Modeling And Detecting Anomalies In Scada Systems

  • Nils Svendsen
  • Stephen Wolthusen
Conference paper
Part of the The International Federation for Information Processing book series (IFIPAICT, volume 290)

The detection of attacks and intrusions based on anomalies is hampered by the limits of specificity underlying the detection techniques. However, in the case of many critical infrastructure systems, domain-specific knowledge and models can impose constraints that potentially reduce error rates. At the same time, attackers can use their knowledge of system behavior to mask their manipulations, causing adverse effects to observed only after a significant period of time. This paper describes elementary statistical techniques that can be applied to detect anomalies in critical infrastructure networks. A SCADA system employed in liquefied natural gas (LNG) production is used as a case study.


SCADA systems anomaly detection multivariate analysis 


  1. 1.
    M. Amanullah, A. Kalam and A. Zayegh, Network security vulnerabilities in SCADA and EMS, Proceedings of the IEEE/PES Transmission and Distribution Conference and Exhibition: Asia and Pacific, pp. 1–6, 2005.Google Scholar
  2. 2.
    R Bace, Intrusion Detection, Sams, Indianapolis, Indiana, 2000.Google Scholar
  3. 3.
    J. Bigham, D. Gamez and N. Lu, Safeguarding SCADA systems with anomaly detection, Proceedings of the Second International Workshop on Mathematical Methods, Models and Architectures for Computer Network Security, pp. 171–182, 2003.Google Scholar
  4. 4.
    P. Bracken, The Command and Control of Nuclear Forces, Yale University Press, New Haven, Connecticut, 1985.Google Scholar
  5. 5.
    P. Brockwell and R. Davis, Introduction to Time Series and Forecasting Springer-Verlag, New York, 2002.CrossRefzbMATHGoogle Scholar
  6. 6.
    J. Chong, P. Pal, M. Atigetchi, P. Rubel and F. Webber, Survivability architecture of a mission critical system: The DPASA example, Proceedings of the Twenty-First Annual Computer Security Applications Conference, pp. 495–504, 2005.Google Scholar
  7. 7.
    M. Coutinho, G. Lambert-Torres, L. da Silva, E. Fonseca and H. Lazarek, A methodology to extract rules to identify attacks in power system critical infrastructure, Proceedings of the IEEE Power Engineering Society General Meeting, pp. 1–7, 2007.Google Scholar
  8. 8.
    M. Dacier (Ed.), Design of an Intrusion-Tolerant Intrusion Detection System, MAFTIA Deliverable D10 (Version 4.3), IBM Zurich Research Laboratory, Zurich, Switzerland, 2002.Google Scholar
  9. 9.
    D. Denning, An intrusion-detection model, IEEE Transactions on Software Engineering, vol. 13(2), pp. 222–232, 1987.CrossRefGoogle Scholar
  10. 10.
    Y. Deswarte, L. Blain and J. Fabre, Intrusion tolerance in distributed computing systems, Proceedings of the IEEE Symposium on Research in Security and Privacy, pp. 110–121, 1991.Google Scholar
  11. 11.
    D. Dzung, M. Naedele, T. von Hoff and M. Crevatin, Security for industrial communication systems, Proceedings of the IEEE, vol. 93(6), pp. 1152– 1177, 2005.CrossRefGoogle Scholar
  12. 12.
    F. Haji, L. Lindsay and S. Song, Practical security strategy for SCADA automation systems and networks, Proceedings of the Canadian Conference on Electrical and Computer Engineering, pp. 172–178, 2005.Google Scholar
  13. 13.
    V. Igure, S. Laughter and R. Williams, Security issues in SCADA networks, Computers and Security, vol. 25(7), pp. 498–506, 2006.CrossRefGoogle Scholar
  14. 14.
    R. Johnson and D. Wichern, Applied Multivariate Statistical Analysis Prentice Hall, Upper Saddle River, New Jersey, 2007.zbMATHGoogle Scholar
  15. 15.
    O. Kosut and L. Tong, Capacity of cooperative fusion in the presence of Byzantine sensors, Proceedings of the Forty-Fourth Annual Allerton Conference on Communication, Control and Computation, 2006.Google Scholar
  16. 16.
    T. Kropp, System threats and vulnerabilities: Power system protection, IEEE Power and Energy, vol. 4(2), pp. 46–50, 2006.CrossRefGoogle Scholar
  17. 17.
    E. Murtoviita, J. Keronen, J. Suni and M. Bjork, Visual aids for substation monitoring and security control, Proceedings of the Third International Conference on Power System Monitoring and Control, pp. 225–227, 1991.Google Scholar
  18. 18.
    M. Naedele, Addressing IT security for critical control systems, Proceedings of the Fortieth Annual Hawaii International Conference on System Sciences, p. 115, 2007.Google Scholar
  19. 19.
    H. Nguyen and K. Nahrstedt, Attack containment framework for large-scale critical infrastructures, Proceedings of the Sixteenth International Conference on Computer Communications and Networks, pp. 442–449, 2007.Google Scholar
  20. 20.
    P. Palensky and T. Sauter, Security considerations for FAN-Internet connections, Proceedings of the IEEE International Workshop on Factory Communication Systems, pp. 27–35, 2000.Google Scholar
  21. 21.
    President's Commission on Critical Infrastructure Protection, Critical Foundations: Protecting America's Infrastructures, The White House, Washington, DC (, 1997.Google Scholar
  22. 22.
    G. Shafiullah, A. Gyasi-Agyei and P. Wolfs, Survey of wireless communications applications in the railway industry, Proceedings of the Second International Conference on Wireless Broadband and Ultra Wideband Communications, p. 65, 2007.Google Scholar
  23. 23.
    StatoilHydro, The long road to LNG, Stavanger, Norway (www.statoilhyd ault.aspx), 2007.Google Scholar
  24. 24.
    R. Stroud, I. Welch, J. Warne and P. Ryan, A qualitative analysis of the intrusion-tolerance capabilities of the MAFTIA architecture, Proceedings of the International Conference on Dependable Systems and Networks, pp. 453–461, 2004.Google Scholar
  25. 25.
    N. Subramanian, C. Yang and W. Zhang, Securing distributed data storage and retrieval in sensor networks, Proceedings of the Fifth Annual IEEE International Conference on Pervasive Computing and Communications, pp. 191–200, 2007.Google Scholar
  26. 26.
    Substations Committee of the IEEE Power Engineering Society, IEEE Recommended Practice for Network Communication in Electric Power Substations, IEEE Standard 1615–2007, IEEE, Piscataway, New Jersey, 2007.Google Scholar
  27. 27.
    R. Walpole, R. Meyers and S. Meyers, Probability and Statistics for Engineers and Scientists, Prentice Hall, Upper Saddle River, New Jersey, 1998.Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2008

Authors and Affiliations

  • Nils Svendsen
    • 1
  • Stephen Wolthusen
    • 1
  1. 1.Gjovik University CollegeGjovikNorway

Personalised recommendations