A Review of SCADA Anomaly Detection Systems

  • Iñaki Garitano
  • Roberto Uribeetxeberria
  • Urko Zurutuza
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 87)


The security of critical infrastructures is decreasing due to the apparition of new cyber threats against Supervisory Control and Data Acquisition (SCADA) systems. The evolution they have experienced; the use of standard hardware and software components or the increase of interconnected devices in order to reduce costs and improve efficiency, have contributed to this. This work reviews the research effort done towards the development of anomaly detection for these specific systems. SCADA systems have a number of peculiarities that make anomaly detection perform better than in traditional information and communications technology (ICT) networks. SCADA communications are deterministic, and their operation model is often cyclical. Based on this premise, modeling normal behavior by mining specific features gets feasible.


Intrusion Detection Anomaly Detection Intrusion Detection System Critical Infrastructure Prototype Verification System 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    McMillan, R.: Siemens: Stuxnet worm hit industrial systems (2010), (accessed September 14, 2010)
  2. 2.
    Richmond, R.:Malware hits computerized industrial equipment (2010), (accessed September 24, 2010)
  3. 3.
    Christiansson, H., Luiijf, E.: Creating a European SCADA Security Testbed. Critical Infrastructure Protection, 237-247 (2007)Google Scholar
  4. 4.
    Byres, E., Creery, A.: Industrial cybersecurity for power system and SCADA networks. In: Petroleum and Chemical Industry Conference, 303-309 (2005)Google Scholar
  5. 5.
    Barbosa, R., Pras, A.: Intrusion Detection in SCADA Networks. Mechanisms for Autonomous Management of Networks and Services. 163-166 (2010)Google Scholar
  6. 6.
    D’Antonio, S., Oliviero, F., Setola, R.: High-speed intrusion detection in support of critical infrastructure protection. Critical Information Infrastructures Security, 222–234 (2006)Google Scholar
  7. 7.
    Barbara, D., Wu, N., Jajodia, S.: Detecting novel network intrusions using bayes estimators. In: First SIAM Conference on Data Mining (2001)Google Scholar
  8. 8.
    Lane, T., Brodley, C.: An application of machine learning to anomaly detection. In: Proceedings of the 20th National Information Systems Security Conference, pp. 366–377 (1997)Google Scholar
  9. 9.
    Valdes, A., Cheung, S., Lindqvist, U., et al.: Securing Current and Future Process Control Systems. In: International Federation for Information Processing Digital Library, pp. 99–115 (2007)Google Scholar
  10. 10.
    Valdes, A., Cheung, S., Dutertre, B., et al.: Using model-based intrusion detection for SCADA networks. In: Proceedings of the SCADA Security Scientific Symposium (2006)Google Scholar
  11. 11.
    Salvi, D., Mazzariello, C., Oliviero, F., D’Antonio, S.: A Distributed multi-purpose IP flow monitor. In: 3° International Workshop on Internet Performance, Simulation, Monitoring and Measurement IPS-MoMe 9 (2005)Google Scholar
  12. 12.
    Rrushi, J., Campbell, R.: Detecting Cyber Attacks On Nuclear Power Plants. Critical Infrastructure Protection, 41–54 (2009)Google Scholar
  13. 13.
    Düssel, P., Gehl, C., Laskov, P., et al.: Cyber-Critical Infrastructure Protection Using Real-time Payload-based Anomaly Detection. Critical Information Infrastructures Security, 85–97 (2010)Google Scholar
  14. 14.
    Lawrence Berkeley National Laboratory Bro intrusion detection system (2010), (accessed September 17, 2010)
  15. 15.
    Papa, M., Gonzalez, J.: Passive Scanning in Modbus Networks. International Federation for Information Processing Digital Library, 175–187 (2007)Google Scholar
  16. 16.
    Cucurull, J., Asplund, M., Nadjm-Tehrani, S.: Anomaly detection and mitigation for disaster area networks. Recent Advances in Intrusion Detection, 339–359 (2010)Google Scholar
  17. 17.
    Porras, P.A., Neumann, P.G.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: Proceedings of the 20th National Information Systems Security Conference, pp. 353–365 (1997)Google Scholar
  18. 18.
    Bigham, J., Gamez, D., Lu, N.: Safeguarding SCADA systems with anomaly detection. Computer Network Security, 171–182 (2003)Google Scholar
  19. 19.
    Yang, D., Usynin, A., Hines, J.W.: Anomaly-based intrusion detection for SCADA systems. In: 5th Intl. Topical Meeting on Nuclear Plant Instrumentation, Control and Human Machine Interface Technologies, pp. 12–16 (2005)Google Scholar
  20. 20.
    Valdes, A., Cheung, S.: Communication pattern anomaly detection in process control systems. In: IEEE Conference on Technologies for Homeland Security, pp. 22–29 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Iñaki Garitano
    • 1
  • Roberto Uribeetxeberria
    • 1
  • Urko Zurutuza
    • 1
  1. 1.Electronics and Computing DepartmentMondragon UniversityArrasate-MondragonSpain

Personalised recommendations