Simulation and Impact Analysis of Denial-of-Service Attacks on Power SCADA

Rajesh Kalluri, Lagineni Mahendra
Center for Development of Advanced Computing,
C-DAC Knowledge Park, No 1, Old Madras Road,
Byappanahalli, Bangalore, INDIA
rajeshk@cdac.in, laginenim@cdac.in

R.K. Senthil Kumar, G.L. Ganga Prasad
Center for Development of Advanced Computing,
C-DAC Knowledge Park, No 1, Old Madras Road,
Byappanahalli, Bangalore, INDIA
senthil@cdac.in, gpr@cdac.in

978-1-4799-5141-3/14/$31.00 ©2016 IEEE

Abstract—With the ever-growing threat of cyber terrorism, the vulnerability of Supervisory Control and Data Acquisition (SCADA) systems is now the most common subject for security researchers. Attacks on SCADA systems are increasing, and their impact needs to be studied in order to implement proper countermeasures. Many SCADA systems are relatively insecure, with chronic and pervasive vulnerabilities. This paper explains possible vulnerabilities present in SCADA systems and also presents an impact analysis of Denial of Service (DoS) by modeling the attack using an influence diagram. Simulation of DoS attacks helps in analyzing and assessing the security of a SCADA system and is also used to analyze the impact. Experiments have been conducted on an RTU by targeting the "availability" of the system; the results have been analyzed and the impact has been studied.

Keywords—Supervisory Control and Data Acquisition (SCADA); Denial of Service (DoS); Remote Telemetry Unit (RTU); Master Terminal Unit (MTU); Attack Trees

I. INTRODUCTION

Supervisory Control and Data Acquisition (SCADA) systems are used to control and monitor the power system on a real-time basis. A SCADA system consists of various measurement transducers (power, reactive power, voltage, current, frequency etc.), which collect the real-world parameters as electrical signal ranges (like 4-20mA, 0-5V DC, 0-10V DC, +/-20mA, +/-40mA etc.). Transducer signals are connected to RTUs/IEDs. The RTU converts the received analog signals to digital format and sends them to the control center using the IEC 60870-5-101/104 [1][2], IEC 61850 [3], MODBUS and DNP (Distributed Network Protocol) v3 protocols [4]. RTUs are connected to the master terminal unit (MTU) using various communication infrastructures like leased lines, wide area networks etc. The MTU provides data to the Human Machine Interface (HMI) for the needed monitoring and control purposes [9]. Control actions start from the HMI and pass via the MTU and RTU to the field.

The threats posed by attackers/hackers at all levels of the SCADA system architecture should first be figured out. Performing threat detection on the live system is not feasible due to its critical nature. Threat detection at all levels needs to be done by performing a risk analysis over the entire system. Risk analysis is a means by which one can learn the security level of a particular industry and incorporate new ways to intensify that security level, eradicating the specific loopholes in that industry which, if present, may cripple the entire industry.

One more advantage of using risk analysis is that a particular industry may decide either to implement security fully on all the devices or to apply it only to selected critical areas, balancing the implementation cost against the benefits of implementing it.

Approaches to performing risk analysis are mainly classified into two types, i.e. the quantitative approach and the qualitative approach. But in real-time systems like SCADA systems the most usable approach is the quantitative approach. Following are some of the techniques by which the quantitative approach can be performed:
• Attack trees
• Defense trees
• Defense graphs
• Influence diagrams

The rest of the paper is organized as follows: Section II illustrates possible power system vulnerabilities and countermeasures. Section III gives a glimpse of various types of DoS attacks using an influence diagram. Section IV highlights the DoS experiments conducted on the RTU. Section V illustrates the impact of those attacks on SCADA systems, and Section VI ends with the conclusion.

II. POSSIBLE VULNERABILITIES AND COUNTER MEASURES

Every system, whether IT (Information Technology) or ICS (Industrial Control System), has the possibility of cyber attack, and systems may have their own vulnerabilities that will lead to attack. Loss of access to or misuse of these systems could result in severe physical damage, disruption and financial loss to a company. Therefore, SCADA system security has high priority.

Traditionally, SCADA networks have been segregated from other corporate networks to minimize exposure to unsecure areas, such as the Internet. Through the Internet, the possibility of attacks increases, and zero-day vulnerabilities in all the components of SCADA also get a higher percentage of the security mechanism.
Fig. 1. Basic SCADA architecture mapping possible vulnerabilities and counter measures

In SCADA systems, vulnerabilities can impact three main components, namely the Master Station (MTU), the remote telemetry unit (RTU) and the Communication Networks (ref. Fig. 1). Since RTUs are spread out over large areas, they are more vulnerable than the others and are at higher security risk. The vulnerabilities of the Internet and the TCP/IP protocol can be extended to SCADA systems. As a result, SCADA systems are subjected to cyber attacks with major consequences.

Fig. 1 describes the possible vulnerabilities and countermeasures at each level. At the RTU level, the critical vulnerabilities are malicious configurations, denial of service and malware. When an RTU is updated with a malicious configuration or malware, even the operator may not be aware that that particular RTU is infected. When the RTU and MTU communicate over plain-text protocols on the communication channel, the vulnerabilities include man-in-the-middle attacks and replay attacks. By exploring the protocol details and using a coordinated attack approach, the attack can be made more effective. Countermeasures at the communication channel include hardening the plain-text protocols. At the control centre, possible vulnerabilities include malware, DoS attacks, sabotage etc.

III. DENIAL OF SERVICE ATTACKS

There are three primary components to security: confidentiality, integrity, and availability. A Denial of Service (DoS) [5][6][7] attack targets availability. The goal of a DoS attack is to disrupt some legitimate activity, such as making the MTU and RTU unable to communicate with each other. This denial-of-service effect is achieved by sending messages to the target that interfere with its operation and make it hang, crash, reboot, or do useless work. Denial of service (DoS) is easy to launch, but hard to prevent.

Fig. 2. Influence diagram for DoS attacks on RTU

When attackers cannot access the network, they use DoS as a last resort. When attackers cannot access the MTU or RTU, they make sure that no one else can access them either. Attackers may also conduct this attack to prove that the systems are vulnerable. A DoS attack is also a way of making the RTU or MTU unavailable for operations.

Some of the symptoms of DoS are:
• Unusually slow network performance
• Unavailability of a targeted MTU/RTU
• Inability to access the RTU from the MTU
• Dramatic increase in the delay of communication
• Disconnection of a wireless or wired internet connection

A. Influence diagram for Denial of Service attacks

A successful attack on the RTU or MTU may lead to data loss, and commands initiated from the MTU to the RTU may be ignored by the RTU. The possible ways of DoS attacks on the RTU have been modeled using an influence diagram [10] and are shown in Fig. 2. Influence diagrams are useful for understanding the attack methodology and also for preparing countermeasures.

DoS attacks on the RTU can be categorized into three broad categories [8]:
• Bandwidth consumption
• Resource starvation
• Programming flaws

Fig. 3. Attack on Network Layer
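The symptom list above (unavailability of a targeted RTU, dramatic increase in communication delay) can be turned into a check that runs on the MTU side over its own poll log. The following script is an added example, not code from the paper or from C-DAC: the log line format, the thresholds (baseline of the first five successful polls, a 5x delay factor, three consecutive timeouts) and the sample log lines are all constructed for illustration.

```python
"""Flag the DoS symptoms listed above from an MTU-side poll log.

Added example, not code from the paper.  The log format, the thresholds
and the sample lines are constructed here for illustration.
"""
import re
import statistics
from dataclasses import dataclass
from typing import Optional

# Constructed MTU poll log: one line per cyclic poll of an RTU.
SAMPLE_LOG = """\
2016-03-01T10:00:00 rtu=RTU-07 poll rtt_ms=38 status=ok
2016-03-01T10:00:02 rtu=RTU-07 poll rtt_ms=41 status=ok
2016-03-01T10:00:04 rtu=RTU-07 poll rtt_ms=40 status=ok
2016-03-01T10:00:06 rtu=RTU-07 poll rtt_ms=37 status=ok
2016-03-01T10:00:08 rtu=RTU-07 poll rtt_ms=39 status=ok
2016-03-01T10:00:10 rtu=RTU-07 poll rtt_ms=420 status=ok
2016-03-01T10:00:12 rtu=RTU-07 poll rtt_ms=950 status=ok
2016-03-01T10:00:14 rtu=RTU-07 poll rtt_ms=- status=timeout
2016-03-01T10:00:16 rtu=RTU-07 poll rtt_ms=- status=timeout
2016-03-01T10:00:18 rtu=RTU-07 poll rtt_ms=- status=timeout
2016-03-01T10:00:00 rtu=RTU-12 poll rtt_ms=45 status=ok
2016-03-01T10:00:02 rtu=RTU-12 poll rtt_ms=44 status=ok
2016-03-01T10:00:04 rtu=RTU-12 poll rtt_ms=46 status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rtu=(?P<rtu>\S+) poll rtt_ms=(?P<rtt>\S+) status=(?P<status>\w+)$"
)


@dataclass
class Poll:
    ts: str
    rtu: str
    rtt_ms: Optional[int]   # None when the poll timed out
    ok: bool


def parse_log(text):
    """Parse the constructed log format; lines of another shape are skipped."""
    polls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rtt = None if m["rtt"] == "-" else int(m["rtt"])
        polls.append(Poll(m["ts"], m["rtu"], rtt, m["status"] == "ok"))
    return polls


def detect_symptoms(polls, baseline_n=5, delay_factor=5.0, timeout_run=3):
    """Return {rtu: [symptoms]} for the two DoS symptoms a poll log can show.

    "dramatic increase in communication delay": a successful poll whose round
    trip exceeds delay_factor times the median of the first baseline_n polls.
    "RTU unavailable": the log for that RTU ends in timeout_run or more
    consecutive timeouts.
    """
    by_rtu = {}
    for p in polls:
        by_rtu.setdefault(p.rtu, []).append(p)
    findings = {}
    for rtu, seq in by_rtu.items():
        symptoms = []
        ok_rtts = [p.rtt_ms for p in seq if p.ok]
        if len(ok_rtts) > baseline_n:
            baseline = statistics.median(ok_rtts[:baseline_n])
            if any(rtt > delay_factor * baseline for rtt in ok_rtts[baseline_n:]):
                symptoms.append("dramatic increase in communication delay")
        run = 0
        for p in reversed(seq):           # count trailing timeouts
            if p.ok:
                break
            run += 1
        if run >= timeout_run:
            symptoms.append("RTU unavailable")
        if symptoms:
            findings[rtu] = symptoms
    return findings


if __name__ == "__main__":
    for rtu, symptoms in detect_symptoms(parse_log(SAMPLE_LOG)).items():
        print(rtu, "->", ", ".join(symptoms))
```

The baseline is taken from the first polls of each RTU rather than from a fixed number, because the normal round trip differs per link (leased line, WAN, radio); a real deployment would persist that baseline across runs instead of recomputing it from the head of the log.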
IV. EXPERIMENTS

Making the system unavailable is the target of conducting a DoS attack. Sending requests for the same data or resource without any break will lead to a DoS attack, and after a particular time the system will not be able to handle the requests. An attacker can carry out this type of attack using ICS-specific malware, or using Distributed Denial of Service (DDoS) to hide his own identity.

In all experiments, the target is to attack an RTU which is communicating over the IEC 60870-5-104 protocol. The intention of carrying out the Denial of Service (DoS) attack on the IEC 60870-5-104 RTU was to practically prove that such an attack can happen, and that the RTU can be hit performance-wise and can also malfunction. It was necessary to come out with a mechanism to measure the tolerance limit (or threshold) up to which an RTU behaves normally vis-à-vis a DoS attack.

A denial of service attack targets the network bandwidth and the resources of the target machine. This attack can be carried out by targeting three different layers, viz. the network layer, the transport layer and the application layer. The network bandwidth can be starved by flooding random IP packets at the network layer, and resource starvation can be done by either flooding SYN packets at the transport layer or flooding user data packets at the application layer.

A. Experiment 1 # Network layer (IP packet flood):
The experiment has been conducted by generating a packet flood (packets of length 1514 bytes) starting at the rate of 10000 kbits/sec, and the impact has been observed at the MTU end (ref. Fig. 3). The MTU started to experience abnormal behavior from the RTU when the attacker tool generated the packet flood at 35209 kbit/sec.

Fig. 4. IP packet flood vs response time (plot of RTU response time in millisec, 0 to 9000, against packet flood rate in Kbits/sec, 10000 to 34000)

B. Experiment 2 # Transport layer (TCP SYN flood):
Here, SYN request packets have been flooded starting at the rate of 500 packets per second. Each SYN request packet is of length 60 bytes. This leaves so many half-open connections at the RTU, saturating the number of available connections it is able to make, that it is kept from responding to legitimate requests (from the MTU) until after the attack ends (see Fig. 5).

Fig. 5. Attack on Transport Layer
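The failure mode in Experiment 2 is the RTU's connection table filling with half-open connections. A firewall or IDS placed in front of the RTU can watch the same table from the outside and raise an alert before saturation. The script below is an added example and not the paper's test-bed code: it tracks half-open connections from connection-level events, ages them out like a kernel SYN timeout, and alerts on per-source and total limits. The event format, the limits and the sample capture are constructed for illustration.

```python
"""Track half-open TCP connections towards an RTU and alert before the
connection table saturates (the failure mode described in Experiment 2).

Added example, not code from the paper.  Event format, limits and the
sample capture are constructed here.
"""
from collections import defaultdict

# Constructed connection-level events as a capture tool might emit them:
# (time_s, src_ip, src_port, tcp_flags).  The RTU is the destination of
# every event, so it is not repeated per entry.
SAMPLE_EVENTS = [
    (0.00, "10.0.0.5", 40001, "S"),    # MTU opens a connection ...
    (0.01, "10.0.0.5", 40001, "A"),    # ... and completes the handshake
] + [
    # 40 SYNs from one constructed address that never complete the handshake
    (0.10 + i * 0.002, "192.0.2.77", 50000 + i, "S") for i in range(40)
] + [
    (0.50, "10.0.0.5", 40002, "S"),
    (0.51, "10.0.0.5", 40002, "A"),
]


def half_open_table(events, now, timeout_s=3.0):
    """Return {(src_ip, src_port): syn_time} for connections half open at `now`.

    A client SYN opens an entry; the client's ACK (third handshake step)
    closes it; entries older than timeout_s are dropped, mirroring the
    SYN timeout a TCP stack applies.
    """
    table = {}
    for t, ip, port, flags in sorted(events):
        if t > now:
            break
        key = (ip, port)
        if "S" in flags and "A" not in flags:
            table[key] = t
        elif "A" in flags:
            table.pop(key, None)
    return {k: t for k, t in table.items() if now - t <= timeout_s}


def syn_flood_alerts(events, now, per_source_limit=20, total_limit=100, timeout_s=3.0):
    """Alert text for every source over per_source_limit, plus a total alert."""
    table = half_open_table(events, now, timeout_s)
    per_source = defaultdict(int)
    for (ip, _port) in table:
        per_source[ip] += 1
    alerts = []
    for ip, n in sorted(per_source.items()):
        if n > per_source_limit:
            alerts.append(f"{ip}: {n} half-open connections (limit {per_source_limit})")
    if len(table) > total_limit:
        alerts.append(f"total half-open connections {len(table)} exceeds {total_limit}")
    return alerts


if __name__ == "__main__":
    for line in syn_flood_alerts(SAMPLE_EVENTS, now=1.0):
        print(line)
```

The per-source limit catches a single flooding host; the total limit is what matters for the RTU, since a distributed flood spreads the half-open entries over many sources and each one stays under the per-source limit. The total limit should be set below the RTU's actual connection capacity, which the tolerance-threshold measurement described in this section is meant to establish.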


Fig. 6. TCP SYN flood vs response time (plot of RTU response time in millisec, 0 to 160, against packet flood rate, axis labelled Kbits/sec, 500 to 840)

The impact on the RTU, as observed at the MTU, is at 850 SYN request packets per second. At this rate, the RTU is not able to respond to the MTU's requests.

C. Experiment 3 # Application layer (104 APCI packet flood):
After an attacker has established a TCP connection with the RTU, flooding it with a valid packet of the IEC 60870-5-104 protocol forms an attack at the application layer (see Fig. 8). The total packet length is 72 bytes, with the following user data (Fig. 7) in the application layer:

0x68 0x04 0x07 0x00 0x00 0x00

Fig. 7. One of the IEC 60870-5-104 protocol APCI packets

Fig. 8. Attack on Application Layer

The RTU response time is observed with respect to user data packets in Fig. 9. The response time becomes poorer as the IEC 60870-5-104 packet flood increases. The user data packets have been flooded starting at the rate of 100 packets per second, and the RTU stopped responding to MTU requests at the rate of 580 packets per second.

Fig. 9. IEC 60870-5-104 application protocol packet flood vs response time (plot of RTU response time in millisec, 0 to 160, against packet flood rate, axis labelled Kbits/sec, 100 to 570)

V. IMPACT OF DOS ATTACKS

This section describes the impact of the above-discussed (DoS) attacks on the SCADA system in detail. Each attack is characterized, its possibility is analyzed, and its impact is studied.

When analyzing the impact of the attacks, we have to consider the three information security components: Confidentiality, Integrity and Availability. Analyzing each type of attack with regard to these three characteristics makes it easier to identify the consequences of each attack. The impacts of the attacks are analyzed on both the RTU and the MTU side.

In a SCADA network, an attacker could be trying to disrupt the communications between the RTU and MTU by sending spurious packets into the network. If the attacker is mounting a DoS attack on the RTUs, there will be no possibility of communication. As the communication is disrupted, the higher-level networks like the Process Control Network and the Corporate Network [11] will also be affected. When the MTU is not able to acquire data from multiple RTUs, the impact will show up on the data archival server/data historian (used to generate reports) and the Human Machine Interface (used for visualization of data). When an RTU is affected by a DoS attack, commands initiated from the HMI/MTU may not be able to reach the RTU, and this may lead to improper functionality. Attacks on the RTU or MTU may affect critical functionalities such as scheduling, state estimation, islanding etc.

The attacker can also flood the MTU (in a similar way to the RTU) with 'n' number of data packets, resulting in abnormal behavior, and it may go down. Every system has some limit to the packets it can accept in a particular time interval; if that limit is exceeded, then the problem will occur. Lots of data at a particular time will make the MTU perform some abnormal activity, and it can shut down the system also. Abnormal MTU behavior will affect the RTU and may affect the other SCADA networks also. In this scenario, the MTU cannot get data from the RTUs and is not able to provide them for monitoring and further decision making.
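The APCI bytes shown in Fig. 7 of Experiment 3 decode as a U-format STARTDT act frame: start byte 0x68, length 4, and control field octet 0x07, which is the U-format marker 0x03 plus the STARTDT act bit 0x04. A monitor sitting between MTU and RTU needs exactly this decoding to tell a legitimate session start from a flood of repeated ones, so the following parser is given as an added example (not the paper's or C-DAC's code). Field layouts follow IEC 60870-5-104 (the I/S/U format bits and the 15-bit send/receive sequence numbers); the sample byte stream, including the 3-byte I-frame payload, is constructed here and is not a real ASDU.

```python
"""Parser for the IEC 60870-5-104 APCI header shown in Fig. 7.

Added example, not code from the paper.  Decodes the fixed 6-byte APCI
(start 0x68, APDU length, four control-field octets), distinguishes I-,
S- and U-format frames, and splits a TCP byte stream into APDUs.
"""
from dataclasses import dataclass
from typing import List, Optional

START = 0x68
APCI_LEN = 6              # start, length, CF1..CF4
MAX_APDU_LEN = 253        # largest value the length octet may carry

# U-format function bits carried in control field octet 1.
U_FUNCTIONS = {
    0x04: "STARTDT act", 0x08: "STARTDT con",
    0x10: "STOPDT act",  0x20: "STOPDT con",
    0x40: "TESTFR act",  0x80: "TESTFR con",
}


@dataclass
class Apdu:
    fmt: str                     # "I", "S" or "U"
    send_seq: Optional[int]      # N(S), I-format only
    recv_seq: Optional[int]      # N(R), I- and S-format
    u_function: Optional[str]    # U-format only
    asdu: bytes                  # application data following the APCI


def parse_apdu(buf: bytes) -> Apdu:
    """Decode one APDU from the front of buf; raise ValueError if malformed."""
    if len(buf) < APCI_LEN:
        raise ValueError("short APDU: %d bytes" % len(buf))
    if buf[0] != START:
        raise ValueError("bad start byte 0x%02x" % buf[0])
    length = buf[1]
    if length < 4 or length > MAX_APDU_LEN:
        raise ValueError("illegal APDU length %d" % length)
    if len(buf) < 2 + length:
        raise ValueError("truncated APDU: need %d bytes, have %d" % (2 + length, len(buf)))
    cf1, cf2, cf3, cf4 = buf[2:6]
    asdu = bytes(buf[6:2 + length])
    if cf1 & 0x01 == 0:                       # I-format: numbered information transfer
        ns = (cf1 >> 1) | (cf2 << 7)          # 15-bit send sequence number
        nr = (cf3 >> 1) | (cf4 << 7)          # 15-bit receive sequence number
        return Apdu("I", ns, nr, None, asdu)
    if cf1 & 0x03 == 0x01:                    # S-format: numbered supervisory
        if length != 4:
            raise ValueError("S-format APDU must have length 4, got %d" % length)
        return Apdu("S", None, (cf3 >> 1) | (cf4 << 7), None, b"")
    if length != 4:                           # U-format: unnumbered control function
        raise ValueError("U-format APDU must have length 4, got %d" % length)
    func = U_FUNCTIONS.get(cf1 & 0xFC)
    if func is None:
        raise ValueError("unknown U-format function 0x%02x" % cf1)
    return Apdu("U", None, None, func, b"")


def split_stream(stream: bytes) -> List[Apdu]:
    """Split a TCP byte stream into APDUs; raises at the first malformed frame."""
    out, pos = [], 0
    while pos + APCI_LEN <= len(stream):
        out.append(parse_apdu(stream[pos:]))
        pos += 2 + stream[pos + 1]
    return out


# The APCI from Fig. 7 of the paper: U-format, STARTDT act.
FIG7_APCI = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])

# Constructed stream: the Fig. 7 frame, an I-frame with N(S)=1, N(R)=0 carrying
# three constructed payload bytes (not a real ASDU), then an S-frame with N(R)=2.
SAMPLE_STREAM = (
    FIG7_APCI
    + bytes([0x68, 0x07, 0x02, 0x00, 0x00, 0x00, 0x64, 0x01, 0x06])
    + bytes([0x68, 0x04, 0x01, 0x00, 0x04, 0x00])
)

if __name__ == "__main__":
    for apdu in split_stream(SAMPLE_STREAM):
        print(apdu)
```

Because each frame is length-prefixed, a flood of valid frames parses cleanly; the defensive value of the parser is in what a monitor counts on top of it, for instance repeated STARTDT act frames on an already active session or an APDU rate per connection far above the MTU's polling cycle, which is the pattern Experiment 3 produces.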
VI. CONCLUSION

This paper addresses the simulation and impact of DoS attacks on SCADA systems at the network layer, transport layer and application layer. It is very clear and apparent that cyber threats and attacks are possible in control systems. The impact can be very dangerous. It is important to safeguard the critical infrastructure in our country, as critical infrastructure becomes an easy target and hackers may target control systems more than IT systems. Threats like various types of denial of service were simulated and their impacts on SCADA systems have been determined.

REFERENCES

[1] IEC 60870: Telecontrol equipment and systems - Part 5-101: Transmission protocols - Companion standard for basic telecontrol tasks
[2] IEC 60870: Telecontrol equipment and systems - Part 5-104: Transmission protocols - Network access for IEC 60870-5-101 using standard transport profiles
[3] IEC 61850: Communication networks and systems for power utility automation
[4] Gordon R. Clarke et al., Practical modern SCADA protocols: DNP3, 60870.5 and related systems, Newnes, 2004
[5] M. Long, C.-H. Wu, and J. Y. Hung, "Denial of service attacks on network-based control system: Impact and mitigation," IEEE Trans. Ind. Inf., vol. 1, no. 2, pp. 85–96, May 2005.
[6] DoS: https://developer.mozilla.org/en-US/docs/Glossary/Distributed_Denial_of_Service
[7] DoS: http://www.eukhost.com/blog/webhosting/ddos-attack-denial-of-service/
[8] Michael Gregg, "Certified Ethical Hacker Exam Prep", 2011
[9] What's SCADA got to do with your IT department? By Rob Livingstone [http://rob-livingstone.com/2013/10/whats-scada-got-to-do-with-your-it-department/]
[10] Teodor Sommestad, Mathias Ekstedt, Lars Nordström, "Modeling security of power communication systems using defense graphs and influence diagrams," IEEE Transactions on Power Delivery, vol. 24, no. 4, Oct 2009
[11] ANSI/ISA–99.00.01–2007 - Security for Industrial Automation and Control Systems
[12] Soumitra K. Ghosh, "Changing Role of SCADA in Manufacturing Plan", Industry Applications Conference 31st IAS Annual Meeting, IAS '96, 1999.
[13] Dong-Joo Kang, Hak-Man Kim, "Development of Test-bed and Security Devices for SCADA Communication in Electric Power System", Korea Electro-technology Research Institute, Incheon City College.
[14] Ghosh, Soumitra K. "Changing role of SCADA in manufacturing plant." Industry Applications Conference, 1996. Thirty-First IAS Annual Meeting, IAS '96., Conference Record of the 1996 IEEE. Vol. 3. IEEE, 1996.
[15] Kang, Dong-Joo, et al. "Analysis on cyber threats to SCADA systems." Transmission & Distribution Conference & Exposition: Asia and Pacific, 2009. IEEE, 2009.
[16] Durga Samanth Pidikiti, Rajesh Kalluri, R. K. Senthil Kumar, B. S. Bindhumadhava, "SCADA Communication Protocols: Vulnerabilities, Attacks and Possible Mitigations", CSI Journal, 2013, published by Springer
