2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

Overview of Cyber-security of Industrial Control System

Xiaohe Fan1, Kefeng Fan 2,Yong Wang1,Ruikang Zhou2

1 School of Computer Science and Engineering, Guilin University of Electronic Technology, Guilin,
China 541004
2 Research Center of Information Security，China Electronics Standardization Institute
Beijing, China 10007
E-mail: kefengfan@163.com

Abstract-With the development of information and so on. ICS has become an important part
technology, the network connection of industrial of national critical infrastructure. Its security
control system (ICS) and information technology is related to our national strategic security. In
(IT) is becoming more and more closely. What’s recent years, some security incidents were
more, the security issues of traditional IT systems
in industrial control system are also more caused due to viruses in domestic electricity,
prominent. Early industrial control system mainly transportation, municipal administration,
uses physical isolation approach to protect petroleum and other industries. And they
security. In this paper, we review the caused certain economic losses. So, the
characteristics and reference models of industrial authorities and users pay more attention to
control system and analyze the current security
these security incidents.
status of industrial control system. Moreover, we
propose a defense-in-depth system, security While the domestic research about
policies of active protection and passive monitoring industrial control system security has just
for these security issues. Besides, we also discuss begun, the importance of intelligent industrial
the key technologies and summarize the full text. control system in electricity, transportation,
petroleum, municipal administration,
Keywords: Industrial Control System (ICS); manufacturing and other fields is becoming
Information security; Risk assessment; Anomaly more and more prominent. The security
detection
threats from information network will
I. INTRODUCTION gradually become the biggest security
challenges for industrial control system. They
A. Introduction of industrial control system are also major problems that we urgently need
The industrial control system (ICS) is to study and solve.
composed of various automation control B. Structure model of Industrial Control
components and process control components for System
real-time data collection and monitoring. The Figure 1.1 describes the reference model
ICS is a management and control system which of industrial control system. It consists of four
can ensure that the industrial technical facilities logical layers which are operation and
run automatically, control and monitor the management, centralized monitoring, on-site
business processes. The core components of ICS equipment and production process. According
are Supervisory Control And Data Acquisition to the different functions and sizes, different
(SCDA), Distributed Control System (DCS), industrial control system contains different
Programmable Logic Controller (PLC), Remote logical layers. The logical layers of production
Terminal Unit (RTU), Intelligent Electronic process, on-site equipment and centralized
Device (IED) and the interface technology which monitoring must be contained in ICS, while
is to ensure the communication of components[1]. the layer of operation and management is
The ICS is commonly used in some areas optional.
such as petroleum, nuclear power plants,
chemical industry, transportation, electricity

978-1-4673-7977-9/15/$31.00 ©2015 IEEE

2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

Figure 1.1 Industrial Control System Reference Model

Production process layer can implement unauthorized persons and systems from
continuous or discrete industrial production. modifying the software and its data, and
Typical production process equipment of preventing them from accessing to system,
industrial control system includes switches while allowing authorized persons and
and regulators and other actuators, sensors and systems to do these things; Avoiding illegal or
industrial instrumentation and so on. harmful invasion of industrial control system
.The main function of on-site equipment is or interfering with the correct and planning
to achieve measurement, control and operation.”
protection in the independent part of the D. Difference between ICS safety and IT
production process. On-site equipment security
receives operating data of industrial processes Initially, the ICS was an isolated system,
from transformers, switching devices and and we used proprietary control protocols and
industrial instrumentation, and then does specialized hardware and software. With the
logical computing. After that, on-site development of ICS, we gradually adopt IT
equipment sends control commands to solutions to promote the overall connectivity
switching devices or combination instrument. and interactivity, and improve the ability of
C. Security type of Industrial control remote access. This new application reduces
system the isolation between ICS and external greatly.
Generally, the security of industrial However, it also brings some new security
control system can be divided into three areas: issues. Although we have taken a lot of
functional security, physical security and security measures for traditional IT systems,
information security [2,3]. many of these measures can’t be applied
z Functional security is in order to achieve directly to the ICS environment. So we must
safety functions of equipment and factory. take special preventive measures. [4-6]
Safety-related parts which are protected and Because of the time-sensitive, high
control equipment must perform its function reliability, high availability and high security
properly. What’s more, when the failure or of the industrial control network, the
malfunction occurs, devices or systems must differences between ICS security features and
be able to maintain the security conditions or IT systems are showed as following:
access to a safe state. z Functional requirements. Industrial
z Physical security is to reduce harm which control system focuses on the production
is caused by the electric shock, fire, radiation, process. Particularly, a lot of equipments or
mechanical hazards, chemical hazards and products of ICS are embedded. So, many
other factors. previous IT solutions can’t be directly applied
z The definition of information security of to the production. From the perspective of risk,
industrial control system in IEC62443 is confidentiality is more important in the IT
“Measures which are taken to protect system; environment. For example, some documents
the system state which is achieved by taking do not want to be seen by unauthorized people.
measures of establishing and maintaining This is the requirement of confidentiality. But
system; avoiding unauthorized access to availability is the highest demands in
system resources and unauthorized or production environment. It requires that the
accidental change, damage or loss; Based on production is sustainable.
the ability of computer system, preventing z Resource requirements. The ICS real-
2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

time operating system is often limited by nation's critical infrastructure. However, the
resources, while it generally does not include security research of ICS only began in recent
the typical IT security function. There may not years, the safety indicators and assessment
be available computing resources to update methods are not yet ripe. Also, because the
the security features of these systems on the ICS security attacks are mostly large-scale,
ICS components. multi-party cooperation and long duration
z Security consequences. The information (advanced persistent threat) APT attacks,
security of common IT systems does not security assessment methods in traditional
involve industrial processes. It is relatively information systems are not entirely
simple. The most likely scenario is the loss of applicable in this case. Safety indicators which
confidential information, but it will not cause are related with ICS are scarce not only in
direct loss of personnel, equipment and domestic but also in the international. It is not
environment. The information security of easy to form comprehensive and systematic
industrial control system is linked to the safety regulations to assess the safety and
production process. Several situations will guidance for ICS. In addition, with the limit of
occur once the production process is hacked, less data and low objectivity and other factors,
and confidential information will be stolen. it is very difficult to build the quantitative
Whether it is malicious or unintentional, models of ICS safety assessment.
information will be stolen and leaked. If it is C. Lack of security testing technology
malicious, it may damage the production There are significant differences in the
process. performance and security objectives between
ICS systems and traditional IT systems. The
II Security Status of Industrial control intrusion defense strategy on traditional IT
system systems is not effective on the ICS systems.
For ICS systems, intrusion detection is a kind
A. Malicious code and Unauthorized access of network behavior through the collection
In 2010, the Stuxnet virus attacked Iranian and analysis. It detects whether there is
nuclear facilities. It was a wake-up call for the invasion against ICS systems by comparing
whole world. The virus spread through U disk with known intrusion model or making
and other equipment in the local area network decision and analysis for the unknown
and hided in the industrial facilities[7,8]. Finally, intrusion model.
it controlled the normal operation of the Since the research on ICS system intrusion
centrifuge system using the vulnerabilities of detection is still in its infancy at the
operating system. international level, there are a few research
"21 measures to improve SCADA network institutions for the ICS system intrusion
security" which was released by the US detection researches. In this regard the United
Department of Energy requires suppliers of States is in a relatively leading position, while
equipments and systems to provide security the domestic research on ICS system intrusion
functions [9]. What’s more, it required them to detection is basically in a relatively empty
put a patch on the old SCADA system, and stage.
build strong control to anything that might D. Lack of behavior audit
become a SCADA system network backdoor The relatively closed environment in
media. At present, industrial control system in domestic ICS easily let the staff from internal
our country still has potential threat of large- system make mistakes, abuse or intentional
scale cyber attacks. destructive actions in the application system
In addition, because of the traditional level. This is a major security risk faced by
industrial network and network are physical industrial control system. Therefore, it is very
isolation, the communication protocol in necessary to do monitoring, management and
industrial control network didn’t include auditing for the production network access
access control policy such as authentication. behavior, specific control protocol content and
So that attackers can counterfeit legal identity authenticity and integrity of database data. But
to send error information and malicious in the real world, there is usually lack of
command easily. security log audit and configuration changes
B. Lack of risk assessment system management for ICS. This is because some
In recent years, the related security parts of the ICS system may not have the audit
incidents of ICS occurred repeatedly. They function or it can not open the results caused
impacted on various industrial sectors and the by the audit function. At the same time, the
2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

current security audit products can not be

directly used for ICS system due to the lack of
analysis about industrial control system
communication protocol capability. It requires
special customization. Since the industrial
control system communication protocol is lack
of uniform standards, this custom work is
costly and is not universal. This is also one of
the reasons for the lack of behavior audit
about illegal operations in ICS system[10].

III. Security Policies And Technology of

Industrial control system

Industrial control system are widely used

in the field of critical infrastructure. The Figure 3.1 Industrial control system security defense
malicious attacks on Industrial control system in depth model
can cause serious consequences. Therefore, Commercial firewalls mainly insulate the
the secure control system is an important office network to external network. The
factor to protect the national critical security gateway mainly insulates work area
infrastructure. Recently, effects of an attack on to control area. In addition to the security
industrial control system have become a hot equipment for boundary isolation, we need to
research in critical infrastructure. There are protect the security of industrial PC and field
two basic strategies about analysis of the devices. What’s more, reliability, safety
safety control system. Firstly, increasing monitoring for operation log and data backup
tolerance and robustness of the control system is needed for us to ensure the safe of industrial
can enable it to run normally after being production activities.
attacked. This is passive safety. Secondly, B. Active Security Defense
increasing the security of the system can 1). Model checking technology
enable it to avoid being attacked. This is With the industrial control system in
active safety [11,12]. safety-critical national infrastructure applying,
A. Depth defense system in Industrial analysis and verification of control systems
control system become an important aspect of defense
The information security issue in industrial mechanisms. In recent incident, Stuxnet,
control system has a certain complexity. asophisticated software worm that targets
Overall system security can not be achieved SCADA in critical infrastructure companies
only relying on single security technologies has been found to upload the Programmable
and solutions. Therefore, we must integrate a Logic Controllers (PLC) that control industrial
variety of security technologies and take automation processes. In addition, this
various security measures hierarchically in malware also enables attackers to gain control
order to improve the overall defense capability of critical plant operations from remote
of the system. US Department of Homeland locations. Velagapalli and Ramkumar [14]
Security (DHS) proposes industrial control proposed a method to secure SCADA systems
system "defense in depth" strategy. It divided by relying on the trusted simple non-
industrial control network into different programmable hardware chips called STCB.
security zones. By deploying firewall, The low complexity of STCB chips enables
intrusion detection, vulnerability scanning and verification and building block of complex
other security measures can form an integral trusted functionalities of system controllers.
protection[13]. Figure 3.1 shows industrial However, their approach assumes that all data
control system security defense in depth from sensors and actuators are not
model based on the different security partition impersonated by malicious attacks. Most of
of industrial control system network. the above efforts are based on quantitative
mathematical models using optimization and
control theories that have been successfully
applied to physical systems. While these
approaches are useful, most of them rely on
assumptions that do not hold in cyber security
contexts.
2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

Rattikorn Hewett and Phongphun 4). Security risk assessment technology

Kijsanayothin[15] proposed an approach that IEC 62443 introduces the conception of
facilitates a semi-automated security system Security Assurance Level (SAL), which try to
verification of control systems by a novel measure the security of an area with the norm
application of model checking, a technique methods. It can be used by product and user of
traditionally used for automated software the ICS. According to the different stages of
verification. The proposed approach is the information security, it defines the target
different from typical model-checking SAL, design SAL, achieved SAL and
applications in that it has the ability to capability SAL which can be used to achieve
uncover missing safety and security properties the security of the prospective design. Figure
that should be specified to prevent 3.2 shows the typical industrial control system
catastrophes caused by malicious acts. information security risk assessment system.
2). Security testing platform technology
In recent years, proliferation of cyber-
attacks to ICS revealed that a large number of
security vulnerabilities exist in ICS. Excessive
security solutions are proposed to remove the
vulnerabilities and improve the security of
ICS. However, to the best of our knowledge,
none of them presented or developed a
security test-bed which is vital to evaluate the
security of ICS tools and products. Mahdi
Azimia etc.[16] proposed a test-bed for
evaluating the security of industrial
applications by providing different metrics for
static testing, dynamic testing and network Figure 3.2 ICS information security risk evaluation
testing in industrial settings. Compared with system
other detection platform, this platform covers The information security protection of ICS
all parts of the ICS completely and provides measures by managers as an investment.
metrics for evaluations. However, only a few approaches exist which
Based on existing and current SCADA/ support the process of cost estimation of
DNP3 security issues, AAmir Shahzad etc.[17] information security. They include I-CAMP
proposed security solutions (using and SQUARE etc. Practically, all of them aim
cryptography implementations ) to protect the at estimating the cost of a security breach,
communication (SCADA/DNP3 protocol which means that they focus on the benefit
communication), and attack (abnormal) side of the cost–benefit equation. But the
scenarios have been created within each test- precision of their estimations is far from
bed implementation. The scheme effectively sufficient and they usually use hidden
compensate for the shortage of performance of algorithms. With such a limited set of tools
the firewall, DMZs, and IPsec SSL/TLS. and methods it is very difficult or sometimes
3). Access Control And Authentication even impossible to provide costing figures and
Technology to defend security costs before senior
Peng Jie etc.[18] proposed a kind of management in order to persuade them to
distributed firewall which adds a protective invest in information security. According to
layer among internal subnet compared with our research, the set of tools which could
traditional boundary firewall. It can make support the estimation of these costs is very
different configuration for each service object, limited and practically consists of one method.
and fully consider the running applications In order to address this lack of support tools,
and network processing load when set Rafał Leszczyna[19] developed a new method,
configure. Firewall rule configuration uses the which is designed to facilitate estimation of
white list mechanism, which makes dynamic the cost of activities involved in the cyber-
judgments of behavior between control security lifecycle. The method was developed
network and information network. Except that in the following steps: selection and
we should do our best to functional isolation adaptation of a costing system, preparation of
and prevent the spread of malicious code to the list of activities, assignment of cost centres
other production equipment by limiting inter- and activity cost drivers, specification of input
subnet communication strictly. data, output data.
2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

Risk assessment can find potential allowed – IDS recorded – command brings the
vulnerabilities in industrial control system, virtual image of the system into a critical state
Abhishek Rakshit and Xinming Ou[20] an alert is raised. In this way, complex
presented an architecture for host-based SCADA attacks will be identified as well.
security analysis, which is not only addresses 2). Incident Response and the
the above stated concerns but also supports Troubleshooting Process
other high level security analysis tools. This Improving the level of industrial control
architecture includes two parts: scanner and system of emergency response and fault
analyzer. diagnosis ability helps the further protection
C. Passive security testing of industrial of the safety of industrial control system.
control system Masatoshi TAKANO[25] proposed ICS network
1). Intrusion Detection Technology security incident response and troubleshooting
Industrial Control System has used to be process. In this approach, Masatoshi
isolated but is now being connected to the TAKANO provided a defense strategy called
outside world. Anomaly detection based “Defense in Depth”, and described the
network monitoring and intrusion detection configuration of each layer in detail. The
systems could be capable of discerning normal multilayered defense with safety functions can
and aberrant traffic in industrial control perform certain emergency actions before the
system, detecting security incidents in an early exploitation of zero-day attack can affect the
phase. Matti Mantere etc.[21] think that which system. In addition, having minimal software
feature best differentiate between anomalous installation and network connections also
and normal behavior is one of the challenges contributes to being robust against an
for a monitoring system. The method used is unknown cyber incident.
machine learning combined with passive D. Comparison of Related Technology
monitoring and a priori knowledge of At present, there are many new types of
protocols used. Matti Mantere and Mirko attack, and the existing technology still has
Sailio [22] proposed a new method which uses many deficiencies. Table 1 is a comparison
self-organizing maps algorithm, and provides table of some methods to deal with common
implement method for the initial features of security attacks.
self-organizing map. TABLE I THE COMPARISON OF
The Modbus protocol is one of the most DIFFERENT SOLUTIONS
commonly used protocols in industrial control
system, but it is vulnerable to flooding attacks.
Sajal Bhatia etc.[23] believed that an anomaly-
based detection algorithm and signature-based
Snort threshold module were capable of
detecting Modbus flooding attacks. The
change detection technique used in this paper
is a variant of the moving average technique
called Exponentially Weighted Moving
Average (EWMA).EWMA examines the
value of the observed parameter and
determines whether it has exceeded a IV. CONCLUSIONS
particular threshold value. EWMA was chosen
because of its simplicity, flexibility, robustness Industrial control system security is a
and effectiveness, especially in detecting high major strategic issue in the national economy
intensity attacks. and people's livelihood. How to protect ICS
Igor Nai Fovino etc.[24] presented a new and prevent it from internal and external
approach on intrusion detection in SCADA security threats and malicious attacks is a
systems, based on the concept of system great challenge of ICS security domain. In this
knowledge base and system state analysis. In paper, we analyze the present situation of the
this approach, by the use of an already current industrial control system domestic and
developed and consolidated system overseas after further study of industrial
description methodology, the system control system network architecture. Then we
knowledge is decomposed in terms of put forward the corresponding security
components, information flows, critical states strategy, and expound the key technology in
and vulnerabilities associated with the detail.
components. In this way, every time an Based on the current analysis, we make a
2015 International Conference on Cyber Security of Smart cities, Industrial Control System and Communications (SSIC)

brief description of outlook in the industrial n, D.C., USA. 2005.

[10] M. Swanson: Security Self-Assessment Guide for I
control system information security research. nformation Technology Systems. National Institute of Sta
As security audit products can’t be unified for ndards and Technology, Technology Administration, U.S.
ICS, we should cost much to customize. So DoC, Tech. Rep., November 2001.
[11] Amin, S., Cardenas, A. A., and Sastry, S. S: Safe
developing a common ICS security audit and Secure Networked Control Systems under Denial-of-
system is essential. This system combines Service Attacks, in Hybrid Systems: Computation and C
techniques such as data acquisition, anomaly ontrol. Lecture Notes in Computer Science. Springer Ber
lin/Heidelberg, pp. 31–45.
detection, incident response and [12] Giannakopoulou, D., Pasareanu, C. S. and Barringer,
troubleshooting, so that it can further improve H.,2002. Assumption generation for software component
the safety level of industrial control system. verification. In Proceedings of Automated Software Eng
Nowdays, there are more and more ineering, IEEE Computer Society, pp. 3-12.
[13] P. Ning, Y. Cui, and D.S. Reeves: Constructing Att
malicious code and APT in industrial network, ack Scenarios through Correlation of Intrusion Alerts. In
and because of the secure fundamentals of ICS Proceedings of the ACM Conference on Computer and
are so week, traditional physical isolation Communications Security, pages 245-254, Washington,
D.C., November 2002.
measures can’t meet the needs of the [14] Velagapalli, A. and M. Ramkumar, 2011: Minimizin
functional and security of ICS. Besides that g the TCB for Securing SCADA Systems. In Proceedin
communication protocol vulnerability of ICS gs of the 7th Annual Workshop on Cyber Security and
Information Intelligent Research (CSIIRW'11, October 12
is one of the most serious problems, so we -14, Oak Ridge,Tennessee, USA). ACM, New York,DOI
should take security reform of fieldbus =http://dx.acm.org/10.1145/2179298.2179320.
protocols as the future research direction. [15] Rattikorn Hewett and Phongphun Kijsanayothin: Se
curing System Controllers in Critical Infrastructures. Pro
ceedings of the Eighth Annual Cyber Security and Infor
V. ACKNOWLEDGMENT mation Intelligence Research Workshop.
[16] Azimi M, Sami A, Khalili A: A Security Test-Bed
This work was supported in part by a grant for Industrial control system. //MoSEMInA 2014 Procee
dings of the 1st International Workshop on Modern Soft
from the National Natural Science Foundation of ware Engineering Methods for Industrial Automation, Ne
China (No.61172053, No. 61202266), Special w York, NY, USA: ACM , 2014-05-31:Pages 26-31
Project of Public Industry R&D of [17] Shahzad A, Musa S, Aborujilah A: Industrial contr
aqsiq,China(No.201510213-02 ， No.201310209- ol system (ICSs) Vulnerabilities Analysis and SCADA S
03). ecurity Enhancement Using Testbed Encryption. //ICUIM
C'14The 8th International Conference on Ubiquitous Inf
ormation Management and Communication Siem Reap,
VI. REFERENCES New York, NY, USA: ACM, 2014-01-09.
[18] Jie P, Li L: Analysis of Information Security for I
ndustrial Control System. PROCESS AUTOMATION IN
[1] STOUFFER K，FALCE J，SCARFONE K: Guide t
STRUMENTATION, December 2012, 33(12):36-39.
o Industrial control system (ICS) Security[EB/OL] . [201
[19] Rafał Leszczyna: Approaching secure industrial cont
1-6-22}.http://www.securityvibes.com/docs/DOC-1347.
rol system. IET Information Security, 2015, 9(1):pp.81-8
[2] C.-W. Ten, G. Manimaran, and C.-C. Liu: Cybersec
9.
urity for critical infrastructures: Attack and defense mod
[20] Rakshit A, Ou X: A HOST-BASED SECURITY A
eling, Systems, Man and Cybernetics, Part A: Systems a
SSESSMENT ARCHITECTURE FOR INDUSTRIAL CO
nd Humans, IEEE Transactions on, vol. 40, no. 4, pp. 8
NTROL SYSTEM. //Resilient Control Systems, 2009. IS
53–865, 2010.
RCS '09. 2nd International Symposium on, IEEE, 2009:
[3] Zhihong R: Information security protection of industr
13 - 18.
ial control system. Information security and communicati
[21] Mantere M, Uusitalo I, Sailio M, etal: Challenges
on security, 2014(12).
of Machine Learning Based Monitoring for Industrial C
[4] NIST SP800-82: Guide to Industrial control system(I
ontrol System Networks. //Advanced Information Networ
CS) Security. Gaithersburg, USA: National Institute of S
king and Applications Workshops (WAINA), 2012 26th
tandards and Technology (NIST), 2011.
International Conference on, IEEE, 2012:968 - 972.
[5] Daid A: Multiple Efforts to Secure Control Systems
[22] Mantere M, Sailio M, Noponen S: A Module for
are Under Way, but Challenges Remain, GAO-07-1036
Anomaly Detection in ICS Networks. //HiCoNS '14 Proc
[r], Washington DC, USA: US Government Accountabili
eedings of the 3rd international conference on High con
ty Office (US GAO), 2007.
fidence networked systems, New York, NY, USA: ACM,
[6] Department of Homeland Security (DHS): Cyber Sec
2014-04-15:49-56.
urity Assessments of Industrial Control System . Washin
[23] Bhatia S, Kush N, Djamaludin C, etal: Practical
gton Dc, USA: Department of Homeland Security(DHS)
Modbus Flooding Attack and Detection. //AISC '14 Proc
, 2010.
eedings of the Twelfth Australasian Information Security
[7] The European Network and Information Security Ag
Conference-Volume 149, Darlinghurst, Australia, Austral
ency(ENISA): Protecting Industrial control system, Reco
ia: Australian Computer Society, Inc, 2014-01-20:57-65.
mmendations for Europe and Member States[R]. Herakli
[24] Fovino I N, Carcano A, Murel T D L, etal: Modb
on, Greece: Recommendations for Europe and Member
us/DNP3 State-based Intrusion Detection System. //24th
States, 2011.
IEEE International Conference on Advanced Information
[8] Byres EJ, Kay J, Carter J: Myths and facts behind
Networking and Applications, IEEE, 2010:729 - 736.
cyber security and industrial control (2003) [Z/OL]. (201
[25] TAKANO M: ICS Cybersecurity Incident Response
0-02-12), http://www.pimaweb.org/conference/april 2003/p
and the Troubleshooting Process. //SICE Annual Confer
dfs/Myths And Facts Behind Cyber Secuity.pdf.
ence 2014, Sapporo, Japan: Hokkaido University, 2014:8
[9]Department of Energy. 21 steps to improve Cyber Secur
27-832.
ity of SCADA Networks. Department of Energy. Washingto