Introduction
Supervisory Control and Data Acquisition (SCADA) systems are cyber-physical systems distributed over a large geographical area which, if compromised, can severely impact public health and safety. A SCADA system (Figure 1) has a layered architecture: simple sensor and actuator field devices at the lowest level, then Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU), connected over a communications network to the highest layer, which comprises SCADA servers and the Human Machine Interface (HMI).
Figure 1. A geographically distributed SCADA system interconnected through Internet and wireless communications
Historically, SCADA systems were designed as on-site networked systems that were not accessible over the Internet. Cyber intrusions therefore required physical access to the system, as in the case of Stuxnet (Langner, 2011). Over time, SCADA systems have increasingly been connected to the Internet, and a natural progression to Internet of Things (IoT) connectivity has taken place. Internet accessibility provides many benefits, including better communications protocols, cost effectiveness and remote access; however, networked SCADA systems are exposed to a large number of cyber threats (Genge et al., 2012). SCADA systems and protocols were not designed with off-site network connectivity in mind, as security was not a serious concern for an isolated and secure system. With interconnectivity and open standards, however, serious vulnerabilities in SCADA systems have been observed (Erol-Kantarci & Mouftah, 2013). The sensors and actuators in modern SCADA systems can communicate over a variety of communications media, such as WiFi, cellular and Bluetooth. SCADA systems thus comprise many old as well as new communications technologies, potentially providing many entry points for an attack from around the globe (Nazir et al., 2018).
Vulnerabilities in the communications protocols can be exploited to launch cyber-attacks. Internet and cellular network connectivity have amplified the threat (Zhu et al., 2011), as attackers can exploit known security loopholes in open standards to gain access to SCADA systems (Igure et al., 2006). The widespread availability of free protocol information, increased general technology awareness and the current global security situation have made such attacks easier and more likely to be launched (Nazir et al., 2018). These systems have consequently come to the attention of malicious users, as evidenced by the steadily increasing number of attacks over recent years (Cyber Security Breaches Survey, 2017). One way to counter the cyber threats is by learning to identify an attack instance in the network traffic.
SCADA systems are event driven, and under normal operations most of the commands and responses are time or event triggered, making it possible to use security and monitoring approaches that differ from those used in open environments (Mantere et al., 2013). Intrusion Detection System (IDS) research requires realistic datasets covering normal and attack scenarios for training and testing the algorithms, but such datasets are generally not available (Buczak & Guven, 2016). Morris et al. (2015) created a network traffic data log for a gas pipeline that provides both normal and attack operations. The regular command-response patterns are repetitive, which makes them suitable for detecting anomalous behaviours (Turnipseed, 2015).