Intrusion Detection and Event Monitoring in SCADA Networks

  • Paul Oman
  • Matthew Phillips
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 253)

This paper describes the implementation of a customized intrusion detection and event monitoring system for a SCADA/sensor testbed. The system raises alerts upon detecting potential unauthorized access and changes in device settings. By markedly increasing the logging of critical network events, the system substantially improves both security and overall auditing capability. In addition to its role in securing SCADA networks, the system assists operators in identifying common configuration errors.

Keywords: Intrusion detection, real-time monitoring, SCADA networks





Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Paul Oman (1)
  • Matthew Phillips (1)
  1. Computer Science, University of Idaho, Moscow, USA
