
Reading Room

Industrial Control Systems / SCADA

Featuring 17 Papers as of September 16, 2016

  • How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System Masters
    by Matthew Hosburgh - July 12, 2016 

    Imagine a device that could decrypt all encryption within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary's vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy, especially for the most critical infrastructure.


  • SANS 2016 State of ICS Security Survey Analyst Paper
    by Derek Harp and Bengt Gregory-Brown - June 28, 2016 

    Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.



  • Constructing a Measurable Tabletop Exercise for a SCADA Environment Masters
    by Matthew Hosburgh - March 14, 2016 

    It was the start of the evening shift. Because daylight savings had just fallen back, it was already dark outside at six o'clock PM central time.


  • The Impact of Dragonfly Malware on Industrial Control Systems Masters
    by Nell Nelson - January 22, 2016 

    During the past several years and ending in 2014, Dragonfly malware infected hundreds of business computers in an often successful attempt to collect information on industrial control systems across the United States and Europe.


  • Developments in Car Hacking Masters
    by Roderick Currie - January 7, 2016 

    In the developed world, there is arguably no appliance more prevalent in people's lives than the automobile.


  • Secure Architecture for Industrial Control Systems Masters
    by Luciana Obregon - October 15, 2015 

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organization's support model. ICS are responsible for a vast amount of critical processes, necessitating that organizations adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.


  • The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee - October 5, 2015 

    Read this paper to gain an understanding of an adversary's campaign against ICS. The first two parts of the paper introduce the two stages of the ICS Cyber Kill Chain. The third section uses the Havex and Stuxnet case studies to demonstrate the ICS Cyber Kill Chain in action.


  • Challenges for IDS/IPS Deployment in Industrial Control Systems Masters
    by Michael Horkan - August 7, 2015 

    Intrusion Detection and Prevention Systems (IDS/IPS) are a key component of defense-in-depth strategy for information systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems need to incorporate this technology in order to properly defend against a growing threat landscape. This paper examines how to deploy this technology in a sample ICS/SCADA setting, identifies hurdles that both industrial control system vendors and asset owners must overcome in order to make IDS/IPS deployment successful, and provides recommendations for both vendors and owners in order to approach the use of these technologies. This paper is written with two audiences in mind. It is intended for the enterprise IT professional who is familiar with security technologies and best practices, but unfamiliar with ICS/SCADA, as well as ICS/SCADA engineers and managers who lack experience in enterprise security.


  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation to a layered architecture using more standard IT components to the latest trend of Industrial Internet of Things (IIoT); so too have the challenges associated with securing these environments.


  • Leveraging the SCADA Cloud for Fun and Profit Masters
    by Matthew Hosburgh - December 19, 2014 

    Long live the operator! At a point in time, they were the backbone of the phone system, ensuring that calls were routed where they needed to go. In many organizations, an operator still exists in one form or another. A version of this operator is common in a Security Operation Center (SOC) and many Industrial Control System (ICS) networks. In the ICS and Supervisory Control and Data Acquisition (SCADA) world, centralized security monitoring is either non-existent or so limited that the information provided does not paint an accurate security picture.


  • Energy and Utilities Defense Response based on 2014 Attack Pattern Masters
    by Adi Sitnica - December 11, 2014 

    False sense of security and management not understanding the value of cyber security are just a few of the issues why the Energy and Utilities industry are behind in terms of elevating cyber security to a status level on par or higher with physical security.


  • Rate my nuke: Bringing the nuclear power plant control room to iPad by Mikko Niemelä - November 14, 2014 

    Industrial Control Systems monitor and control industrial processes that exist in the physical world and, by design, are isolated from public networks. However, the prevailing use case, connectivity, and integration of mobile devices in the workplace has impacted the industrial environment. These isolated control system networks are now under pressure due to market demand to become Internet-accessible. Therefore, a security architecture for mobile device usage in the industrial environment must be designed with security controls and proper certificate-based authentication.


  • The Spy with a License to Kill Masters
    by Matthew Hosburgh - October 24, 2014 

    The opening scene of GoldenEye underscores the skills and precision of James Bond, 007. Years of experience and training make impossible missions look routine. These skills alone would not allow 007 to succeed; rather, a calculated plan that targeted the vulnerabilities in the Archangel Chemical Weapons Facility coupled with 007's skills provided for a successful mission.


  • Security Operations Centre (SOC) in a Utility Organization by Babu Veerappa Srinivas - October 7, 2014 

    Cyber security threats are increasing manifold, irrespective of the size of an organization. This is evident after reviewing many industry reports such as the Verizon 2014 Data Breach Investigation Report (Verizon, 2014), Trustwave 2014 Global Security Report (Trustwave, 2014) and Symantec Internet Security Threat Report 2014 (Symantec, 2014).


  • Protect Critical Infrastructure Systems With Whitelisting by Dwight Anderson - August 5, 2014 

    Today there tends to be a misunderstanding regarding the operational aspect of critical infrastructure systems.


  • Breaches on the Rise in Control Systems: A SANS Survey Analyst Paper
    by Matthew Luallen - April 1, 2014 

    Survey shows SCADA breaches on rise from 2013, and more targeted.


Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters - This paper was created by a SANS Technology Institute student as part of their Master's curriculum.