Final Week to Get an iPad Mini, Chromebook Flip, or $250 Off with OnDemand and vLive Training!

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Industrial Control Systems / SCADA

Featuring 26 Papers as of June 13, 2019

  • SANS 2019 State of OT/ICS Cybersecurity Survey Analyst Paper (requires membership in community)
    by Barbara Filkins and Doug Wylie - June 11, 2019 

    In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems that are applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks that stem from threats that include malicious and unintentional insiders and outsiders. View the associated infographic here.

  • Gaining Endpoint Log Visibility in ICS Environments STI Graduate Student Research
    by Michael Hoffman - March 11, 2019 

    Security event logging is a base IT security practice and is referenced in Industrial Control Security (ICS) standards and best practices. Although there are many techniques and tools available to gather event logs and provide visibility to SOC analysis in the IT realm, there are limited resources available that discuss this topic specifically within the context of the ICS industry. As many in the ICS community struggle with gaining logging visibility in their environments and understanding collection methodologies, logging implementation guidance is further needed to address this concern. Logging methods used in ICS, such as WMI, Syslog, and Windows Event Forwarding (WEF), are common to the IT industry. This paper examines WEF in the context of Windows ICS environments to determine if WEF is better suited for ICS environments than WMI pulling regarding bandwidth, security, and deployment considerations. The comparison between the two logging methods is made in an ICS lab representing automation equipment commonly found in energy facilities.

  • ICS Layered Threat Modeling by Mounir Kamal - January 22, 2019 

    The ultimate goal of building cybersecurity architecture is to protect systems from potential threats that can cause imminent harm to the institution. Often, we hear a common expression in the information security world “security by design,” which is a deeper terminology than it looks, as it requires compiling a list of possible threats against targeted systems. Building a threat model will guide us on how to build a secure architecture and achieve the security by design concept, and this is what precisely the paper aims to explore. This paper is an intensive study to collect accurate and plausible threat models that can help to secure ICS architecture by design.

  • The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns Analyst Paper (requires membership in community)
    by Barbara Filkins - July 18, 2018 

    IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices controlling operations and processes. Read on to learn more.

  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.

  • Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark STI Graduate Student Research
    by Gabriel Sanchez - October 20, 2017 

    Though attacks on the industrial control system (ICS) and their protocols are not a new occurrence, recent years have highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a slow migration to more secure ICS protocols due to costs associated with equipment downtime. With the increase in attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to quickly set up labs to mimic and observe how potential attacks on the ICS network function so that necessary defenses and detection mechanisms can be put in place. This paper lays out how to setup a lab with multiple virtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark will be used to illustrate and compare normal Modbus TCP communications between the Master and PLC workstations. Wireshark will then be used to demonstrate and compare a MITM attack with an Ettercap filter that manipulates the Modbus TCP communications against both workstations.

  • Securing Industrial Control Systems-2017 Analyst Paper (requires membership in community)
    by Bengt Gregory-Brown - July 11, 2017 

    We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners. Our mission is to turn these inputs into actionable intelligence to support new developments and address trends in the field to inform the crucial business decisions. Here we report on these trends and other changes that make active use of ICS as a core enabler for business imperatives and provide actionable advice for today's security practitioners.

  • Incentivizing Cyber Security: A Case for Cyber Insurance by Jason D. Christopher - June 27, 2017 

    In the wake of recent events-Ukraine, Shamoon v2, WannaCry--providing cyber security continues to be an enigma. Unlike traditional engineering problems, we cannot define the constraints and rules adequately. We lack the data and models to describe the variables, let alone the mathematical function. Read on for ideas on how ICS can benefit from cyber insurance.

  • Digital Ghost: Turning the Tables Analyst Paper (requires membership in community)
    by Michael J. Assante - February 1, 2017 

    The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.

  • How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System STI Graduate Student Research
    by Matthew Hosburgh - July 12, 2016 

    Imagine a device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to, extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy; especially, for the most critical infrastructure.

  • SANS 2016 State of ICS Security Survey Analyst Paper (requires membership in community)
    by Derek Harp and Bengt Gregory-Brown - June 28, 2016 

    Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.

  • Constructing a Measurable Tabletop Exercise for a SCADA Environment STI Graduate Student Research
    by Matthew Hosburgh - March 14, 2016 

    It was the start of the evening shift. Because daylight savings just “fell back” it was already dark outside—at six o’clock PM central time.

  • The Impact of Dragonfly Malware on Industrial Control Systems STI Graduate Student Research
    by Nell Nelson - January 22, 2016 

    During the past several years and ending in 2014, Dragonfly malware infected hundreds of business computers in an often successful attempt to collect information on industrial control systems across the United States and Europe.

  • Developments in Car Hacking STI Graduate Student Research
    by Roderick Currie - January 7, 2016 

    In the developed world, there is arguably no appliance more prevalent in people’s lives than the automobile.

  • Secure Architecture for Industrial Control Systems STI Graduate Student Research
    by Luciana Obregon - October 15, 2015 

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organization’s support model. ICS are responsible for a vast amount of critical processes necessitating organizations to adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.

  • The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee - October 5, 2015 

    Read this paper to gain an understanding of an adversary's campaign against ICS. The first two parts of the paper introduce the two stages of the ICS Cyber Kill Chain. The third section uses the Havex and Stuxnet case studies to demonstrate the ICS Cyber Kill Chain in action.

  • Challenges for IDS/IPS Deployment in Industrial Control Systems by Michael Horkan - August 7, 2015 

    Intrusion Detection and Prevention Systems (IDS/IPS) are a key component of defense-in-depth strategy for information systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems need to incorporate this technology in order to properly defend against a growing threat landscape. This paper examines how to deploy this technology in a sample ICS/SCADA setting, identifies hurdles that both industrial control system vendors and asset owners must overcome in order to make IDS/IPS deployment successful, and provides recommendations for both vendors and owners in order to approach the use of these technologies. This paper is written with two audiences in mind. It is intended for the enterprise IT professional who is familiar with security technologies and best practices, but unfamiliar with ICS/SCADA, as well as ICS/SCADA engineers and managers who lack experience in enterprise security.

  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation to a layered architecture using more standard IT components to the latest “trend” of Industrial Internet of Things (IIoT); so too have the challenges associated with securing these environments.

  • Leveraging the SCADA Cloud for Fun and Profit STI Graduate Student Research
    by Matthew Hosburgh - December 19, 2014 

    Long live the operator! At a point in time, they were the backbone of the phone system, ensuring that calls were routed where they needed to go. In many organizations, an operator still exists in one form or another. A version of this operator is common in a Security Operation Center (SOC) and many Industrial Control System (ICS) networks. In the ICS and Supervisory Control and Data Acquisition (SCADA) world, centralized security monitoring is either non-existent or so limited that the information provided does not paint an accurate security picture.

  • Energy and Utilities Defense Response based on 2014 Attack Pattern STI Graduate Student Research
    by Adi Sitnica - December 11, 2014 

    False sense of security and management not understanding the value of cyber security are just a few of the issues why the Energy and Utilities industry are behind in terms of elevating cyber security to a status level on par or higher with physical security.

  • Rate my nuke: Bringing the nuclear power plant control room to iPad by Mikko Niemel - November 14, 2014 

    Industrial Control Systems monitor and control industrial processes that exist in the physical world and by design, are isolated from public networks. However, the prevailing use case, connectivity, and integration of mobile devices in the workplace has impacted the industrial environment. These isolated control system networks are now under pressure due to market demand to become Internet-accessible. Therefore, a security architecture for mobile device usage in th industrial environment must be designed with security controls and proper certificate-based authentication.

  • The Spy with a License to Kill STI Graduate Student Research
    by Matthew Hosburgh - October 24, 2014 

    The opening scene of GoldenEye underscores the skills and precision of James Bond, 007. Years of experience and training make impossible missions look routine. These skills alone would not allow 007 to succeed; rather, a calculated plan that targeted the vulnerabilities in the Archangel Chemical Weapons Facility coupled with 007's skills provided for a successful mission.

  • Security Operations Centre (SOC) in a Utility Organization by Babu Veerappa Srinivas - October 7, 2014 

    Cyber security threats are an increasing manifold, irrespective of the size of an organization. This is evident after reviewing many industry reports such as Verizon 2014 Data Breach Investigation Report (Verizon, 2014), Trustwave 2014 Global Security Report ((Trustwave, 2014) and Symantec Internet Security Threat Report 2014 (Symantec, 2014).

  • Protect Critical Infrastructure Systems With Whitelisting by Dwight Anderson - August 5, 2014 

    Today there tends to be a misunderstanding regarding the operational aspect of critical infrastructure systems.

  • Breaches on the Rise in Control Systems: A SANS Survey Analyst Paper (requires membership in community)
    by Matthew Luallen - April 1, 2014 

    Survey shows SCADA breaches on rise from 2013, and more targeted.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

STI Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.