Incorporating Model-based Intrusion Detection Into a
Secure Topology for Electric Power System SCADA
Networks
John W. Copeland
Columbus State University
Columbus, Georgia
copeland_john@csu.edu
Abstract— This paper describes a secure topology for electric power system SCADA (Supervisory Control and Data Acquisition) networks that includes a variation of the model-based intrusion detection system described in [1]. Electric power system SCADA systems have evolved over the past 50 years from independent systems with no interconnectivity with other systems to networked systems using common protocols such as IP [2]. The "security through obscurity" upon which the early independent systems relied no longer exists, and significant vulnerabilities now reside in this critical infrastructure. The risks associated with these vulnerabilities are exacerbated by several current socio-economic conditions and by the widespread availability of the technology used in current SCADA systems. The consequences of a successful attack on a SCADA network could easily exceed those of the Northeast blackout of 2003, which affected approximately 50 million people, cost approximately $4 billion to $6 billion, and contributed to eleven fatalities [3,4].

In the Energy Policy Act of 2005, an Electric Reliability Organization (ERO) was created to develop and enforce compliance with reliability standards. NERC (the North American Electric Reliability Corporation) was designated as the ERO. It has developed cyber security standards for the Bulk Power System and has the authority to enforce them, including the ability to fine those not in compliance up to $1 million per day. Secure SCADA systems are, therefore, required for public health and safety and are mandated by law.
I. INTRODUCTION

Early electric power system SCADA systems were characterized by specialized hardware using proprietary communication protocols to communicate with dedicated mainframe computers over radio, modem, or direct serial links. They provided two fundamental services: (1) collection and display of real-time binary and analog data describing the current state of the system, and (2) the ability to remotely control system devices such as switches and circuit breakers. These systems, although not entirely secure, were protected to a large degree by the relative obscurity of the technology used. While some of this legacy technology remains in place today, modern systems currently being developed and installed, in addition to providing real-time data collection and remote device control, are collecting large quantities of non-real-time data for maintenance, load control, and billing purposes and also provide remote access to the IEDs (Intelligent Electronic Devices) installed on the system for protection, equipment monitoring, and metering. These systems are based upon more standard and well-known technologies, including Windows operating systems, Ethernet, SONET, frame relay, and FDDI networks, and TCP/IP-based protocols, and are subject to the wide variety of vulnerabilities associated with these technologies. In addition, software tools (e.g., protocol test sets for SCADA protocols that have been adapted for use with TCP/IP) are readily available, making the exploitation of these vulnerabilities especially easy.

Moreover, several socio-economic conditions have been identified that add to the current risks to electric power system SCADA systems, including the increased threat of domestic and international terrorism, industry deregulation resulting in instability in the industry's job market and hence disgruntled employees and ex-employees, the growing number of computer-literate people, and widely available hacker tools [5].

Possible consequences of exploitation of present vulnerabilities include:

• Access to corporate applications from the SCADA network to obtain credit and personal information.
• Access to power system information that an unscrupulous competitor could use for unfair advantage.
• Control of system devices, leading to immediate equipment damage and/or local or widespread power system outages lasting up to several days.
• Changing the settings of protective and control devices, or planting malicious code, leading to delayed equipment damage, DoS attacks, and local or widespread power system outages lasting up to several days.
• Perturbing binary and analog data reported to real-time control centers, leading to incorrect actions by system operators.
• Reconnaissance of protective and control device settings that could be used in a later attack.
• DoS attacks that disable critical monitoring and control functions.

Three proposals are presented below to mitigate these risks.

• The inclusion of a model-based intrusion detection system in the SCADA network. This IDS is presented in [1] and described in Section III, where some enhancements to it are suggested.
• Encryption of data packets transmitted over the SCADA network, described in Section IV.
• A network topology that includes the model-based IDS and data encryption and that provides inherent security, described in Section V.

II. RELATED WORK

In [6], the authors present three adaptations of traditional information technology intrusion detection methods that make them more effective in SCADA applications.

First, the authors suggest deep packet inspection of network traffic combined with SCADA protocol-specific intrusion detection signatures to detect buffer overflow exploits. Traditional IT intrusion detection detects malformed packets, but a correctly formed packet can carry a data-length header that exceeds the static buffer length in a SCADA device, and traditional systems would not detect it. Developing signatures that encode the acceptable data-length headers for the SCADA devices, combined with the suggested deep packet inspection, would allow detection of buffer overflow exploitation attempts.

Secondly, the authors, leveraging the fact that SCADA networks tend to be static both in network topology and in the tasks performed on the network, describe an intrusion detection method based on network traffic flow analysis. Because of this characteristic of SCADA networks, it is possible to map out all legitimate network traffic flows and detect flows that do not match the normal traffic. For example, in Figure 1, legitimate traffic may flow between the front-end processor (FEP) and a remote terminal unit (RTU), but not between the data historian server and an RTU.

Finally, the authors point out that the signature analysis and network traffic analysis intrusion detection methods are ineffective against man-in-the-middle attacks. They suggest that examining inconsistencies in network data could be an effective method of detecting this type of intrusion. For example, in Figure 1, data typically flows from the RTU to the FEP, from the FEP to the application server, and from the application server to the data historian and ICCP server. Control commands travel from the application server to the FEP and then on to the RTU. A man-in-the-middle (MiM) attack between the FEP and RTU would allow the attacker to initiate a control operation on a SCADA device and then report an incorrect status (indicating that the control operation had not occurred) to the application server through the FEP. This would, however, result in an inconsistency in the per-network database: a control operation was sent from the FEP but not from the application server, where control commands must originate. Identifying this inconsistency could allow the detection of the MiM attack described.

Figure 1 (adapted from [6]): SCADA network showing RTUs, a front-end processor (FEP), an application server, a data historian server and an ICCP server.
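The static flow map and the command-path consistency check described above can both be expressed as a few lines of detection logic. The following is an added example written for this page, not code from [6]: the role names (RTU, FEP, APP, HIST, ICCP), the service labels, the five-second pairing window and the event record format are assumptions of my own, and the records it runs over are constructed, not captured traffic.

```python
"""Flow whitelist and control-path consistency checks for a SCADA network.

Added example (not code from the page or from [6]). Role names, service
labels, the pairing window and the record layout are assumptions; the
sample records are constructed.
"""

# The static communication map a SCADA network lets us draw up in advance:
# (source role, destination role, service). Anything else is suspect.
ALLOWED_FLOWS = {
    ("RTU", "FEP", "dnp3"),
    ("FEP", "RTU", "dnp3"),
    ("FEP", "APP", "scada-api"),
    ("APP", "FEP", "scada-api"),
    ("APP", "HIST", "historian"),
    ("APP", "ICCP", "iccp"),
}

# Control commands originate at the application server and are relayed by
# the FEP. A FEP->RTU control with no matching APP->FEP control is the
# inconsistency that betrays the man-in-the-middle attack described in [6].
UPSTREAM_HOP = ("APP", "FEP")
DOWNSTREAM_HOP = ("FEP", "RTU")


def check_flows(records):
    """Return one alert per flow that is not on the static communication map.

    Each record is a dict with keys src, dst and service (roles, not
    addresses, because the map here is defined per role).
    """
    alerts = []
    for r in records:
        if (r["src"], r["dst"], r["service"]) not in ALLOWED_FLOWS:
            alerts.append(f"unexpected flow {r['src']}->{r['dst']} ({r['service']})")
    return alerts


def check_control_path(events, window=5.0):
    """Flag FEP->RTU control operations that no APP->FEP control preceded.

    Each event is a dict: t (seconds), src, dst (roles), op, point. A
    downstream control is legitimate only if the same point was commanded
    upstream within `window` seconds (assumed value).
    """
    alerts = []
    last_upstream = {}  # point -> time of the most recent APP->FEP control
    for e in sorted(events, key=lambda e: e["t"]):
        if e["op"] != "control":
            continue
        hop = (e["src"], e["dst"])
        if hop == UPSTREAM_HOP:
            last_upstream[e["point"]] = e["t"]
        elif hop == DOWNSTREAM_HOP:
            t0 = last_upstream.get(e["point"])
            if t0 is None or e["t"] - t0 > window:
                alerts.append(
                    f"control of {e['point']} sent by FEP at t={e['t']} "
                    f"without a matching application-server command")
    return alerts


# Constructed sample data (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "RTU", "dst": "FEP", "service": "dnp3"},
    {"src": "APP", "dst": "HIST", "service": "historian"},
    {"src": "HIST", "dst": "RTU", "service": "dnp3"},   # not on the map
]

SAMPLE_EVENTS = [
    {"t": 10.0, "src": "APP", "dst": "FEP", "op": "control", "point": "CB-12"},
    {"t": 10.4, "src": "FEP", "dst": "RTU", "op": "control", "point": "CB-12"},
    {"t": 42.0, "src": "FEP", "dst": "RTU", "op": "control", "point": "CB-07"},  # injected
]


def run_demo():
    """Return (flow alerts, control-path alerts) for the constructed samples."""
    return check_flows(SAMPLE_FLOWS), check_control_path(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_demo()[0] + run_demo()[1]:
        print("ALERT:", alert)
```

On the constructed input the flow check reports only the historian-to-RTU flow, and the path check reports only the control of CB-07, which arrived at the RTU with no upstream command. A real deployment would key the map on addresses and ports rather than roles, but the logic is the same.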
III. MODEL-BASED INTRUSION DETECTION
Despite the threat that unauthorized writes to system and protection devices pose, with potentially severe consequences, only about one-quarter of electric power utilities presently use intrusion detection systems [5]. The proposal presented in this section is to implement a modified version of the model-based intrusion detection system presented in [1].

Model-based intrusion detection is a scheme in which violations of a model that characterizes the expected or acceptable behavior of a system are detected. The primary advantage of model-based solutions is that, unlike signature-based schemes, they have the potential to detect zero-day attacks.

The SCADA protocol selected in [1] is Modbus TCP. The original Modbus protocol was designed for asynchronous serial communication. It defines two types of messages: a request issued by the client and a response to the client from the server. Both messages consist of two parts: a function code and the function data for a request, and a function code and response data for the response. These two parts make up the PDU (Protocol Data Unit). In Modbus TCP, a 7-byte header is added to the PDU to form an ADU (Application Data Unit) [7].

In developing the model-based IDS presented in [1], the authors used various characteristics of the Modbus protocol to develop a rule set for acceptable Modbus requests and responses. For example, the function codes in Modbus requests are restricted to the values 1-127 (codes 128 and above are reserved for exception responses, which set the high bit of the request's function code). A request function code outside this range could indicate an intrusion attempt. The length field in the ADU is another example of a constraint placed on Modbus requests and responses. The length field indicates the number of bytes in the fields that follow it. Since the PDU is at most 253 bytes and at least 1 byte (the function code), and the unit identifier that follows the length field is always 1 byte, the length field must be between 2 and 254; a length field that disagrees with the number of bytes actually present in the frame is likewise suspect. A complete set of Modbus IDS rules has been developed by Digital Bond (http://www.digitalbond.com/) and was implemented by the authors in Snort (an open-source signature-based IDS).
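The ADU constraints just described are mechanical enough to check directly. The following is an added example, not the rule set from [1] or Digital Bond's Snort rules: it builds a few Modbus TCP frames by hand (constructed, not captured) and applies the protocol-id, length-field and function-code rules to them. The check that the length field agrees with the bytes actually on the wire is my addition to the rules named in the text; it is the case the deep-packet-inspection adaptation in [6] is aimed at.

```python
"""Model-based checks on Modbus TCP ADUs.

Added example, not code from [1] or from Digital Bond's rule set. The
sample frames are constructed by hand, not captured traffic.
"""
import struct

MBAP_LEN = 7                      # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253                     # Modbus PDU limit
MIN_LENGTH_FIELD = 2              # unit id + at least the one-byte function code
MAX_LENGTH_FIELD = 1 + MAX_PDU    # 254


def check_adu(frame: bytes):
    """Return the rule violations found in one Modbus TCP ADU (empty if clean).

    Rules: protocol id is 0; length field within 2..254; length field agrees
    with the bytes actually present; request function code within 1..127.
    """
    violations = []
    if len(frame) < MBAP_LEN + 1:
        return ["frame shorter than MBAP header plus function code"]
    _trans_id, proto_id, length, _unit_id = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto_id != 0:
        violations.append(f"protocol id {proto_id} (Modbus requires 0)")
    if not MIN_LENGTH_FIELD <= length <= MAX_LENGTH_FIELD:
        violations.append(
            f"length field {length} outside {MIN_LENGTH_FIELD}..{MAX_LENGTH_FIELD}")
    # Bytes after the length field are the unit id plus the PDU. A length
    # header that overstates them is the well-formed-but-oversized frame a
    # device with a static receive buffer may mishandle.
    present = len(frame) - (MBAP_LEN - 1)
    if length != present:
        violations.append(f"length field {length} does not match {present} bytes present")
    fc = frame[MBAP_LEN]
    if not 1 <= fc <= 127:
        violations.append(f"function code {fc} outside 1..127 for a request")
    return violations


def read_holding_registers(trans_id: int, unit_id: int, start: int, count: int) -> bytes:
    """Build a well-formed Read Holding Registers (function code 3) request."""
    pdu = struct.pack(">BHH", 3, start, count)
    return struct.pack(">HHHB", trans_id, 0, 1 + len(pdu), unit_id) + pdu


# Constructed frames: one clean request and two rule violations.
GOOD = read_holding_registers(trans_id=1, unit_id=17, start=0, count=10)
BAD_FC = GOOD[:MBAP_LEN] + bytes([0xF0]) + GOOD[MBAP_LEN + 1:]   # function code 240
OVERSIZED = GOOD[:4] + struct.pack(">H", 0xFFFF) + GOOD[6:]        # length field 65535

if __name__ == "__main__":
    for name, frame in (("good", GOOD), ("bad_fc", BAD_FC), ("oversized", OVERSIZED)):
        print(name, check_adu(frame) or "ok")
```

The clean request passes every rule; the second frame trips only the function-code rule, and the third trips both the range rule and the consistency rule, since its header claims 65535 bytes but only 6 follow it.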

Communication-based patterns were also used to model acceptable behavior of the network. This approach is feasible because a small set of applications typically runs on a SCADA network, as compared with general TCP/IP networks. Acceptable communication paths were defined using Snort rules and incorporated into the model.

Finally, the authors used detection of changes in server and service availability to detect possible intrusions. Two detectors were used: the EMERALD Bayes sensor and EModbus. The EMERALD Bayes sensor learns the active services on the network and rapidly detects when a service is down. A misuse detector in the sensor is configured to be probabilistically less suspicious of services that appear to be down due to failure of the client, and more suspicious, and more likely to indicate a possible intrusion, of sessions accessing services that are not known to be valid. EModbus discovers the supported Modbus function codes, which vary by device, on the Modbus devices deployed on the network. Discovery of new function codes on the network after an appropriate discovery interval may indicate an unauthorized reconfiguration of a Modbus device.

An intrusion detection appliance for Modbus TCP networks was developed and tested by the authors. It included the EMERALD intrusion detection framework, eXpert-Net (a stateful protocol analyzer), and Snort with sensors specific to Modbus TCP based on the rules developed by Digital Bond, the Modbus protocol rules, the communication pattern rules, and EModbus described above. This appliance was tested on a testbed with positive results.

Several changes that could improve both the usability and reliability of the model-based IDS are suggested below.

Modbus is a simple protocol with limited capabilities whose primary design criterion was low bandwidth requirements. In a 2005 survey, none of the 99 participants reported the use of Modbus TCP, either within substations or between substations and control centers, while nearly one-quarter reported using DNP3 LAN (DNP3 embedded in TCP/IP), and most were planning to migrate to DNP3 LAN in the future [8]. While the simplicity of Modbus is helpful in proof-of-concept development, a more practical and useful choice of protocol would be DNP3 LAN, which is becoming the de facto industry standard in North America. Although DNP3 is a more complex protocol, the principles developed in [1] could be applied to DNP3 LAN to yield better results. DNP3 IDS rules have also been developed by Digital Bond.

Typical power system operation results in predictable communication patterns:

• Status changes and control operations of power system devices (switches, circuit breakers) occur more frequently during regular business hours, when maintenance and construction activities are normally performed.
• Status changes and control operations occur more frequently during inclement weather.
• System load, reported by SCADA analog values, varies according to a very predictable time-of-day model.
• Protection and control device configuration changes are infrequent and normally occur during regular business hours.

These predictable patterns could be incorporated into DNP3 LAN IDS rules and/or the model of communication patterns developed in [1]. Significant perturbations from the expected activity in these regular patterns could indicate an intrusion.

Finally, since SCADA networks can be extremely large, incorporating thousands of remote terminals with hundreds of data points associated with each, distributing the model-based IDS functions could make this solution more scalable. The Snort application with the associated DNP3 LAN rules could be installed on remote devices.
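Two of the behavioral models described in this section, EModbus-style discovery of each device's function codes and the business-hours pattern for control operations, can be combined in one small detector. The following is an added example, not the EModbus or EMERALD code: treating the Modbus write codes (5, 6, 15, 16) as control operations, the 07:00 to 18:00 weekday window, the one-hour discovery interval and the event stream are all assumptions made for illustration.

```python
"""Behavioral baseline for SCADA devices: function-code discovery plus a
business-hours expectation for control operations.

Added example, not the EModbus/EMERALD code. The control-code set, the
business-hours window and the events are assumptions.
"""
from datetime import datetime


class DeviceModel:
    # Assumed: the Modbus write function codes count as control operations.
    CONTROL_CODES = {5, 6, 15, 16}

    def __init__(self, discovery_seconds: float, business_hours=(7, 18)):
        self.discovery_seconds = discovery_seconds   # learning window after the first event
        self.business_hours = business_hours         # [start, end) hours, weekdays only
        self.seen = {}                               # unit id -> function codes observed
        self.first_seen = None

    def observe(self, ts: datetime, unit_id: int, fc: int):
        """Feed one (timestamp, unit id, function code) observation; return alerts."""
        alerts = []
        if self.first_seen is None:
            self.first_seen = ts
        learning = (ts - self.first_seen).total_seconds() < self.discovery_seconds
        codes = self.seen.setdefault(unit_id, set())
        if fc not in codes:
            if not learning:
                # A code this unit never used during discovery: possible
                # reconfiguration of the device or an unexpected client.
                alerts.append(f"unit {unit_id}: new function code {fc} after discovery interval")
            codes.add(fc)   # alert once per new code, then track it
        if fc in self.CONTROL_CODES:
            lo, hi = self.business_hours
            if ts.weekday() >= 5 or not lo <= ts.hour < hi:
                alerts.append(
                    f"unit {unit_id}: control operation (FC {fc}) at {ts:%a %H:%M} "
                    f"outside business hours")
        return alerts


SAMPLE_EVENTS = [   # constructed: (timestamp, unit id, function code)
    (datetime(2008, 11, 3, 9, 0), 17, 3),     # Mon 09:00  read holding registers
    (datetime(2008, 11, 3, 9, 5), 17, 16),    # Mon 09:05  write multiple registers
    (datetime(2008, 11, 3, 9, 10), 18, 3),    # Mon 09:10  read holding registers
    (datetime(2008, 11, 9, 2, 30), 17, 16),   # Sun 02:30  a write outside business hours
    (datetime(2008, 11, 10, 10, 0), 18, 8),   # Mon 10:00  FC 8 never seen on unit 18
]


def run_model(events, discovery_seconds: float = 3600):
    """Replay the events through a fresh model and collect every alert."""
    model = DeviceModel(discovery_seconds)
    return [a for ts, unit, fc in events for a in model.observe(ts, unit, fc)]


if __name__ == "__main__":
    for alert in run_model(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The first three events fall inside the discovery interval and only populate the baseline; the Sunday write is reported against the business-hours model, and the diagnostics code on unit 18 is reported as a code that unit never used while the model was learning. In practice the discovery interval would be days rather than an hour, and a new code would be held for an analyst's confirmation rather than silently added.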
IV. ENCRYPTION
Surprisingly, while 43% of the respondents to a 2005 survey reported using public leased-line communications, only 6 of 95 respondents reported using encryption for SCADA data transmission [8]. This leaves significant and disturbing potential for eavesdropping, man-in-the-middle, and spoofing attacks. These attacks are made easier by the commonly available protocol test sets used for SCADA system maintenance and testing. Therefore, in addition to an IDS, SCADA systems should use cryptography for confidentiality, message and data integrity, and authentication.

In [9], the author suggests three categories of solutions for securing SCADA communications:

• Solutions that wrap SCADA protocols with existing security protocols (SSL/TLS, IPsec) without changing the SCADA protocol itself.
• Solutions that alter the SCADA protocol.
• Applying selective cryptography.

Applying selective cryptography was selected as the best option, and an extensive investigation of this option using the DNP3 protocol is presented in [9].

In this study, authentication is provided by adding Authentication Octets to each request to a SCADA device. The Authentication Octets contain a hash digest that is encrypted with the SCADA master's private key (in effect, a digital signature over the request), but, to save processing time, the remainder of the message is not encrypted. The receiver decrypts the digest using the sender's public key and compares it with its own independently calculated digest. This method protects against spoofing and modification, and against replay provided that the signed data includes a sequence number or timestamp that the receiver checks for freshness (a signature over the bare message can be captured and resent unchanged). Since the message itself is not encrypted, it does not protect against eavesdropping.

A second security enhancement is also suggested: authentication via challenge-response. This feature operates as follows.

• The authenticator sends a random challenge to the other party.
• The other party responds with a hash digest of the challenge plus a secret.
• The authenticator checks the response against its own calculation of the hash digest.
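Both enhancements, the per-request Authentication Octets and the challenge-response exchange, can be shown end to end in a few dozen lines. The following is an added example, not code from [9] or from the DNP3 Technical Committee, and it makes one substitution: the digest "encrypted with the master's private key" is a public-key signature, and here HMAC-SHA256 under a shared key stands in for it (a keyed digest of message plus secret is also the idea behind the Message Authentication Object discussed in the conclusion; HMAC is used rather than a bare hash of message concatenated with secret because the latter is open to length-extension attacks). The 32-bit sequence number, the 16-octet truncated tag and the request bytes are my assumptions; the sequence number is what makes a replayed frame detectable.

```python
"""Authentication octets and challenge-response over a constructed request.

Added example, not code from [9] or the DNP3 committee. HMAC-SHA256 under a
shared key stands in for the page's private-key-encrypted digest; the
sequence number, tag length and request bytes are assumptions.
"""
import hashlib
import hmac
import os
import struct

DIGEST = hashlib.sha256
SEQ_LEN = 4       # assumed width of the sequence number that precedes the request
TAG_LEN = 16      # assumed: HMAC-SHA256 truncated to 16 authentication octets


class Master:
    """Sender: prefixes a sequence number and appends the authentication octets."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def send(self, request: bytes) -> bytes:
        self.seq += 1
        hdr = struct.pack(">I", self.seq)
        tag = hmac.new(self.key, hdr + request, DIGEST).digest()[:TAG_LEN]
        return hdr + request + tag        # the request itself stays in the clear


class Outstation:
    """Receiver: recomputes the tag, then requires a strictly increasing sequence."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0

    def receive(self, frame: bytes):
        """Return the request bytes if authentic and fresh, otherwise None."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None
        hdr, request, tag = frame[:SEQ_LEN], frame[SEQ_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + request, DIGEST).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None                              # modified or spoofed
        (seq,) = struct.unpack(">I", hdr)
        if seq <= self.last_seq:
            return None                              # replayed or stale frame
        self.last_seq = seq
        return request


# Challenge-response: only a keyed digest of a fresh random challenge crosses
# the wire, never the secret itself.
def make_challenge() -> bytes:
    return os.urandom(16)


def respond(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, DIGEST).digest()


def verify_response(secret: bytes, challenge: bytes, response: bytes) -> bool:
    return hmac.compare_digest(respond(secret, challenge), response)


def demo(key: bytes = b"constructed-shared-secret"):
    """Exercise both mechanisms. Returns (accepted, replay_accepted,
    tampered_accepted, good_response_ok, bad_response_ok)."""
    master, outstation = Master(key), Outstation(key)
    frame = master.send(b"OPERATE CB-12 CLOSE")          # constructed request
    accepted = outstation.receive(frame) is not None
    replay_accepted = outstation.receive(frame) is not None
    tampered = bytearray(frame)
    tampered[SEQ_LEN] ^= 0x01                           # flip one bit of the request
    tampered_accepted = outstation.receive(bytes(tampered)) is not None
    challenge = make_challenge()
    good = verify_response(key, challenge, respond(key, challenge))
    bad = verify_response(key, challenge, respond(b"wrong-secret", challenge))
    return accepted, replay_accepted, tampered_accepted, good, bad


if __name__ == "__main__":
    print(demo())   # (True, False, False, True, False)
```

The first delivery is accepted, the identical frame resent is rejected on its sequence number even though its tag is still valid, and the single-bit modification is rejected on the tag; the challenge-response half accepts only the party holding the secret. With a real signature in place of the HMAC the receiver needs only the master's public key, which is the property the selective-cryptography design in [9] relies on.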
This enhancement protects against man-in-the-middle attacks, since a party that does not hold the secret cannot produce a valid response to a fresh challenge, and a captured response is useless against the next challenge.

V. SCADA NETWORK TOPOLOGY

Figure 2 shows a network topology that incorporates the model-based IDS presented in [1] with the changes suggested in this paper. Along with the IDS, additional security features not typically found in existing SCADA networks are added.

Figure 2: External Network; Corporate Network with AV Server and WSUS Server; DMZ Network with Two-factor Authentication, Encryption, IDS, and Remote Access Management and Monitoring; SCADA Master; Remote Access User; Remote LANs, each with a Data Concentrator (SCADA Slave), Host-based IDS, AV Protection and Encryption.

Modern SCADA networks, in addition to the usual data collection and control functions, can provide remote access to devices on the SCADA network. In Figure 2, this remote access is protected by two-factor authentication and managed by a server which logs user sessions. The model-based IDS could also monitor this access when configured with an appropriate rule set.

Two remote LANs are shown in Figure 2. However, since there is typically one LAN per electric substation, there could be hundreds or even thousands of LANs in a large control area. On each LAN is a data concentrator. This device collects data from all local IEDs and provides a single slave for the SCADA master to poll. It could also provide encryption services and anti-virus protection, and could host the local IDS.

The firewall and routers at each remote site provide isolation between devices on different LANs and also isolate the traffic crossing the WAN.

Remote patching of devices could also be accomplished via the SCADA network. A WSUS (Windows Server Update Services) server is shown in Figure 2 for the case of patching Windows-based devices.

VI. CONCLUSION

The electric power system is a key part of the nation's critical infrastructure, and SCADA systems play a central role in its operation and protection. These systems have evolved from independent systems with little connectivity to networked systems based on well-known protocols, operating systems, and hardware, and this evolution has introduced significant security vulnerabilities. This paper outlines a layered "defense in depth" SCADA network topology that includes encryption, anti-virus protection, firewalls, strong authentication, and intrusion detection. The intrusion detection system proposed was adapted from the system described in [1].

The DNP3 Technical Committee has considered the addition of a Message Authentication Object (MAO) to the DNP3 protocol [9]. This object would contain the result of a hash function computed over the concatenation of the message and a secret. Due to the widespread use of the DNP3 protocol in North America, research into the practical application of this potential enhancement could yield valuable security improvements to SCADA networks in the future.

REFERENCES

[1] Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., "Using model-based intrusion detection for SCADA networks", <http://www.csl.sri.com/papers/scadaIDS07/SCADA-IDS-S4-2007.pdf>
[2] "SCADA." Wikipedia, The Free Encyclopedia, 6 November, 18:34 UTC. <http://en.wikipedia.org/wiki/SCADA>
[3] "Northeast Blackout of 2003." Wikipedia, The Free Encyclopedia, 8 November, 13:16 UTC. <http://en.wikipedia.org/wiki/2003_North_America_blackout>
[4] "Probe to Shed Light on Blackout", CBS/AP. <http://www.cbsnews.com/stories/2003/08/14/national/main568409.shtml>
[5] Oman, P., Schweitzer, E., Roberts, J., "Safeguarding IEDs, Substations, and SCADA Systems Against Electronic Intrusion." <http://www.selinc.com/techpprs/6118.pdf>
[6] Verba, J. and Milvich, M., "Idaho National Laboratory Supervisory Control and Data Acquisition Intrusion Detection System (SCADA IDS)", 2008 IEEE Conference on Technologies for Homeland Security, pp. 469-473, May 2008.
[7] "Understanding Modbus Protocol", <http://jamod.sourceforge.net/kbase/protocol.html>
[8] "The World Market for Substation Integration and Automation Programs in Electric Utilities: 2005 – 2007", Newton-Evans Research Company, Inc., <http://www.trianglemicroworks.com/documents/DNP_UG_Report_Summary_from_Substation_A&I_Study.pdf>
[9] Patel, S., "Secure Internet-based communication protocol for SCADA networks", DAI-B 67/08, Feb 2007, <http://proquest.umi.com/pqdlink?did=1208148131&Fmt=7&clientId=79356&RQT=309&VName=PQD>