2005 IEEE/PES Transmission and Distribution 1

Conference & Exhibition: Asia and Pacific

Dalian, China

Network Security Vulnerabilities in SCADA

and EMS
M.T.O. Amanullah, A. Kalam, Member, IEEE, and A. Zayegh, Member, IEEE

operational data that could result in public safety concerns

Abstract--Power system deregulation brings broader reliance
on information systems and telecommunication network to share
the critical and non-critical data. In par with the network system
expansion in power system, network security vulnerabilities have
increased tremendously. Utilities are currently more vulnerable
for external attacks due to integration of cooperate network and
Supervisory Control and Data Acquisition (SCADA) system at
modern utilities. The potential impact of security breaches are
operational disruptions, lose of public confidence and corporate
reputation. Regular vulnerability assessments, expert
information security architecture design and managing security
are the major steps that every electric power company should
undertake to minimize the number and impact of security
breaches. This paper classifies key information security
vulnerabilities in SCADA and energy management system (EMS)
and elaborates the potential impacts of each. Several remedial
strategies to crate an efficient information security of SCADA
and EMS have also been presented in this paper.
Index Terms--Computer network security, Energy
management, SCADA systems
and/or serious disruptions to the nation’s critical
infrastructure. Action is required by all organizations,
government or commercial, to secure their SCADA networks
as part of the effort to adequately protect the nation’s critical
infrastructure [1]. This paper discusses key technological
issues related in network security vulnerabilities in SCADA
and EMS.
II. IMPORTANCE OF NETWORK SECURITY FOR POWER INDUSTRY
20 years ago, administrative and power system control
network were built separately. There were no interconnections
and no data was interchanged between the networks. Today,
the administrative and control networks are more tightly
coupled as shown in Figure 1.
Administrative SCADA/EMS

I. INTRODUCTION

S CADA networks contain computers and applications that

perform key functions in providing essential services and
commodities (e.g., electricity, natural gas, gasoline, water,
Administrative
Network
Power Control
Systems
waste treatment, transportation). As such, they are part of the
nation’s critical infrastructure and require protection from a
variety of threats that exist in cyber space today. By allowing
the collection and analysis of data and control of equipment
External
such as pumps and valves from remote locations, SCADA connections
networks provide great efficiency and are widely used.
However, they also present a security risk. SCADA networks
were initially designed to maximize functionality, with little Fig.1. Interconnected administrative and power system control network
attention paid to security. As a result, performance, reliability,
flexibility and safety of distributed control SCADA systems They are however still separate network. In the future, the
are robust, while the security of these systems is often weak. network will be merged into one integrated administrative and
This makes some SCADA networks potentially vulnerable to power system control network as shown in Figure 2.
disruption of service, process redirection, or manipulation of
Integrated
Power and
M.T.O. Amanullah is working towards his PhD at the School of Electrical Administrative
Engineering, Victoria University, Melbourne, Australia. (e-mail: system
amanullah.maungthanoo@research.vu.edu.au).

Akhtar Kalam is with the Faculty of Science, Engineering and

Technology, Victoria University, Melbourne, Australia.
Fig.2. Integrated administrative and power system control network
Aladin Zayegh is with the School of Electrical Engineering, Victoria
University, Melbourne, Australia.

0-7803-9114-4/05/$20.00 ©2005 IEEE. 1


Due to this integrated networking, there have been more
than forty real-world cases where control systems have been
impacted by electronics means [2]. These events have
occurred in electric power control systems for transmissions,
distribution and generation (including fossil, gas turbine and
nuclear, where three plants experienced denial of service
events), as well as control systems for water, oil/gas,
chemicals, paper and agricultural businesses. Some of these
events have resulted in damage. Confirmed damage from
cyber intrusions have included intentionally opening valves
resulting in discharge of millions of liters of sewage, opening
breaker switches, tampering with boiler control settings
resulting in shutdown of utility boilers, shutdown of
combustion turbine power plants, and shutdown of industrial
facilities.
As providers of life-critical products and services, electric
power providers need to develop new security systems and
procedures that are responsive to the improvements in
technology and also recognize the development of threats and
attacks. This implies that utilities not only need to deal with
physical intrusion, but also with logical intrusion.
It is essential for electric system providers to recognize that
while cyber security is an important component of protecting
their systems, it is only one tool from a much larger set of
information control techniques. Cyber security is only
effective if it is deployed as part of a comprehensive set of
security policies, and when it is combined with adequate
attention to physical security. Like many security-related
issues, operating a reliable information security system
requires more than a purely technological fix. Systems are
initially compromised by attacks against lax operating
procedures and poor implementations [3].
III. COMMON MISCONCEPTIONS ABOUT SCADA
SYSTEM SECURITY
At the heart of the issue of SCADA system security, there are
three major misconceptions that are commonly held by utility
managers [4].
A. The SCADA system resides on a physically separate,
standalone network
Most SCADA systems were originally built before and
often separate from other corporate networks. As a result, IT
managers typically operate on the assumption that these
systems cannot be accessed through corporate networks or
from remote access points. Unfortunately, this belief is usually
fallacious.
In reality, SCADA networks and corporate information
technology (IT) systems are often bridged as a result of two
key changes in information management practices. First, the
demand for remote access computing has encouraged many
utilities to establish connections to the SCADA system that
enable SCADA engineers to monitor and control the system
from points on the corporate network. Second, many utilities
have added connections between corporate networks and
SCADA networks in order to allow corporate decision makers
2
2
to obtain instant access to critical data about the status of their
operational systems. Often, these connections are
implemented without a full understanding of the
corresponding security risks. In fact, the security strategy for
utility corporate network infrastructures rarely accounts for
the fact that access to these systems might allow unauthorized
access and control of SCADA systems.
B. Connections between SCADA systems and other corporate
networks are protected by strong access controls
Many of the interconnections between corporate networks
and SCADA systems require the integration of systems with
different communications standards. The result is often an
infrastructure that is engineered to move data successfully
between two unique systems. Due to the complexity of
integrating disparate systems, network engineers often fail to
address the added burden of accounting for security risks.
As a result, access controls designed to protect SCADA
systems from unauthorized access through corporate networks
are usually minimal, which is largely attributable to the fact
that network managers often overlook key access points
connecting these networks. Although the strategic use of
internal firewalls and intrusion detection systems (IDS),
coupled with strong password policies, is highly
recommended, few utilities protect all entry points to the
SCADA system in this manner.
C. SCADA systems require specialized knowledge, making
them difficult for network intruders to access and control
The above misconception assumes that all attackers of a
SCADA system lack the ability to access information about
their design and implementation. These assumptions are
inappropriate given the changing nature of utility system
vulnerabilities in an interconnected environment. Due to the
fact that utility companies represent a key component of one
of the nation’s critical infrastructures, these companies are
likely targets of coordinated attacks by “cyber-terrorists”, as
opposed to disorganized “hackers.” Such attackers are highly
motivated, well-funded, and may very well have “insider”
knowledge. Further, a well-equipped group of adversaries
focused on the goal of utility operations disruption is certain
to use all available means to gain a detailed understanding of
SCADA systems and their potential vulnerabilities.
Furthering this risk is the increasing availability of
information describing the operations of SCADA systems. To
support competition in product choices, several standards for
the interconnection of SCADA systems and remote terminal
units (RTUs) have been published, as have standards for
communication between control centers, acceptance of alarms,
issuance of controls, and polling of data objects. Furthermore,
SCADA providers publish the design and maintenance
documents for their products and sell toolkits to help develop
software that implements the various standards used in
SCADA environments.
Finally, the efforts of utility companies to make efficient
use of SCADA system information across their company has
led to development of “open” standard SCADA systems. As a

result of this development, SCADA system security is often
only as strong as the security of the utility’s corporate
network.
While the RTUs on a network may be difficult to access
outside of the dedicated serial lines, it is only moderately
difficult to penetrate the control panel for the SCADA
manager through the corporate network and quickly ‘learn’
commands by watching actions that are carried out on the
screen. Attacks on highly complex systems become much
easier when attackers first penetrate the workstations of
SCADA operators.
IV. NETWORK SECURITY VULNERABILITIES IN THE
ELETRIC POWER INDUSTRY
As a result of their widespread use of SCADA systems for
network management, power companies are currently
vulnerable to internal and external network attacks. Because
corporate networks and SCADA systems are linked at most
utilities, the security of the SCADA system is often only as
strong as the security of the corporate network. With pressure
from deregulation forcing the rapid adoption of open access
capabilities, vulnerabilities in these systems are increasing
rapidly.
As e-business initiatives gain momentum, power
companies often integrate, billing and accounting information
systems with other corporate information systems. In addition,
consolidation through mergers and the integration of new lines
of business are forcing power companies to connect diverse
legacy systems without considering security risks. All of these
factors are increasing the number and severity of security
vulnerabilities. The information security concerns in the
industry are evolving from operational issues to e-business
and Internet concerns in the present and future. Electric power
companies, which are already concerned with security
vulnerabilities affecting their ability to protect transmission
and delivery systems, are beginning to realize additional
potential vulnerabilities. For example, the development of
advanced customer information systems (CIS) and e-
procurement methods are prime examples of emerging
concerns. In addition, expansion into new lines of business
that require the integration of legacy systems will introduce
completely new information security challenges.
Corporate networks and SCADA systems are often linked,
which means that the security of the SCADA system is only as
strong as the security of the corporate network. With pressure
from deregulation forcing the rapid adoption of open access
capabilities, vulnerabilities in corporate networks are
increasing rapidly.
Several common system vulnerabilities found on SCADA
and corporate networks that impact the relative security of
SCADA systems are [5]:
A. Public Information Availability
Often, too much information about a utility company
corporate network is easily available through routine public
queries. This information can be used to initiate a more
3
3
focused attack against the network. Examples of this
vulnerability are listed below:
• Websites often provide data useful to network
intruders about company structure, employee
names, e-mail addresses, and even corporate
network system names.
• Domain name service (DNS) servers permit “zone
transfers” providing IP addresses, server names,
and e-mail information.
B. Insecure Network Architecture
The network architecture design is critical in offering the
appropriate amount of segmentation between the internet, the
company’s corporate network, and the SCADA network.
Network architecture weaknesses can increase the risk that a
compromise from the Internet could ultimately result in
compromise of the SCADA system. Some common
architectural weaknesses include the following:
• Configuration of file transfer protocol (FTP), web,
and e-mail servers sometimes inadvertently and
unnecessarily provides internal corporate network
access.
• Network connections with corporate partners are not
secured by firewall, intrusion detection system
(IDS), or virtual private network (VPN) systems
consistent with other networks
• Dial-up modem access is authorized unnecessarily
and maintenance dial-ups often fail to implement
corporate dial access policies
• Firewalls and other network access control
mechanisms are not implemented internally, leaving
little to no separation between different network
segments
C. Lack of Real-Time Monitoring
• Vast amounts of data from network security devices
overwhelm utility information security resources
rendering monitoring attempts futile
• Even when intrusion detection systems are
implemented, network security staff can only
recognize individual attacks, as opposed to organized
patterns of attacks over time
V. REMEDIAL STRATEGIES TO BE TAKEN TO INCREASE THE
SECURITY OF SCADA NETWORK
The following steps focus on specific actions to be taken to
increase the security of SCADA networks and minimize the
vulnerabilities [1]:
A. Identify all connections to SCADA networks
Conduct a through risk analysis to assess the risk and
necessity of each connection to the SCADA network. Develop
a comprehensive understanding of all connections to the
SCADA network and how well these connections are
protected.

B. Disconnect unnecessary connections to the SCADA
network
To ensure the highest degree of security of SCADA systems,
isolate the SCADA network from other network connections
to as great a degree as possible. Any connection to another
network introduces security risks, particularly if the
connection creates a pathway from or to the Internet.
Although direct connections with other networks may allow
important information to be passed efficiently and
conveniently, insecure connections are simply not worth the
risk; isolation of the SCADA network must be a primary goal
to provide needed protection.
C. Evaluate and strengthen the security of any remaining
connections to the SCADA network
Conduct penetration testing or vulnerability analysis of any
remaining connections to the SCADA network to evaluate the
protection posture associated with these pathways. Use this
information in conjunction with risk management processes to
develop a robust protection strategy for any pathways to the
SCADA network. Since the SCADA network is only as
secure as its weakest connecting point, it is essential to
implement firewalls, IDSs and other appropriate security
measures at each point of entry.
D. Harden SCADA networks by removing or disabling
unnecessary services
SCADA control servers built on commercial or open-
source operating systems can be exposed to attack through
default network services. To the greatest degree possible,
remove or disable unused services and network daemons to
reduce the risk of direct attack. This is particularly important
when SCADA networks are interconnected with other
networks. Examples of services to remove from SCADA
networks include automated meter reading/remote billing
systems, email services and internet access.
E. Do not rely on proprietary protocols to protect the systems
Some SCADA systems use unique, proprietary protocols
for communications between field devices and servers. Often
the security of SCADA systems is based solely on the secrecy
of these protocols. Unfortunately, obscure protocols provide
very little “real” security. It is wise not solely rely on
proprietary protocols or factory default configuration settings
to protect the system.
F. Implement the security features provided by device and
system vendors
Most older SCADA systems (most systems in use) have no
security features. SCADA system owners must insist that their
system vendor implement security features in the form of
product patches or upgrades. Analyze each SCADA device to
determine whether security features are present. Additionally,
factory default security settings (such as in computer network
firewalls) are often set to provide maximum usability, but
minimal security. Set all security features to provide the
maximum level of security. Allow settings below maximum
security only after a thorough risk assessment of the
4
4
consequences of reducing the security level.
G. Establish strong controls over any medium that is used as
a backdoor into the SCADA network
Strong authentication must be implemented to ensure secure
communications where backdoors vendor connections exist in
SCADA system. Modems, wireless and wired networks used
for communications and maintenance represent a significant
vulnerability to the SCADA network and remote sites.
H. Implement internal and external intrusion detection
systems and establish 24-hour-a-day incident monitoring
To be able to effectively respond to cyber attacks, establish
an intrusion detection strategy that includes alerting network
administrators of malicious network activity originating from
internal or external sources. Intrusion detection system
monitoring is essential 24 hours a day. Additionally, incident
response procedures must be in place to allow an effective
response to any attack. To complement network monitoring,
enable logging on all systems and audit system logs daily to
detect suspicious activity as soon as possible.
I. Perform technical audits of SCADA devices and networks,
and any other connected networks
Technical audits of SCADA devices and networks are
critical to ongoing security effectiveness. Many commercial
and open-source security tools are available that allow system
administrators to conduct audits of their systems/networks to
identify active services, patch level and common
vulnerabilities. The use of these tools will not solve systemic
problems, but will eliminate the “paths of least resistance” that
an attacker could exploit. Analyze identified vulnerabilities to
determine their significance, and take corrective actions as
appropriate. Track corrective actions and analyze this
information to identify trends. Additionally, retest systems
after corrective actions have been taken to ensure that
vulnerabilities were actually eliminated. Scan non-production
environments actively to identify and address potential
problems.
J. Conduct physical security surveys and assess all remote
sites connected to the SCADA network
Any location that has a connection to the SCADA network
is a target, especially unmanned or unguarded remote sites.
Conduct a physical security survey and inventory access
points at each facility that has a connection to the SCADA
system. Identify and assess any source of information
including remote telephone/computer network/ fiber optic
cables that could be tapped; radio and microwave links that
are exploitable; computer terminals that could be accessed;
and wireless local area network access points. Identify and
eliminate single points of failure. The security of the site must
be adequate to detect or prevent unauthorized access. Do not
allow “live” network access points at remote, unguarded sites
simply for convenience.

K. Establish SCADA “Red Teams” to identify and evaluate
possible attack scenarios
Establish a “Red Team” to identify potential attack
scenarios and evaluate potential system vulnerabilities. Use a
variety of people who can provide insight into weaknesses of
the overall network, SCADA systems, physical systems, and
security controls. People who work on the system every day
have great insight into the vulnerabilities of your SCADA
network and should be consulted when identifying potential
attack scenarios and possible consequences. Also, ensure that
the risk from a malicious insider is fully evaluated, given that
this represents one of the greatest threats to an organization.
Feed information resulting from the “Red Team” evaluation
into risk management processes to assess the information and
establish appropriate protection strategies.
L. Regular Vulnerability Assessments
Many utilities fail to regularly assess the vulnerabilities of
their SCADA and EMS, on a regular, re-occurring basis. In
addition to assessing operational systems, corporate networks,
web servers, and customer management systems should also
be assessed to reveal unintended gaps in security, including
unknown links between public and private networks, and
firewall configuration problems [4].
M. Expert Information Security Architecture Design
An overwhelming number of security technologies,
networking devices, and configuration options are available to
utility companies. While firewalls, IDSs, and VPNs can all
help protect networks from malicious attacks, improper
configuration and/or product selection can seriously hamper
the effectiveness of a security posture. In order to minimize
risks associated with network architecture design, utilities
should work with information security professionals to ensure
that evolving network architectures do not compromise
information security [4].
N. Managed Security
As companies deploy network security technologies
throughout their networks, the need to properly manage and
monitor these devices is becoming increasingly complex.
Unfortunately, the implementation of “technology-only”
solutions without close monitoring and management
significantly weakens the effectiveness of security devices.
Hiring experienced IT security professionals to monitor
network security devices can help to mitigate risk; however
this option is cost-prohibitive for most, if not all, utility
companies. As a result, many organizations are outsourcing
the management and monitoring of security devices to highly
specialized, managed security companies. Managed security
services ensure that all security devices are configured
properly and fully patched, while monitoring the actual
activity on each device to detect malicious activity in real
time. Managed security services enable corporations to
maintain a real time security monitoring capability at a
relatively low cost, and simultaneously increase the value of
existing information security devices by enhancing their
5
5
performance and capabilities [4].
VI. ADVANTAGES OF MANAGED SECURITY SOLUTIONS
The advantages of managed security solutions are [4]:
A. Cost-effective Security Management
Managed security products eliminate the need for
organizations to recruit and retain qualified IT security staff –
a task that has occupied a rapidly increasing portion of the IT
budget in recent years.
B. Centralized Device Monitoring
Many large and mid-sized organizations operate a variety
of security devices spread over several geographic locations.
Continuous monitoring and maintenance of these devices from
a single location is difficult, if not impossible, for most
organizations. Managed security products allow organizations
to feed data from all security devices to a central (outsourced)
location for real-time, continuous monitoring and analysis.
C. Upgrade and Patch Management
Many organizations overlook frequent patches and system
upgrades released by product vendors (e.g., operating system
patches, firewall upgrades, etc.) rendering protective
mechanisms more vulnerable to new hacker techniques.
Managed security products ensure that all patches and
upgrades are added to all security devices immediately upon
release.
D. Incident Response and Forensics
Most organizations experience difficulty sifting through
millions of lines of log data and IDS alerts even after
malicious activity has been detected. By standardizing the data
produced by all security devices, managed security products
are able to retrieve data that identifies the type and source of
malicious activity, which can then be used by law
enforcement to identify and prosecute those responsible.
E. Intelligent Decision Support
Managed security products feed security device logs,
activity reports, and alerts into a proprietary analysis engine
that searches for patterns of malicious activity that would
otherwise be overlooked (if not ignored) by untrained or even
expert security staff. The decision support function enables
organizations to react in real-time to prevent potential security
threats, rather than simply investigating the problem after
malicious activity has already occurred.
VII. CONCLUSION
This paper briefly outlined and explained the network
securities vulnerability issues involves in SCADA and EMS.
Several remedial actions to be taken to increase the security of
SCADA network have also been presented. The complex
architecture, interconnected nature and extreme sensitivity of
SCADA mandate that utility organizations have a
comprehensive plan for assessing and mitigating potential
online vulnerabilities and threats.
 6

and Electronics Department, Faculty of Engineering and Science at Victoria

University, Melbourne, Australia.

VIII. REFERENCES
[1] 21 Steps to Improve Cyber Security of SCADA Networks [Online].
Available: http://www.esisac.com/publicdocs/21StepsBooklet.pdf
[2] Control Systems Cyber Security—Maintaining the Reliability of the
Critical Infrastructure (2004, Mar. 30). [Online]. Available:
http://reform.house.gov/TIPRC/Hearings/EventSingle.aspx?EventID=90
0
[3] G.N. Ericsson and A. Torkilseng, "Management of Information Security
for an Electric Power Utility ⎯On Security Domains and Use of
ISO/IEC17799 Standard," IEEE Trans. Power Delivery, vol. 20,NO.2,
pp. 683-690, Apr. 2005.
[4] Understanding SCADA System Security Vulnerabilities, Riptech,
January 2001. [Online]. Available:
http://www.omegastar.com/rca/scada/scada.html
[5] Information securities challenges in the Electric Power Industry,
Riptech, Symantec Enterprise Security, White Paper.

IX. BIOGRAPHIES

Amanullah Maung Than Oo received the

B.Eng. degree in Mechatronics (Hons)
from International Islamic University
Malaysia. He also obtained his Master
degree in Telecommunication Engineering
from the University of Melbourne,
Australia. He is currently working toward
his PhD degree in the area of Power
System Communications at Victoria
University, Melbourne, Australia. He has
presented conference papers nationally and
internationally. He has also published a
few papers in renowned engineering
journals.

Professor Akhtar Kalam has been actively

engaged in the teaching of power systems
for over twenty years, both in the
Department of Electrical and Electronic
Engineering at the Victoria University of
Technology and overseas. He has
conducted research, provided consultancy
and has over 280 publications on power
system protection and independent power
generation. After completing his double
Bachelor degrees in Science and Electrical
Engineering from India, Professor Kalam
studied for his M.S degree at the University
of Oklahoma in the USA. He obtained his
PhD from University of Bath in UK for his work on the application of
distance protection to series compensated extra high voltage line. His major
interests are in power system analysis, power system protection, and expert
system application in power system, cogeneration and renewable energy.

Dr. Aladin Zayegh received his BE

degree in Electrical Engineering from
Aleppo University in 1970 and PhD
degree from Claude Bernard University,
France in 1979. In 1980, he joined the
Faculty of Engineering, Tripoli, Libya.
Since 1984 he has held lecturing position
at Footscray Institute of Technology and
Victoria University of Technology,
Australia. He is currently Associate
Professor and the head of the Electrical