Reading Room

Industrial Control Systems / SCADA

Featuring 39 Papers as of April 21, 2021

  • Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems Graduate Student Research
    by Jonathan Baeckel - February 11, 2021 

    There is a blind spot the size of a 27-ton, 2.25-megawatt maritime diesel generator in the world's critical infrastructure control system (CICS) landscape. Compared to typical IT systems, CICSs are composed of a much larger ratio of non-routable traffic, such as serial-based Fieldbus communications, than their IT-based brethren, which almost exclusively rely on TCP/IP-based traffic. This traffic tells field devices to take actions and reports back process status to operators, engineers, and automated portions of the process. As vital as it is to the process, this specialized traffic is routinely ignored by Operational Technology (OT) architects and analysts charged with defending this type of system. They tend to favor a TCP/IP only approach to traffic collection and analysis that is more geared toward an IT-only environment. This paper analyzes Stuxnet to determine the effect that serial communication monitoring and analysis may have on the situational awareness of such an event. It will pose several questions. Could the attack have been detected without the availability of known Indicators of Compromise (IoC)? Would the attack have been detected sooner? Would there have been no effect at all? This information may help organizations pursue a risk-based approach to architecting a CICS traffic collection and analysis system.

  • Managing ICS Security with IEC 62443 by Jason Dely - December 2, 2020 

    In this follow-up to “Effective ICS Cybersecurity Using the IEC 62443 Standard,” this paper examines how to use the Standard to strategically reduce ICS cybersecurity risk.

  • Effective ICS Cybersecurity Using the IEC 62443 Standard Analyst Paper (requires membership in community)
    by Jason Dely - November 17, 2020 

    IEC 62443 is the global standard for the security of ICS networks, designed to help organizations reduce the risk of failure and exposure of ICS networks to cyberthreats. This paper explores how that standard can provide guidance to enterprises looking to choose and implement technical security capabilities. It also addresses how Fortinet's layered solutions may help asset owners and system integrators reach IEC 62443 compliance.

  • Industrial Traffic Collection: Understanding the implications of Deploying visibility without impacting production Graduate Student Research
    by Daniel Behrens - September 21, 2020 

    Due to the critical nature of industrial environments and the lifetime of deployed assets, many organizations do not have complete knowledge of what assets are operating in the environment and what communications are involved. With the continuous move to IP-based communications for controls equipment, cybersecurity continues to increase in importance and is a priority for many executives. Industrial controls are unique because they interface with the real world, which has implications for human safety and the ability of an organization to maintain operations. Unfortunately, the criticality of these devices and the lack of robust network functions on many of them often require the use of passive solutions to gather information. This paper focuses on outlining the potential impact of collecting network traffic, discussing the functions available on networking equipment to enable it, identifying possible deployment architectures and the pros and cons of each, and explaining a methodology to calculate the potential impacts.

  • Fashion Industry (Securely) 4.0ward Graduate Student Research
    by Shawna Turner - September 9, 2020 

    The fashion market segment is going through a significant technological upgrade. The need to meet modern consumer expectations and desires requires wholesale changes in the way the fashion ecosystem has historically shared information and manufactured products. Fashion cannot use existing security guidance due to the consumer expectations that a fashion product provides a unified physical experience. The addition of significant new technology increases the risk of intellectual property loss. The fashion industry requires a list of minimum-security controls that address the entire ecosystem of fashion from the fashion houses to the supply chain to the factory floor to address information security concerns. This paper begins the process of developing a minimum viable list of controls by combining controls from the Purdue model with recommended controls from the Verizon 2019 Data Breach Investigation Report (DBIR). The paper focuses on proposed controls for the fashion sector; however, they apply to any manufacturing pivoting to Industry 4.0.

  • 60870-5-104 protocol snort rule customization by Adrian Aron - August 10, 2020 

    OT security emerges as a necessity due to the flat network implementations and criticality of the systems operated over the network. Supervisory Control And Data Acquisition (SCADA) protocol IEC 60870-5-104 is widely used in Europe by most utility operators, making it a target for attackers. While IDS signatures for SCADA IEC104 have been developed, most of them are generic and bind to the standard protocol itself, not to the specific implementation of each customer. For example, an interrogation command telegram might be harmless in one customer environment, while in another it might be critical information. This paper explains the underlying construct of an IEC104 telegram and how to customize standard Snort rules for that specific telegram. In this way, each SCADA command can be interpreted and evaluated for permit/monitor/deny to any controlled device, for each particular SCADA implementation.

  • Implementation Guide for Vendors and Integrators Working in NERC-CIP Environments Analyst Paper (requires membership in community)
    by Tim Conway - July 27, 2020 

    This paper examines some of the essential NERC CIP Standards for third-party organizations to understand as well as how the requirements affecting third-party products and services may vary from site to site or organization to organization.

  • ICS Asset Identification: It's More Than Just Security Analyst Paper (requires membership in community)
    by Mark Bristow - June 24, 2020 

    Historically, asset identification has been associated with time-consuming and costly cybersecurity efforts. In this new SANS report, Mark Bristow, SANS ICS Active Defense and Incident Response certified instructor, explores the critical resources needed to start an asset identification program. The author also explains how asset identification can enhance ROI through such benefits as improved maintenance, reduced mean-time-to-repair, and increased availability.

  • How to Use NERC-CIP: An Overview of the Standards and Their Deployment with Fortinet Analyst Paper (requires membership in community)
    by Tim Conway and Ted Gutierrez - June 17, 2020 

    This paper is a unique review of a few key Fortinet products and how those products align with existing NERC CIP regulation requirements. It also examines how those products might aid an organization in the process of maintaining compliance and explores the product features that will help defend the organization's program during an audit.

  • Responding to Incidents in Industrial Control Systems: Identifying Threats/Reactions and Developing the IR Process Analyst Paper (requires membership in community)
    by Don C. Weber - May 21, 2020 

    Threats, attacks and incidents are not decreasing. Industrial control systems (ICS) have become increasingly vulnerable as cyber criminals discover that OT environments are viable targets. This paper outlines the incident response process in OT environments and provides examples of the pitfalls of being unprepared.

  • ICS OT Systems Security Engineering Is Not Dead by Isiah Jones - March 23, 2020 

  • Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication Graduate Student Research
    by Michael Hoffman - February 12, 2020 

    Modbus TCP and other legacy ICS protocols ported over from serial communications are still widely used in many ICS verticals. Due to extended operational ICS component life, these protocols will be used for many years to come. Insecure ICS protocols allow attackers to potentially manipulate PLC code and logic values that could lead to disrupted critical system operations. These protocols are susceptible to replay attacks and unauthenticated command execution (Bodungen, Singer, Shbeeb, Hilt, & Wilhoit, 2017). This paper examines the viability of deploying PLC configuration modifications, programming best practices, and network security controls to demonstrate that it is possible to increase the difficulty for attackers to maliciously abuse ICS devices and mitigate the effects of attacks based on insecure ICS protocols. Student kits provided in SANS ICS515 and ICS612 courses form the backdrop for testing and evaluation of ICS protocols and device configurations.

  • Guarding the Modern Castle: Providing Visibility into the BACnet Protocol Graduate Student Research
    by Aaron Heller - October 30, 2019 

    Building automation devices are used to monitor and control HVAC, security, fire, lighting, and other similar functions in a building or across a campus. Over 60% of the global market for building automation relies on the BACnet protocol to enable communication between field devices (BSRIA, 2018). There are few open-source network intrusion detection or prevention systems (NIDS/NIPS) capable of interpreting and monitoring the BACnet protocol (Hurd & McCarty, 2017). This blind spot presents a significant security risk. The maloperation of building automation systems can cause physical damage and financial losses, and can allow an attacker to pivot from a building automation network into other networks (Balent & Gordy, 2013). A BACnet/IP protocol analyzer was created for an open-source NIDS/NIPS called Zeek to help minimize this network security blind spot. The analyzer was tested with publicly available BACnet capture files, including some with protocol anomalies. The new analyzer and test cases provide network defenders with a tool to implement a BACnet/IP capable NIDS/NIPS as well as insight into how to defend the modern-day “castles” that rely on the Building Automation and Control network protocol.

  • SANS 2019 State of OT/ICS Cybersecurity Survey Analyst Paper (requires membership in community)
    by Barbara Filkins and Doug Wylie - June 11, 2019 

    In this survey, SANS experts Doug Wylie and Barb Filkins, with advisor and SANS instructor Jason Dely, examine the current state of known and perceived cybersecurity risks, threats and potential impacts to industrial and automation control systems that are applied within the Operational Technology (OT) domain. The survey explores how adeptly we are safeguarding operations and protecting human and company capital from a range of technical and non-technical cybersecurity risks that stem from threats that include malicious and unintentional insiders and outsiders.

  • Gaining Endpoint Log Visibility in ICS Environments Graduate Student Research
    by Michael Hoffman - March 11, 2019 

    Security event logging is a base IT security practice and is referenced in Industrial Control Security (ICS) standards and best practices. Although there are many techniques and tools available to gather event logs and provide visibility to SOC analysis in the IT realm, there are limited resources available that discuss this topic specifically within the context of the ICS industry. As many in the ICS community struggle with gaining logging visibility in their environments and understanding collection methodologies, logging implementation guidance is further needed to address this concern. Logging methods used in ICS, such as WMI, Syslog, and Windows Event Forwarding (WEF), are common to the IT industry. This paper examines WEF in the context of Windows ICS environments to determine if WEF is better suited for ICS environments than WMI pulling regarding bandwidth, security, and deployment considerations. The comparison between the two logging methods is made in an ICS lab representing automation equipment commonly found in energy facilities.

  • ICS Layered Threat Modeling by Mounir Kamal - January 22, 2019 

    The ultimate goal of building a cybersecurity architecture is to protect systems from potential threats that can cause imminent harm to the institution. We often hear the expression “security by design” in the information security world; it is a deeper concept than it looks, as it requires compiling a list of possible threats against the targeted systems. Building a threat model guides how to build a secure architecture and achieve the security-by-design concept, and this is precisely what the paper aims to explore. This paper is an intensive study to collect accurate and plausible threat models that can help to secure ICS architecture by design.

  • The 2018 SANS Industrial IoT Security Survey: Shaping IIoT Security Concerns Analyst Paper (requires membership in community)
    by Barbara Filkins - July 18, 2018 

    IIoT endpoint security is the leading concern of respondents to the 2018 SANS IIoT Security Survey, with network security controls and countermeasures being the main enablers of IIoT security. Most of the growth in connected devices is expected to be for those used for monitoring, status, alarms and alerting, as well as predictive maintenance, but over 50% of respondents are still using their devices controlling operations and processes. Read on to learn more.

  • Passive Analysis of Process Control Networks by Jennifer Janesko - June 1, 2018 

    In recent years there has been an increased push to secure critical ICS infrastructures by introducing information security management systems. One of the first steps in the ISMS lifecycle is to identify which assets are present in the infrastructure and to determine which ones are critical for operations. This is a challenge because, for various reasons, the documentation of the current state of ICS networks is often not up-to-date. Classic inventorying techniques such as active network scanning cannot be used to remedy this because ICS devices tend to be sensitive to unexpected network traffic. Active scanning of these systems can lead to physical damage and even injury. This paper introduces a passive network analysis approach to starting, verifying and/or supplementing an ICS asset inventory. Additionally, this type of analysis can also provide some insight into the ICS network’s current security posture.

  • Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark Graduate Student Research
    by Gabriel Sanchez - October 20, 2017 

    Though attacks on industrial control systems (ICS) and their protocols are not a new occurrence, recent years have highlighted a growing trend in such attacks. To make matters worse, cyber defenders have also dealt with a slow migration to more secure ICS protocols due to the costs associated with equipment downtime. With the increase in attacks and the slow migration to more secure ICS protocols, it is crucial for cyber defenders to be able to quickly set up labs to mimic and observe how potential attacks on the ICS network function so that necessary defenses and detection mechanisms can be put in place. This paper lays out how to set up a lab with multiple virtual machines and ICS software that can observe a Master workstation controlling a PLC. First, Wireshark is used to illustrate and compare normal Modbus TCP communications between the Master and PLC workstations. Wireshark is then used to demonstrate and compare a MITM attack with an Ettercap filter that manipulates the Modbus TCP communications against both workstations.

  • Securing Industrial Control Systems-2017 Analyst Paper (requires membership in community)
    by Bengt Gregory-Brown - July 11, 2017 

    We annually gather and analyze raw data from hundreds of IT and industrial control systems (ICS) security practitioners. Our mission is to turn these inputs into actionable intelligence to support new developments and address trends in the field that inform crucial business decisions. Here we report on these trends and other changes that make active use of ICS as a core enabler for business imperatives, and provide actionable advice for today's security practitioners.

  • Incentivizing Cyber Security: A Case for Cyber Insurance by Jason D. Christopher - June 27, 2017 

    In the wake of recent events (Ukraine, Shamoon v2, WannaCry), providing cyber security continues to be an enigma. Unlike traditional engineering problems, we cannot define the constraints and rules adequately. We lack the data and models to describe the variables, let alone the mathematical function. Read on for ideas on how ICS can benefit from cyber insurance.

  • Digital Ghost: Turning the Tables Analyst Paper (requires membership in community)
    by Michael J. Assante - February 1, 2017 

    The complex weave of digital technology relies heavily on hyperconnected systems to move data and unlock value through analytics. The benefits are real, but the stakes involved require a serious look at the potential downsides, including the risk of cyber attacks. Organizations embracing technology innovation should not focus solely on efficiency and productivity, for innovation done correctly can also reduce the risks that come with expanding digital touchpoints.

  • How to Target Critical Infrastructure: The Adversary Return on Investment from an Industrial Control System Graduate Student Research
    by Matthew Hosburgh - July 12, 2016 

    Imagine a device that could decrypt all encryption—within seconds. A box with this capability could be one of the most valuable pieces of equipment for an organization, but even more valuable to an adversary. What if that box only worked against American encryption? If true, a particular market would be ripe for the harvest. A device that powerful could be used to decrypt secrets and data in transit, making encrypted data an adversary might have access to, extremely valuable. Similarly, Critical Infrastructure is a target for some because of the yield that a successful attack could result in. Death, disruption or damage is a real possibility. The Return on Investment (ROI) and Return on Security Investment (ROSI) fall short in actually determining the level of protection required for an organization striving to protect the most sensitive data or system. The Adversary Return on Investment (AROI) is the missing piece to the equation. From the adversary’s vantage point, data, infrastructure or systems have value. By understanding this value an organization can more appropriately align its security strategy; especially, for the most critical infrastructure.

  • SANS 2016 State of ICS Security Survey Analyst Paper (requires membership in community)
    by Derek Harp and Bengt Gregory-Brown - June 28, 2016 

    Analysis of survey data collected between January and April 2016 indicates that security for ICSes has not improved in many areas and that many problems identified as high-priority concerns in our past surveys remain as prevalent as ever. In this report we focus on identifying and prioritizing recommendations to address the greatest concerns.

  • Constructing a Measurable Tabletop Exercise for a SCADA Environment Graduate Student Research
    by Matthew Hosburgh - March 14, 2016 

    It was the start of the evening shift. Because daylight savings just “fell back” it was already dark outside—at six o’clock PM central time.

  • The Impact of Dragonfly Malware on Industrial Control Systems Graduate Student Research
    by Nell Nelson - January 22, 2016 

    During the past several years and ending in 2014, Dragonfly malware infected hundreds of business computers in an often successful attempt to collect information on industrial control systems across the United States and Europe.

  • Developments in Car Hacking Graduate Student Research
    by Roderick Currie - January 7, 2016 

    In the developed world, there is arguably no appliance more prevalent in people’s lives than the automobile.

  • Secure Architecture for Industrial Control Systems Graduate Student Research
    by Luciana Obregon - October 15, 2015 

    Industrial Control Systems (ICS) have migrated from stand-alone isolated systems to interconnected systems that leverage existing communication platforms and protocols to increase productivity, reduce operational costs and further improve an organization’s support model. ICS are responsible for a vast amount of critical processes necessitating organizations to adequately secure their infrastructure. Creating strong boundaries between business and process control networks can reduce the number of vulnerabilities and attack pathways that an intruder may exploit to gain unauthorized access into these critical systems. This paper provides guidance to those organizations that must secure their ICS systems and networks through a defense-in-depth approach to security, achieved through the identification of key security patterns and controls that apply to critical information security domains. The goal is a visual explanation that allows stakeholders to understand how to reduce information risk while preserving the confidentiality, integrity and availability of critical infrastructure resources in the industrial control environment.

  • The Industrial Control System Cyber Kill Chain by Michael J. Assante and Robert M. Lee - October 5, 2015 

    Read this paper to gain an understanding of an adversary's campaign against ICS. The first two parts of the paper introduce the two stages of the ICS Cyber Kill Chain. The third section uses the Havex and Stuxnet case studies to demonstrate the ICS Cyber Kill Chain in action.

  • Challenges for IDS/IPS Deployment in Industrial Control Systems by Michael Horkan - August 7, 2015 

    Intrusion Detection and Prevention Systems (IDS/IPS) are a key component of defense-in-depth strategy for information systems. Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems need to incorporate this technology in order to properly defend against a growing threat landscape. This paper examines how to deploy this technology in a sample ICS/SCADA setting, identifies hurdles that both industrial control system vendors and asset owners must overcome in order to make IDS/IPS deployment successful, and provides recommendations for both vendors and owners in order to approach the use of these technologies. This paper is written with two audiences in mind. It is intended for the enterprise IT professional who is familiar with security technologies and best practices, but unfamiliar with ICS/SCADA, as well as ICS/SCADA engineers and managers who lack experience in enterprise security.

  • The Perfect ICS Storm by Glenn Aydell - June 8, 2015 

    As manufacturing Industrial Control System (ICS) architectural designs have evolved from isolated and proprietary systems with physical separation, to a layered architecture using more standard IT components, to the latest “trend” of the Industrial Internet of Things (IIoT), so too have the challenges associated with securing these environments.

  • Leveraging the SCADA Cloud for Fun and Profit Graduate Student Research
    by Matthew Hosburgh - December 19, 2014 

    Long live the operator! At a point in time, they were the backbone of the phone system, ensuring that calls were routed where they needed to go. In many organizations, an operator still exists in one form or another. A version of this operator is common in a Security Operation Center (SOC) and many Industrial Control System (ICS) networks. In the ICS and Supervisory Control and Data Acquisition (SCADA) world, centralized security monitoring is either non-existent or so limited that the information provided does not paint an accurate security picture.

  • Energy and Utilities Defense Response based on 2014 Attack Pattern Graduate Student Research
    by Adi Sitnica - December 11, 2014 

    A false sense of security and management not understanding the value of cyber security are just a few of the reasons why the Energy and Utilities industry is behind in elevating cyber security to a status on par with or higher than physical security.

  • Rate my nuke: Bringing the nuclear power plant control room to iPad by Mikko Niemel - November 14, 2014 

    Industrial Control Systems monitor and control industrial processes that exist in the physical world and, by design, are isolated from public networks. However, the prevailing use case, connectivity, and integration of mobile devices in the workplace has impacted the industrial environment. These isolated control system networks are now under pressure from market demand to become Internet-accessible. Therefore, a security architecture for mobile device usage in the industrial environment must be designed with security controls and proper certificate-based authentication.

  • The Spy with a License to Kill Graduate Student Research
    by Matthew Hosburgh - October 24, 2014 

    The opening scene of GoldenEye underscores the skills and precision of James Bond, 007. Years of experience and training make impossible missions look routine. These skills alone would not allow 007 to succeed; rather, a calculated plan that targeted the vulnerabilities in the Archangel Chemical Weapons Facility coupled with 007's skills provided for a successful mission.

  • Security Operations Centre (SOC) in a Utility Organization by Babu Veerappa Srinivas - October 7, 2014 

    Cyber security threats are increasing manifold, irrespective of the size of an organization. This is evident after reviewing many industry reports such as the Verizon 2014 Data Breach Investigation Report (Verizon, 2014), the Trustwave 2014 Global Security Report (Trustwave, 2014) and the Symantec Internet Security Threat Report 2014 (Symantec, 2014).

  • Protect Critical Infrastructure Systems With Whitelisting by Dwight Anderson - August 5, 2014 

    Today there tends to be a misunderstanding regarding the operational aspect of critical infrastructure systems.

  • Breaches on the Rise in Control Systems: A SANS Survey Analyst Paper (requires membership in community)
    by Matthew Luallen - April 1, 2014 

    The survey shows SCADA breaches on the rise from 2013, and more targeted.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.