Multi-range Decoy I/O Defense of Electrical Substations Against Industrial Control System Malware

  • Julian L. Rrushi
Part of the Advanced Sciences and Technologies for Security Applications book series (ASTSA)


Industrial control system malware campaigns, such as BlackEnergy and Dragonfly, targeted electrical substations at various ranges relative to the computers that, once infected, pushed the attacks into substation relays. Worm-like propagation of industrial control system malware across the Internet traverses paths along computers that may be far from their target and that are often completely unrelated to power grid functions. Industrial control system malware hops from computer to computer until it lands on one that has access to a target industrial environment. Industrial control system malware delivered by spear-phishing or website redirection attacks exploits web browser vulnerabilities coupled with human factors of energy company personnel. Watering hole attacks cause the installation of industrial control system malware on the computers of power grid operators, and sometimes even on the protective relays of an electrical substation. In this chapter we present a line of work that creates and operates industrial mirages, i.e., phantom substation targets for industrial control system malware to pursue, in order to intercept such malware bound for the power grid. The discussion focuses on decoy I/O. We also describe, in general terms, the other key elements of industrial mirage at large, and explain how decoy I/O and those elements work together as integral components of the industrial mirage capability. Industrial mirage can actively redirect industrial control system malware to decoys and can sustain prolonged interaction with such malware. We validated this line of work against numerous malware samples involved in recent industrial control system malware campaigns.


Keywords

Industrial control systems; Malware; Defensive deception



This research is sponsored by the Air Force Office of Scientific Research and the U.S. Air Force Academy Center for Cyberspace Research under agreement number FA7000-16-2-0002. The U.S. Government is authorized to reproduce and distribute reprints for Government purposes notwithstanding any copyright notation thereon.

The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Air Force, Department of Defense, or the U.S. Government.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2019

Authors and Affiliations

  1. Department of Computer Science, Western Washington University, Bellingham, USA
