IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO.

4, JULY 2010 853

Cybersecurity for Critical Infrastructures:

Attack and Defense Modeling
Chee-Wooi Ten, Student Member, IEEE, Govindarasu Manimaran, Senior Member, IEEE, and
Chen-Ching Liu, Fellow, IEEE

Abstract—Disruption of electric power operations can be attacks in numbers and sophistication on electric grids and
catastrophic on national security and the economy. Due to the other critical infrastructure systems. The focus of this paper
complexity of widely dispersed assets and the interdependences is the cybersecurity of an electric power infrastructure. The
among computer, communication, and power infrastructures, the
requirement to meet security and quality compliance on opera- three modes of malicious attacks on power infrastructure are
tions is a challenging issue. In recent years, the North American as follows: 1) attack upon the system; 2) attack by the system;
Electric Reliability Corporation (NERC) established a cybersecu- and 3) attack through the system [8].
rity standard that requires utilities’ compliance on cybersecurity Physical security of the power infrastructure has been recog-
of control systems. This standard identifies several cyber-related nized by the power community as an important issue. One
vulnerabilities that exist in control systems and recommends
several remedial actions (e.g., best practices). In this paper, a
example precaution was to prevent vandalism on unmanned
comprehensive survey on cybersecurity of critical infrastructures substations [9]. Due to the growing concern over the potential
is reported. A supervisory control and data acquisition security sabotage, the focus of physical security has been broadened
framework with the following four major components is proposed: to incorporate critical substations that may result in cascading
1) real-time monitoring; 2) anomaly detection; 3) impact analy- effects, leading to a wide-area blackout [10]. The application of
sis; and 4) mitigation strategies. In addition, an attack-tree-based sensors to monitor the structural health of transmission lines is
methodology for impact analysis is developed. The attack-tree
formulation based on power system control networks is used to
also an important way to reduce the power system vulnerability
evaluate system-, scenario-, and leaf-level vulnerabilities by iden- [11]. Electronic security is as important as physical security due
tifying the system’s adversary objectives. The leaf vulnerability to the potential impact that can be made through operations
is fundamental to the methodology that involves port auditing or of critical cyberassets. Electronic security here refers to the
password strength evaluation. The measure of vulnerabilities in security of critical cyberassets of the power infrastructure. It
the power system control framework is determined based on ex- includes the supervisory control and data acquisition (SCADA)
isting cybersecurity conditions, and then, the vulnerability indices
are evaluated. systems that are widely used in the industry for monitoring
and control of the power grid. These systems include computer
Index Terms—Attack tree, cybersecurity, defense systems, and communication devices installed in power plants, substa-
power system control, security vulnerability.
tions, energy control centers, company headquarters, regional
I. I NTRODUCTION operating offices, and large load sites. Cybersecurity of crit-
ical infrastructures systems encompasses three major control

C RITICAL infrastructures are complex physical and cyber-

based systems that form the lifeline of a modern soci-
ety, and their reliable and secure operation is of paramount
systems. SCADA systems are the central nerve system of a
wide-area control network that constantly gathers the latest
status from remote units [1]. A process control system (PCS) is
importance to national security and economic vitality. In most implemented with a closed-loop control for an ongoing task. A
sense, the cyber system forms the backbone of a nation’s critical distributed control system (DCS) is the complex combinations
infrastructures, which means that a major security incident on of SCADA and PCS. Fundamental materials about SCADA are
cyber systems could have significant impacts on the reliable further detailed in [3], [12], and [13]. A variety of communica-
and safe operations of the physical systems that rely on it. tion systems are deployed on the power grid for the purpose of
The recent findings, as documented in government reports [1]– monitoring and control. The analog and status data acquired by
[7], indicate the growing threat of physical and cyber-based SCADA are utilized by an energy management system (EMS)
in the control center to perform a wide range of system func-
Manuscript received July 2, 2008. Date of publication June 3, 2010; date tions, including real-time control. The communication system
of current version June 16, 2010. This work was supported by the Elec- for wide-area protection and control of a power system can
tric Power Research Center, Iowa State University. The authors would also be weakened due to component failures or communication
like to acknowledge partial support by the Science Foundation Ireland (SFI)
and U.S. National Science Foundation (NSF). This paper was recommended delays [14]. Failure of an important communication channel
by M. Ulieru. in the operational environment could result in an inability to
C.-W. Ten and C.-C. Liu are with the School of Electrical, Electronic and control or operate important facilities, leading to possible power
Mechanical Engineering, University College Dublin, National University of
Ireland, Belfield, Dublin 4, Ireland (e-mail: cheewooi.ten@ucd.ie; liu@ucd.ie). outages. Other than the communication between the control
G. Manimaran is with the Department of Electrical and Computer Engineer- center and substations that has long been established, the inter-
ing, Iowa State University, Ames, IA 50010 USA (e-mail: gmani@iastate.edu). control center communication through the Internet serves as the
Color versions of one or more of the figures in this paper are available online
at http://ieeexplore.ieee.org. data exchange mechanism between interconnected networks
Digital Object Identifier 10.1109/TSMCA.2010.2048028 [15]. Analyzing the events at the interfaces between power and

1083-4427/$26.00 © 2010 IEEE

854 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

telecommunication systems is an important way to understand The observation of computer intruder activities by the U.S.
their dependences [16]. The use of standard protocols on critical Computer Emergency Readiness Team (US-CERT) has been
systems leads to a source of vulnerability [17]. undertaken since the late 1980s. The sophistication of attack
Due to technological changes over the last decade, protocols trends has advanced from automated to highly firewall-
have been refined to become more flexible in their interoper- permeable and distributed fashions [41]. Increasingly sophis-
ability and maintainability, specifically in an open architecture ticated tools help to penetrate existing network connections
with high-speed communications [12], [18]. The evolution of [42]. Reference [7] identifies the latest cybersecurity technolo-
SCADA systems has also raised concerns about cyber-related gies for protection. The findings in a 2004 report from the
vulnerabilities [2], [13]. In addition, interdependences among Government Accountability Office (GAO) [3] highlight the
computers, communication, and power infrastructures have in- extensive plans of sabotage to disrupt the U.S. power grid.
creased the risks due to complexity of the integrated infrastruc- A survey conducted by electric utilities indicates the growing
tures [19]. Although the complex infrastructure provides great concern over the attacks on power grid through communi-
capabilities for operation, control, business, and analysis, it cation security breaches. Intrusion into the control networks
also increases security risks due to cyber-related vulnerabilities. remains the highest concern based on the survey [43]. Recent
Technological advances can help to reduce the deficiencies of computer crime and security surveys from the Computer Se-
current power and communication systems [20]. However, tech- curity Institute (CSI) indicate that the system penetration by
nological complexity can also lead to security breaches that are outsiders may cause high financial losses [44]. Specifically,
prone to electronic intrusions. A successful intrusion into the it is the third highest financial loss among other attack types
control networks can lead to undesirable switching operations based on the 2007 survey. Due to the fast-growing intrusion
executed by attackers, resulting in widespread power outages. attempts through cyberspace, the analysis of direct and indirect
Another potential scenarios are intrusion into one or more cybervulnerabilities and cyberthreats is important. The analysis
substations and alteration of the protective relay settings, which identifies the possible consequences and measures to prevent
could result in undesirable tripping of circuit breakers. The them from attacks [45]. Awareness programs about exploited
vulnerabilities of a power system include three main compo- vulnerabilities are set up to improve the control system security
nents, i.e., computer, communication, and power system [21]– [46]. Initiatives addressing the critical infrastructures have been
[24]. Attacks can be targeted at specific systems, subsystems, established by US-CERT, i.e., national SCADA test beds [47],
and multiple locations simultaneously from a remote location. [48]. Traditional IT solutions may not be well positioned to
Entities in the control center, substation automation system control systems in which CERT and national test beds are set up
(SAS) [25], [26], distribution management system, Independent for strengthening the defense for the domain-specific purpose
System Operator (ISO), and power plant process control system [49]. The initial intention of the American Gas Association
[27]–[31] are interlinked. Interdependence plays an essential 12 Task Group is to establish the protection guidelines for
role in vulnerability assessment. An enhanced authentication gas SCADA systems [50]. The guidelines have been applied
process on the critical cyberassets, such as access to certain to water and electricity SCADA systems due to technical and
control functions, should be validated through the biometric operational similarities. The compliance set by North American
features of an individual [32]. Electric Reliability Corporation (NERC) Critical Infrastructure
Security awareness for emerging technologies is critical to Protection has established permanent policies for utilities in
prevent cyberattacks. Information security in an open system the U.S. that are helpful for the reduction of risks from a
architecture, with respect to potential threats and goals (in terms compromise of critical cyberassets [51], [52]. A comparison
of confidentiality, integrity, availability, and accountability), is between compliance standards of power entity and other similar
a challenging task [33]. ISO/IEC 17779 recommends a list of SCADA systems has been reported in [6] and [53]. Research
important controls on the information security management on information security has stressed on modeling dependability
system [34]. A virtual enterprise is one way to promote a [54] and risk assessment framework [55], [56]. A new paradigm
collaborative group of managing existing network enterprises for classification of the security level using declustering in
by coordinating, controlling, and communicating remotely to database is introduced [57]. Correlation is also a technique to
the networks with different roles and user types [35]. Govern- identify intrusion into a network [58]. A game approach to
ments have responded by increasing national readiness as the modeling of response strategies for attackers and administrators
connectivity of control networks increases [4]. Vulnerability is used as a technique to enhance network security [59].
assessment for process control systems has been recognized
as an important task that has an impact on power system
operation [36], [37]. The International Electrotechnical Com- II. SCADA S ECURITY F RAMEWORK
mission Technical Council (IEC TC 57), i.e., power system A strategic roadmap framework has been developed to ad-
management and associated information exchange, has ad- dress the security issue in a proactive manner [1], [60], [61].
vanced the standard communication protocol security in To assess the information security of control systems, it is
IEC62351 with stronger encryption and authentication mecha- useful to quantify the resiliency of a power grid in terms of
nisms [38]. Such mechanisms allow verification and evaluation threats and the impact that they can make. Interdependence
of potential threats. Aside from the deficiencies of the commu- modeling with computer and communication infrastructures is
nication architecture on availability, scalability, and quality of useful for determination of the system bottleneck [62], [63].
service in real time, a new approach has been envisioned for Security system engineering deals with adversary models that
strengthening power grid in terms of security, efficiency, and describe attack objectives and relevant impact/mission based on
reliability [39], [40]. hypotheses [64]. The key is to identify the system properties.
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 855

Fig. 1. Proposed SCADA Security Framework: RAIM Framework.

Understanding of the mission impact facilitates analytical eval- resource exhaustion attack, such as a packet flooding attack,
uation of the interdependences among infrastructures that can involves compromised machines sending a large number of
hinder the effectiveness of attack modeling [65]. Analysis of spurious packets to a target server(s) and/or network, which is
the economic impact helps to identify the appropriate measures the potential victim. In addition, there have been large-scale
that mitigate risks at pivotal network nodes [66], [67]. worm propagation activities in recent years that consume a
Fig. 1 shows the proposed security SCADA framework, significant amount of compute and network resources, causing
which encompasses four key components: 1) real-time moni- disruptions to information infrastructure systems. DoS attacks
toring; 2) anomaly detection; 3) impact analysis; and 4) miti- have evolved to distributed forms [70]. Building a norm profile
gation strategies (RAIM). Each of the key components will be is essential to detect various flooding attacks by identifying
elaborated next. the changes from normal activities. Information and commu-
nication infrastructures that are integral parts of the electric
power system are not exempt from this potential trend and
A. Real-Time Monitoring
the consequences. In fact, these issues are more pronounced
A variety of information networks are interconnected to the in critical infrastructure systems due to the legacy nature of
electric power grid for the purposes of sensing, monitoring, and the information/communication technologies used therein and
control [68], [69]. These information networks are closely asso- the catastrophic nature of the consequences. For example,
ciated with the SCADA system. The environment of a SCADA a DoS attack on power infrastructure elements such as the
system involves a control center, intelligent electronic devices substation, control center, or the communication network can
(IEDs) at substations, distributed sensors that measure electrical have a serious effect on the SCADA system and the associ-
and other quantities on the network, and a variety of communi- ated critical functions. These functions include state estima-
cation links between the control center and substations. These tion, alarm processing, and preventive or emergency controls.
communication links are wireline circuits, microwave channels, Resource-exhaustion-based DoS attacks could come in the
or power-line carrier channels. As mentioned, the data acquired following forms in an electric power grid environment.
through the SCADA system are utilized in the EMS for a wide
range of system operation and real-time control functions. 1) They slow down or bring down the control center
Denial-of-service (DoS) attacks are among the most detri- network, causing degradation in its real-time control
mental, which affect computer and communication perfor- performance.
mance through resource exhaustion in terms of compute 2) They slow down or bring down SASs, causing degrada-
cycles, buffers, and communication bandwidth [69]. A typical tion in real-time sensing and actuation performance.
856 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

3) Congest the forward and/or backward communication periodically monitored and correlated. The system logs include
paths, causing the communication latencies to exceed the following:
the limit that can be tolerated for real-time SCADA
1) Communication systems: Status of the communication
operation.
server to all IEDs, such as communication link failure
Resource-exhaustion-based DoS attacks can be launched (temporary or permanent), or degradation of the expected
even if control centers and substations are fully secured by throughput. An idle connection that has been made over
the latest security technologies and secure versions of SCADA the allowed time frame should also be reported. Detection
protocols. Examples of secure versions are Modbus and Inter- of DoS by determining the maximum number of connec-
Control Center Communication Protocols (ICCP) [15]. tions allowed by considering the number of simultaneous
connections or at a different time frame. An irregular
frequency and volume of usage on a specific application
B. Anomaly Detection should be included.
2) Computer systems: Alarms of intrusion attempts with
Anomaly detection is based on event correlation techniques
respect to the attempt frequency to each system. The
to systematically establish the relationship between statistical
number of reset, shutdown, or stopping (dead heartbeat)
data sets from various sources. This is an approach to ex-
system applications or controllers, including timestamps
tract and analyze the audit data from power instruments and
on all relevant events. The system should alert a computer
cyber-related logs to distinguish if a threat is credible [41].
permanent failure.
Event correlations can be categorized as follows: 1) temporal;
2) spatial; or 3) hybrid. These combinations introduce a dif- The system logs for vulnerability assessment can be obtained
ferent perspective of threats that may capture local or global either from real SCADA environments or from a SCADA test-
abnormality [71], [72]. bed platform that emulates various SCADA functions.
Sources in SASs that can be correlated in the substation-level
(local) and control center (global) networks include the follow-
ing : 1) relay setting of IEDs [73], [74]; 2) user credentials and C. Impact Analysis
application logs; 3) traffic logs, such as volume within local
Impact analysis is the task to analyze the intrusion behaviors
and global networks; and 4) status of running applications. An
and evaluate the consequences of a cyberattacks on the SCADA
adaptive anomaly detection strategy to deal with the incomplete
system [76]–[79]. The proposed method is used to assess the
data is essential, particularly to identify intentional deception
vulnerability of computer networks and power systems, pos-
or data errors [75]. Threats such as actual intrusions, intrusion
sibly the potential loss of load in a power system as a result
attempts, or DoS shall be inferred through correlation analysis.
of a cyberattacks. A compromised cybersecurity of a SCADA
The correlations that may be applied to the power infrastructure
system can cause serious damage to a power system if the attack
are as follows.
is able to launch disruptive switching actions leading to a loss
1) Temporal correlation: This is a data extraction from a of load or equipment damage. This is particularly troublesome
local environment that can be learning- or rule-based by if the attack can penetrate the control center network that is
training the instrumental devices to detect the malicious connected to substations under the SCADA system. An inte-
modification in relay settings. There has been a work by grated risk modeling approach that captures both power control
Su et al. [74] that introduces the intelligence to detect if system vulnerabilities and the resulting impacts on the real-
the relay settings can be altered by amplifying the mea- time operation of the power system was proposed in [80]. The
surements from voltage or current transformers. How- methodology has the following four key steps.
ever, such an implementation has only considered limited
1) Cybernet: Network that incorporates combinations of
perspectives of abnormality, which can be refined through
intrusion scenarios into the SCADA system. The cybernet
correlations among other local sources. Extension of the
captures the system configuration, authentication, firewall
hypotheses is possible.
model, and login/password model. The transition rates of
2) Spatial correlation: This involves properties for the
the cybernet are obtained by statistical analysis of system
analysis of events occurring in multiple substations, in
logs. The steady-state analysis of cybernet provides the
control centers, or at substations and control centers. This
intrusion probability for each scenario.
is to ensure a higher security level when a system is
2) Power flow simulation: The steady-state behavior of a
under sophisticated attacks that may lead to significant
power system under a cyberattacks can be studied us-
economic losses and equipment damage.
ing intrusion models and power flow simulations. This
3) Hybrid correlation: The hybrid approach combines both
evaluation of a power system under cyberattacks can be
temporal and spatial correlations to determine and com-
performed by isolating the compromised subsystems.
pare the likelihood of the attacks’ severity. This can refine
Failure to obtain a power flow solution is an indication of
the correlation hypothesis, depending on the credibility of
a major impact that may lead to a power system collapse.
the current conditions from the various sources.
The impact of isolating a substation in the overall system
To perform anomaly detection and associated impact analy- is measured by an impact factor corresponding to the
sis, the various system logs of the SCADA network need to be substation.
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 857

3) Vulnerability index calculation: The scenario vulnera-

bility index is computed as the product of steady-state
intrusion probability for the scenario (obtained through
cybernet analysis) and the impact factor of the component
(obtained through power flow simulation). The maximum
among the scenario vulnerability indices is used as the
Fig. 2. Attack leaves with “AND” and “OR.” (a) Attack leaf with logic operator
system vulnerability index. “AND.” (b) An attack leaf with logic operator “OR.”
4) Security improvements: Improve the cybersecurity of the
SCADA system based on vulnerability assessment results TABLE I
RULES FOR C ONDITIONS 1, 2, AND 3
with the available technologies. This improvement can
produce different probabilities that will be used in the
quantitative analysis.

D. Mitigation Strategies
The output of the event correlation and hypothesis formation
shows the risks. The likely scenarios will undergo an impact
analysis to study the severity of risks. If the associated risk of an attack tree is the ultimate goal with combinations of
is high in terms of the loss of load [80], equipment damages subgoals. Each attack leaf may include one or more defense
(costly devices such as generators and transformers), or other nodes that are direct successors of the attack leaf. Defense
forms of economic losses, then suitable control actions will nodes provide countermeasures. An attack leaf can be an el-
be initiated to prevent/mitigate the risks. The nature of the ement of different intrusion scenarios, depending on the node
prevention/mitigation techniques depends on the following na- connectivity associated with it. The predecessors of each attack
ture of risk: 1) intrusion attempts; 2) intruded scenario; or leaf are nodes that are attributed with logic operators “AND” or
3) ongoing DoS attack [68]. In case of an intrusion attempt, “OR.” Each predecessor node is specific for the given leaf node.
suitable security improvements need to be made at the most Fig. 2 shows attack trees with “AND” and “OR” configurations.
vulnerable components of the system that are associated with All leaves leading to an “AND” box will have to be penetrated
the identified vulnerability scenario. The most vulnerable com- in order to move up the attack tree, i.e., a subsystem has been
ponents of a scenario can be identified through tracing the path penetrated. On the other hand, in Fig. 2(b), if one of the attack
(sequence of events) in risk modeling. Implementation of the leaves is penetrated, it is sufficient to move up the attack tree.
proposed framework can be evaluated through test-bed studies
to quantify cyber-based vulnerabilities and associated risks in A. Introduction to the Methodology
power systems and to also evaluate the effectiveness of risk mit-
igation under realistic and sophisticated attack scenarios [81]– A cybersecurity vulnerability index is a measure of the
[83]. A recovery strategy helps to mitigate the cyberattacks with likelihood that an attack tree or attack leaf will be compromised
self-healing mechanisms [61]. by hackers. Each attack leaf may have weaknesses that are
prone to attacks. The vulnerability index ranges from 0 to 1,
from the most invulnerable (0 value) to the most vulnerable
III. ATTACK -T REE M ODELING
(1 value). There are separate vulnerability indices for each
The contribution of this paper is a new algorithm for eval- attack leaf and each intrusion scenario. There is also an overall
uation of cybersecurity incorporating both password policies system vulnerability index. All indices range from 0 to 1.
and port auditing. The algorithm has been implemented as a A vulnerability index is determined based on the following
software prototype. A case study of the proposed algorithm is factors: 1) evidence of attempted intrusions; 2) existing coun-
simulated and reported in Section V. As shown in the previous termeasures and improved countermeasures; and 3) password
section, impact analysis is a way to evaluate the consequences policy enforcement. The vulnerability index is evaluated with
of an attack. Attack trees are simplified methodologies for the hypothesis listed in Table I. Three conditions are defined in
impact analysis of a computer network system by identifying Table I. Condition 1 states that there is no evidence to suggest
the adversary objectives. The exploitability index introduced in that there are intrusion attempts for the system. Condition 1 is
[63] has associated a system profile with hypotheses. The risk not met when there are credible pieces of evidence of malicious
assessment methodology is based on the relevance and priority attempts based on electronic data. Condition 2 is met when there
with a list of hypothesized failures, which is formulated in are one or more countermeasures implemented for an attack
accordance with the given weight to the probable consequence leaf. Any technology that is applied to defend the attack leaf
events. The proposed methods in this paper provide a similar would satisfy condition 2. An example is a web server installed
framework to identify system dependences of SCADA systems with a firewall that monitors the access to prevent malicious
without including the outage costs. intrusions through online traffic. Password implementation for
An attack tree is a graph that connects more than one attack each attack leaf is considered for assessment. Poor password
leaf from each node [84]–[88]. An attack tree may consist of practices result in unauthorized access. A system can face the
a multilevel hierarchy in a predecessor–successor structure that risks of unauthorized access, even though it may be password
captures the possible ways to achieve subgoals. The top node protected. Conditions 2 and 3 may influence condition 1.
858 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

reduce access from anonymous users. This would reduce at-

tempted intrusions and enhance system security. Detection of a
potential intrusion attempt but without reinforcing at least one
password policy results in χ = 0.67, i.e., true for conditions
1 and 3 but not for condition 2. The other example is that
condition 3, with stronger password policies, would also protect
the system from being compromised (in this case, it would be
χ = 0.33 as only condition 1 is true). However, this does not
change the number of attempts.

B. Evaluation of Vulnerability Indices

This section is concerned with the cybersecurity vulnerability
of an attack tree. There are four steps to assess the security
vulnerability: 1) identifying the intrusion scenarios; 2) evalu-
ating vulnerability indices for the system, intrusion scenarios,
and attack leaves; 3) port auditing; and 4) password strength
evaluation.
1) Identifying the Intrusion Scenarios From the Attack Tree:
Fig. 3. Procedure to evaluate vulnerability indices. First, the intrusion scenarios from the attack tree are identified.
IV. V ULNERABILITY A SSESSMENT OF C YBERSECURITY Then, the possible intrusion scenarios are enumerated. Each of
the intrusion scenarios is the combination of attack leaves that
The procedure to evaluate vulnerability indices is shown in are formed with “AND” or “OR” attributes configured in the
Fig. 3. As shown in the figure, the procedure starts with an attack tree. The leaf vulnerability index v(Gk ) of each attack
analysis of the attack objectives. Then, the attack tree and coun- leaf is evaluated once all the intrusion scenarios are determined.
termeasures are established. The system vulnerability index is The scenario vulnerability is the product of the corresponding
obtained by evaluating the scenario vulnerability and the leaf attack leaf vulnerabilities.
vulnerability for the selected scenarios and the corresponding 2) Evaluating Vulnerability Indices: There are three secu-
attack leaves. This section describes the procedure to evalu- rity vulnerability indices: 1) system vulnerability; 2) scenario
ate the vulnerability indices: 1) cybersecurity conditions and vulnerability; and 3) leaf vulnerability. The system vulnerabil-
2) evaluation of vulnerability indices. ity (VS ) is the vulnerability of an attack tree determined from
the scenario vulnerability, as shown in (1). K is the total number
A. Cybersecurity Conditions of intrusion scenarios. A vector of scenario vulnerabilities is
given in (2), where I = {i1 , i2 , . . . , iK } is a set of intrusion
This section evaluates the cybersecurity conditions (χ),
scenarios. The index VS is the maximum value over the scenario
which is a preliminary evaluation before the specific vulnera-
vulnerability set. Each intrusion scenario is a possibility that
bility indices related to leaves and scenarios are calculated. The
leads to successful penetration of the system. The vulnerability
cybersecurity condition assessment is based on technological
of a scenario is the product of leaf vulnerabilities, where
countermeasures and enforcement of the password policy.
each scenario vulnerability is formed with a different subset
The cybersecurity condition is measured by a number χ,
of S. Scenario vulnerability indices are given in (2), where
which assumes the value of 0.33, 0.67, or 1. A low value s1 , s2 , . . . , sk ∈ S and S = {1, 2, . . . , n}
indicates that the system condition is invulnerable, while the
value 1 indicates that the system is vulnerable.
Vs = max (V(I)) (1)
1) χ = 0.33: If [(Condition 1) AND (Condition 2) AND
V(I) = (V (i1 ) V (i
2) · · · V (iK ))
(Condition 3)], then = 0.33 → All conditions in Table I ⎛ ⎞
V (i1 ) = j∈s1 v(Gj )
are satisfied. Advanced countermeasures are deployed, ⎜ V (i2 ) = j∈s v(Gj ) ⎟
and comprehensive password policies are enforced. There ⎜ 2 ⎟
=⎜ .. ⎟. (2)
is no evidence that the system is subject to malicious ⎝ . ⎠
attempts. 
V (iK ) = j∈sK v(Gj )
2) χ = 0.67: If  [(Condition 1) AND (Condition 2)] OR
[(Condition 1) AND (Condition 3)] OR [(Condition 2) A leaf vulnerability is evaluated by incorporating the
AND (Condition 3)] , then = 0.67 → Any two of the strengths of the implemented countermeasures, such as auditing
conditions in Table I are satisfied. the ports vα and password combination vβ in a computer. The
3) χ = 1.00: If ([(Condition 1) OR (Condition 2) OR (Con- cybersecurity condition χ must be identified first. The basis for
dition 3)] OR (None of the conditions)], then = 1.00 → evaluation is to predetermine the leaf vulnerability condition
Only one or none of the conditions is met. with respect to the evidence of attempted intrusions, technolog-
For instance, implementation of the new technological coun- ical countermeasures, and password policy enforcement, which
termeasures can reduce the likelihood of intrusions. Applying was discussed in Section IV-A. Password policies and port
boundary protection in a firewall with a set of rules can also auditing on computer systems are important elements of the
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 859

proposed analytical method. In this model, both elements are

combined for assessment of the leaf vulnerability
v(G) = χ · maxvα , vβ . (3)
The leaf vulnerability index is the maximum value between
port and password vulnerability.
3) Port Auditing: Port auditing ensures that a computer
system is free from malicious threats that can lead to a system
compromise. This includes local security checks, root access,
remote file access, default account, Trojan horse, worm, or
possible backdoor. In the vulnerability test, the vulnerability of
the port is categorized into four levels, i.e., high, medium, low,
and relevant. The high risk level indicates that the system can be
in damage, particularly if it can be used to breach the integrity Fig. 4. Piecewise between the defined si and si−1 .
of the system, or possibly resulting in a DoS attack that brings
down the system. The medium risk level has inappropriate data and password combination. The password vulnerability vβ is
or files in the system, which may be used for a subsequent defined as
attack in the system. The low risk level is typically not severe
and can only serve as a conjunction to other vulnerability vβ = max1 − rβ  (7)
risk that may lead to a security breach. The relevant level
is not classified as risky, but for informational purposes, the where rβ is the mapping of sβ between 0 and 1 representing the
system administrator should determine if there are malicious set of total accounts on a computer system. Since the mapping
indications. The weighted sum of port risk factor is defined as of rβ depends on risk classification, a piecewise linear function
for the range of each classification is derived. Supposing that a
c= ni · ωi . (4) linear function is defined in (8), where a denotes the slope of a
i∈I piece and b denotes the interception at the y-axis
Classification of risk factor is weighted in accordance with
the level of severity ωi , where each level carries a certain weight rβ = a · sβ + b. (8)
of risk factor to the number of findings ni . The port vulnerabil-
sβ is the combination of password that maps to the strength of
ity vα can be normalized by σ, which is obtained from a set of c
password defined at the y-axis (shown in Fig. 4). The symbol
c rβ is the mapping point of sβ . The slope of every piece of linear
vα = (5)
σ function can be determined as
where σ denotes the historical worst case among all audits. ri − ri−1
The weighting factors ω1 , ω2 , . . . , ω4 for each defined level are a= . (9)
si − si−1
assigned to 1, 0.75, 0.5, and 0.25, respectively.
4) Password Strength Evaluation: Password strength is de- The interception of the point b is generalized as follows:
termined by the total combination of character types and
ri − ri−1 ri−1 · si − ri · si−1
its length. The strength of password vulnerability can be ri = si + b ⇒ b = . (10)
measured as si − si−1 si − si−1

sβ = C L (6) In general, it can be expressed in (11), shown at the bottom

of the page.
where C is the combination of character types and L is the 5) Evaluating Security Improvements: Security improve-
length of a password. The strongest password strength deters or ment can be achieved by a replacement or additional coun-
prolongs the cracking process. Neither brute-force trials nor so- termeasures. The improvement for an attack leaf and intrusion
cial engineering techniques can break through in a short period. scenario can be measured with the implementation of defense
For instance, a numeric combination of ten can be improved nodes denoted as v  (G) and V  (i), respectively, for the leaf and
with additional 52 alphabetical combinations (capital and small scenario vulnerability after an improvement is implemented.
letters). This would strengthen the password to prevent the The degree of improvement for a leaf vulnerability is given by
dictionary way of password cracking. In addition, password |(v  (G) − v(G)/v(G)) × 100%| and similarly for the scenario
policies can be enforced with minimum length, password age, improvement.

⎧
⎨ 0,
 if sβ < s0
ri −ri−1 ri−1 ·si −ri ·si−1
rβ = si −si−1 sβ + si −si−1 , if si−1 ≤ sβ < si , where ri+1 > ri , r0 = 0, i = 1, 2, . . . , n − 1 (11)
⎩
1, if sβ ≥ sn , sj > sj−1 , j = 1, 2, . . . , n
860 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

V. C ASE S TUDY: I NTRUSION M ODELING TABLE II

R ISK V ULNERABILITY E VALUATION AND N UMBER OF
U SING AN ATTACK T REE PASSWORDS ON C OMPUTER N ETWORK S YSTEMS
The methodology proposed in the previous section is applied
to the study cases in this section. The purpose is to identify the
access points of power system control networks and evaluate
the network vulnerability. The objective of the proposed attack
tree is focused on the ports and passwords of the computer
systems on the control networks, e.g., substation or process
control networks with virtual private network connection. The
case study is to ensure the following.
1) All of the computer ports are evaluated (to ensure that
there is no worm, Trojan horse, or spyware).
2) The strength of password is high with a good combination
of character types to prevent intrusions.
3) System vulnerability is within the reasonable range rela-
tive to each scenario vulnerability.
The case study is based on the computer networks set up at
Iowa State University. A total of 43 computer systems orga-
nized in five subnets, emulating subnets of electric power con-
trol networks, are evaluated based on the proposed methodology.
Although all networks are protected by firewalls, they are
distinctive in roles, technologies, and architecture.
1) Primary control center: This is a wide-area control that
consists of real-time communication servers, EMS appli-
cation servers, and relational databases. These servers are
highly redundant systems with additional servers as slave
mode; failover in case of unforeseen failures.
2) Backup control center: It has identical settings, config-
urations, and system architecture as the primary control
center that serves as “site-backup” mode for disastrous
coordination in case of a primary center failure. It pe-
riodically updates the latest databases of the primary
control center through ICCP servers for real-time data ex-
change, including real-time and historical power system
information.
3) Substation: An Ethernet-based peer-to-peer communica-
tion within the substation, linking the instrumental de- combinations and specific vulnerability tests, the time required
vices, e.g., IP-based IEDs, to the substation computer. for each machine ranges from 5 to 9 h. The setup of the studies
The main role of substation control is within the sub- includes different platforms to ensure that local security checks
station. The computer in the substation also serves as a are covered in the test. Tests for DoS are also included in the
server that sends real-time data to other networks and evaluation. Table II shows the risk vulnerability assessment on
receives control commands from the control center. 43 computer systems distributed in the control network. This
4) Power plant: The power plant is deployed with high evaluation shows the number of findings that is grouped in
redundancy for data reliability purposes within the net- each category, i.e., high, medium, low, and relevant, with more
work. The power plant network involves complex process than 10 000 vulnerabilities scanned. For instance, potential high
control and monitoring functions. It is a high-speed and and medium risk levels associated to each backdoor and DoS
large capacity network that acquires real-time data from shown in the table are detected in 1.1.5.3. It appears that the
physical devices, e.g., boiler or gas turbine. backdoor can be accessed through ports 5800 and 5900. The
5) Web-based SCADA: It is a portal page of user interfaces detection of DoS can crash a service by sending a single long
that manages the municipal (smaller) control network, text line that crashes a software module. Lower risk factors
in which data reliability and backup are maintained by include traceroute from a scanning server and other unknown
third-party vendors. It is a client–server technology that services that are detected as nonmalicious. By going through
provides same role as a control center. similar evaluations on each computer system, the worst case
The evaluation is performed from a server outside the cam- index σ = 5.75 is obtained. Aside from backdoors that pose
pus’ network to determine the vulnerability of the machines and the threat of a computer network system, accessing the control
how effective the boundary protection is. Since each computer network with administrative privilege passwords is one way that
has been exhaustively scanned through the ports, i.e., 65 535 can access the SCADA system. To harden intrusion attempts,
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 861

TABLE III disruption of the backup control center and real-time services in
PASSWORD C OMBINATION AND I TS V ULNERABILITY OF IP 1.1.1.1
the primary control center. The importance of a backup control
center is to continue functions of the primary control cen-
ter under extreme circumstances. Communication, relational
database, and real-time application services in control centers
are critical elements. Groups 4 and 5 represent a disruption
of power plant operations and substation automation. Security
breaches in these groups may also result in penetration into the
control center. Each intrusion scenario is derived from attack
a set of administrative passwords are randomly generated for
leaves, where G1 , G2 , . . . , G43 are attack leaves. Intrusion sce-
the case study for evaluation of their password strengths. This
narios are expressed as follows:
also incorporates the existence of factory default password

and insufficient security improvement [52]. The last column of Gi → i1
Table II shows the number of passwords associated with each i=13,14,...,17
computer system generated. Equation (12) shows the piecewise 
functions to determine rβ , where the increment of ri is 0.25 for Gi → i2
i=1,2,...,12,22,23,...,26,31,32
each level. The strength of password that is “difficult to crack” 
(si ) has been given as 1000, 1 × 1015 , 1 × 1020 , 1 × 1035 , and Gi → i3
1 × 1050 . Table III shows a set of passwords that can be used to i=1,2,...,12,22,23,...,26,33,34,...,36

access IP 1.1.1.1. It tabulates the combination of each password Gi → i4
and its vulnerability level for each password. Equation (7) i=1,2,...,12,22,23,...,26,37,38
is used to determine vβ which is 1. Comparison with vα is 
Gi → i5
necessary to determine the maximum value. This maximum
i=1,2,...,12,22,23,...,26,39
value will be multiplied with the precondition of cybersecurity 
to determine v(G) Gi → i6
⎧ 0, if sβ < 1000
i=1,2,...,12,27,28,26,31,32

⎪
⎪ Gi → i7
⎪ 2.5×10−16 sβ ,
⎪ if 1000 ≤ sβ < 1×1015
⎪
⎨ 2.5×10−21 s +0.25, if 1×1015 ≤ s < 1×1020 i=1,2,...,12,27,28,26,33,34,...,36
rβ =
β β 
−36 35 (12) Gi → i8
⎪
⎪ 2.5×10 s β +0.5, if 1×10 20
≤ sβ < 1×10
⎪ 2.5×10−51 s +0.75, if 1 1035 ≤ s < 1×1050
⎪
⎪
⎩ β β i=1,2,...,12,27,28,26,37,38

1, if sβ ≥ 1×1050 . Gi → i9
i=1,2,...,12,27,28,26,39
An attack tree shown in Fig. 5 demonstrates the network 
relationship between a power plant, a substation, a web-based Gi → i10 (13)
SCADA, and the primary and backup control centers. The i=1,2,...,12,29,30,31,32

formulation of the attack tree is based upon the abstraction of Gi → i11
the power control networks that is monitored through control i=1,2,...,12,29,30,33,34,...,36
systems. These combinations may result in an intrusion into the 
Gi → i12
control center. To derive the scenario combination, groups of i=1,2,...,12,29,30,37,38
attack leaves are arranged as follows: 
Gi → i13
Group 1 : (G13 × G14 × · · · × G17 ) i=1,2,...,12,29,30,39
⎛ ⎞ 
G22 × G23 × · · · × G26 Gi → i14
Group 2 : ⎝ G27 × G28 ⎠ i=1,2,...,12,22,23,...,26,40,41
G29 × G30 
Gi → i15
Group 3 : (Group 2 × Group 4 × Group 5 i=1,2,...,12,22,23,...,26,42,43
× G1 × · · · × G10 ) 
⎛ ⎞ Gi → i16
G31 × G32 i=1,2,...,12,27,28,40,41
⎜ G × G34 × · · · × G36 ⎟ 
Group 4 : ⎝ 33 ⎠ Gi → i17
G37 × G38
i=1,2,...,12,27,28,42,43
 G39 
G40 × G41 Gi → i18
Group 5 : .
G42 × G43 i=1,2,...,12,29,30,40,41

Gi → i19 .
Each group represents the computer systems of a subnetwork i=1,2,...,12,29,30,42,43
from a power plant, substation networks, and a web-based
SCADA system. Group 1 represents the disruption of the web- The preconditions of cybersecurity (χ) for all systems are
based SCADA system, where security breaches in a web server determined with 1.00, except for IPs 1.1.1.4, 1.1.1.8, 1.1.2.3,
may be exploited by intruders. Groups 2 and 3 represent a 1.1.4.2, 1.1.4.9, and 1.1.5.6 that are determined with 0.67.
862 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

Fig. 5. Attack Tree of the Power System Control Framework.

Fig. 6. Leaf vulnerability with implemented and improved countermeasures. (a) Leaf vulnerability. (b) Vulnerability improvement for each attack leaf.

v(G) and v  (G) are computed in accordance with the con- passwords, and the findings on high and medium categories
figuration of the attack tree. The leaf vulnerability and its of risk factor for each system have been removed. Overall,
improvement are shown in Fig. 6(a) and (b). Since the password this has also lowered all of the leaf vulnerabilities shown in
combination in the set reveals a weakness, a password policy Fig. 6(b). Among which, v(G30 ) has been improved the most
with at least eight characters and four different character types with 84.37%. Improvement in all cases has been archived at
has been enforced for security improvement. This has resulted the level of at least 50%. Also, eliminating the factory default
in improvement of preconditions to 0.67 or, even better, 0.33. password and guest account reduced the leaf vulnerability. In
The factory default passwords have been replaced with stronger the next step, V (I) and V  (I) are evaluated using (2). Each
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 863

R EFERENCES
[1] J. Eisenhauer, P. Donnelly, M. Ellis, and M. O’Brien. (2006, Jan.).
Roadmap to Secure Control Systems in the Energy Sector. [Online].
Available: http://www.controlsystemsroadmap.net/pdfs/roadmap.pdf
[2] Supervisory Control and Data Acquisition (SCADA) Systems, Nat. Com-
mun. Syst., Arlington, VA, Oct. 2004. [Online]. Available: http://www.
ncs.gov/library/tech_bulletins/2004/tib_04-1.pdf
[3] Critical infrastructure protection report, Government Accountability Of-
fice, Washington, DC, May 2005. [Online]. Available: http://www.gao.
gov/new.items/d05434.pdf
[4] Challenges and Efforts to Secure Control Systems, Government Ac-
countability Office, Washington, DC, Mar. 2004. [Online]. Available:
http://www.gao.gov/new.items/d04354.pdf
[5] M. R. Permann and K. Rohde, Cyber Assessment Methods for SCADA
Security, Research Triangle Park, NC: Instrum. Soc. Amer. [Online].
Available: http://www.oe.energy.gov/DocumentsandMedia/Cyber_
Assessment_Methods_for_SCADA_Security_Mays_ISA_Paper.pdf
[6] R. E. Carlson, J. E. Dagle, S. A. Shamsuddin, and R. P. Evans,
A Summary of Control System Security Standards Activities in the
Energy Sector, DC: U.S. Dept. Energy, Office Electricity Delivery
Energy Reliab., Nat. SCADA Test Bed (NSTB), Oct. 2005. [Online].
Available: http://www.oe.energy.gov/DocumentsandMedia/Control_
System_Security_Standards_Activities.pdf
[7] Information Security: Technologies to Secure Federal Systems, Mar. 2004,
Fig. 7. Scenario vulnerability with implemented and improved Report to Congressional Requesters, GAO-04-467. [Online]. Available:
countermeasures. http://www.gao.gov/new.items/d04467.pdf
[8] M. Amin, “Security challenges for the electricity infrastructure,”
intrusion scenario is the product of attack leaves. The scenario Computer, vol. 35, no. 4, pp. 8–10, Apr. 2002.
[9] J. D. McDonald, Power Substations Engineering, 2nd ed. Boca Raton,
vulnerability is shown in Fig. 7. Note that a logarithmic scale FL: CRC Press, May 30, 2007.
is used to highlight the difference between V (I) and V  (I). [10] J. Salmeron, K. Wood, and R. Baldick, “Analysis of electric grid security
The improvement of i1 is 92.11%. The remaining values are under terrorist threat,” IEEE Trans. Power Syst., vol. 19, no. 2, pp. 905–
close to 100%. The system vulnerability has been improved 912, May 2004.
[11] R. A. Leon, V. Vittal, and G. Manimaran, “Application of sensor network
from 0.0306 to 0.0024. for secure electric energy infrastructure,” IEEE Trans. Power Del., vol. 22,
no. 2, pp. 1021–1028, Apr. 2007.
[12] A. G. Bruce and R. Lee, “A framework for the specification of SCADA
VI. C ONCLUSION AND F UTURE W ORK data links,” IEEE Trans. Power Syst., vol. 9, no. 1, pp. 560–564,
Feb. 1994.
Cybersecurity for critical infrastructures is an emerging area [13] R. L. Krutz, Securing SCADA Systems, 1st ed. Hoboken, NJ: Wiley,
Nov. 28, 2005.
that requires extensive new research. The comprehensive liter- [14] Q. Liu, J.-N. Hwang, and C.-C. Liu, “Communication infrastructure for
ature survey reported in this paper has identified the lack of re- wide area protection of power systems,” in Proc. Power Syst. Commun.
search in some areas. New research needs to be done in each of Infrastructures Future, Beijing, China, Sep. 2002.
[15] C.-L. Su, C.-N. Lu, and T.-Y. Hsiao, “Simulation study of Internet based
the components of the RAIM framework, such as the following: inter control center data exchange for complete network modeling,” IEEE
1) SCADA-system-specific real-time correlation and intrusion Trans. Power Syst., vol. 17, no. 4, pp. 1177–1183, Nov. 2002.
detection algorithms; 2) online risk monitoring and mitigation [16] K. Schneider, C.-C. Liu, and J.-P. Paul, “Assessment of interactions
between power and telecommunications infrastructures,” IEEE Trans.
algorithms capturing both cyber system vulnerabilities and the Power Syst., vol. 21, no. 3, pp. 1123–1130, Aug. 2006.
resulting consequences; 3) advanced modeling techniques that [17] T. Mander, F. Nabhani, L. Wang, and R. Cheung, “Data object based
capture the dynamic nature of the attacker behavior, as well as security for DNP3 over TCP/IP for increased utility commercial aspects
security,” in Proc. IEEE Power Eng. Soc. Gen. Meeting, Jun. 24–28, 2007,
the system behavior; and 4) advanced modeling that accounts pp. 1–8.
for impacts such as load loss, loss due to equipment damage, [18] M. Adamiak and W. Premerlani, “The role of utility communications in
and economic loss. Vulnerability assessment can be performed a deregulated environment,” in Proc. 32nd HICSS, 1999, vol. Track3,
p. 3026.
periodically, and the validation of the proposed framework [19] M. Amin and B. F. Wollenberg, “Toward a smart grid: Power delivery
can be conducted through test-bed development. For instance, for the 21st century,” IEEE Power Energy Mag., vol. 3, no. 5, pp. 34–41,
the components include instrumenting logs (both power equip- Sep./Oct. 2005.
ment logs and computer system logs), real-time monitoring [20] F. F. Wu, K. Moslehi, and A. Bose, “Power system control centers:
Past, present, and future,” Proc. IEEE, vol. 93, no. 11, pp. 1890–1908,
of logs, event correlations and hypothesis formation, what- Nov. 2005.
if impact analysis, and proactive/mitigation countermeasures [21] Vulnerability Assessment Methodology for Electric Power Infrastructure,
to restore a power system. The proposed methodology using U.S. Dept. Energy, Office Energy Assurance, Washington DC,
Sep. 30, 2002.
attack trees provides a simplified way to hypothetically eval- [22] C.-W. Ten, C.-C. Liu, and G. Manimaran, “Vulnerability assessment of
uate the system vulnerability level. This paper can be further cybersecurity for SCADA systems using attack trees,” in Proc. IEEE
extended by considering the reduction of system vulnerability Power Eng. Soc. Gen. Meeting, Tampa, FL, Jun. 24–28, 2007, pp. 1–8.
[23] T. D. Nelson, “Mitigations for security vulnerabilities found in control
within a budgetary limit. Efficient delivery of information from system networks,” in Proc. 16th Annu. Joint ISA POWID/EPRI Controls
substations or control centers may be needed to help power Instrum. Conf., 2006, pp. 1–12.
system dispatchers identify critical messages quickly. Various [24] C.-W. Ten, G. Manimaran, and C.-C. Liu, “Cybersecurity for electric
power control and automation systems,” in Proc. eNetworks Cyberengi-
techniques for visualization of the system health, in terms of neering Workshop, IEEE-SMC, Montreal, QC, Canada, Oct. 7–10, 2007,
vulnerability level and other critical information, are desirable. pp. 29–34.
864 IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS—PART A: SYSTEMS AND HUMANS, VOL. 40, NO. 4, JULY 2010

[25] M. Naedele, D. Dzung, and M. Stanimirov, “Network security for sub- [50] F. Sheldon, S. Batsell, S. Prowell, and M. Langston, Cryptographic Pro-
station automation systems,” in SAFECOMP, U. Voges, Ed. Berlin, tection of SCADA Communications—Part 1: Background, Policies and
Germany: Springer-Verlag, 2001, pp. 25–34. Test Plan. Washington, DC: American Gas Assoc., Sep. 7, 2005.
[26] T. S. Sidhu and Y. Yin, “Modeling and simulation for performance evalua- [51] NERC Tech. Rep. Cybersecurity Standards. [Online]. Available:
tion of IEC61850-based substation communication systems,” IEEE Trans. http://www.nerc.com/filez/standards/Cyber-Security-Permanent.html
Power Del., vol. 22, no. 3, pp. 1482–1489, Jul. 2007. [52] User Manual for the Workshop, North Amer. Electric Rel. Coun-
[27] P. Baybutt, “Cybersecurity risk analysis for process control systems using cil (NERC), Minneapolis, MN, Sep. 2006. Cybersecurity Standards
rings of protection analysis (ROPA),” Process Safety Progr., vol. 23, no. 4, Workshop
pp. 284–290, Dec. 2004, PrimaTech Tech. Rep. [53] A. Torkilseng and G. Ericsson, “Some guidelines for developing a frame-
[28] N. Ye, J. Giordano, and J. Feldman, “A process control approach to cyber work for managing cybersecurity for an electric power utility,” ELECTRA
attack detection,” Commun. ACM, vol. 44, no. 8, pp. 76–82, Aug. 2001. Report—JWG D2/B3/C2.01, Oct. 2006.
[29] J.-W. Park and J.-M. Lee, “Transmission modeling and simulation [54] D. M. Nicol, W. H. Sanders, and K. S. Trivedi, “Model-based evaluation
for Internet-based control,” in Proc. IEEE 27th IECON, Nov. 2001, from dependability to security,” IEEE Trans. Dependable Secure Com-
pp. 165–169. put., vol. 1, no. 1, pp. 48–65, Jan. 2004.
[30] A. Miller, “Trends in process control systems security,” IEEE Secur. [55] W. L. McGill and B. M. Ayyub, “The meaning of vulnerability in the
Privacy, vol. 3, no. 5, pp. 57–60, Sep. 2005. context of critical infrastructure protection,” in Critical Infrastructure
[31] C. DeMarco and Y. Braden, “Threats to electric power grid security Protection: Elements of Risk. Arlington, VA: School of Laws, George
through hacking of networked generation control,” in Proc. 3rd CRIS, Mason Univ., Dec. 2007.
Alexandria, VA, Sep. 2006. [56] J. Depoy, J. Phelan, P. Sholander, B. Smith, G. Varnado, and G. Wyss,
[32] X. Wu, D. Zhang, and K. Wang, “Palm line extraction and matching “Risk assessment for physical and cyber-attacks on critical infrastruc-
for personal authentication,” IEEE Trans. Syst., Man, Cybern. A, Syst., tures,” in Proc. IEEE MILCOM, Oct. 17–20, 2005, vol. 3, pp. 1961–1969.
Humans, vol. 36, no. 5, pp. 978–987, Sep. 2006. [57] S. Kumar, “Classification and detection of computer intrusions,” Ph.D.
[33] S. A. Klein and J. N. Menendez, “Information security considerations dissertation, Dept. Comput. Sci., Purdue Univ., West Lafayette, IN,
in open system architectures,” IEEE Trans. Power Syst., vol. 8, no. 1, Aug. 1995.
pp. 224–230, Feb. 1993. [58] Y. Xie, “A spatiotemporal event correlation approach to computer secu-
[34] G. N. Ericsson and A. Torkilseng, “Management of information se- rity,” Ph.D. dissertation, School Comput. Sci., Carnegie Mellon Univ.,
curity for an electric power utility—On security domains and use of Pittsburgh, PA, Aug. 2005, (CMU-CS-05-175).
ISO/IEC17799 standard,” IEEE Trans. Power Del., vol. 20, no. 2, [59] K. Lye and J. Wing, “Game strategies in network security,” in Proc. Work-
pp. 683–690, Apr. 2005. shop Foundations Comput. Secur., Copenhagen, Denmark, 2002, pp. 1–2.
[35] T.-Y. Chen, Y.-M. Chen, and C.-B. Wang, “A formal virtual enterprise [60] F. Sheldon, T. Potok, A. Krings, and P. Oman, “Critical energy infrastruc-
access control model,” IEEE Trans. Syst., Man, Cybern. A, Syst., Humans, ture survivability, inherent limitations, obstacles, and mitigation strate-
vol. 38, no. 4, pp. 832–851, Jul. 2008. gies,” Int. J. Power Energy Syst., no. 2, pp. 86–92, 2004.
[36] T. Brown, “Security in SCADA systems: How to handle the growing [61] F. Sheldon, S. Batsell, S. Prowell, and M. A. Langston, “Position
menace to process automation,” IEE Comput. Control Eng., vol. 16, no. 3, statement: Methodology to support dependable survivable cyber-secure
pp. 42–47, Jun. 2005. infrastructure,” in Proc. 38th Hawaii Int. Conf. Syst. Sci., 2005, vol. 9,
[37] F. Sheldon, S. Batsell, S. Prowell, and M. Langston, “Assessment and pp. 1–10.
remediation of vulnerabilities in the SCADA and process control systems [62] G. Dondossola, G. Deconinck, F. D. Giandomenico, S. Donatelli,
of utilities,” Internet Security Systems (white paper), 2005. M. Kaaniche, and P. Verissimo, “Critical utility infrastructural re-
[38] F. Cleveland, “IEC TC57 security standards for power system’s infor- silience,” in Proc. Complex Netw. Infrastructure Protection, Rome, Italy,
mation infrastructure—Beyond simple encryption,” in Proc. IEEE Power Mar. 28–29, 2006.
Eng. Soc. Gen. Meeting, Tampa, FL, Jun. 24–28, 2007, pp. 1079–1087. [63] G. Dondossola, O. Lamquet, and A. Torkilseng, “Key issues and re-
[39] Z. Xie, G. Manimaran, V. Vittal, A. G. Phadke, and V. Centeno, “An infor- lated methodologies in the security risk analysis and evaluation of elec-
mation architecture for future power system and its reliability analysis,” tric power control systems,” in Proc. CIGRÉ Session, Study Committee
IEEE Trans. Power Syst., vol. 17, no. 3, pp. 857–863, Aug. 2002. D2 Inf., Telecommun. Telecontrol Syst. Elect. Power Ind., Paris, France,
[40] C. H. Hauser, D. E. Bakken, and A. Bose, “A failure to communicate,” Sep. 2006.
IEEE Power Energy Mag., vol. 3, no. 2, pp. 47–55, Mar./Apr. 2005. [64] S. Evans, D. Heinbuch, E. Kyle, J. Piorkowski, and J. Wallner, “Risk-
[41] Attack trends, Carnegie Mellon Comput. Emergency Response based systems security engineering: Stopping attacks with intention,”
Team/Center Coordination (CERT/CC), Pittsburgh, PA, 2002. [Online]. IEEE Secur. Privacy, vol. 2, no. 6, pp. 59–62, Nov./Dec. 2004.
Available: http://www.cert.org/archive/pdf/attack_trends.pdf [65] S. M. Rinaldi, J. P. Peerenboom, and T. K. Kelly, “Identifying, under-
[42] S. McClure, J. Scambray, and G. Kurtz, Hacking Exposed: Network Secu- standing, and analyzing critical infrastructure interdependencies,” IEEE
rity Secrets and Solutions, 4th ed. New York: McGraw-Hill, 2003. Control Syst. Mag., vol. 21, no. 6, pp. 11–25, Dec. 2001.
[43] M. Amin, “North America’s electricity infrastructure: Are we ready for [66] S. E. Schechter, “Toward econometric models of the security risk from
more perfect storms?” IEEE Secur. Privacy, vol. 1, no. 5, pp. 19–25, remote attack,” IEEE Secur. Privacy, vol. 3, no. 1, pp. 40–44, Jan. 2005.
Sep./Oct. 2003. [67] S. Bistarelli, F. Fioravanti, and P. Peretti, “Defense trees for economic
[44] R. Richardson, “2007 CSI computer crime and security survey,” in Proc. evaluation of security investments,” in Proc. ARES, 2006, pp. 416–423.
12th Annu. Comput. Crime Security Survey, 2007, pp. 1–28. [68] M. Long, C.-H. Wu, and J. Y. Hung, “Denial of service attacks on
[45] E. Goetz, “Cybersecurity of the electric power industry,” in Report of network-based control system: Impact and mitigation,” IEEE Trans. Ind.
Investigative Research for Infrastructure Assurance (IRIA). Hanover, Inf., vol. 1, no. 2, pp. 85–96, May 2005.
NH: Inst. Security Technol. Studies, Dartmouth College, Dec. 2002. [69] X. Luo, R. Chang, and E. Chan, “Performance analysis of TCP/AQM
[46] F. Sheldon, S. Batsell, S. Prowell, and M. Langston, Control Systems under denial-of-service attacks,” in Proc. 13th IEEE Int. Symp. Modeling,
Cybersecurity Awareness. Washington DC: U.S. Comput. Emergency Anal., Simul. Comput. Telecommun. Syst., Sep. 27–29, 2005, pp. 97–104.
Readiness Team (CERT), Jul. 25, 2005, pp. 1–10. [70] D. S. Yeung, S. Jin, and X. Wang, “Covariance-matrix modeling and
[47] J. Tang, R. Hovsapian, M. Sloderbeck, J. Langston, R. Meeker, detecting various flooding attacks,” IEEE Trans. Syst., Man, Cybern. A,
P. McLaren, D. Becker, B. Richardson, M. Baca, J. Trent, Z. Hartley, Syst., Humans, vol. 37, no. 2, pp. 157–169, Mar. 2007.
R. Parks, and S. Smith, “The CAPS-SNL power system security test bed,” [71] J. Bigham, D. A. O. Gamez, X. Jin, J. Rodaway, C. Phillips, and L. Titkov,
in Proc. 3rd CRIS, Alexandria, VA, Sep. 2006. “Safeguarding electricity cyber-infrastructures against the worm threat,”
[48] G. Dondossola, F. Garrone, J. Szanto, and G. Fiorenza, “Emerging in- in Proc. 2nd CRIS, Grenoble, France, Oct. 25–27, 2004.
formation technology scenarios for the control and management of the [72] S. Nadjm-Tehrani, S. Burschka, K. Burbeck, and T. Chyssler, “Safeguard-
distribution grid,” in Proc. 19th Int. Conf. Exhib. Elect. Distrib., Vienna, ing information infrastructures: Alarm reduction and anomaly detection,”
Austria, Mar. 21–24, 2007. in Proc. 2nd CRIS, Grenoble, France, Oct. 25–27, 2004.
[49] J. M. Weiss, “Control systems cybersecurity–maintaining the reliability [73] Y. Zhang, M. Ilic, and O. Tonguz, “Application of support vector machine
of the critical infrastructure,” Testimony of Joseph M. Weiss Control classification to enhanced protection relay logic in electric power grids,”
Systems Cybersecurity Expert before the House Government Reform in Proc. LESCOPE, Montreal, QC, Canada, Oct. 10–12, 2007, pp. 31–38.
Committee’s Subcommittee on Technology, Information Policy, Inter- [74] S. Su, W.-L. Chan, K.-K. Li, X. Duan, and X. Zeng, “Context information-
governmental Relations, and the Census U.S. House of Representatives, based cybersecurity defense of protection system,” IEEE Trans. Power
Mar. 30, 2004. Del., vol. 22, no. 3, pp. 1477–1481, Jul. 2007.
TEN et al.: CYBERSECURITY FOR CRITICAL INFRASTRUCTURES 865

[75] G. A. Wang, H. Chen, J. J. Xu, and H. Atabakhsh, “Automatically detect- Govindarasu Manimaran (M’99–SM’10) received
ing criminal identity deception: An adaptive detection algorithm,” IEEE the Ph.D. degree in computer science and engineer-
Trans. Syst., Man, Cybern. A, Syst., Humans, vol. 36, no. 5, pp. 988–999, ing from the Indian Institute of Technology, Madras,
Sep. 2006. India, in 1998.
[76] E. Jonsson and T. Olovsson, “A quantitative model of the security intru- He is currently an Associate Professor with the
sion process based on attacker behavior,” IEEE Trans. Softw. Eng., vol. 23, Department of Electrical and Computer Engineering,
no. 4, pp. 235–245, Apr. 1997. Iowa State University (ISU). His research expertise
[77] N. Ye, Y. Zhang, and C. M. Borror, “Robustness of the markov-chain is in the areas of resource management in real-time
model for cyber-attack detection,” IEEE Trans. Rel., vol. 53, no. 1, systems and networks, overlay networks, network
pp. 116–123, Mar. 2004. security, and their applications to critical infrastruc-
[78] L. Lavalle, C. Balducelli, and G. Vicoli, “A CBR-based algorithm to tures such as the electric grid. He has published over
monitor and information intensive critical infrastructure,” in Proc. 2nd 100 peer-reviewed research publications. He is the coauthor of the book entitled
CRIS, Grenoble, France, Oct. 25–27, 2004. Resource Management in Real-Time Systems and Networks (MIT Press, 2001).
[79] N. Ye, Q. Chen, and C. M. Borror, “EWMA forecast of normal system Dr. Manimaran received the Young Engineering Research Faculty Award
activity for computer intrusion detection,” IEEE Trans. Rel., vol. 53, no. 4, at ISU in 2003. He has given tutorials on Internet infrastructure security in
pp. 557–566, Dec. 2004. conferences, such as the IEEE Infocom 2004 and IEEE ComSoc Tutorials Now
[80] C.-W. Ten, C.-C. Liu, and G. Manimaran, “Vulnerability assessment of (2004), and served as Workshop Cochair, Symposium Cochair, and Session
cybersecurity for SCADA systems,” IEEE Trans. Power Syst., vol. 23, Chair on many occasions.
no. 4, pp. 1836–1846, Nov. 2008.
[81] G. Dondossola, J. Szanto, M. Masera, and I. N. Fovino, “Evaluation of
the effects of intentional threats to power substation control systems,” in Chen-Ching Liu (F’94) received the Ph.D. degree
Proc. CNIP, Rome, Italy, 2006. from the University of California, Berkeley.
[82] C. M. Davis, J. E. Tate, H. Okhravl, C. Grier, T. J. Overbye, and D. Nicol, He is currently a Professor of power systems
“SCADA cybersecurity test bed development,” in Proc. NAPS, Sep. 2006, with the School of Electrical, Electrionic and Me-
pp. 483–488. chanical Engineering, University College Dublin,
[83] G. Dondossola, F. Garrone, J. Szanto, and F. Gennaro, “A laboratory test National University of Ireland, Dublin, Ireland. He
bed for the evaluation of cyber-attacks to interacting ICT infrastructures was the Palmer Chair Professor of Electrical and
of power grid operators,” in Proc. CIRED Seminar: SmartGrid Distrib., Computer Engineering with Iowa State University.
Frankfurt, Germany, Jun. 2008, p. 54. During 1983–2005, he was a Professor of electri-
[84] B. Schneier, “Attack trees: Modeling security threats,” Dobb’s J., vol. 24, cal engineering with the University of Washington,
no. 12, pp. 21–29, Dec. 1999. Seattle, where he also served as the Associate Dean
[85] A. Moore, R. Ellison, and R. Linger, Attack modeling for informa- of Engineering from 2000 to 2005.
tion security and survivability, Carnegie Mellon Univ., Pittsburgh, PA, Dr. Liu received the IEEE Third Millennium Medal in 2000 and the IEEE
CMU/SEI-2001-TN-001. [Online]. Available: http://citeseer.ist.psu.edu/ Power Engineering Society Outstanding Power Engineering Educator Award in
moore01attack.html 2004. He was the Chair of the Technical Committee on Power System Analysis,
[86] G. Conti, M. Ahamad, and J. Stasko, “Attacking information visual- Computing, and Economics of the IEEE Power Engineering Society.
ization system usability overloading and deceiving the human,” in Proc.
ACM Symp. Usable Privacy Security, Pittsburgh, PA, Jun. 2005, vol. 93,
pp. 89–100.
[87] C. Fung, Y. L. Chen, X. Wang, J. Lee, R. Tarquini, M. Anderson, and
R. Linger, “Survivability analysis of distributed systems using attack
tree methodology,” in Proc. IEEE MILCOM, Oct. 17–20, 2005, vol. 1,
pp. 583–589.
[88] G. C. Dalton, R. F. Mills, J. M. Colombi, and R. A. Raines, “Analyzing
attack trees using generalized stochastic Petri nets,” in Proc. IEEE Inf.
Assurance Workshop, Jun. 2006, pp. 116–123.

Chee-Wooi Ten (S’00) received the B.S. and M.S.

degrees in electrical engineering from Iowa State
University, Ames, in 1999 and 2001, respectively.
He is currently working toward the Ph.D. degree in
the School of Electrical, Electronic, and Mechanical
Engineering, University College Dublin, National
University of Ireland, Dublin, Ireland.
He was a Summer Intern with the MidAmerican
Energy Control Center in 2000. He was also an
Application Engineer with Siemens Energy Manage-
ment and Information System, Singapore, from 2002
to 2005. His research interests include interdependence modeling for power
infrastructure.