Cyber SCADA Research for the Nation's Critical Infrastructure
CHRISTOPHER KLAUS*, KEITH ANDREW, and MICHAEL VOGT
SCADA systems used to control critical infrastructure systems have increasingly become part of our cyberinfrastructure by utilizing the Internet for SCADA communications. Unfortunately, SCADA systems were not built with cybersecurity in mind and cannot defend against the vulnerabilities inherent in Internet communications. There is a clear need to develop Cyber SCADA Research for the Nation's Critical Infrastructure in order to identify and explore SCADA cyber attacks, correct existing vulnerabilities, and help defend against these current and future attacks.
Western Kentucky University's Cyber Defense Laboratory (CDL) presents this poster to discuss methods of utilizing advanced pattern recognition, classification, trend prediction and autonomic computing from other challenging disciplines to research SCADA intrusion analysis and prevention.
While federal agencies have cyber defense data warehouses for classified data, currently no equivalent unclassified data warehouse is available to academic researchers. This immediately puts a bottleneck in any attempt to train cyber-security personnel and provide a defense against the rapidly growing cyber threats. The CDL has the largest non-government-agency-owned classified data warehouse for cyber attack data, called ARL NACMAST. Our strategy leverages this existing infrastructure to create a Cyber Attack Unclassified Data Warehouse for SCADA cyber attacks. This will promote and support the rapid development of effective SCADA Cyber Security
Plugfest, SCADA Cyber Security Workshop, Nov. 3, 2010, http://www.nacmast.com/scada-workshop
We thank Electronic Warfare Associates and the United States Army Research Laboratory for extensive support and grant funding for this research. We also gratefully acknowledge the NACMAST crew and research scientists for supplying data and technical support. Special thanks also go to WKU's Advanced Research & Technology Program for aid in administering this
Western Kentucky University
Bowling Green, KY
Nov. 12-13, 2010
Cyber Defense Laboratory, Western Kentucky University
Electronic Warfare Associates Government Systems Inc.
Department of Physics and Astronomy
Bowling Green, KY 42101
Applied Physics Institute
Argonne National Laboratory
Army Research Laboratory
Cyber Mapping, MTP
Electronic Warfare Associates, GSI
George Mason University
Michigan State University
Mississippi State University
University of Arizona
University of Louisville
[Network diagram; labels: Sensors and other; Firewall]
SCADA Laboratories at Western Kentucky University, Southern Methodist University, and University of Arizona are being configured as environments to explore SCADA cyber attacks. Each SCADA Laboratory will focus on separate Critical Infrastructure interests.
CDL Data Warehouse
Appropriate methods to capture network traffic data of SCADA cyber attacks are being explored. Initial testing of data capture is being performed by WKU and SMU with results from the Plugfest at the SCADA Cyber Security Workshop in Dallas, TX. SMU is replicating these attacks, which are captured and transferred to WKU's CDL Data Warehouse.
Leveraging knowledge from data capture with the SCADA Laboratories, the Interrogator / Seminole Architecture will be modified to capture and analyze SCADA cyber attacks.
The Biosphere 2 is controlled by SCADA systems and is a good representative of a city's Critical
Computer Network Defense Analysts (CNDAs) at the CDL and Electronic Warfare Associates will review and document SCADA cyber attacks, utilizing network analysis tools within the Interrogator Architecture. CNDAs' network assessments are based on NSA's INFOSEC Assessment and Evaluation Methodology.
Red / blue teams have been created at each university, composed of researchers, faculty, students, and certified ethical hackers. These teams take turns at attacking and defending the SCADA
In the future, it is intended that these teams take turns at attacking and defending the Biosphere 2.
SCADA cyber attacks:
• Unauthorized Command Execution,
• SCADA Denial of Service,
• SCADA Man-in-the-Middle,
• Replay, and
• Malicious Service Commands.
Network traffic and CNDA documentation of SCADA cyber attacks will be stored in the CDL Data Warehouse.
will be placed in the Biosphere 2's
Common SCADA equipment has been utilized at the SCADA Laboratories and the recent Plugfest.
The goal is to encourage industries supporting critical infrastructures to send their SCADA equipment to our laboratories for testing.
Biosphere 2 would be utilized for testing interactions between large suites of SCADA equipment.
SCADA controls are utilized in all critical infrastructures (electric, water, transportation, etc.). These images are from systems that have been compromised by ad hoc SCADA attacks. Stuxnet is the first example of a SCADA worm, which significantly increases the vulnerability of these infrastructures.
SCADA cyber attacks are utilized by our research team. The goal is for the CDL Data Warehouse to become available as a user facility for other cyber security
Research produces methods for defending and hardening SCADA equipment. Modules for better detection of SCADA cyber attacks will be developed for the Interrogator /
Interrogator is the Army Research Laboratory's (ARL) current IDS architecture, which is utilized for DoD facilities. Seminole is a special ARL-derived IDS architecture for use with non-DoD participants.
[Legend: Current research; Planned research]