxnet hides its
modifications with sophisticated PLC rootkits, and validates its drivers with trusted certificates (Cardenas
et al., 2011)
Stuxnet is targeted malware, designed to propagate itself as widely as possible, and to attack
automatically once it comes into contact with the target system. It may infect only SCADA configuration
and particularly attacks devices which are connected to Siemens S7-300.
It is assumed that the engineer brought Stuxnet to an isolated network through a USB stick. The
idea was to achieve propagation by LAN, while propagation through removable drives was used to reach
PCs not connected to other networks. This proves that being isolated from the Internet or other networks
is not a complete defense. The malware that targeted Iran's uranium-enrichment program, particularly
centrifuges at the Natanz plant, contained a set of codes. In Symantec they reported that in August 2010,
60% of infected computers were in Iran (Symantec, 2010). Subsequent to infecting the Siemens software
in the facility’s supervisory control and data-access control systems, the malware took over the control
systems of frequency converters. After monitoring motor frequency, Stuxnet only attacks systems that
spin between 807Hz and 1,210Hz. It changes the speed of the centrifuge motor by sporadically speeding
up the machines to 1,410Hz, then slowing them back down to 2Hz. Finally, it restores the machines to a
frequency of 1,064Hz, the normal operating speed. Such a change in frequency imposes severe stress on
the machinery and causes higher crash rates. Reportedly, the working capacity of centrifuges in Natanz
was reduced by 30% over the previous year because of Stuxnet's effects (Melman, 2010).
Method of operation: Installed malware, Root Compromise
Impact: Disrupt, Distort
Critical Infrastructure: Energy
Perpetrator: State hackers

Night Dragon: In 2011, five global energy and oil firms were targeted by a combination of attacks
including social engineering, Trojans and Windows-based exploits. The attack was named “Night Dragon”
and has been ongoing for two years and there is an assumption that they have been of Chinese origin. The
corporate network segments belonging to companies that operate SCADA infrastructure were attacked,
but no SCADA systems were directly attacked (Nicholson et al, 2012).
Method of operation: Social Engineering, User Compromise, Root Compromise
Impact: Disclosure
Critical Infrastructure: Energy
Perpetrator: State hackers

Duqu is malware similar to Stuxnet, containing part of codes almost identical to Stuxnet. It is
assumed to be designed to conduct reconnaissance of an unknown industrial control system (Zetter,
2011).
Method of operation: Installed malware
Impact: Disclosure
Critical Infrastructure: Energy
Perpetrator: State hackers

Flame has been appearing in the Middle East and North Africa for at least two years. It is
assumed that this malware is sponsored by the same group which sponsored Stuxnet. There is indication
that it is primarily designed to spy on the users of infected computers and steal data and open a back door
to infected systems to allow the attacker to add new functionality It was discovered that the Iranian
National Oil Co. had been hit with malware which were stealing and deleting information from the
systems (Miller&Rowe, 2012).
Method of operation: Installed malware
Impact: Disclosure, Destruct
Critical Infrastructure: Energy
Perpetrator: State hackers

11
 4.1.2. Analysis of incidents
Figure 4 shows number of attacks according to impact they made based on previously identified findings.
While this is 17 publicly known incidents on Critical Infrastructure, we are aware that attacked
companies are not willing to publicly acknowledge attacks and results are provided with the best
available knowledge.

Figure 2. Method of Operations

The impact of these attacks is shown in the Figure 4. The majority of the attacks (10) caused
disruption of operations, others lead to disclosure of data (5), distortion of data (2), and in one case data
were destructed. There was also one death recorded, while the impact of one attack remained unknown.

Figure 3. Impact of attack

5. FUTURE DIRECTIONS

In order to improve analysis of SCADA systems and discover their vulnerabilities that are
present, a test-bed method is developed. SCADA security testbed is used to model real system and
analyse the effects of attacks on them. The method enables detection of vulnerabilities within SCADA
protocols in order to find out how easy it is to bypass security measures in such protocols (Luders, 2005;

12
Chunlei et al., 2010; Giani et al.,2008;) or perform an attack on the SCADA network (Oman&Phillips,
2007, Beresford, 2011; Udassin, 2008; Queiroz et al,, 2009).
The general conclusion is that SCADA protocols and components are very vulnerable, and that it
is very important to find an immediate solution to these vulnerabilities. Because of a similarity in
technology between enterprise IT systems and Industrial Control Systems, many of the security practices
used for IT systems apply to ICS and can be used to efficiently secure these systems with minimal
additional costs.
Until recently, most of the efforts for protecting SCADA systems have focused on safety and
reliability, not on intentional actions or systematic failures. After some attacks, there has been a growing
concern for protecting control systems against malicious cyber attacks (Turk, 2005, Igure et al., 2006,
US-CERT, 2008; GAO, 2007; Byres&Low, 2004; Cardenas et al., 2011). There are initiatives for
improving security of control systems, and several sectors of critical infrastructure are developing
programs for securing their infrastructure (NERC-CIP, 2008; Stouffer et al., 2006; INL, 2008; NIST 800-
82).
It is important that future standards address shortcomings of current problems in SCADA
systems architecture, administrative policies and platform security mechanisms, where both vendors and
end users conform standards (Nicholson et al., 2012).
Cardenas et al. (2011) believe that to understand interactions of the control system with the
physical world, it is necessary to develop a general and systematic framework for securing control
systems in three fundamental new areas:
1. Better understanding of the consequences of an attack for risk assessment.
2. Design of a new attack-detection algorithm
3. Design of new attack-resilient algorithms and architectures: need to design and operate control
systems to survive an intentional cyber assault with no loss of critical functions.

6. CONCLUSION

Cyber attacks on critical infrastructure have become everyday reality and it is necessary to
respond and provide adequate protection.
The risk to the critical infrastructure that uses SCADA systems is exposed to high risk that
system may be damaged or compromised.
The particular attention has to be given to protection of the SCADA systems, since they are at the
centre of many critical infrastructure sectors' functions. Failures of SCADA systems can be safety-critical;
they may cause irreparable harm to physical systems being controlled in national critical infrastructures,
such as electric power distribution, oil and natural gas distribution, water and waste-matter treatment and
transportation systems, etc. Interruption in the SCADA systems may have significant consequences on
public health, safety and economic losses.
Because new malware is becoming more and more sophisticated, there is a significant problem of
detecting attacks on critical infrastructure, based only on IT system information. Therefore, the growing
concern for the whole society is to protect critical infrastructure against malicious attacks and improve
the security of critical infrastructure. There is a strong commitment of governments to invest in cyber
security. On the other hand, the lack of investments in the security of control systems that are privately
owned creates the optimal conditions for the attackers.

Acknowledgement

This work was financially supported by the Ministry of Education, Science and Technology Development
of the Republic of Serbia under projects: 47017 and TR37012.

13
 REFERENCES
BBC News (2009) UK has cyber attack capability. Retrieved from:
http://news.bbc.co.uk/1/hi/uk_politics/8118729.stm.
Beresford, D. (2011). Exploiting Siemens Simatic S7 PLCs. Black Hat USA.
Blau J. The battle against cyber terror. Computer World.
http://www.computerworld.com/s/article/97953/The_battle_against_cyberterror; December 2004.
Byres, E., & Eng, P. (2004). The Myths and Facts behind Cyber Security Risks for Industrial
Control Systems The BCIT Industrial Security Incident Database ( ISID ). Security, 116(6), 1-6. VDE
Association for Electrical Electronic Information Technologies.
Cárdenas, A. A., Amin, S., & Lin, Z.-syun. (2011). Attacks Against Process Control Systems :
Risk Assessment , Detection , and Response Categories and Subject Descriptors. Security, 355-366.
ACM. Retrieved from http://portal.acm.org/citation.cfm?id=1966959
Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., & Valdes, A. (2007, January).
Using model-based intrusion detection for SCADA networks. In Proceedings of the SCADA Security
Scientific Symposium (pp. 1-12).
Chunlei, W., Lan, F., & Yiqi, D. (2010, March). A simulation environment for SCADA security
analysis and assessment. In Measuring Technology and Mechatronics Automation (ICMTMA), 2010
International Conference on (Vol. 1, pp. 342-347). IEEE.
Congress, U. S. (2002). Homeland Security Act of 2002, Public Law (107).
Daniela, T. (2011, June). Communication security in SCADA pipeline monitoring systems. In
Roedunet International Conference (RoEduNet), 2011 10th (pp. 1-5). IEEE.
Denning, D.E. (2000) Cyberterrorism: The Logic Bomb versus the Truck Bomb - Centre for
World Dialogue. Global Dialogue. 2, 4.
Douligeris, C., & Mitrokotsa, A. (2004). DDoS attacks and defense mechanisms: classification
and state-of-the-art. Computer Networks, 44(5), 643-666.
European Commission (2008). Council Directive 2008/114/EC of 8 December 2008 on the
identification and designation of European critical infrastructures and the assessment of the need to
improve their protection. Official Journal L,345(23), 12.
Falliere, N., Murchu, L. O., & Chien, E. (2011). W32. stuxnet dossier. White paper, Symantec
Corp., Security Response.
Frei, S. (2013) Vulnerability threat trends, NSS Labs. Retrieved from
https://www.nsslabs.com/reports/vulnerability-threat-trends
GAO (2004): United State Government Accountability Office Report. GAO-04-354. Retrived
from http://www.gao.gov/new.items/d04354.pdf
GAO (2007) Critical infrastructure protection. Multiple efforts to secure control systems are
under way, but challenges remain. Technical Report GAO-07-1036, Report to Congressional
Requesters, September 2007.
Giani, A., Karsai, G., Roosta, T., Shah, A., Sinopoli, B., & Wiley, J. (2008). A testbed for
secure and robust SCADA systems. SIGBED Review, 5(2), 4.
Goodin, D. (2007). Electrical supe charged with damaging California canal system. The
Register. Retrieved from: http://www.theregister.co.uk/2007/11/30/canal_system_hack/.
Goodin, D. (2008) Gas refineries at defcon 1 as scada exploit goes wild. The Register. Retrieved
from http://www.theregister.co.uk/2008/09/08/scada_exploit_released/.
Gorman, S. (2009). Electricity grid in U.S. penetrated by spies. The Wall Street Journal.
Retrieved from: http://online.wsj.com/article/SB123914805204099085.html.
Hentea, M. (2008). Improving security for SCADA control systems. Interdisciplinary Journal
of Information, Knowledge, and Management, 3(12), 4.
ICS-CERT (2013)ICS-CERT Monthly Monitor Oct-Dec 2012. Retrieved from http://ics-
cert.us-cert.gov/monitors/ICS-MM201210
Igure, V., Laughter, S., & Williams, R. (2006). Security issues in SCADA networks. Computers
Security, 25(7), 498-506. Elsevier. Retrieved from
http://linkinghub.elsevier.com/retrieve/pii/S0167404806000514
INL (2008) Idaho National
Laboratory,National SCADA Test Bed Program http://www.inl.gov/scada.
Kjaerland, M. (2006). A taxonomy and comparison of computer security incidents from the
14
commercial and government sectors. Computers & Security,25(7), 522-538.
Lüders, S. (2005). Control systems under attack? (No. CERN-OPEN-2005-025).
Melman, M. (2010). “Computer virus in Iran actually targeted larger nuclear facility, 28
September 2010, Retrieved from
http://www.haaretz.com/print-edition/news/computer-virus-in-iran-actually-targeted-larger-nuclear-
facility-1.316052
Miller, B., & Rowe, D. (2012, October). A survey SCADA of and critical infrastructure
incidents. In Proceedings of the 1st Annual conference on Research in information technology (pp. 51-
56). ACM.
NERC-CIP (2008). Critical Infrastructure Protection. North American Electric Reliability
Corporation, http://www.nerc.com/cip.html, 2008.
Nicholson, A., Webber, S., Dyer, S., Patel, T., & Janicke, H. (2012). SCADA security in the
light of Cyber-Warfare. Computers & Security, 31(4), 418-436.
Niland, M. (2003) Computer virus brings down train signals. InformationWeek. Retrieved
from:
http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID¼13100807.
Nuclear Regulatory Commission. (2007). NRC information notice:
2007e15: effects of ethernet-based, non-safety related controls on the safe and continued operation of
nuclear power stations. Retrieved from: http://www.nrc.gov/reading-rm/doc-collections/gen-comm/info-
notices/2007/in200715.pdf.
Oman, P.,& Phillips, M. (2007). "Intrusion detection and event monitoring in SCADA
networks." Critical Infrastructure Protection. Springer US, 161-173.
Poulsen, K. (2003) Slammer worm crashed Ohio nuke plant net. The
Register.Retrieved from: http://www.theregister.co.uk/2003/08/20/slammer_worm_crashed_ohio_nuke/.
Queiroz, C., Mahmood, A., Hu, J., Tari, Z., & Yu, X. (2009, October). Building a SCADA
security testbed. In Network and System Security, 2009. NSS'09. Third International Conference on (pp.
357-364). IEEE.
Rinaldi, S. M., Peerenboom, J. P., & Kelly, T. K. (2001). Identifying, understanding, and
analyzing critical infrastructure interdependencies. Control Systems IEEE. IEEE. Retrieved from
http://ieeexplore.ieee.org/lpdocs/epic03/wrapper.htm?arnumber=969131
Simmons, C., Shiva, S., Dasgupta, D., & Wu, Q. (2009). AVOIDIT: A cyber attack
taxonomy. University of Memphis, Technical Report CS-09-003.
Smith, T. (2001) Hacker jailed for revenge sewage attacks. The Register. Retrieved
from:http://www.theregister.co.uk/2001/10/31/hacker_jailed_for_revenge_sewage/;
Symantec (2010) Symantec Intelligence Quarterly Report: October - December, 2010, Targeted
Attacks on Critical Infrastructures.
Stouffer, K., Falco, J., Scarfone, K. (2007) Guide to Industrial Control Systems (ICS) Security
Special Publication 800-82 SECOND PUBLIC DRAFT. National Institute of Standards and
Technology.
Turk, R. (2005) Cyber incidents involving control systems. Technical Report INL/EXT-05-
00671, Idao National Laboratory.
Udassin, E. (2008). Control system attack vectors and examples: field site and corporate
network. In Proc. S4 SCADA security conference.
USA-PA (2001). UNITED STATES CONGRESS, “U.S.A. Patriot Act”, 2001,
http://www.epic.org/privacy/terrorism/hr3162.html.
US-CERT (2008) Control Systems Security Program. US, Department of Homeland Security,
http://www.us-cert.gov/control_systems/index.html, 2008.
Walsh, S. (2009). "Dallas security guard facing charges for installing malware on hospital
computers". Retrieved from http://www.technologytell.com/gadgets/48623/dallas-security-guard-facing-
charges-for-installing-malware-on-hospital-com/
Zetter, K. (2010). "Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were
Target". Wired. Retrieved from http://www.wired.com/threatlevel/2010/09/stuxnet/
Zetter, K. (2011). How digital detectives deciphered stuxnet, the most menacing malware in
history. Retrieved from: http://www.wired.com/threatlevel/2011/07/how-digital-detectives-
decipheredstuxnet/all/1;
Zhu, B., & Sastry, S. (2010, April). SCADA-specific intrusion detection/prevention systems: a

15
 survey and taxonomy. In Proceedings of the 1st Workshop on Secure Control Systems (SCS).

16

View publication stats