SCADA Testbed for Vulnerability Assessments,

Penetration Testing and Incident Forensics

Abstract—Industrial control systems are critical assets as they threats. In a written testimony from the NPPD office Assistant
interact with real-life aspects of our daily life. These systems Secretary [2], external actors are targeting government entities
often run 24/7 to control and monitor critical industrial and and businesses in the energy, nuclear, water, aviation, and
infrastructure processes. The demand to integrate them with
the Internet has opened them up for cyber-attacks. The need critical manufacturing sectors. In reality, there is still an
for skilled expertise starting at the academic level in defending increasing gap of skilled expertise in Industrial cyber-security
and investigating these critical assets is ever growing. In this starting at the academic level. A National Audit Office survey
paper, the authors design and deploy a Supervisory Control and [3] in 2015 highlights the gap in cyber-security skills. Securing
Data Acquisition (SCADA) lab at Sam Houston State University Critical Infrastructure is a specialized branch of traditional
(SHSU) with a limited budget. The lab is designed to stimulate
a near-world industrial setting specifically for Industrial cyber- Cyber-security largely following the Critical Security Controls
security research (penetration testing, vulnerability analysis and as prescribed by the Center for Internet Security (CIS) [4]. Few
incident forensics) as an accompaniment to the digital forensics CIS controls for cyber defense preparedness are Penetration
education curriculum at the University. Tests and Red Team Exercises (CIS control #20) and Incident
Response and Management (CIS control #19). Attackers often
I. I NTRODUCTION
identify and exploit a gap between good defensive architecture
Computer systems have outgrown in the last decades such and their implementation or maintenance.
that they connect all aspects of an enterprise IT ecosystem. In this paper, the authors describe the build of a low-
Industrial control systems have always been designed for budget, near-world, Supervisory Control and Data Acquisition
safety purposes as they interact with real-life aspects of the (SCADA) testbed (laboratory) specifically designed for Indus-
world with emphasis to safety rather than security. The demand trial cyber-security research and industrial incident forensics
to integrate industrial control system networks of an enterprise research at SHSU.
to the Internet have led to heterogeneous system designs and
complex architectures, thereby, creating security vulnerabili- II. BACKGROUND
ties that are easy targets of cyber-attacks. Furthermore, if not
properly deployed, they can be susceptible to attacks due to Existing ICS/SCADA testbeds are usually full-scale func-
their legacy protocols and proprietary technology. tional or small-scale physical models or primarily software-
Industrial systems are part of the critical infrastructure of a simulated models. The SCADA testbed program at Idaho
nation and the US government has acknowledged their security National Laboratories (INL) [5] is a large scale design dedi-
risk. In 2001, as part of the ”Uniting and Strengthening cated for ICS cyber security learning and trainings. Mississippi
America by Providing Appropriate Tools Required to Intercept State University [6] and University of New Orleans [7] have
and Obstruct Terrorism” Act of 2001 (USA PATRIOT Act), built a small-scale physical testbeds for academic learning
the US Congress passed the Critical Infrastructures Protec- around Industrial Systems with a dual use for cyber-security.
tion Act of 2001 ( (CIPA) 42 US Code § 5195c Critical infras- Thiago et al [8] examine the fidelity of a virtual SCADA
tructures protection ) [1] directing the National Infrastructure testbed to a physical testbed wherein a study of the effects of
Simulation and Analysis Center (NISAC) to support for the cyber-attacks on both the systems is undertaken. Methods to
activities of the President’s Critical Infrastructure Protection gather information and utilize available tools and techniques to
and Continuity Board. The Act directed the NISAC to perform increase situational awareness to survive a malicious electronic
modeling, simulation and analysis of cyber and/or physical attack on SCADA systems have also been highlighted [9].
systems on the critical infrastructures to understand their com- Ahmed et al [10] discuss the challenges faced in protecting
plexity thereby assisting in suitable modifications to mitigate SCADA systems and conducting forensic investigations on
them. Nicholson et al [11] had surveyed ongoing research
and provide a coherent overview of the threats, risks and
978-1-7281-2827-6/19/$31.00 2019
c IEEE mitigation strategies in the area of SCADA security. In a
classroom setting, Conklin et al [12] outline the types of Computer hardware was requested from the Computer Sci-
SCADA laboratory designs. A learning approach for students ence Department (SHSU). The HMI software “Indusoft Web
on SCADA systems’ vulnerabilities through experiments and Studio V7.1, SP3” was procured from Indusoft [18] through an
hands-on exercises was discussed by Sitnikova et al [13]. educational license. The SCADA automation hardware units
For a game based approach on such exercises, Hewett et al were procured through vendor donations from Automationdi-
[14] present an analytical game approach to analyze cyber- rect [19] and Eaton [20]. A Eaton XC100 PLC and Direct06
attacks on smart-grid SCADA systems. However, a literature PLC from Automationdirect were used in the ICS lab’s design.
vacuum exists around a playbook for SCADA testbed (lab- The SCADA protocols simulators were available online for
oratory) design framework coupled with laboratory exercises free downloads [24], [26]. Wireless access points, security
specifically focusing on cyber-security readiness (penetration camera and other hardware were acquired by the project team
assessment and testing, SCADA protocols analysis, vulnerabil- Fig. 2.
ity assessments), defensive and offensive security, risk analysis The HMI screens Fig. 3 were designed to implement an
and Industrial/SCADA incident forensics. In this paper, the industry process. The concept of the HMI screen was about a
authors propose a laboratory design by incorporating many of fictious chemical manufacturing company ”KAT Engineering
the CIS [4] controls including incident forensics. The authors and Chemicals” that used a periodic and timed manufacturing
use a gaming approach for the teams as part of the laboratory processes that if went awry, could cause a potential environ-
exercises similar to the ICS cyber-security (301) trainings [15] mental disaster. The start and stop of process (batch processing
conducted by ICS-CERT. of chemicals) was triggered with HMI programming. Even
after a period of time, if the Red team finds it unsuccessful in
III. P ROBLEM S TATEMENT AND NEED FOR A LAB penetrating the network and systems of ”KAT Engineering and
Chemicals”, random tag values aligned to a certain defined
In an industrial setup, SCADA and process control sys-
timed logic would cause an environmental disaster visible
tem vulnerabilities can increase from poor communications
on the HMI screen. This fictitious disaster caused by pre-
between enterprise IT and engineering teams leading to a lack
programmed logic would stop the plant’s functioning trigger-
of cyber security preparedness in industrial process sensors
ing incident response analysis steps by the forensic team. The
[16], [17]. This situation usually arises due to lack of cross-
logic with building such a design was to introduce a gaming
domain knowledge between these teams. This communication
concept for red teams, blue teams and the forensic teams. The
gap can be addressed by honing defensive security skills,
same forensic team would also need to be involved when an
awareness of SCADA and process control systems, knowledge
environment disaster takes place to ascertain if the incident
of engineering designs involved and incident forensics for
was related to a security breach. The ICS lab’s architecture is
the IT team. In this paper, the authors primarily focus on
designed such that it can be scaled up or down in equipment
the framework to design and construct an Industrial Control
depending on the Industry needs and the proposed trainings.
Systems Laboratory (ICS lab) for the purposes of cyber-
security and incident forensic research on Industrial Systems A. Security Architecture
and automation. Another reason for the ICS lab was accom- The overall security architecture design of the ICS lab was
panying security and digital forensic courses and education planned to mimic real-world design as found in many indus-
provided at Sam Houston State University (SHSU). This ICS trial enterprise IT ecosystem with industrial control systems.
lab would thus help students and researchers practice various The network design involves hardware as below;
red team, blue team and incident forensic exercises. A key goal
• Network Hardware: Palo Alto Firewall, Cisco and Tenda
of the ICS lab’s design was to mimic a real-world industrial
Router/Switches
engineering design on a low budget.
• Honeypot toolbox for the lab instructors

IV. L AB D ESIGN All passwords were set to weak strength and were easy to
crack. Files were randomly scattered on systems that gave
SCADA systems are often viewed as a specialty subject of away design details and other sensitive data. The security
industrial engineers and technicians rather than IT engineers. camera was positioned such that a hacker could view the
The ICS lab’s design was broken into three phases; conceptual HMI screen through its web interface. Passwords to machines
design, logical design and physical design. The conceptual were intentionally scribbled on paper and left around to
design focus was on real-world scenario of machine configu- mimic carelessness by real-world personnel. Keeping with ICS
rations, operating systems and the choice of protocols to con- industry security hygiene [21], operating systems were lightly
figure. The logical design focused upon the code snippets for patched. The database tables had application passwords in
the near-corporate websites, Human-Machine Interface (HMI) plaintext.
coding, programming of the programmable logic controller
(PLC) and near-corporate databases. The physical design focus B. Hardware Architecture
was on the hardware and wiring of PLCs. Fig. 1 shows the For the ICS lab’s network, the design focus was modelled
original physical design with PLCs and over-time the lab has after generally found deployments in the Industrial world.
been expanded to house additional PLCs. The design involved no dedicated computers or servers for
 Fig. 1. Original Lab setup (left) and Current Lab setup of (center, right) Systems and Network

Fig. 2. Network Design

a purpose, no or minimum network firewalls, a combination • PLC Simulation software “Communication Protocol Test
of operating systems like Windows7, Windows2000, Win- Harness” [25] for DNP3.0 and IEC 60870-5-104
dows2003 and WindowsXP [21]–[23]. This kind of design was • KepserverEx [26] for OPC
determined to exist in any random small-sized Industrial unit’s
D. Database Architecture
IT infrastructure that uses SCADA systems. For the SCADA
hardware, few vendors had donated PLC’s and accessories for Databases aid in SCADA data storage and in corporate
the ICS lab. They were programmed for use. IP based security application data storage scenarios. As databases are found at
cameras and wireless routers are also part of the architecture all industrial enterprises and are good targets for attacks, the
as they can be mostly found in the IT design of Industries addition of databases to the ICS lab design was needed. To
using SCADA systems mimic real-world cases of database versions at an enterprise,
older versions of SQL Server were used. Following are the
C. Software Architecture highlights of the database instances in the ICS lab’s design;
• SQL Server 2000 and 2008 versions were installed on
The ICS and SCADA design of the lab had the following
different Windows O/S machines.
software. Some of the software have existing licensing agree-
• DB Instances have jobs and packages.
ments with SHSU and the rest are free for general use. The
• Existence of mirror DBs and replication.
ICS protocols; MODBUS, TCP/IP, OPC-DA, OPC-UA, ARTI
• Loose database security design (for honeypots).
CODESYS, DNP3, KOYO, IEC 60870-5-104 and AB-DF1
were identified as needed after discussing with experts in the E. Corporate DMZ
ICS this industry. The addition of corporate systems and traffic helps in recre-
• Indusoft Web Studio and thin client [18] ating any enterprise using Industrial controls. The corporate
• PLC Stimulation software ”ModRSSim” [24] for MOD- and DMZ design was segregated with firewalls. Automated
BUS protocol application scripts were employed to generate network traffic.
 Fig. 3. HMI Screen

Few task scheduler driven jobs for file transfer using FTP were patching [21]. The Palo Alto Firewall and Cisco switch were
deployed. The toolkit for attack, defense and incident forensics programmed in relation to the defined firewall zones. The
are below. desktops, VMs and PLCs were integrated with the Firewall
• Penetration-testing Tools - Wireshark, Metasploit, and switch. The Wireless access point and the wireless security
SQLMap, NETCAT, HPING cameras were the last of the hardware to be integrated to
• Forensic Tools : Encase, FTK-pro the network. The SCADA protocol simulators were installed
• Use of Cyber Vulnerability Assessments Tools, Kali on the identified machines. A HMI screen was programmed
Linux O/S with drivers invoking the simulators and PLCs. The HMI
• ICS-CERT tools screen was also programmed to the SQL Server Database
on the network. A separate SQL Server database was setup
F. Teams to mirror the primary database and also serve as an ad-
The red team is a highly skilled group that assess security hoc historian. Genuine and fake SQL Data Transformation
methodologies through reconnaissance, adversarial simulation Services (DTS) jobs were setup on the database servers to
and targeted attacks. Likewise the blue team consists of mimic a corporate design. The IIS webservers were configured
resources who dedicate their time in defending, hardening for hosting corporate websites and FTP traffic. Few websites
systems (patching), monitoring and securing the enterprise. were created in classic ASP allowing SQL Injections. A few
The Incident forensic team specializes in evidence acquisition scheduled batch scripts were created to FTP files between
and management, documentation, chain-of-custody and foren- machines. A ICS lab manual and courseware was developed
sic analysis of the security incident. covering introduction to Industrial control systems, current
threats, defense tools and forensic challenges. A list of all
V. ICS L AB S ET UP
known honeypots within this ICS lab was also documented.
The ICS lab set up process started with the PLCs as they Details on the team skills needed (red, blue and forensics
were received ahead of the project schedule. The PLCs were team) were also outlined on the training guide.
wired to the DC supply, stacklights, buzzers and programmed
with tags that could be invoked from the HMI software VI. D ESIGN V ERIFICATION AND VALIDATION
(Indusoft). A few separate logic programs were also added Verification of the ICS lab functioning involved working
to the PLCs to generate random LEDs bursts so that the with a toolkit that would normally be used for vulnerability
units really looked functioning in a complicated way to testing, penetration testing and incident forensics by profes-
the nonprofessional’s eyes. Windows XP and Windows 2003 sionals. Many of these tools were open sourced or used from
were setup as VMs and host machines were on Windows- Kali Linux distro. Below are the verification and validation
7. All operating systems had a degree of minimal security tasks performed and tools used.
 • MODBUS protocol traffic - Wireshark ICS lab setting. A forensic investigation can help answer many
• OPC DA protocol traffic - Simulator logs questions such as;
• OPC UA protocol traffic - Wireshark • Was the SCADA systems compromised by a malware
• KOYO protocol traffic (KOYO is transmitted as UDP attack?
packets) - Wireshark • Did the incident have a payload involved?
• EATON’s CodeSYS ARTI protocol traffic - Simulator • Was there a command and control (C&C) traffic involved
logs in the attack?
• DNP 3.0 protocol traffic - Wireshark • Did an insider (SCADA operator) cause the incident?
• IE104 (IEC 60870-5-104) protocol network traffic - Sim- • How to contain the incident?
ulator logs • How to perform incident root-cause analysis?
• Direct06 PLC configuration - HMI alarms and logs • How to work with the engineering and security (blue)
• Eaton PLC configuration - HMI alarms and logs teams to investigate the incident?
• Password strength test - John the Ripper • How to conduct live forensics with fragile systems?
• Penetration tests against lab network - Metasploit
D. Incident management
• Windows security patches to expose backdoors - Mi-
crosoft Baseline Security Analyzer Often operations staff do not have the skills to collect and
• SQL Injection against lab corporate websites - SQL Map disseminate a cyber-incident and rely on vendor/integrators
• Open and vulnerable ports against lab network - NMap for support. This can delay incident analysis leading to loss
• Website vulnerabilities against lab network - Vega of critical real-time data. Users can engage in an exercise
• Forensic tools to acquire a disk image - Autopsy detailing an incident response team’s ability to respond to
• System and application logging - HMI Historian, Win- stimulated cyber incidents within the ICS lab. Such exercises
dows Logs, Syslog would also help students better understand the importance of
Intrusion Detection Systems (IDS), ICS-CERT and Security
VII. L AB U SE C ASES information and event management systems (SIEM).
The primary objective of this laboratory is for students E. Frameworks study and research
to conduct experiments and understand the importance of Security framework study and research by users as in the
Industrial control systems as cyber-targets. Few use cases of study of various ICS, NERC Industrial security frameworks
the ICS lab were identified for students. They were also the and understand their implementation against the near real-
driving factors during ICS lab design considerations and core world lab setting.
requirements in the project design phase. The ICS lab can be
F. Industrial cyber-security
used as below during and off-training cycles;
Students often limit their cyber defense knowledge due to
A. Defensive Security the lack of a lab as a playground. Coupling corporate-type
White Hat (blue) teams can use of the lab for practical Internet facing systems with industrial systems gives students
experiments, study defensive methods and conduct research a real-world interface of computers and the importance in de-
in areas like system hardening, implementing security industry fending them. General aspects of system behavior monitoring,
best practices, vulnerability management etc. attack estimation and prevention, insider threats, known and
unknown attack detection [29] can be studied in a lab setting.
B. Offensive Security
G. Risk Management
Black Hat teams (Red team) can use the ICS lab for Students can evaluate current risk mitigation procedures
offensive experiments, study of offensive methods and conduct related to cyber-attacks and identify critical gaps in risk
research in the areas like Attack stimulation and Offensive planning, develop appropriate risk mitigation controls and
testing (ICS lab validation). recommendations in response to the types of stimulated cyber-
C. Forensics study and research attacks on the lab.
SCADA forensic investigations are different from routine H. Vulnerability Assessments
corporate network forensics or home network forensics due to Students can use the ICS lab to conduct assessments for
the nature of industrial systems involved [10]. SCADA systems vulnerabilities. ICS-CERT’s Cyber Security Evaluation Tool
are not only dependent on safety but also on security [27]. ICS (CSET) [30] is vulnerability assessment tool that can be
are not easily configurable for any forensic activity. Often used to perform a self-assessment of the vulnerabilities found
ICS systems cannot be brought offline for forensic making on the ICS lab’s systems. This tool uses hybrid risk and
it harder to conduct live forensics during post-analysis of a standards-based approach to evaluate the cyber-security of
cyber-incident [28]. Users can conduct various live forensic an industrial control or business system to provide relevant
investigations (network, file-system, volatile memory, PLC recommendations for improvement. Care should be taken to
memory, time-synchronization) against true or staged incidents trigger less intrusive vulnerability scans as some ICS devices
during training exercises and benefit from a near real-world may exhibit abnormal behavior due to such scans.
 VIII. C ONCLUSION [11] A. Nicholson, S. Webber, S. Dyer, T. Patel, and H. Janicke,
“SCADA security in the light of Cyber-Warfare,” Computers &
The ICS lab at SHSU serves as a unique testbed for students Security, vol. 31, no. 4, pp. 418–436, jun 2012. [Online]. Available:
and researchers interested in Industrial Control Security and https://www.sciencedirect.com/science/article/pii/S0167404812000429
[12] P. J. Conklin Wm. Arthur, “Design of a SCADA laboratory to
incident forensics. The ICS/SCADA hardware was limited to support IT Classes,” in Proceedings of the 15th Colloquium for
a few PLC’s and accessories due to limited budget. Since Information Systems Security Education, Fairborn, Ohio, 2011.
the lab was initially setup, additional ICS/SCADA hardware [Online]. Available: https://www.researchgate.net/profile/Jenifer
Amla/post/How to develop SCADA in laboratory environment/
has been included to allow for a more diverse ecosystem of attachment/59d63dac79197b807799a705/AS%3A420967135367169%
industrial protocols and systems. A HTML5 browser capable 401477377794728/download/65.pdf
mobile interface was initially planned but could not make it to [13] E. Sitnikova, E. Foo, and R. B. Vaughn, “The Power of Hands-
On Exercises in SCADA Cyber Security Education.” Springer,
the final design. In future upgrades of this lab, HMI mobility Berlin, Heidelberg, 2013, pp. 83–94. [Online]. Available: http:
and industrial related Internet-of-Things (IoT) devices can be //link.springer.com/10.1007/978-3-642-39377-8 9
incorporated. [14] R. Hewett, S. Rudrapattana, and P. Kijsanayothin, “Cyber-security
analysis of smart grid SCADA systems with game models,” in
Proceedings of the 9th Annual Cyber and Information Security
IX. ACKNOWLEDGMENT Research Conference on - CISR ’14. New York, New York,
USA: ACM Press, 2014, pp. 109–112. [Online]. Available: http:
A word of thanks to Automationdirect and Eaton for do- //dl.acm.org/citation.cfm?doid=2602087.2602089
[15] “CERT - Training Available Through ICS-CERT — CISA Cyber
nating SCADA hardware. The authors thank Andre Bastos at Infrastructure.” [Online]. Available: https://ics-cert.us-cert.gov/Training-
Indusoft for his help with PLC programming, Tim McGuffin Available-Through-ICS-CERT{\#}workshop
(Ex-Information Security Officer, SHSU) for his help with [16] “Information Security Principles for Business Resilience,” Tech. Rep.,
2012. [Online]. Available: https://www.tisn.gov.au/documents/itseag+
the network configurations and Andrew Bennett (Ex-Director, secure+your+information+cio.pdf
Center of Excellence in Digital Forensics, SHSU) for his [17] J. Weiss, “A Grim Gap: Cybersecurity of Level 1 Field Devices and
support in obtaining the Indusoft Educational License. lack of appropriate OT Expertise,” 2019. [Online]. Available: https:
//www.controlglobal.com/blogs/unfettered/a-grim-gap-cybersecurity-
of-level-1-field-devices-and-lack-of-appropriate-ot-expertise/
R EFERENCES [18] “InduSoft Web Studio HMI SCADA Development Software.” [Online].
Available: http://www.indusoft.com/
[1] P. V. Domenici, “S.1407 - 107th Congress (2001-2002): Critical [19] “AutomationDirect - Home.” [Online]. Available: https://about.
Infrastructures Protection Act of 2001,” 2001. [Online]. Available: automationdirect.com/
https://www.congress.gov/bill/107th-congress/senate-bill/1407 [20] “EATON.” [Online]. Available: https://www.eaton.com/us/en-us/
[2] Assistant Secretary Jeanette Manfra, “Written testimony of company/about-us.html
NPPD for a House Homeland Security Subcommittee on [21] D. Z. Kapellmann, N. Brubaker, and R. Caldwell, “ICS
Cybersecurity & Infrastructure Protection and House Armed Services Tactical Security Trends: Analysis of the Most Frequent
Subcommittee on Emerging Threats & Capabilities hearing regarding Security Risks Observed in the Field,” 2018. [Online]. Avail-
Interagency Cyber Cooperation — Homeland Security,” 2018. able: https://www.fireeye.com/blog/threat-research/2018/10/ics-tactical-
[Online]. Available: https://www.dhs.gov/news/2018/11/14/written- security-trends-analysis-of-security-risks-observed-in-field.html
testimony-nppd-house-homeland-security-subcommittee-cybersecurity [22] B. Contos, “Security Instrumentation for Industrial Con-
[3] “The digital skills gap in government: Survey findings,” trol Systems (ICS) Environments,” 2018. [Online].
Cabinet Office, UK, Tech. Rep., 2015. [Online]. Avail- Available: https://www.verodin.com/post/security-instrumentation-for-
able: https://www.nao.org.uk/wp-content/uploads/2015/12/The-digital- industrial-control-systems-ics-environments
skills-gap-in-government-Survey-findings-December-2015.pdf [23] S. Mallur, “Demystifying Cyber Security in Industrial Control
[4] “CIS Controls.” [Online]. Available: https://www.cisecurity.org/controls/ Systems.” [Online]. Available: https://www.isaca.org/Journal/archives/
[5] “Idaho National Laboratory.” [Online]. Available: http://www.inl.gov/ 2017/Volume-4/Pages/demystifying-cyber-security-in-industrial-
[6] T. Morris, R. Vaughn, and Y. S. Dandass, “A testbed for control-systems.aspx
SCADA control system cybersecurity research and pedagogy,” in [24] “Modbus PLC Simulator.” [Online]. Available: http://www.plcsimulator.
Proceedings of the Seventh Annual Workshop on Cyber Security org/
and Information Intelligence Research - CSIIRW ’11. New York, [25] “Communication Protocol Test Harness, Triangle Microworks
New York, USA: ACM Press, 2011, p. 1. [Online]. Available: Inc.” [Online]. Available: http://www.trianglemicroworks.com/products/
http://dl.acm.org/citation.cfm?doid=2179298.2179327 downloads
[7] I. Ahmed, V. Roussev, W. Johnson, S. Senthivel, and S. Sudhakaran, [26] “KEPServerEX Connectivity Platform — OPC Server —
“A SCADA System Testbed for Cybersecurity and Forensic Research Kepware.” [Online]. Available: https://www.kepware.com/en-us/
and Pedagogy,” in Proceedings of the 2nd Annual Industrial products/kepserverex/
Control System Security Workshop on - ICSS ’16. New York, [27] M. Brändle and M. Naedele, “Security for Process Control Systems:
New York, USA: ACM Press, 2016, pp. 1–9. [Online]. Available: An Overview,” IEEE Security & Privacy Magazine, vol. 6, no. 6,
http://dl.acm.org/citation.cfm?doid=3018981.3018984 pp. 24–29, nov 2008. [Online]. Available: http://ieeexplore.ieee.org/
[8] T. Alves, R. Das, and T. Morris, “Virtualization of Industrial Control document/4753670/
System Testbeds for Cybersecurity,” in Proceedings of the 2nd Annual [28] F. Adelstein and Frank, “Live forensics,” Communications of the
Industrial Control System Security Workshop on - ICSS ’16. New ACM, vol. 49, no. 2, p. 63, feb 2006. [Online]. Available:
York, New York, USA: ACM Press, 2016, pp. 10–14. [Online]. http://portal.acm.org/citation.cfm?doid=1113034.1113070
Available: http://dl.acm.org/citation.cfm?doid=3018981.3018988 [29] Q. Chen and S. Abdelwahed, “Towards realizing self-protecting
[9] J. Pack and Jeff, “Situational awareness for SCADA systems,” in SCADA systems,” in Proceedings of the 9th Annual Cyber and
Proceedings of the Fifth Cybersecurity Symposium on - CyberSec ’18. Information Security Research Conference on - CISR ’14. New York,
New York, New York, USA: ACM Press, 2018, pp. 1–2. [Online]. New York, USA: ACM Press, 2014, pp. 105–108. [Online]. Available:
Available: http://dl.acm.org/citation.cfm?doid=3212687.3212865 http://dl.acm.org/citation.cfm?doid=2602087.2602113
[10] I. Ahmed, S. Obermeier, M. Naedele, and G. G. Richard III, [30] “Cyber Security Evaluation Tool (CSET): Performing a Self-
“SCADA Systems: Challenges for Forensic Investigators,” Computer, Assessment,” 1969. [Online]. Available: https://www.hsdl.org/?abstract&
vol. 45, no. 12, pp. 44–51, dec 2012. [Online]. Available: http: did=695539
//ieeexplore.ieee.org/document/6298895/