ORIGINAL RESEARCH

SCADA security: a review and enhancement for DNP3 basedsystems

Peeyush Jain • Paritosh Tripathi

Received: 30 October 2012 / Accepted: 16 August 2013 / Published online: 3 October 2013

� CSI Publications 2013

Abstract Supervisory control and data acquisition

(SCADA) systems are large-scale industrial control sys-

tems often spread across geographically dispersed locations

that let human operators control entire physical systems,

from a single control room. Early multi-site SCADA sys-

tems used closed networks and propriety industrial com-

munication protocols like Modbus, DNP3 etc to reach

remote sites. But with time it has become more convenient

and more cost-effective to connect them to the Internet.

However, internet connections to SCADA systems build in

new vulnerabilities, as SCADA systems were not designed

with internet security in mind. This can become matter of

national security if these systems are power plants, water

treatment facilities, or other pieces of critical infrastructure.

Compared to IT systems, SCADA systems have a higher

requirement concerning reliability, latency and uptime, so

it is not always feasible to apply IT security measures

deployed in IT systems. This paper provides an overview

of security issues and threats in SCADA networks. Next,

attention is focused on security assessment of the SCADA.

This is followed by an overview of relevant SCADA

security solutions. Finally we propose our security solution

approach which is embedded in bump-in-the-wire is

discussed.

Keywords SCADA security � Vulnerabilities �IDS � Key management

1 Introduction

Critical infrastructure is basically cyber-physical systems

(CPS) with embedded computing systems and communi-

cation capabilities at one side and the physical system at

the other. SCADA is a communication technology scheme

for collecting data from distant facilities and also control-

ling them. SCADA system allows an operator to make set

point changes on distant process controllers, to monitor

alarms and to gather measurement information from a

remote location. SCADA systems are composed of three

components, remote terminal units (RTU) to collect data

from remote sensors and devices, Master station with

human machine interface (HMI) for monitoring and con-

trolling and communication Infrastructure for connecting

the various components of the SCADA.

The benefits of using the Internet technology to carry

SCADA communications come at the cost of compromised

security since the data over the Internet can be an easy target

for an attack [1–6]. To make the situation more challenging,

industrial communication protocols like DNP3 [7], and most

other SCADA protocols [8, 9], have no built-in security

feature such as message authentication, which assures that a

party to some computerized transaction is not an impostor.

Various threats that these protocols face include eaves-

dropping, man-in-the-middle attack (in which a malicious

hacker not only listens to the messages between two

unsuspecting parties but can also modify, delete, and replay

the messages), spoof and replay (an attack that attempts to

trick the system by retransmitting a legitimate message),

unauthorized access either by human (intentionally or acci-

dentally) or by specialized software. The other possibilities

of attacks are due to the fact that function codes and mes-

sage flags in different SCADA protocols can be manipulated

[10]. This causes violation of integrity, confidentiality and

P. Jain (&) � P. Tripathi

Centre for Development of Advanced Computing, Gulmohar

Cross Road No. 9, Juhu, Mumbai, India

e-mail: peeyushj@cdac.in

P. Tripathi

e-mail: paritosh@cdac.in

123

CSIT (December 2013) 1(4):301–308

DOI 10.1007/s40012-013-0024-2

improper commands for RTUs, etc. Anybody can control a

SCADA device with injection of malicious packets into the

network. Denial of service (DoS) attacks, deleting system

files, planting a trojan to control the system, modifying any

logged data in remote database system and IP Spoofing are

other possible threats to SCADA systems [11]. These threats

may lead to shutting down operations, data loss, gaining

complete control and defaming etc [6, 12].

The security models developed for IT systems may not

suit the security requirements of SCADA systems. SCADA

systems have many characteristics that differ from IT

systems, including different risks and priorities. Some of

these include performance, availability, time-critical

responses, resource constraints, communication, system

operation, access to components. For SCADA systems,

availability is top most priority followed by confidentiality

and integrity. For IT systems, confidentiality is top most

priority followed by integrity and availability. The key

technical challenges revolve around the limitations of what

can be installed and configured on the SCADA systems and

the technical limitations of other components within the

SCADA environment [13]. These constraints should be a

basic consideration for applying a security mechanism.

– Limited computational capacity: The RTUs have very

low computational power.

– Limited space capacity: Memory of RTUs is usually

quite low.

– Low bandwidth: The data transmission rate for SCADA

systems is low.

– Real-time processing: Transmission and processing of

data in SCADA systems should be timely. Otherwise it

may cause latency problems.

2 Related work

Lot of work has been reported in the scientific community

about SCADA security [14, 15]. Some of them have

explored cryptographic primitives while others have

explored intrusion detection or a combination of these two.

There have been many guidelines laid down for securing

SCADA systems from agencies like NIST, NERC etc on

things like secure access control, network security policy

etc for critical infrastructure. Sandia National Laboratories

proposed a cryptographic key management and key

establishment approach for SCADA (SKE) [16] in 2002.

This scheme uses CA for handling key management and

distribution in an automatic fashion. All keys used are of

128 bit in length. RTU to RTU communication is not

possible in this mechanism. Also it does not support

broadcast and multicast communication. Information

Security Institute [17] proposed architecture for SCADA

systems (SKMA) where a new entity ’key distribution

center (KDC)’ came into picture, which is used to maintain

long term keys for every node. KDC also contains infor-

mation regarding the system structure, and allows or denies

the key establishment requests; while doing this role; it

supports the distribution of keys. Donghyun Choi and co-

authors [18] also proposed his approach which supports

multicast and broadcast with an additional computation at

run time at MTU side. The approach provides multicasting

in a limited fashion. For distribution of key, the approach

uses a KDC, which constructs logical key structure and

uses Iolus framework. Simple public key infrastructure

(SPKI) was developed starting in 1995. Simple distributed

security infrastructure (SDSI) is a new design for a public

key infrastructure, designed by members of LCS’s Cryp-

tography and Information Security research group [11].

The wireless sensor networks (WSN) have intelligent

distributed control capabilities, and the capability to work

under severe conditions, so some of the schemes of this

area may be useful for securing SCADA systems, as PKI. It

uses public key encryption only for some specific tasks as

session key setup between the base station and sensors

giving the network an acceptable threshold of confidenti-

ality and authentication. PKI only implements a subset of a

PKI services.

A number of key establishment protocols based on pre-

distribution are explored, but they do not scale effectively

to large networks. For a given level of security each pro-

tocol incurs a linearly increasing overhead in either com-

munication cost per node or memory per node or both.

These symmetric key based schemes are computationally

efficient; the trade-off has to be paid for complicated key

pre-distribution and key management. In particular, the

public key cryptography, symmetric key encryption and the

addition of SKE-based key management will likely make

strong security a more realistic expectation in the future.

We also expect that the hardware of SCADA will be

improved so that it can be suitable for the application of

cryptography.

Intrusion detection is defined as the process of moni-

toring the events occurring in a computer system or net-

work and analyzing them for signs of possible incidents,

which are violations or imminent threats of violation of

computer security policies, acceptable use policies or

standard security practices [19, 20]. Two major approaches

of intrusion detection are signature based and anomaly

based. The signature detection matches traffic to a known

misuse pattern while the anomaly detection works on the

abnormalities in the observed data. There are other meth-

ods which fall between the two approaches like probabi-

listic based and specification based [21]. One embeds

probabilistic modelling while the other allowable system

traffic patterns. Misuse based detection methods have

302 CSIT (December 2013) 1(4):301–308

123

reached a saturation point, most of the current research has

been in writing signatures or enhancements of signature

matching using state machines (regex). Generating good

signatures requires extensive study and in-depth vulnera-

bility assessment of the system which is a tedious task in

itself. We have come across [22] which provide signatures

for SCADA specific IDS though. Lot of research has been

going on in anomaly based detections [23, 24]. Zhu and

Sastry [21] give a very detailed outlook of IDS for SCA-

DA. Recently it has been observed that two types of

approaches state based intrusion detection and its

enhancements [25, 26] and model based security [27, 28] is

what the research community is majorly focusing on. Both

the approaches require the real system to be represented

and updated as per changes that take place in the real

network. In state based approach, the representation is in

form of tag, value pairs for each PLC/RTU which these

units are sensing. The idea is to define critical state on

predicates of these tag value pairs. One of most important

advantage that has been suggested is to identify critical

state even if licit commands are sent but their combined

effect is catastrophic. In the model based approach the real

system is represented as cyber-physical system. To depict

such a system, researchers use available simulator [29] for

the physical part and protocol adaptors for the cyber part.

This CPS can then be used to observe effect of commands

on real network by first executing them on the simulated

environment and if found threatening, generating alerts.

Most of work that has been explored does not provide

clarity on how bad data injection [30] would be tackled. As

obvious signature based approaches are too dependent on

regular update of signatures and anomaly based on training

data for intrusion detection. In case of model based

approach defining accurate models and false alarms may

become challenging.

3 Security solution

To meet the challenges discussed in the previous section, we

propose an integrated security framework for power sys-

tems. The proposed solution is a bump in the wire which

consists of key distribution, encryption–decryption, and

intrusion detection. This solution caters to data security at

communication channel and an independent method of

verification of the responses from power system for intrusion

detection. The proposed security solution architecture is

shown in the Fig. 1 and implementation of our bump-in-the-

wire solution in SCADA system is shown in Fig. 2. As

shown in Fig. 2 the key will be distributed at the time of

installation of bump-in-the-wire between the MTU and RTU

at both sides, then it will be automatically revoked period-

ically using our key distribution protocol (Sec-KeyD). To

explain the data flow through our security solution we

consider data flow from MTU to RTU. When MTU has to

send some commands it will pass through bump-in-the-wire

at MTU side. Bump-in-the-wire contains a protocol hard-

ening solution i.e. Flexi-DNPSec [31], which converts

DNP3 packets into new format, called as Flexi-DNPSec

packets. This conversion helps to integrate our key man-

agement solution with it because DNP3 doesnt provide such

facility. Now Flexi-DNPSec protocol have the key man-

agement features i.e. key generation, key distribution, stor-

age, automatic key revocation and encryption/decryption

using our key distribution and key management scheme.

When data passes through bump-in-the-wire device,

encryption of the coming data will take place using the same

key that has been exchanged initially. Then encrypted data

will traverse the network and will be captured at the RTU

side and decrypted using the same key. Once the data is

decrypted, it will re-converted into DNP3 packets. A copy of

it will be passed to the IDS. IDS uses an extended finite state

machine (EFSM) for state transition and event recognition

for DNP3, based on the specifications developed. The

specifications are developed for function codes, object

headers, qualifiers etc part of the DNP3 protocol header to

characterize the expected behavior of network under pur-

view. In the proposed approach the specifications developed

is used for validation in a given message so as to extract any

anomaly in the message. In case of any anomaly detected,

the IDS will respond with an alert message to its corre-

sponding substation. The same will be communicated to

MTU. For encryption–decryption we are using Blowfish.

The detail working of components of our security solution

will be discussed in subsequent sections.

3.1 Security solution components

3.1.1 Intrusion detection

Sekar et al. [32] introduced a category of specification-

based intrusion detection. Specification-based approach

takes the manual development of a specification that

captures legitimate system behaviour and detects any

deviation thereof. This approach can detect unknown

attacks with low false alarm rate. In a narrow sense,

specification-based anomaly detection means looking for

behaviour in network traffic that is peculiar in terms of the

specification for the protocol the traffic is using. In this

case, detection is interested in syntax violation. In a

broader sense, the term could mean applying anomaly

detection on the semantics of traffic as expressed using

the protocol [33–36]. FSM and EFSM based techniques

have been applied in intrusion detection in fields like

sensor networks etc [37–39]. The proposed Intrusion

detection system (IDS) is based on the protocol anomaly

CSIT (December 2013) 1(4):301–308 303

123

based detection technique which combines both the pro-

tocol syntax and semantics. The approach uses an exten-

ded finite state machine (EFSM) for state transition and

event recognition for DNP3, based on the specifications

developed. The specifications are developed for function

codes, object headers, qualifiers etc part of the DNP3

protocol header to characterize the expected behavior of

network under purview. In the proposed approach the

specifications developed is used for validation in a given

message to extract any anomaly in the message.

In a conventional finite state machine, the transition is

associated with a set of input Boolean conditions and a set

Fig. 1 Overall security architecture

304 CSIT (December 2013) 1(4):301–308

123

of output Boolean functions. In an EFSM model, the

transition can be expressed by an if statement consisting of

a set of trigger conditions. If trigger conditions are all

satisfied, the transition is fired, bringing the machine from

the current state to the next state and performing the

specified data operations. Thus EFSM can test memory

variables and set them whereas finite state machines do not

have the concept of variables [16]. So for example a state

machine for a MTU will look something like:

– S = startup, FirstUR, Idle, AwaitFirst, Assembly

– I = all the messages that are going from MTU to RTU

– O = all messages that are coming from RTU to MTU

– V = address, function code, sequence number, object

group, object variation, qualifier, range

– D = all possible legal combinations of sequence

number, object group, object variation, qualifier, range

– T = all possible transitions supported by network under

purview

The transition relation T is specified using rules of the

form:

Eventðvar1; var2; varnÞjconditionaction ð1Þ

Here E is an event name, and the variables var1, var2, etc

denote the arguments of this event. The expression con-

dition should evaluate to a boolean value, and can make

use of common arithmetic and relational operators. It

involves the variables in V, the event arguments, and the

distinguished variable state that refers to the current control

state of the EFSA.

We assume that the IDS and the SCADA system start

functioning together and that the IDS have the information

about the topology of the network. In the IDS at the MTU

side, as many instances of the state machine are created as

there are RTUs in the topology under purview. Once an

instance is created, it is in the startup state. Then the MTU

does an integrity poll for each of the RTUs switching its

state from startup to firstUR for each instance of state

machine and waits for an unsolicited response from the

RTUs. An IDS which is monitoring all the traffic also

updates each of the corresponding state machines. Once

first unsolicited message is received from each RTU, IDS

updates the corresponding instance of the state machine

and moves to idle state [7]. Now each message exchange

can be monitored based on the EFSM between RTU and

MTU for any malicious activity. The EFSM is based on the

principal that for a given request Req in request, the

intrusion detection checks whether it is a allowable request

from the source it is coming from and also verifying cor-

responding reply Rep in the response message against the

allowable limits for this response. This will act like a

verifier and hence will be able to detect and verify the

given request/response.

Case study The residential property has a smart-meter,

dispersed generation such as solar or wind, and an elec-

tricity storage device such as fuel cells for uninterruptible

power supply (UPS) and electricity back-up operations.

The smart-meter, generator, and electricity storage device

are part of a single logical DNP3 device that is connected

Fig. 2 Implementation of

security solution

CSIT (December 2013) 1(4):301–308 305

123

to the Internet as shown in Fig. 3. The DNP3 device has

Internet connections to the distribution system owner, the

electricity retailer, and the residential consumer as shown

in Fig. 3.

The distribution system owner in this example requires

full access to all of the DNP3 devices point types and data

points to ensure reliable distribution system operation, for

control, protection and monitoring operations. The elec-

tricity retailer requires access to the residential consumers

consumption records for billing purposes. The residential

consumer requires access to the device for monitoring their

electricity consumption, which allows them to control their

electricity usage and minimize their electricity costs [40].

Based on the above scenario we can have a set of

security rules (allowed function code, allowed object

headers and within them the allowed index) associated with

each of the stakeholders. We can also have a set of critical

formulas [41] to precisely define based on a topology as to

what combinations of object header and their correspond-

ing values are allowed (given a RTU/PLC what set of

comp, value pairs are allowed). We feel that these rules can

be incorporated in an EFSM to detect intrusions.

For example a residential consumer will have limited

function codes allowed like read, confirm, select etc and

within these function codes there are set of objects that this

stakeholder can have access to. So for a read function code

the residential consumer can access binary output point to

determine if the device is on or off, likewise analog point

type maybe required for meter reading/consumption [40].

In addition to this a set of rules defined for what values

certain components can take given a certain topology and

state information of the network can also be pre-defined

[41]. For example, in a power network for a given load

across a line the value of voltage, powers etc. are known

and can be verified in the response. So now when an EFSM

detects an event rather than just checking the sequence

number, it also does a check on the vector and domain

values defined for a given stakeholder and picks up any

anomaly.

3.1.2 Key management

One critical security requirement is that communication

channels need to be secured. To provide confidentiality on

open channel, encryption and decryption is needed. After

considering security issues of confidentiality, authentica-

tion and integrity of data we can not ignore the role of key

management. Strength of encryption and decryption is

dependent on encryption algorithm and key which is used

for encryption and decryption. Secure keys need to be

established before cryptographic techniques can be used to

secure communications. Managing keys at one node solves

problem of storage only but distribution of keys is another

major issue. The main challenges in key distribution are

authentication of receiver and maintaining the secure path

for key transmission. Schemes like SKE approach are

available for key distribution. Using these schemes there is

a need of involving third party like CA for distribution of

keys but in this case security might be compromise from

third party. Manual storing of keys at each node is also a

big issue. For automatic storing of keys at each node we

can use Diffie–Hellman key exchange method, but for this,

one time extra computation cost at both side and extra

storage for one algorithm is needed. In Diffie–Hellman key

exchange, there is always a chance of man in middle

attack. By using challenge response, protocol authenticity

of recipient might be confirmed for distribution of key but

in this case, key can be obtained by attacker by replay

attack.

Considering limited memory capacity and processing

power, it is necessary to store minimum number of keys

and efficient algorithm without compromising with

required constraint. Number of keys is proportional to

desired functionality like broad casting, multi casting. The

efficiency of memory space also ought to be considered

because thousands of keys and data needs to be manage

and maintain in a limited memory space. Many efforts have

been done in recent years to secure the SCADA commu-

nication including the key management issues. We propose

an efficient key distribution scheme (Sec-KeyD) [42]

keeping in view the present constraints with following

features:

– Based on challenge-response mechanism

– Secure mutual authentication of client and server

– No transfer of session key on open channel nor

installed manually

– Distribution key is generated at both end nodes

– Ensures the freshness of message

Fig. 3 Case study scenario

306 CSIT (December 2013) 1(4):301–308

123

– Symmetric key is passed from server to client by using

session key

– Automatic key updation (revocation)

– No third party is involved

Our key distribution scheme overcome shortcomings

present in the current approaches and fulfills the SCADA

constraints, performance, availability, time-critical

responses, system operation, and access to components

efficiently with following advances:

– Ensures the authenticity of both end nodes (server as

well as client)

– Enhances the confidentiality

– Eliminates the issue of trustiness of third party

– Eliminates replay attack

– Eliminates the man-in-middle attack

– No false server attack

– Automatic revocation of symmetric key

3.1.3 SCADA protocol hardening

We choose DNPSec as a communication protocol and have

done some changes in the header of the protocol to make it

useable as per our requirements and to integrate our key

management scheme. Following modifications are pro-

posed in the DNPSec protocol. Size of the DNPSec packet

was fixed at 292 irrespective of the size of the DNP packet.

The payload, if lesser than that, is padded with dummy data

so that payload size can be of 256 bytes. And with DNPSec

header and the authentication data, it comes to 292.

DNPSec packet is identified from DNP3 and other packets

on network by finding sync bytes 0x0564 at byte position

8–9 of the DNPSec packet. Consequently only payload

data (256 bytes) is encrypted instead of encrypting payload

and original LH header. This scheme provides the same

confidentiality level as the original DNPSec scheme. The

original DNPSec protocol has key sequence number. When

KSN reaches maximum and is re-cycled to 0, the MTU sets

SK bit and send the new session key. Instead of this

arrangement, we reserve the SK bits and instead use our

key distribution protocol to negotiate the key and freshness

number between BITWs of MTU and RTU. And, this

negotiation of keys can be done after a configurable

number of data exchanges [31].

3.1.4 Evaluation

It is important to analyze the security risks and develop

appropriate security solutions to protect SCADA systems.

However, a key problem is accessibility to a SCADA test-

bed. As widely accepted in academic and industrial com-

munities, it is impractical to conduct security experiments

on live systems. A test-bed which comprises of a simulated

SCADA network wrapped with protocol stack/s, will

enable testing different attack and security solutions.

However, these tools are either proprietary, used by

researchers within the organization, and the software is not

released for external use or is not generic enough to support

different architectures, protocols, and systems, exception

being a recent work SCADASim [43]. There are test case

archives available for power systems from University of

Washington [44], Queen Mary University of London [19]

and others but these are of little use to people working in

the cyber world without a proper tool, which can interpret

these values of physical/electrical world into cyber world

in terms of protocol packets.

4 Future work

Currently we are working on the evaluation of our security

solution. As this evaluation will require SCADA traffic, we

are in the stage of generating the traffic in a test environ-

ment. Soon we will come with evaluation results.

5 Conclusion

As SCADA is opening up to standards it has become

vulnerable to cyber-attacks. Due to the possibility of cyber

attacks and its impact on critical infrastructure it is nec-

essary to develop a protection system mitigating such type

of severe threats. Lot of work has been done by different

research communities but we feel that still there are

shortcomings which need to be overcome. We proposed a

security framework for SCADA that covers an efficient key

management and distribution for SCADA, encryption–

decryption and an EFSM based intrusion detection to fill

the gap. We are trying to generate traffic for power system

to evaluate our work.

References

1. Tsang R (2010) Cyberthreats, vulnerabilities and attacks on

SCADA Networks. University of California, Berkeley

2. Zhu B, Joseph A, Sastry S (2011) A taxonomy of cyber attacks on

SCADA system In: Proceedings of CPSCom 2011: the 4th IEEE

international conference on cyber, physical and social computing,

Dalian, China, October 19–22

3. Meserve J (2007) Sources: staged cyber attack reveals vulnera-

bility in power grid. CNN, Washington, DC

4. Greenberg A (2008) Hackers Cut Cities’ Power. http://www.

Forbes.com. Accessed Feb 2012

5. http://unix.nocdesigns.com/aurora_white_paper.htm. Accessed

Feb 2012

6. Stamp J, Dillinger J, Young W, Depoy J (2003) Common vul-

nerabilities in critical infrastructure control systems. Sandia

National Laboratories, Albuquerque

CSIT (December 2013) 1(4):301–308 307

123

7. DNP User Group. http://www.dnp.org. Accessed Dec 2011

8. Makhija J, Subramanyan LR (2003) Comparison of protocols

used in remote monitoring: DNP 3.0, IEC 870-5-101 and Modbus

9. Cleveland F (2005) IEC TC57 security standards for the power

systems info infrastructure: beyond simple encryption, IEC TC57

WG15 security standards ver5

10. IT Security Advisory Group (2005) SCADA security: advice for

CEOs. Department of Communications, Information Technology

and the Arts, Canberra

11. East S, Butts J, Papa M, Shenoi S (2009) A taxonomy of attacks

on the DNP3 protocol, crtical infrastructure protection III. IFIP

Adv Inf Commun Technol 311:67–81

12. Ballman J (2003) The great blackout of 2003 Aug. 14 power

outage largest in U.S. history. Disaster Recovery J 16(4)

13. NCS (2004) Technical information bulletin 04-1, SCADA sys-

tems. NCS, Arlington

14. Fovino IN, Coletta A, Masera M (2010) Taxonomy of security

solutions for the SCADA sector, version 1.1

15. Ten CW, Manimaran G, Liu CC (2010) Cybersecurity for critical

infrastructures: attack and defence modelling. IEEE Trans Syst

Man Cybern 40(4):853–865

16. Beaver CL, Gallup DR, NeuMann WD, Torgerson MD (2002)

Key management for SCADA (SKE). Sandia Lab, Albuquerque

17. Dawson R, Boyd C, Dawson E, Nieto JMG (2006) SKMA-A key

management architecture for SCADA systems. In: Proceedings of

the grid computing

18. Lee S, Choi D, Park C, Kim S (2008) An efficient key man-

agement scheme for secure SCADA communication. In: Pro-

ceedings of world academy of science, engineering and

technology, vol 35

19. elec.qmul.ac.uk/resources/electricitydata/pages/elec-

tricitydata.html. Accessed Feb 2012

20. Patel A, Qassim Q, Wills C (2010) A survey of intrusion detec-

tion and prevention systems. Info Manage Comput Secur

18(4):277

21. Zhu B, Sastry S (2010) SCADA-specific intrusion detection/

prevention systems: a survey and taxonomy, secure control sys-

tems (SCS). Team for Research in Ubiquitous System Technol-

ogy, Stockholm

22. http://www.digitalbond.com. Accessed Nov 2011

23. Verba J, Milvich M (2008) Idaho national laboratory supervisory

control and data acquisition intrusion detection system (SCADA

IDS) IEEE conference on technologies for homeland security

24. Dayu Y, Alexander U, Hines JW (2006) Anomaly-based intrusion

detection for SCADA systems, 5th international topical meeting

on nuclear plant instrumentation, controls, and human machine

interface technology

25. Fovino IN, Coletta A, Carcano A, Masera M, Trombetta A (2010)

Modbus/DNP3 state-based intrusion detection system 24th IEEE

international conference on advanced information networking

and applications

26. Cheung S, Dutertre B, Fong M, Lindqvist U, Skinner K, Valdes A

(2007) Using model-based intrusion detection for SCADA net-

works SCADA security scientific symposium

27. Liu CC, Stefanov A, Hong J, Panciatici P (2012) Intruders in the

grid IEEE power and energy magazine

28. http://www.vikingproject.eu. Accessed April 2012

29. http://www.uclm.edu/area/gsee/Web/Federico/psat.htm. Accessed

March 2012

30. Liu Y, Ning P, Reiter MK (2009) False data injection attacks

against state estimation in electric power grids. In: Proceedings of

the 15th ACM conference on computer and communications

security, pp 21–32

31. Bagaria S, Prabhakar SB, Saquib Z (2011) Flexi-DNP3:flexible

distributed network protocol version 3 (DNP3) for SCADA

security. ReTIS, Kolkatta

32. Sekar R, Gupta A, Frullo J, Shanbhag T, Tiwari A, Yang H, Zhou

S (2002) Specification based anomaly detection: a new approach

for detecting network intrusions. In: Proceedings of the 9th ACM

conference on computer and communications security

33. NCS (2004) DNP3 (Distributed Network Protocol version 3.0) ,

and Modbus NCS Technical Information Bulletin 04-1, SCADA

Systems

34. Shahzad AA, Musa S (2012) Securing SCADA communication

using hybrid cryptography ICUIMC. In: Proceedings of the 6th

international conference

35. Carcano A, Coletta A, Guglielmi M, Masera M, Nai Fovino I,

Trombetta A (2011) A multidimensional critical state analysis for

detecting intrusions in SCADA systems. IEEE Trans Ind inform

7(2):179–186

36. Fovino IN, Coletta A, Carcano A, Masera M (2012) Critical state-

based filtering system for securing SCADA network protocols.

IEEE Trans Ind Electron 59:10

37. Orset JM, Alcade B, Cavalli A (2005) An EFSM based Intrusion

detection system for ad hoc networks, automated technology for

verification and analysis, LNCS 3707, pp 400–413

38. Smith R, Estan C, Jha S (2008) XFA: faster signature matching

with extended automata IEEE symposium on security and privacy

39. Barry BIA, Chan HA (2007) A hybrid, stateful and cross-protocol

intrusion detection system for converged applications. In: Lecture

notes in computer science, vol 4804. pp 1616–1633

40. Garcia Teodoro P, Diaz Verdejo J, Macia Fernandez G, Yazquez

E (2009) Anomaly-based network intrusion detection: techniques,

systems and challenges. Comput Secur 28:18–28

41. Mander T, Cheung R, Nabhani F (2010) Power system DNP3 data

object security using data sets. Computer and Security 29:487–500

42. http://164.100.176.38/patentsearch/search/index.aspx. Accessed

July 2012

43. Queiroz C, Mahmood A, Tari Z (2011) SCADASim a framework

for building SCADA simulations. IEEE Trans Smart Grid2(4):589-597

44. http://www.ee.washington.edu/research/pstca. Accessed Feb 2012

308 CSIT (December 2013) 1(4):301–308

123