
CSIT (June 2013) 1(2):135–141

DOI 10.1007/s40012-013-0013-5

ORIGINAL RESEARCH

SCADA communication protocols: vulnerabilities, attacks and possible mitigations

Durga Samanth Pidikiti · Rajesh Kalluri · R. K. Senthil Kumar · B. S. Bindhumadhava

Received: 31 October 2012 / Accepted: 26 March 2013 / Published online: 19 April 2013
© CSI Publications 2013

Abstract Current hierarchical SCADA systems use communication protocols that have no inbuilt security mechanism. This lack of a security mechanism helps attackers sabotage the SCADA system. Moreover, to cripple SCADA systems completely, coordinated communication channel attacks can be performed. The IEC 60870-5-101 and IEC 60870-5-104 protocols are widely used in current SCADA systems in the power utilities sector. These protocols lack both application layer and data link layer security. Application layer security is necessary to protect SCADA systems from spoofing and non-repudiation attacks. Data link layer security is necessary to protect the systems from sniffing, data modification and replay attacks. IEC 60870-5-101 and 104 communication protocol vulnerabilities and their exploitation by coordinated attacks are explained in this paper. The proposed experimental research model can be used to mitigate the attacks at the application layer and data link layer by adopting the IEC 62351 standards.

Keywords SCADA · MTU · RTU · Risk analysis · HMI

Abbreviations
SCADA Supervisory control and data acquisition
MTU Master terminal unit
RTU Remote terminal unit
HMI Human machine interface
ICS Industrial control systems

D. S. Pidikiti · R. Kalluri (corresponding author) · R. K. S. Kumar · B. S. Bindhumadhava
Real Time Systems and Smart Grid Group, Centre for Development of Advanced Computing, C-DAC Knowledge Park, Bangalore, India
e-mail: [email protected]
D. S. Pidikiti, e-mail: [email protected]
R. K. S. Kumar, e-mail: [email protected]
B. S. Bindhumadhava, e-mail: [email protected]

1 Introduction

A SCADA system's operation depends completely on the data received from the RTU, based on which the control actions are taken. So, if an attacker wants to cause damage to ICS systems which use SCADA, the attacker mainly focuses on modifying the data or completely blocking the data transfer.

Since SCADA communication protocols were initially designed without security, they are luring attackers nowadays. There are two types of attackers: the targeted attacker and the dumb attacker. Unskilled intellectuals perform the dumb attacks, many of which can be alleviated without much effort by the use of redundant systems and other security measures. Skilled intellectuals perform the targeted attacks, which are pretty hard to handle with the existing security measures of SCADA systems. Coordinated attacks are difficult to handle due to the diverse nature of their attack origins [3–5]. Coordinated attacks can be modeled and analyzed to avoid detection [2, 8]. In coordinated attacks it is difficult to differentiate between decoy and actual attacks [2]. There is a large variety of coordinated attacks [2]. These coordinated attacks are gaining a lot of attention from both amateur and professional attackers. Coordinated communication


channel attacks, if planned and executed with precision, can break down all the existing SCADA systems. Coordinated communication channel attacks by skilled intellectuals are carried out only after they have performed a preliminary risk analysis. This preliminary risk analysis reveals all the possible loopholes that exist in the system [1].

There is an old adage stating that, "Start thinking thyself as your enemy while implementing battle strategies to win a war". The same concept can be applied to this scenario, wherein the security providers of critical systems should start thinking of themselves as their attackers. So, the first step will be to perform a risk analysis over the communication channel to eliminate the possible coordinated communication channel attacks. Possible attacks can be represented using attack trees [7] and defense graphs [1].

One more advantage of using risk analysis or vulnerability analysis [6] is that a particular industry may decide either to implement the security on all the devices or to apply it only to selected critical areas. With this, a balance can be achieved between the implementation cost and the benefit of implementing the security mechanisms [1].

The rest of the paper is organized as follows: Sect. 2 discusses the vulnerabilities of the communication protocols IEC 60870-5-101 and IEC 60870-5-104. Section 3 gives an in-depth view of exploiting the vulnerabilities. Section 4 discusses uncoordinated and coordinated attacks using the existing vulnerabilities. Section 5 discusses application layer security for IEC 60870-5 series protocols based on IEC 62351. Section 6 discusses the experimental research model. Section 7 discusses an additional security mechanism. Section 8 discusses the observed results. Section 9 discusses future work. The conclusion of this paper is given in Sect. 10 by examining some important properties of the proposed model.

2 Vulnerabilities of communication protocols IEC 60870-5-101, IEC 60870-5-104

Before going in for the attacks, an attacker first tries to espy the weak links of the communication protocols and then tries to figure out how to use them to cause maximum chaos. Some of the weak links present in the communication protocols IEC 60870-5-101 and IEC 60870-5-104 are as follows:

1. A one-byte checksum in the case of the IEC 60870-5-101 protocol, and the absence of a checksum field in the IEC 60870-5-104 protocol, as it is completely dependent on the lower layers for data integrity.
2. Lack of inbuilt security mechanisms in both the protocols for providing security at the application layer and data link layer.
3. Communication vulnerabilities at the data transit level:
   a. Limited bandwidth, which leads to a limited frame length for the data being transferred (example: only 255 octets can be transmitted at a time by both the IEC 60870-5-101 and IEC 60870-5-104 protocols).
   b. Unreliable media of communication (the communication medium may or may not have security mechanisms implemented).

The possible attacks due to lack of application layer security are
a. Spoofing [3–5].
b. Non-repudiation [3–5].

The possible attacks due to lack of data link layer security are
a. Sniffing [3–5].
b. Data modification [3–5].
c. Replay [3–5].

These vulnerabilities are also discussed, along with a few other vulnerabilities, in the IEC 62351 security document. These vulnerabilities act as crevices in the IEC 60870-5-101 and IEC 60870-5-104 protocols through which attackers prowl in to plunder them.

The possible areas for communication channel attacks in a SCADA environment are
1. Communication between MTU and RTU, wherein the IEC 60870-5-101 and IEC 60870-5-104 protocols are used for data transmission.
2. Communication between MTU and HMI.

These are the major areas of data communication wherein modification of the data may lead to wrong control decisions, which will cause chaos.

3 An in-depth view of exploiting vulnerabilities

The checksum vulnerability stated earlier has two problems.
A. Insufficient size of checksum.
B. Checksum alone is unreliable for data integrity.

3.1 Insufficient checksum size

The size of the checksum in the IEC 60870-5-101 protocol is just one byte, so there is always a possibility of overflow


of the checksum. Preliminary research in the SCADA industry showed some supporting results for this.

As an example of the above statement, consider a case where the maximum value of the checksum is 100 and the sum of all the data is 130 or 230 or 330 and so on; then the checksum value will be shown as 30. This reveals that the exact value of the checksum cannot be determined by the use of a single-byte checksum.

3.2 Checksum alone is unreliable for data integrity

Purely relying on the checksum alone for checking data integrity is not appreciated. A smart attacker can play a hoax on the operator by changing both the data value and the corresponding checksum value. An example of this mechanism is shown in Sect. 5.

3.2.1 Communication vulnerabilities at data transit level

The limited bandwidth for data transmission acts as an obstacle for the packet frame length. Due to this limited bandwidth only 255 octets can be transmitted at a time by both the IEC 60870-5-101 and IEC 60870-5-104 protocols. This indirectly acts as a barricade on the security bits to be added during data transmission.

The unreliable medium of communication, which has no security mechanisms, also adds insult to injury. Generally the medium of communication will be radio waves or twisted cable (fiber optic also). If radio waves are used as the communication medium then frequency interference can be created by producing a different signal, apart from the intended communication signal, in the same frequency range.

The IEC 62351 security standard is provided for adding security mechanisms to the IEC 60870-5 series protocols. IEC 62351 provides security mechanisms at the application layer level but does not deal with data link layer security mechanisms. Thus, by the use of the IEC 62351 document alone, complete security for the communication protocols of SCADA systems cannot be provided.

4 Uncoordinated and coordinated attacks using the existing vulnerabilities

The succeeding part deals with the impact of uncoordinated and coordinated attacks based on the vulnerabilities stated in the previous sections.

4.1 Uncoordinated attacks

These are again classified into two types:
a. Dumb way.
b. Smart way.

The dumb way of performing an uncoordinated attack is a very simple attack; here the attacker does not need any prior knowledge about the communication protocol structure. In this attack the attacker simply modifies some bytes of data and transmits it to the destination station. An experiment was conducted to show this attack, but the drawback of this attack is that the MTU simulator detected the modification based on the checksum and popped up a message stating "Checksum mismatch". So, this attack will not have any serious impact on the systems.

The smart way of performing an uncoordinated attack requires knowledge about the communication protocol in use. The frame format of the IEC 60870-5-101 protocol is explained in Fig. 1.

The classification of the 8 bits of the CF (control field) is shown in Fig. 1. In this, the ACD bit is transmitted from the slave (controlled station) system to the master (controlling station) system. The purpose of this bit is to inform the master that the slave station has digital data with it. Then, if the master system wants to read the digital data, it sends a digital data request. Generally digital data is considered to be the data regarding circuit breakers, switches and so on. This digital data is considered critical data in most cases. So, keeping this in mind, an intelligent attacker will modify this bit value and the checksum correspondingly, misguiding the master station and making the digital data unavailable to it.

One more bit, DFC, is also transmitted from the slave (controlled station) system to the master system. The purpose of this bit is to indicate to the master (controlling station) system that if it sends further requests it will lead to overflow. Based on this, the master decides whether to transmit further requests or not. A smart attacker will modify this bit and the corresponding checksum value. By this the attacker succeeds in making the master station wait continuously.

The common address of ASDU (CAASDU) and link address (LA) fields contain the station address and link address respectively. A smart attacker will change these fields and the corresponding checksum value. The result of this modification is that the intended control operation will not take place at the desired RTU. The other fields in the frame format, like type identification (TI), variable structure qualifier (VSQ) and cause of transmission (COT), can also be modified. But the effect of these attacks will be very minimal, as these modifications can be very easily detected by the operator.
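The checksum weaknesses of Sects. 3.1, 3.2 and 4.1 can be reproduced on a model of the Fig. 1 frame. The following is an added example, not code from the paper or its authors; it assumes the FT1.2-style layout (start byte, length, control field, link address, ASDU, one-byte checksum, end byte), an ACD bit position of 0x20 and a 4-byte truncated HMAC tag, all of which are assumptions for illustration. It shows that distinct payloads collapse onto the same one-byte checksum, that a frame whose control field is modified and whose checksum is recomputed still passes the checksum check, and that a keyed tag of the kind a Security Hardener could append detects the same modification.

```python
import hmac
import hashlib

# Constructed helpers for the IEC 60870-5-101 variable-length frame of Fig. 1
# (FT1.2 format). The one-byte checksum is the arithmetic sum, modulo 256, of
# the control field, link address and ASDU bytes. Byte offsets, the control
# field bit position and the 4-byte tag are assumptions made for this example.
START, END = 0x68, 0x16
ACD_BIT = 0x20          # assumed position of the ACD bit in the control field
TAG_LEN = 4             # assumed truncated tag length


def ft12_checksum(body: bytes) -> int:
    # Sum of all body bytes, kept to one byte: any change that leaves the sum
    # unchanged modulo 256 is invisible to this check.
    return sum(body) & 0xFF


def build_frame(control: int, link_addr: int, asdu: bytes) -> bytes:
    body = bytes([control, link_addr]) + asdu
    n = len(body)
    return bytes([START, n, n, START]) + body + bytes([ft12_checksum(body), END])


def parse_frame(frame: bytes):
    """Return (body, received_checksum) for a well-formed frame."""
    n = frame[1]
    return frame[4:4 + n], frame[4 + n]


def checksum_ok(frame: bytes) -> bool:
    body, cs = parse_frame(frame)
    return ft12_checksum(body) == cs


def same_checksum(a: bytes, b: bytes) -> bool:
    # Sect. 3.1: distinct payloads collapse onto the same one-byte value.
    return a != b and ft12_checksum(a) == ft12_checksum(b)


def modify_control_field(frame: bytes, mask: int) -> bytes:
    # Sect. 4.1 "smart way": clear bits in the control field and recompute the
    # checksum, so that the checksum check alone still accepts the frame.
    body, _ = parse_frame(frame)
    body = bytes([body[0] & ~mask & 0xFF]) + body[1:]
    n = len(body)
    return bytes([START, n, n, START]) + body + bytes([ft12_checksum(body), END])


def frame_tag(frame: bytes, key: bytes) -> bytes:
    # Keyed integrity tag (truncated HMAC-SHA256) that the Security Hardener
    # of Sect. 6 could append; without the key the tag cannot be recomputed.
    return hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]


def protect(frame: bytes, key: bytes) -> bytes:
    return frame + frame_tag(frame, key)


def tag_ok(protected: bytes, key: bytes) -> bool:
    frame, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    return hmac.compare_digest(frame_tag(frame, key), tag)


# Constructed sample: a secondary-station frame with ACD set (control 0x28) and
# a short dummy ASDU; the key is a placeholder for the hardener's shared secret.
SAMPLE_FRAME = build_frame(0x28, 0x01, bytes([0x01, 0x01, 0x03, 0x01, 0x00, 0x01]))
SAMPLE_KEY = b"placeholder-shared-key"

if __name__ == "__main__":
    tampered = modify_control_field(SAMPLE_FRAME, ACD_BIT)
    print("checksum accepts modified frame:", checksum_ok(tampered))       # True
    guarded = protect(SAMPLE_FRAME, SAMPLE_KEY)
    forged = modify_control_field(guarded[:-TAG_LEN], ACD_BIT) + guarded[-TAG_LEN:]
    print("keyed tag accepts modified frame:", tag_ok(forged, SAMPLE_KEY))  # False
```

The point for a defender is the last two lines: the link-layer checksum is a transmission-error detector, not an integrity mechanism, and only a keyed check (or the IEC 62351 application-layer authentication the paper adopts) distinguishes an authentic frame from a recomputed one.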


Fig. 1 Frame format of IEC 60870-5-101 & 104 communication protocols. Legend: CF control field, LA link address, TI type identification, VSQ variable structure qualifier, COT cause of transmission, CAASDU common address of application service data unit, CS checksum, L length, RES reserved, PRM primary message, FCB frame count bit, FCV frame count bit valid, DFC data flow control, ACD access demand

4.1.1 Attack's intention

The attacker can mislead the control center operator.

4.1.2 Loophole of this attack

The control center operator can detect this attack after cross-checking the tag values and ranges.

4.2 Coordinated attacks

Coordinated attacks are generally practiced by people who want to cause maximum damage to a particular organization or a nation. These attacks are also known as targeted coordinated attacks. Targeted coordinated attacks are not carried out by a single person; instead they are carried out by a group of professionals in different areas. Network access and access credentials are obtained just as in any normal communication channel attack, but the variation here is in the collection of details of the communication protocols and the field details. The attackers here study the communication protocols and figure out the possible vulnerabilities, which are then exploited to cause maximum damage.

An experiment was conducted to prove this attack's severity.

4.2.1 Attack's intention

The maximum damage can be caused when the attacker knows the field details like tag ids, tag values and ranges of field devices like actuators and circuit breakers. Based on those details the attacker can send control commands to cause malfunctioning of the field devices. Smart coordinated attacks are considered the most brutal attacks on any control system because they cannot be detected and controlled easily.

5 Application layer security for IEC 60870-5 series protocols based on IEC 62351

An authentication mechanism is considered a critical security measure at the application layer level. Here authentication is of two types.
1. Operator authentication.
2. MTU/RTU authentication.

Non-repudiation attacks can be eradicated by the use of operator authentication. In the operator authentication mechanism each and every operator possesses unique authentication credentials. Operator privileges can also be set. Thus, by the use of operator authentication, operators are made accountable.

Spoofing attacks, or masquerade attacks, can be eradicated by the use of MTU/RTU authentication. IEC 62351 specifies a mechanism wherein only critical data requests are authenticated and non-critical data is not authenticated. This is to reduce the bandwidth and processing requirements. There is one more mechanism specified in IEC 62351, called aggressive mode, wherein the challenge-response exchange is eliminated. But the aggressive mode is less secure than the challenge-response mechanism. IEC 62351 also specifies a key exchange mechanism for changing/managing the authentication credentials.

6 Experimental research model

One major problem in implementing these security mechanisms in existing SCADA systems is that the RTU and MTU software is third-party software which is not revealed to outsiders. The security model should be designed in such a way that it does not affect the existing SCADA systems technically or economically. Therefore, the security mechanism for application layer


security should be provided externally to the systems without disturbing the existing SCADA system's working. This can be implemented by the use of single board computers (SBCs). These SBCs act as an extra layer, wherein the data to be transmitted is wrapped up within this extra security layer. Keeping this as the foundation logic, the security design model shown in Fig. 2 was developed for the IEC 60870-5-101 protocol. The Security Hardener shown in Fig. 2 is an SBC.

The above security model was designed in full compliance with the IEC 62351 security standard. In this model authentication of critical data alone is performed, to optimize the bandwidth utilization and the processing power.

6.1 Calculation for supporting the bandwidth and processing power optimization

Let us consider that the normal Application Service Data Unit (ASDU) of the IEC 60870-5-101 protocol is of length 25 bytes. The processing power required for computing the same 25 bytes is, say, 100 ms. Now we include the challenge-response mechanism for providing application layer security by the SBCs. The challenge message consists of 112 bits (23 bytes) and the response message consists of 72 bits (9 bytes). The critical ASDU request and critical ASDU response will occupy 50 bytes. Then the total number of bytes transferred with the security mechanism included for critical data is 82 bytes (23 bytes challenge + 9 bytes response + 50 bytes of critical ASDU request and response). Now the increase in the number of bytes leads to an increase in bandwidth consumption. The processing power will also be incremented by some factor "X". So, the new processing power will be "100 ms + X".

Note: the "X" value will be less than 100 ms.

If we had chosen an aggressive mode request instead of the challenge-response mechanism, then the number of extra bytes added would be 57 bytes (7 bytes of aggressive mode request + 50 bytes of normal data transfer).

Fig. 2 Authentication security model for IEC 60870-5-101 protocol
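The critical-ASDU authentication of Sect. 5 and the byte count of Sect. 6.1 can be followed on a small model of the two hardener boards. The following is an added example, not code from the paper or its authors, and not the IEC 62351 wire format: the 23-byte challenge and 9-byte response sizes come from Sect. 6.1, while the HMAC-SHA256 response, the set of "critical" type identifications, the reply ASDU and the shared key are assumptions for illustration. It runs both sides of the exchange, shows that non-critical ASDUs bypass the challenge, counts the bytes on the wire, and shows that a replayed (challenge, response) pair or a response made with a different key is rejected.

```python
import hmac
import hashlib
import os

# Constructed model of the challenge-response exchange that the Security
# Hardener SBCs apply to critical ASDUs (Sect. 5, 6.1). The message layouts,
# the HMAC-SHA256 response, the "critical" type identifications and the key
# are assumptions for this example, not the IEC 62351 wire formats.
CHALLENGE_LEN = 23      # minimum challenge size used in Sect. 6.1
RESPONSE_LEN = 9        # minimum response size used in Sect. 6.1
CRITICAL_TYPE_IDS = {45, 46, 47, 48, 49, 50}   # assumed: command ASDUs


def is_critical(asdu: bytes) -> bool:
    # First ASDU byte is the type identification (TI) of Fig. 1.
    return asdu[0] in CRITICAL_TYPE_IDS


def response_for(key: bytes, challenge: bytes, asdu: bytes) -> bytes:
    # The response binds the fresh challenge to the exact ASDU being authorised.
    return hmac.new(key, challenge + asdu, hashlib.sha256).digest()[:RESPONSE_LEN]


class ControllingStation:
    """MTU-side hardener: answers challenges with the shared key."""
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, challenge: bytes, asdu: bytes) -> bytes:
        return response_for(self.key, challenge, asdu)


class ControlledStation:
    """RTU-side hardener: challenges critical ASDUs and verifies responses."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = None

    def new_challenge(self) -> bytes:
        self.outstanding = os.urandom(CHALLENGE_LEN)
        return self.outstanding

    def check(self, challenge: bytes, asdu: bytes, response: bytes) -> bool:
        # A challenge is valid for exactly one response; anything else,
        # including a replayed (challenge, response) pair, is rejected.
        if self.outstanding is None or challenge != self.outstanding:
            return False
        self.outstanding = None
        return hmac.compare_digest(response_for(self.key, challenge, asdu), response)


def send_asdu(mtu: ControllingStation, rtu: ControlledStation, asdu: bytes):
    """Run one exchange; return (accepted, bytes_on_wire, transcript)."""
    transcript = [("MTU->RTU", asdu)]
    if is_critical(asdu):
        challenge = rtu.new_challenge()
        transcript.append(("RTU->MTU", challenge))
        response = mtu.answer(challenge, asdu)
        transcript.append(("MTU->RTU", response))
        accepted = rtu.check(challenge, asdu, response)
    else:
        accepted = True                     # non-critical data is not authenticated
    if accepted:
        # Constructed reply ASDU of the same length as the request (COT byte changed).
        transcript.append(("RTU->MTU", asdu[:2] + bytes([7]) + asdu[3:]))
    return accepted, sum(len(m) for _, m in transcript), transcript


# Constructed 25-byte ASDUs matching the sizes assumed in Sect. 6.1.
CRITICAL_ASDU = bytes([45, 1, 6]) + bytes(22)        # TI=45, a command
NON_CRITICAL_ASDU = bytes([1, 1, 3]) + bytes(22)     # TI=1, monitoring data
SHARED_KEY = b"placeholder-shared-key"

if __name__ == "__main__":
    mtu, rtu = ControllingStation(SHARED_KEY), ControlledStation(SHARED_KEY)
    for asdu in (CRITICAL_ASDU, NON_CRITICAL_ASDU):
        accepted, n, transcript = send_asdu(mtu, rtu, asdu)
        print(accepted, n, "bytes", [(d, len(m)) for d, m in transcript])
```

With the 25-byte ASDUs of Sect. 6.1 the critical exchange carries 82 bytes (25 + 23 + 9 + 25) and the non-critical one 50, which is the comparison the paper draws. The single-use challenge is what gives the exchange its replay resistance, and it is exactly what the aggressive mode gives up.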


Note: the challenge and response mechanism data lengths taken are only the minimum values (mentioned in IEC 62351) required, so there is always a possibility that the data length may increase.

The design diagram of the IEC 60870-5-104 protocol for implementing authentication layer security is shown in Fig. 3.

Fig. 3 Authentication security model for IEC 60870-5-104 protocol

The IEC 60870-5-104 protocol is an IP based protocol, so the design model for it is different from the design model of the IEC 60870-5-101 protocol to some extent, but the data transfer mechanism is almost similar.

This design model is also in full compliance with the IEC 62351 security document. In these models only the challenge-response mechanisms are shown. The aggressive mode of authentication is not shown as it is less secure when compared to the challenge-response mechanism. This aggressive mode is very important in time critical scenarios, but the scenarios where we are working allow the delay caused by the challenge-response mechanism.

7 Additional security mechanism

The IEC 62351 document provides only application layer security. But in SCADA, application layer security alone cannot guarantee the data integrity which is critical. So, to provide data integrity, encryption mechanisms should be included. As MTU and RTU are third-party software, we have implemented the data link layer security mechanism also by the bump-in-the-wire mechanism.

After completely analyzing the packet structure of the IEC 60870-5-101 protocol it was observed that there are actually 2 sizes of packets transmitted between MTU and RTU. Some ASDU packets are <16 bytes in size and some are >16 bytes in size. The ASDUs which are <16 bytes are completely encrypted and transmitted between the boards, and for the ASDUs which are >16 bytes only 16 bytes (which include the checksum byte also, to provide a greater level of security) are encrypted and transmitted between the boards along with the remaining data. To provide a strong security mechanism the AES-128 bit encryption algorithm (block cipher) was used. This technique was implemented and tested on the SCADA TESTBED in our simulation lab.

Data modification attacks, replay attacks and sniffing attacks can be eradicated by using encryption techniques. Replay attacks can also be eradicated by the use of time stamping techniques in the data transmission protocols.

8 Observed results

Time delay involved by implementing the security mechanisms:

S. No.  Mechanism                                                        Time taken (at MTU)
1.      Challenge-response                                               1258 ms
2.      Challenge-response with key change                               1263 ms
3.      Challenge-response with key change and data link layer security  1365 ms
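The data link layer protection of Sect. 7 relies on a bump-in-the-wire board that wraps every frame, and the paper names time stamping as the way to shut out replay. The following is an added example, not code from the paper or its authors, of the integrity-and-freshness part of such a wrapper: a header with a timestamp and sequence number, a keyed HMAC-SHA256 tag, and a receiving board that rejects tampered, stale and replayed frames. The header layout, the 8-byte tag, the 5-second skew window and the key are assumptions for illustration; the AES-128 encryption of the paper's design is deliberately left out so that the freshness logic stands on its own.

```python
import hmac
import hashlib
import struct

# Constructed bump-in-the-wire freshness check for the data link layer
# protection of Sect. 7: every outgoing frame is wrapped with a timestamp, a
# sequence number and a keyed tag, and the receiving board rejects tampered,
# stale and replayed frames. The header layout, tag length, skew window and
# key are assumptions for this example; the paper's AES-128 encryption of the
# ASDU is not shown here, only the integrity and replay part.
TAG_LEN = 8
HDR_FMT = ">IH"                 # 4-byte unix seconds + 2-byte sequence number
HDR_LEN = struct.calcsize(HDR_FMT)
MAX_SKEW_S = 5                  # assumed tolerated clock difference between boards


def wrap(key: bytes, asdu: bytes, now_s: int, seq: int) -> bytes:
    """Sending board: header + ASDU + tag over both."""
    hdr = struct.pack(HDR_FMT, now_s, seq)
    tag = hmac.new(key, hdr + asdu, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + asdu + tag


class Unwrapper:
    """Receiving board state: last accepted (timestamp, sequence) on this link."""
    def __init__(self, key: bytes):
        self.key = key
        self.last = (-1, -1)

    def unwrap(self, wrapped: bytes, now_s: int):
        """Return (asdu, 'ok') or (None, reason)."""
        if len(wrapped) < HDR_LEN + TAG_LEN:
            return None, "short"
        hdr, tag = wrapped[:HDR_LEN], wrapped[-TAG_LEN:]
        asdu = wrapped[HDR_LEN:-TAG_LEN]
        expected = hmac.new(self.key, hdr + asdu, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return None, "bad tag"          # data modification (Sect. 7)
        ts, seq = struct.unpack(HDR_FMT, hdr)
        if abs(now_s - ts) > MAX_SKEW_S:
            return None, "stale"            # outside the freshness window
        if (ts, seq) <= self.last:
            return None, "replay"           # already seen, or older than last accepted
        self.last = (ts, seq)
        return asdu, "ok"


if __name__ == "__main__":
    key = b"placeholder-link-key"          # placeholder for the boards' shared key
    rx = Unwrapper(key)
    frame = wrap(key, bytes([1, 1, 3, 0, 0]), 1000, 1)   # constructed 5-byte ASDU
    print(rx.unwrap(frame, 1001))          # (b'\x01\x01\x03\x00\x00', 'ok')
    print(rx.unwrap(frame, 1002))          # (None, 'replay')
```

The sequence number matters because two legitimate frames may share a second; comparing the (timestamp, sequence) pair keeps the rule strict without dropping them. The tag is checked before the timestamp so that an unauthenticated header can never influence the receiver's state.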


9 Future work

Future work is to implement the security mechanism for the IEC 60870-5-104 protocol.

10 Conclusion

The lack of security mechanisms both at the application layer level and the data link layer level is pushing the legacy SCADA systems into a mire of cyber attacks. These cyber attacks are being launched as a means of cyber warfare by criminals to cause damage to an organization or nation. By adopting the proposed experimental research model, these can be eradicated and security at both the application and data link layers will be provided for the SCADA systems. This research model is in compliance with IEC 62351 standards also.

References

1. Bindhumadhava BS, Senthil Kumar RK, Kalluri R, Pidikiti DS (2012) SCADA systems security-threat analysis using defense graphs. In: International conference on cyber, physical and system security
2. Braynov S, Jadliwala M (2003) Representation and analysis of coordinated attacks. In: FMSE '03 Proceedings of the 2003 ACM workshop on formal methods in security engineering, pp 43–51
3. Gregg M (2007) Certified ethical hacker guide. Que Publication
4. http://csrc.nist.gov/. Accessed 22 Oct 2012
5. http://www.cert-in.org.in/. Accessed 23 Oct 2012
6. http://www.cert.org/. Accessed 23 Oct 2012
7. Ten C-W, Manimaran G, Liu C-C (2010) Cybersecurity for critical infrastructures: attack and defense modeling. IEEE Trans Syst Man Cybern Part A Syst Hum 40(4):853–865
8. Xh Li, Sh Xu (2007) A stochastic modeling of coordinated internal attacks and external attacks
