Simulation and Impact Analysis of Denial-of-Service Attacks on Power SCADA

Rajesh Kalluri, Lagineni Mahendra
Center for Development of Advanced Computing, C-DAC Knowledge Park, No 1, Old Madras Road, Byappanahalli, Bangalore, INDIA
rajeshk@cdac.in, laginenim@cdac.in

R.K. Senthil Kumar, G.L. Ganga Prasad
Center for Development of Advanced Computing, C-DAC Knowledge Park, No 1, Old Madras Road, Byappanahalli, Bangalore, INDIA
senthil@cdac.in, gpr@cdac.in

Abstract—With the ever growing threat of cyber terrorism, the vulnerability of Supervisory Control and Data Acquisition (SCADA) systems is now a common subject for most security researchers. Attacks on SCADA systems are increasing, and their impact needs to be studied in order to implement proper counter measures. Many SCADA systems are relatively insecure, with chronic and pervasive vulnerabilities. This paper explains possible vulnerabilities present in SCADA systems and also presents an impact analysis of Denial of Service (DoS) by modeling the attack using an influence diagram. Simulation of DoS attacks helps in analyzing and assessing the security of a SCADA system and is also used to analyze the impact. Experiments have been conducted on an RTU by targeting the "availability" of the system; the results have been analyzed and the impact studied.

Keywords—Supervisory Control and Data Acquisition (SCADA); Denial of Service (DOS); Remote Telemetry Unit (RTU); Master Terminal Unit (MTU); Attack Trees

I. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA) systems are used to control and monitor the power system on a real-time basis. A SCADA system consists of various measurement transducers (power, reactive power, voltage, current, frequency etc.), which collect the real-world parameters as electrical signal ranges (such as 4-20 mA, 0-5 V DC, 0-10 V DC, +/-20 mA, +/-40 mA etc.). Transducer signals are connected to RTUs/IEDs.
The RTU converts the received analog signals to digital format and sends them to the control center using the IEC 60870-5-101/104 [1][2], IEC 61850 [3], MODBUS and DNP (Distributed Network Protocol) v3 protocols [4]. RTUs are connected to the master terminal unit (MTU) using various communication infrastructures such as leased lines, wide area networks etc. The MTU provides data to the Human Machine Interface (HMI) for the needed monitoring and control purposes [9]. Control actions start from the HMI and travel via the MTU and RTU to the field.

The threats posed by attackers/hackers at all levels of the SCADA system architecture should first be figured out. Performing threat detection on the live system is not feasible due to its critical nature. Threat detection at all levels needs to be done by performing a risk analysis over the entire system. Risk analysis is a means by which one can know the security level of a particular industry and incorporate new ways to intensify the security level and eradicate the specific loopholes in that industry, which, if present, may cripple the entire industry. One more advantage of risk analysis is that a particular industry may decide to implement security completely on all devices or apply it only to selected critical areas, to balance the implementation cost against the benefits of implementing it.

978-1-4799-5141-3/14/$31.00 ©2016 IEEE

Approaches to performing risk analysis are mainly classified into two types, i.e. the quantitative approach and the qualitative approach. But in real-time systems like SCADA systems, the most usable approach is the quantitative approach. Following are some of the techniques by which the quantitative approach can be performed:
• Attack trees
• Defense trees
• Defense graphs
• Influence diagrams

The rest of the paper is organized as follows: Section II illustrates possible power system vulnerabilities and countermeasures.
Section III gives a glimpse of various types of DoS attacks using an influence diagram. Section IV highlights the DoS experiments conducted on the RTU. Section V illustrates the impact of those attacks on SCADA systems, and Section VI concludes.

II. POSSIBLE VULNERABILITIES AND COUNTER MEASURES

Every system, whether IT (Information Technology) or ICS (Industrial Control System), is exposed to cyber attack, and each system may have its own vulnerabilities that lead to attack. Loss of access to or misuse of these systems could result in severe physical damage, disruption and financial loss to a company. Therefore, SCADA system security has high priority. Traditionally, SCADA networks have been segregated from other corporate networks to minimize exposure to unsecure areas, such as the Internet. Once connected through the Internet, the possibility of attacks increases, and zero-day vulnerabilities in any SCADA component also demand a higher level of security mechanisms.

Fig. 1. Basic SCADA architecture mapping possible vulnerabilities and counter measures

In SCADA systems, vulnerabilities can impact three main components, namely the Master Station (MTU), the Remote Telemetry Unit (RTU) and the Communication Networks (ref. Fig. 1). Since RTUs are spread out over large areas, they are more vulnerable than the others and are at higher security risk. The vulnerabilities of the Internet and the TCP/IP protocol extend to SCADA systems. As a result, SCADA systems are subjected to cyber attacks with major consequences. Fig. 1 describes the possible vulnerabilities and counter measures at each level.

At the RTU level, critical vulnerabilities are malicious configurations, denial of service and malware. When an RTU is updated with a malicious configuration or malware, even the operator may not be aware that the particular RTU is infected. When RTU and MTU communicate over plain-text protocols on the communication channel, vulnerabilities include man-in-the-middle attacks and replay attacks. By exploring the protocol details and using a coordinated attack approach, the attack can be made more effective. Counter measures at the communication channel include hardening the plain-text protocols. At the control centre, possible vulnerabilities include malware, DoS attacks, sabotage etc.

III. DENIAL OF SERVICE ATTACKS

There are three primary components to security: confidentiality, integrity, and availability. A Denial of Service (DoS) [5][6][7] attack targets availability. The goal of a DoS attack is to disrupt some legitimate activity, such as making the MTU or RTU unable to communicate with each other. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation and make it hang, crash, reboot, or do useless work. Denial of service (DoS) is easy to launch, but hard to prevent.

Fig. 2. Influence diagram for DoS attacks on RTU

When attackers cannot access the network, they use DoS as a last effort. When attackers cannot access the MTU or RTU, they make sure that no one else can access it either. Attackers may also conduct this attack to prove that systems are vulnerable. A DoS attack is also a way of making the RTU or MTU unavailable for operations. Some of the symptoms of DoS are:
• Unusually slow network performance
• Unavailability of a targeted MTU/RTU
• Inability to access the RTU from the MTU
• Dramatic increase in communication delay
• Disconnection of a wireless or wired internet connection

A. Influence diagram for Denial of Service attacks

A successful attack on the RTU or MTU may lead to data loss, and commands initiated from the MTU may be ignored by the RTU. Possible ways of DoS attacks on the RTU have been modeled using an influence diagram [10] and are shown in Fig. 2. Influence diagrams are useful for understanding the attack methodology and also for preparing counter measures.
DoS attacks on the RTU can be categorized into three broad categories [8]:
• Bandwidth consumption
• Resource starvation
• Programming flaws

Making the system unavailable is the target of conducting a DoS attack. Sending requests for the same data or resource without pause leads to a DoS attack; after a particular time, the system will not be able to handle the requests. An attacker can perform this type of attack using ICS-specific malware, or as a Distributed Denial of Service (DDoS) to hide its own identity.

IV. EXPERIMENTS

In all experiments, the target is to attack an RTU communicating over the IEC 60870-5-104 protocol. The intention of carrying out the Denial of Service (DoS) attack on the IEC 60870-5-104 RTU was to practically prove that such an attack can happen, and that the RTU can be hit performance-wise and can also malfunction. It was necessary to come out with a mechanism to measure the tolerance limit (or threshold) up to which an RTU behaves normally under a DoS attack. A denial of service attack targets the network bandwidth and the resources of the target machine. The attack can be carried out by targeting three different layers, viz. the network layer, the transport layer and the application layer. Network bandwidth can be starved by flooding random IP packets at the network layer, and resource starvation can be achieved by flooding either SYN packets at the transport layer or user data packets at the application layer.

A. Experiment 1: Network layer (IP packet flood)

The experiment was conducted by generating a packet flood (packet length 1514 bytes) starting at the rate of 10000 kbit/s, and the impact was observed at the MTU end (ref. Fig. 3). The MTU started to experience abnormal behavior from the RTU when the attacker tool generated the packet flood at 35209 kbit/s.

Fig. 3. Attack on Network Layer

Fig. 4. IP Packet flood vs Response Time [plot: Packet Flood (Kbits/sec) against Response (millisec)]

B. Experiment 2: Transport layer (TCP SYN flood)

Here, SYN request packets were flooded starting at the rate of 500 packets per second. Each SYN request packet is 60 bytes long. This leaves many half-open connections at the RTU, saturating the number of connections it is able to accept and keeping it from responding to legitimate requests (from the MTU) until after the attack ends (see Fig. 5). The impact on the RTU, as observed at the MTU, occurs at 850 SYN request packets per second. At this rate, the RTU is not able to respond to the MTU's requests.

Fig. 5. Attack on Transport Layer

Fig. 6. TCP SYN flood vs Response Time [plot: Packet Flood (Kbits/sec) against Response (millisec)]

C. Experiment 3: Application layer (104 APCI packet flood)

After an attacker has established a TCP connection with the RTU, flooding it with a valid packet of the IEC 60870-5-104 protocol forms an attack at the application layer (see Fig. 8). The total packet length is 72 bytes, with the following user data (Fig. 7) in the application layer.

Fig. 7. One of the IEC 60870-5-104 protocol APCI packets: 0x68 0x04 0x07 0x00 0x00 0x00

Fig. 9. IEC 60870-5-104 application protocol packet flood vs Response Time [plot: Packet Flood (Kbits/sec) against Response (millisec)]

V. IMPACT OF DOS ATTACKS

This section describes the impact of the above discussed (DoS) attacks on the SCADA system in detail. Each attack is characterized, its possibility is analyzed, and its impact is studied. When analyzing the impact of the attacks, we have to consider the three information security components: Confidentiality, Integrity and Availability. Analyzing each type of attack with regard to these three characteristics makes it easier to identify the consequences of each attack. The impacts of the attacks are analyzed on both the RTU and the MTU side.
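As an added example that is not part of the paper, the following is a defender-side check for the application-layer flood of Experiment 3: it decodes the IEC 60870-5-104 APCI header of each captured frame (the Fig. 7 STARTDT act frame among them) and flags any source whose rate of well-formed APDUs within one second reaches a configurable threshold. The capture, the host addresses and the 580 frames/s threshold are constructed for the illustration, the threshold being the rate at which the paper reports the RTU stopped responding.

```python
"""Added illustration for Experiment 3 (not code from the paper): decode the
IEC 60870-5-104 APCI header (start 0x68, length octet, 4-octet control field)
and flag sources whose per-second APDU rate reaches a constructed threshold."""

from collections import Counter

START_BYTE = 0x68
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])  # the Fig. 7 frame

def parse_apci(frame: bytes) -> dict:
    """Return format (I/S/U), APDU length and U-function name of one APDU.
    Raises ValueError for anything that is not a well-formed 104 frame."""
    if len(frame) < 6 or frame[0] != START_BYTE:
        raise ValueError("missing 0x68 start octet or frame too short")
    length = frame[1]
    if not 4 <= length <= 253 or length != len(frame) - 2:
        raise ValueError("length octet does not match frame")
    cf1 = frame[2]
    if cf1 & 0x01 == 0:          # bit 1 clear: I format (carries an ASDU)
        fmt, func = "I", None
    elif cf1 & 0x03 == 0x01:     # bits 1-2 = 01: S format (acknowledge)
        fmt, func = "S", None
    else:                        # bits 1-2 = 11: U format (unnumbered control)
        fmt, func = "U", U_FUNCTIONS.get(cf1, "unknown")
    return {"format": fmt, "length": length, "u_function": func}

def apdu_rates(frames):
    """frames: iterable of (timestamp_s, src, raw). Count well-formed APDUs
    per (src, whole second); malformed frames are ignored, not counted."""
    counts = Counter()
    for ts, src, raw in frames:
        try:
            parse_apci(raw)
        except ValueError:
            continue
        counts[(src, int(ts))] += 1
    return counts

def flood_sources(frames, threshold_pps):
    """Sources whose APDU rate in any one-second bucket reached the threshold."""
    return sorted({src for (src, _), n in apdu_rates(frames).items() if n >= threshold_pps})

def sample_capture():
    """Constructed traffic: one MTU at 10 frames/s for 3 s, and a second host
    repeating the Fig. 7 frame 600 times inside a single second."""
    legit = [(t / 10, "10.0.0.10", STARTDT_ACT) for t in range(30)]
    flood = [(1.0 + i / 600, "10.0.0.99", STARTDT_ACT) for i in range(600)]
    return legit + flood
```

In a deployment the frames would come from a tap on the MTU-RTU link, and the alert threshold would be set well below the rate at which the RTU was observed to stop responding.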
Fig. 8. Attack on Application Layer

RTU response time with respect to user data packets is shown in Fig. 9. The response time becomes poorer as the IEC 60870-5-104 packet flood increases. The user data packet was flooded starting at the rate of 100 packets per second, and the RTU stopped responding to MTU requests at the rate of 580 packets per second.

In a SCADA network, an attacker could try to disrupt the communication between RTU and MTU by sending spurious packets into the network. If the attacker mounts a DoS attack on the RTUs, there will be no possibility of communication. As the communication is disrupted, the higher-level networks such as the Process Control Network and the Corporate Network [11] will also be affected. When the MTU is not able to acquire data from multiple RTUs, the impact shows up on the data archival server / data historian (used to generate reports) and the Human Machine Interface (used for visualization of data). When an RTU is affected by a DoS attack, commands initiated from the HMI/MTU may not reach the RTU, and this may lead to improper functionality. Attacks on the RTU or MTU may affect critical functionalities such as scheduling, state estimation, islanding etc.

The attacker can also flood the MTU (in a similar way to the RTU) with 'n' number of data packets, resulting in abnormal behavior, and the MTU may go down. Every system has some limit on the packets it can accept in a particular time interval; if that limit is exceeded, problems will occur. A large volume of data at a particular time will make the MTU perform abnormally, and it can also shut down the system. MTU abnormal behavior will affect the RTU and may affect the rest of the SCADA network as well. In this scenario, the MTU cannot get data from the RTUs and cannot provide it for monitoring and further decision making.

VI. CONCLUSION

This paper addresses the simulation and impact of DoS attacks on SCADA systems at the network layer, transport layer and application layer.
It is clear and apparent that cyber threats and attacks on control systems are possible, and the impact can be very dangerous. It is important to safeguard the critical infrastructure in our country, as critical infrastructure becomes an easy target and hackers may target control systems more than IT systems. Threats such as various types of denial of service were simulated and their impact on the SCADA systems has been determined.

REFERENCES

[1] IEC 60870: Telecontrol equipment and systems - Part 5-101: Transmission protocols - Companion standard for basic telecontrol tasks
[2] IEC 60870: Telecontrol equipment and systems - Part 5-104: Transmission protocols - Network access for IEC 60870-5-101 using standard transport profiles
[3] IEC 61850: Communication networks and systems for power utility automation
[4] Gordon R. Clarke et al., Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems, Newnes, 2004
[5] M. Long, C.-H. Wu, and J. Y. Hung, "Denial of service attacks on network-based control system: Impact and mitigation," IEEE Trans. Ind. Inf., vol. 1, no. 2, pp. 85–96, May 2005.
[6] DoS: https://developer.mozilla.org/en-US/docs/Glossary/Distributed_Denial_of_Service
[7] DoS: http://www.eukhost.com/blog/webhosting/ddos-attack-denial-of-service/
[8] Michael Gregg, "Certified Ethical Hacker Exam Prep", 2011
[9] Rob Livingstone, "What's SCADA got to do with your IT department?" [http://rob-livingstone.com/2013/10/whats-scada-got-to-do-with-your-it-department/]
[10] Teodor Sommestad, Mathias Ekstedt, Lars Nordström, "Modeling security of power communication systems using defense graphs and influence diagrams," IEEE Transactions on Power Delivery, vol. 24, no. 4, Oct 2009
[11] ANSI/ISA-99.00.01-2007 - Security for Industrial Automation and Control Systems
[12] Soumitra K. Ghosh, "Changing Role of SCADA in Manufacturing Plant," Industry Applications Conference, 31st IAS Annual Meeting, IAS '96, 1999.
[13] Dong-Joo Kang, Hak-Man Kim, "Development of Test-bed and Security Devices for SCADA Communication in Electric Power System", Korea Electro-technology Research Institute, Incheon City College.
[14] Ghosh, Soumitra K. "Changing role of SCADA in manufacturing plant." Industry Applications Conference, 1996. Thirty-First IAS Annual Meeting, IAS '96, Conference Record of the 1996 IEEE. Vol. 3. IEEE, 1996.
[15] Kang, Dong-Joo, et al. "Analysis on cyber threats to SCADA systems." Transmission & Distribution Conference & Exposition: Asia and Pacific, 2009. IEEE, 2009.
[16] Durga Samanth Pidikiti, Rajesh Kalluri, R. K. Senthil Kumar, B. S. Bindhumadhava, "SCADA Communication Protocols: Vulnerabilities, Attacks and Possible Mitigations," CSI Journal, 2013, published by Springer