Control systems in the energy sector (e.g., supervisory control and data acquisition (SCADA) systems) involve a hierarchy of sensing, monitoring and control devices connected to centralized control stations or centers. The incorporation of commercial off-the-shelf technologies in energy control systems makes them vulnerable to cyber attacks. A taxonomy of cyber attacks against control systems can assist the energy sector in managing the cyber threat. This paper takes the first step towards a taxonomy by presenting a comprehensive model of attacks, vulnerabilities and damage related to control systems. The model is populated based on a survey of the technical literature from industry, academia and national laboratories.
Copyright information
© 2008 IFIP International Federation for Information Processing
About this paper
Cite this paper
Fleury, T., Khurana, H., Welch, V. (2008). Towards A Taxonomy Of Attacks Against Energy Control Systems. In: Papa, M., Shenoi, S. (eds) Critical Infrastructure Protection II. ICCIP 2008. The International Federation for Information Processing, vol 290. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-88523-0_6
DOI: https://doi.org/10.1007/978-0-387-88523-0_6
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-88522-3
Online ISBN: 978-0-387-88523-0
eBook Packages: Computer Science (R0)