Security Enhancements for Distributed Control Systems

  • Jeffrey Hieb
  • James Graham
  • Sandip Patel
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 253)

Security enhancements for distributed control systems (DCSs) must be sensitive to operational issues, especially availability. This paper presents three security enhancements for DCSs that satisfy this requirement: end-to-end security for DCS protocol communications, role-based authorization to control access to devices and prevent unauthorized changes to operational parameters, and reduced operating system kernels for enhanced device security. The security enhancements have been implemented on a laboratory-scale testbed utilizing the DNP3 protocol, which is widely used in electrical power distribution systems. The test results show that the performance penalty for implementing the security enhancements is modest, and that the implemented mechanisms do not interfere with plant operations.

Keywords: DNP3, secure communication, role-based authorization, RTU security





Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Jeffrey Hieb (1)
  • James Graham (1)
  • Sandip Patel (2)
  1. Computer Science and Engineering, University of Louisville, Louisville, USA
  2. Information Science and Systems, Morgan State University, Baltimore, USA
