di Marco Capriz
“As a young boy, I was taught in high school that hacking was cool.”
Kevin Mitnick, one of the most famous hackers of all time.
“Further, the next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal.”
Dorothy Denning, Distinguished Professor, Department of Defense Analysis, Naval Postgraduate School.
“If you spend more on coffee than on IT security, then you will be hacked. What’s more you deserve to be hacked.”
Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism.
Kevin Mitnick’s carried out his first recorded computer crime at the age of 16, when in 1979 he hacked in to Digital Equipment Corporation’s network to steal software. He went on to make the FBI’s “Most Wanted” list between 1989 and 1995. Although Mitnick’s main motivation for cyber crime was monetary gain, he delighted in being ahead of the authorities that were chasing him. For him cybercrime was a game.
The situation has changed dramatically in the 15 years since Mitnick was eventually apprehended. As software and networking tools become more sophisticated, they also become more complex and vulnerable to attacks, that are also are becoming more complex.
Cybercrime has become a very lucrative enterprise. Because of this the focus of interdiction agencies and software developers around the world has been to prevent, manage and prosecute attacks directed against enterprises that monetize their digital capabilities. Usually these enterprises have reasonably high levels of security that are bypassed by very sophisticated attackers.
However there are greater dangers lurking in the virtual world of the Internet. Dorothy Denning identifies cyber-terrorism as the next major strategic threat. The United States has taken this strategic threat seriously enough to create Cyber Command, a new division of the Department of Defense, set up to safeguard the nation’s military critical information systems.
However, with most of the counterattack efforts being directed to protect against commercial losses by people and enterprises, and to protect military infrastructure, less attention has been paid to a very critical area that is even today extremely vulnerable to cyber attacks that, if successful, could be far more damaging in terms not only of economic losses but also in terms of physical losses to lives and properties. This is the area of Critical National Infrastructure and specifically a country’s utility infrastructure.
This paper will address the problems stemming from an industry that is completely reliant upon a very outdated and extremely vulnerable IT infrastructure. It will look at the way this infrastructure can be penetrated for malicious purposes and present a possible terrorist attack scenario that exploits poor, or indeed non-existent security measures. And it will examine possible strategies (technical and legislative) that have been proposed to mitigate this threat.
Distributed and targeted attacks.
The most common cyber crimes are caused by a Distributed Denial of Service (DDoS) attack. These are initiated when a large number of pre-infected computers (BOTs) send a synchronized set of requests to a specific target IP address or group of addresses in such a way as to overwhelm the servers at the receiving end of the requests and put them out of service for the duration of the attack. A DDoS attack can cause significant loss of earnings for an e-Commerce enterprise. It can also significantly impair overwhelm systems beyond those directly attacked, as the massive mount of traffic generated by the BOTNet (the collective name of all the infected BOTs) slows down or indeed halts traffic on major Internet nodes throughout the world.
The economic damage done by a DDoS attack also extends beyond the attacked enterprise’s loss of revenue during the attack period. According to a 2004 CRS report to Congress (Brian Cashell, April 2004) the stock value loss following a known digital attack against a listed company can be as high as 15% of its market value.
As disruptive as these attacks are, they seldom last long or have long lasting consequences. Software companies respond quickly to the problem by identifying the signatures of the attack and releasing the appropriate countermeasures.
More insidious than DDoS attacks are targeted attacks based around social engineering, phishing and identity theft. Whereas DDoS attacks are sometimes initiated by criminals to blackmail e-Commerce site operators, most tend still to be initiated for the scope of generic electronic vandalism. Electronic fraud, however, is targeted.
According to the Department of Justice, in 2009 the economic losses owing to computer crimes in the US alone were close to $600M (Internet Crime Complaint Center, 2009). These losses primarily resulted from identity theft and credit card fraud. The CRS report mentioned earlier refers to a study carried out by the British company Mi2g that expected a worldwide loss of $250B through cyber crime. The figure is based on a 2004 study and was considered to be on the low side at the time. Given the distributed nature of the attacks, it is difficult to estimate the current economic damage caused by cyber attacks but estimates that exceed $1,000B may not be an overstatement.
As high as that figure may be, its impact is not significant on a national level: again because of the distributed nature of the losses, the overall economic health of a country has not yet been affected. This is why an attack directed against a utility could have very different consequences. The economic damage that might ensue could have a cascading effect that might lead to an exponential increase in damage, in economic and physical terms. It is becoming alarmingly clear that one of the biggest and so far underreported threats to the economic and strategic security of a nation are those that might be conducted against a power grid.
Unlike DDoS attacks that are carried out against data, attacks against utilities providers are directed specifically towards the control systems that govern the operation of the utility. Control system attacks are different from distributed attacks. Whereas BOTs can still be used to disguise the original source of the attack, the attacker does not need to infect a large number of machines to achieve his desired effect. All a cyber terrorist needs to do is to understand how a utility system control network works and modify to destructive intent legal instructions that are sent to the control systems that manage critical aspects of a power plant, and potentially cause the plant to shut down. This is not an unrealistic scenario. Richard Clarke, the former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, writes
Digital control systems monitor activity and send commands to engines, valves, switches, robotic arms, lights, cameras, doors, elevators, trains and aircraft (…) often without a human in the loop. (Clarke, 2010)
This level of automation requires that processes that previously would be monitored and controlled on site are now managed over a telecommunications network. The systems that monitor and control processes remotely are known as Supervisory Control And Data Acquisition (SCADA) systems.
A SCADA system comprises of Programmable Logic Controllers (PLCs) that convert digital signals to electromechanical actions connected over a network to a SCADA control center. The diagram below is a simple schematic of a small SCADA system.
Figure 1: SCADA system.
In the diagram above the PLC1 controls the flow by acting on the pump and PLC2 controls the level of the tank by acting on the valve. Both PLCs are remotely connected to a SCADA control center over a network.
SCADA PLCs, or Remote Terminal Units (RTUs) as they are also known, respond to a number of industry specific interface protocols that generally are manufacturer specific such as Modbus RTU, RP-570, Profibus and Conitel. The communications protocols used between the PLCs and the SCADA center are standards such as IEC 60870-5-101 or 104, IEC 61850 and DNP3.
The Modbus interface was published in 1979. Profibus is more recent, having been first release in 1989; Conitel and RP-570 are early 90s interfaces.
None of these interfaces have included security protocols. Indeed the instruction sets are very limited. Below is the complete list of instructions that can be sent to an RP-570 PLC (ABB, 1997):
Figure 2: RP-570 Instruction Set.
As can be seen, not a single command has anything to do with security or user verification. Just as worryingly, none of the communications protocols include security provisions. In the IEC 60870 standard description there is a note that states:
Security mechanisms are outside of the scope of this standard (IEC, 2006).
The lack of security protocols is not surprising. Most SCADA systems in operation are very old. Most have hard wired code that is not remotely upgradeable. Unfortunately the distributed nature of process control systems, particularly in a distributed environment such as a power grid, makes it very expensive to consider upgrading or modernizing SCADA systems. In a paper written for The Eighth Workshop on the Economics of Information Security held in London in June 2009, Ross Anderson and Shailendra Fuloria observe (Ross Anderson, 2009):
Industrial control systems have both lock-in and complex supply chains. A utility that builds a plant such as a power station or oil refinery is typically locked into the control system vendor for at least 25 years; the vendor for its part typically supplies the software for the central control function, plus the systems integration, while purchasing a wide range of equipment (cabling, sensors, actuators and indeed whole subsystems) from other vendors.
First, the lock-in here has nothing to do with network effects; it is physical. The real assets of the North American energy sector are worth over a trillion dollars; control systems at major sites amount for $3–4 billion, while remote field devices add a further $1.5–2.5bn.
Absent a catastrophic attack, this investment will be replaced only when it is fully depreciated.
In the same paper the authors comment on the vulnerability of SCADA systems thus (Ross Anderson, 2009):
In the late 1990s, some writers started to point out the vulnerability of industrial control systems to online sabotage. Utility control systems have traditionally been designed for dependability and ease of safe use. They used completely private networks and thus their designers gave no thought to authentication or encryption. These networks were typically organized with a star topology, with many sensors and actuators connected to a control centre. Common protocols such as DNP and Modbus enable anyone who can communicate with a sensor to read it, while anyone who can send data to an actuator can give it instructions. But private networks are expensive, and the prospect of orders-of-magnitude cost reductions led engineers to connect control systems to the Internet. The result was that many industrial control systems became insecure without their owners realizing this.
One of the more baffling responses to the criticism that SCADA systems lack security is the observation made by some in the industry that SCADA systems provide “security through obscurity” by leveraging the very proprietary nature of the protocols used. This is a fallacious argument. A determined attacker, such as a cyber terrorist, may well have the resources to invest in lifting the obscurity veil. Indeed this is a worry that is discussed by a paper published by Riptech on the Information Warfare website. On the issue the authors remark (Riptech, 2001):
The above misconception assumes that all attackers of a SCADA system lack the ability to access information about their design and implementation. These assumptions are inappropriate given the changing nature of utility system vulnerabilities in an interconnected environment. [Because] utility companies represent a key component of one of the nation’s critical infrastructures, these companies are likely targets of coordinated attacks by “cyber-terrorists”, as opposed to disorganized “hackers.” Such attackers are highly motivated, well funded, and may very well have “insider” knowledge. Further, a well-equipped group of adversaries focused on the goal of utility operations disruption is certain to use all available means to gain a detailed understanding of SCADA systems and their potential vulnerabilities.
Given the vulnerability of SCADA systems, it may be worth looking in more detail at how these introduce vulnerabilities in the processes that they control and at what the consequences of these vulnerabilities may be.
The Israeli company C4 is a security consulting company specializing in penetration tests to discover system vulnerabilities. C4 has proposed an interesting scenario to show that supposedly secure utility providers hiding under the illusion of “security through obscurity” are anything but secure.
In a presentation to be found on their website C4 shows that a determined group of attackers with either inside knowledge of a power grid’s layout or the time and engineering skills to learn how it is controlled by hacking in to the SCADA center, can hijack the SCADA network and feed PLCs with instructions that would potentially cause a shutdown of the power grid. C4’s hypothesis is that a knowledgeable group of attackers will be able to gain access to the Human Machine Interface (HMI) and monitor packets transmitted between it and the PLCs.
The standard operator objection that “security through obscurity” works because even if an attacker monitored network traffic on which the HMI server is located he would not be able to understand which instructions are being sent to which physical location, armed only with a hexadecimal or IP address of that location. However this again is a specious argument. The greatest weaknesses in a typical SCADA system are that this sort of information is, unfortunately, easily obtainable. The Riptech paper quoted earlier observes (Riptech, 2001):
Often, too much information about a utility company corporate network is easily available through routine public queries. This information can be used to initiate a more focused attack against the network. Examples of this vulnerability are […] [w]ebsites [that] often provide data useful to network intruders about company structure, employee names, e-mail addresses, and even corporate network system names [and] Domain Name Service (DNS) servers permit “zone transfers” providing IP addresses, server names, and e-mail information.
Eyal Udassin of C4 further observes that (Udassin, 2008)
Although without a mapping of the addresses & datapoints to physical locations and controlled devices, it is very difficult to generate malicious packets, such a map can usually be found on the operators’ workstations and the SCADA server as a tag database. Each tag is a user-friendly name given to an address/datapoint.
The weaknesses exposed by C4 and Riptech indicate that a SCADA system can be attacked through poor security practices that do not isolate the corporate network from a production network. By hacking in to the corporate network in this case it is possible to gather the required information on the production network in order to mount an attack on the SCADA system.
IBM’s X-Force is the security consulting arm of IBM. They have also studied vulnerabilities in SCADA networks. X-Force carries out penetration tests on client networks and according to them the simplest tests usually yield the most results. In a presentation on SCADA Security and Terrorism X-Force personnel state that in many penetration test cases they were able to (IBM X-Force, 2006):
- Guess simple passwords
- Access systems through SQL injections
- Port scan for available open ports
- Access SNMP MIBs
- Carry out anonymous FTP SMB and Telnet sessions with no password query
- Exploit known vulnerabilities in unpatched systems
- Deploy backdoors and Trojans
Confirming the weaknesses outlines by C4 and Riptech above, X-Force personnel claim to have demonstrated to a client, while doing a presentation (!) their capability to access the production network leveraging poor security that allowed them to enter the company’s corporate network through an open WiFi access (IBM X-Force, 2006).
Figure 3: IBM X-Force’s customer demonstration results.
Given that it is potentially quite easy to hack in to a SCADA system, what might be the potential damage that could be inflicted on an operator dependent on such systems? Given the critical nature of the service they provide it is worth looking at the consequences of a targeted attack against a power grid operator.
Attacking the grid.
The technology of electric power distribution has not changed much in decades. As Anderson and Fuloria observe above systems will not be replaced until they are depreciated. SCADA systems can have depreciation periods that range from 5 to 25 years. It is likely that at any one time a SCADA system at a power plant might be 10-15 years old, use Modbus communications over a dial-up line and have an HMI based on an unpatched old version of Windows. As Riptech, X-Force and C4 have observed it is likely that the operators have maps hanging in various rooms at the power plant openly displaying physical locations of PLCs with their digital identifiers (phone numbers, MAC addresses, IP addresses). Social engineering might lead to a much more detailed understanding of the plant’s operation. An attacker would then have a reasonable understanding of how to initiate an attack.
A power plant distributes electricity through a tree-like structure of power lines that branch at substations along the way.
Figure 4: power plant distribution.
At each substation there are switches that are controlled by PLCs or RTUs, which regulate the flow of electricity at that point.
Figure 5: Switching diagram on HMI client.
An attacker that could gain control of the switches could cause a lot of damage by opening all of them suddenly causing a power station lock up. Sudden unexpected load drops cause big problems in power stations. A 600MW power station needs to generate 10 tons of steam at 7000C per second. Whereas interlocking and power management ensure that the production load is balanced with the distribution, this is entirely dependent on the SCADA system working the substation switches correctly. The gap between production capacity and consumption in a power station is small: about 1%. Anything in excess of that will cause the power station to initiate a shutdown. A huge imbalance will be problematic. Explosive steam shut-off valves will take off some of the load, but the furnace needs to be stopped, as does the conveyor belt carrying the coal to the furnace (in the case of a nuclear power stations the shutdown process is faster as control rods can be quickly lowered terminating a nuclear reaction – but few of these are online these days following the no-nuclear policies of the last decades).
Arguing the lack of IT security in power stations, Eyal Udassin hypothesizes the following scenario: a skilled group of attackers penetrate the production network (in ways similar to those exposed by the X-Force team described above) and over a period of time monitor SCADA commands to become familiar with the geographical location of the PLCs and RTUs, their logical addresses, and the command sequences that are sent to them to manage the flux of power distribution between day and night usage. In most countries there is a significant variation between daytime and nighttime use of power.
Figure 6: Variations between daytime and nighttime residential power use in Florida. (Florida Solar Energy Center, 2002).
Udassin suggests (Udassin, 2008) that a possible attack strategy would be to understand the sequence of PLC commands that regulates the power release flux then reverse them. In detail an attacker might do the following:
Stage 1: Preparation mode:
- Install malware on the SCADA communications Server (this might be accessible and poorly protected as X-Force have shown)
Stage 2: Learning Mode:
- Sniff traffic to and from the field (easy to distinguish if protocols are known; addresses and locations are acquired)
- Create request/response PLC instruction pairs with a timestamp for day & night classification.
Stage 3: Active Mode:
- When enough packet data is collected, wait for the next critical time of day transition (dawn, nightfall)
- Drop all messages being sent from the SCADA server to the PLCs
- Replace them with the commands of the opposite timeframe to the field.
If this attack sequence is carried out in the morning when demand for power increases, the opposite commands will be sent to the PLCs that regulate the increase or decrease of production. According to Udassin’s attack plan, as electricity demand constantly rises the field devices will receive night-time command – e.g. “disconnect aux. power plant from the grid”, “lower power output from main power plant” etc. Operators will then try to connect more power plants, without success as the commands are ignored. This will generate network instability, as supply will not meet the demand, potentially causing blackouts.
If the attack is also timed to coincide with a backup power station being taken offline for maintenance the consequences could be more severe.
The weakness that is exploited in Udassin’s scenario is dependent on the fact that the communication between the SCADA controller and the PLCs does not allow for message authentication. This is partly due to the fact that the protocols themselves do not include this capability.
However investment in technology that has not yet reached an accounting write-off period is not the only excuse for being lackadaisical about security. As Mariana Hentea observes
SCADA systems are now adopting Web technology (ActiveX, Java, etc.) and OPC (as a means for communicating internally between the client and server modules). However, Web applications are an interesting target for cyber attacks that are increasingly automated. Web is the dominant development platform for software, but Web-based secure software is immature (Hentea, 2008).
Hentea further notes that the fact that SCADA systems now run on common software such as Windows and UNIX and use standard communications protocols such as TCP/IP. So the “security through obscurity” protection argument is getting increasingly weak.
New technology does allow plant managers to take advantage of better software security tools. But where operators can modernize a plant’s network to include security capabilities (by installing remotely upgradeable PLCs for instance, with better processing capabilities, and implement strong security protocols) there is little financial incentive for them to do so.
Indeed it is this lack of financial incentive to increase security (or possible the lack of penalties for non-compliance) that is exposing the power generation industry to an even greater threat.
Poor regulation and disaster scenarios.
The North American Electric Reliability Corporation (NERC) is a self-regulatory organization, subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada. NERC reliability standards define the reliability requirements for planning and operating the North American bulk power system. According to the NERC website
all bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity (NERC).
NERC standard CIP 002 to 009 “provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System” (NERC, 2006). Specifically NERC standard 002/R1.2.4 identifies “blackstart” power stations as Critical National Infrastructure assets subject to conformance of the NERC cyber security standards. Blackstart power stations are those that are equipped with a diesel generator that allows them to restart the main generator in case of total grid power loss. Not all power stations are equipped with blackstart capabilities, but those who are have to comply with more stringent cyber safety regulations defined by NERC, as they are assets can restore power to the grid without requiring external power sources.
Incredibly, NERC’s regulation is making the North American grid less secure! The problem appears to be that NERC did not think through the obvious consequences of imposing regulation with poor oversight. According to Joseph Weiss who testified in front of the House Committee on Homeland Security on October 17, 2007, “NERC’s attitude toward cybersecurity alarming at best and negligent at worst (Controlglobal.com, 2007)”. Blogging for Controlglobal.com he states that
Some generation managers considered NERC CIP compliance a “game” to remove assets from CIP-002 without realizing they were shooting themselves in the foot by not addressing the reliability threat. Specifically, at a meeting of plant managers, one manager of a very large coal-fired power plant was charged to ensure his plant was not considered a critical cyber asset. Another plant manager whose plant had black start capability and therefore deemed a critical cyber asset by CIP-002 considered it cost-effective to remove its black start capability. In both cases, the plant managers didn’t consider the potential cyber threat to reliability (Weiss, 2008).
Removing blackstart capabilities makes the grid more vulnerable to accidents or deliberate attacks. One extreme scenario is what might lead to a diesel crisis. If the attack described above was carried out in sequence against many power grid operators, and these did not have blackstart capabilities, if the ensuing blackouts lasted long enough backup diesel generators providing for emergency services would start running out of diesel. This would have to be trucked in from diesel depots. But the diesel depots would be unable to pump diesel because of the blackout. It is possible to conceive of an extreme scenario where trucks would stop running, diesel would not reach generators and the grid would not be able to restart. All of this because power plant operators chose not to invest in cybersecurity!
What can be done to secure critical infrastructure.
Ironically the deficiencies in IT security that plague the critical infrastructure industry have mostly been addressed in other industries. The lesson learned by e-Commerce retailers, for example, can be applied in all IT environments.
In a 2006 NERC’s Control Systems Security Working Group highlights 10 critical infrastructure IT and communications vulnerabilities and suggests easily implementable solutions to mitigate them (NERC, 2006). Highly criticized as NERC’s policing capabilities may be, the recommendations are certainly worth implementing. They include among others:
- Implementing strong IT security policies. This requires significant investment in personnel hiring and retraining, but perhaps more importantly requires plant management to become aware of the cost effectiveness of this expenditure.
- Carrying out security audits to check for default password settings, manufacturer service backdoors, etc.
- Ensuring that all software has the most recent security patches.
- Revisiting the control network infrastructure with access security in mind (physical and virtual) to look for vulnerabilities.
- Redesigning the network using modern safeguarding technologies where possible, such as authentication and encryption.
- Replacing any RTUs or PLCs that have hardwired, non-upgradeable software with equivalent systems that where access security can be implemented and changed remotely.
The US Department of Energy is not leaving all the work of policy suggestion to NERC. On it own website, one can find a series of recommendations that suggest how to secure SCADA networks (US Department of Energy, 2004). These are compiled also by the United States Computer Emergency Readiness Team (US-CERT). Of particular interest is a document titled “21 Steps to Improve Cyber Security of SCADA Networks”.
In addition to the NERC recommendations US-CERT and the DoE also seem to hammer the final nail in the coffin of “security through obscurity” by advising operators to avoid reliance on proprietary protocols and take advantage of standard software security tools that can be periodically updated and upgraded. US-CERT also recommends the use of Red Teams and penetration tests to look for weaknesses such as missed backdoors and unauthorized links between production networks and corporate/sales networks, as well as the accessibility (virtual and physical) of remote sites.
Outside of the US the issue SCADA security is also a hotly debated issue.
In the UK the Centre for the Protection of National Infrastructure (CPNI) has also released a long series of recommendations and standards to be adopted by any operator of SCADA networks. CPNI issues guidance documents on the following under the heading Process Control and SCADA Security Guides:
- Understanding the business risk
- Implementing secure architectures
- Firewall deployment
- Establishment of response capabilities
- Improving skills
- Managing third party risk
- Establishment of ongoing governance (UK CPNI).
The section on business risk goes in to some detail in explaining the relationship between specific IT threats (worms, Trojans, backdoors, etc.) to a specific business threat (to the supply chain, the sales network and ultimately to the plant operations).
This is where the biggest area of weakness still exists. To date no country has successfully enacted legislation that forces owners of critical infrastructure to abide by comprehensive cybersecurity standards. Where this legislation has been partially enacted, too many loopholes exist that allow owners of the infrastructure to avoid implementing the required standards.
So far we have been relatively lucky. Terrorists have not been particularly smart. Even the 9/11 attacks were low tech. But two worrying thoughts emerge from this analysis: there is no reason a terrorist group could not have the knowledge necessary to carry out some of the attacks described in this paper. And far more worryingly it is absolutely certain that nation states have this capability. In the current conflicts in Central Asia and terrorist attacks around the world we have been caught unprepared by the evolution towards what we now know as Fourth Generation Warfare, where there is no clear division between forces in a battlespace (indeed we have had to coin the new term “battlespace” for the 4GW context) and war is conducted “asymmetrically”. It is time we should prepare for the next generation of warfighting (Fifth Generation Warfare?) that will move away from physical landscapes altogether and will be fought within the very unsecured and unbounded “confines” of the digital world.
In World War Two allied bombers attacked German power plants with very expensive raids that had very variable effects. Today it is far more cost effective to attack the same targets using a keyboard.
ABB. (1997). REC 501 RP 570 Protocol Description. Retrieved 2010, 20-June from ABB: http://library.abb.com/GLOBAL/SCOT/scot229.NSF/VerityDisplay/9A5C1896695487E6C2256A7200361578/$File/REC501RP570_EN_A.pdf
Brian Cashell, W. D. (April 2004). The Economic Impact of Cyber-Attacks. CRS. Congressional Research Service ˜ The Library of Congress.
Clarke, R. A. (2010). Cyber War. The next threat to National Security and what you can do about it. New York: Harper Collins.
Controlglobal.com. (2007, 6-November). Control’s Joe Weiss Testifies before Congress. Retrieved 2010 йил 20-June from Controlglobal.com: http://www.controlglobal.com/articles/2007/375.html
Florida Solar Energy Center. (2002, January). Retrieved 2010, 20-June from Research Highlights From A Large Scale Residential Monitoring Study In A Hot Climate: http://www.fsec.ucf.edu/en/publications/html/FSEC-PF-369-02/index.htm
Hentea, M. (2008). Improving Security for SCADA Control Systems. Interdisciplinary Journal of Information, Knowledge, and Management , 3, 77.
IBM X-Force. (2006). IBM X-Force. Retrieved 2010, 20-June from http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
IEC. (2006, June). INTERNATIONAL IEC STANDARD 60870-5-104. Retrieved 2010, 20-June from IEC Webstore: http://webstore.iec.ch/preview/info_iec60870-5-104%7Bed2.0%7Den_d.pdf
Internet Crime Complaint Center. (2009). 2009 Internet Crime Report. Department of Justice.
NERC. (2006, 2-May). Retrieved 2010, 20-June from Standard CIP–002–1 — Cyber Security — Critical Cyber Asset Identification: http://www.nerc.com/files/CIP-002-1.pdf
NERC. (n.d.). About NERC Standards. Retrieved 2010, 20-June from The North American Electric Reliability Corporation: http://www.nerc.com/
NERC. (2006). Top 10 vulnerabilities of control systems and their associated mitigations. Department of Energy. Princeton, NJ: NERC.
Riptech. (2001). Understanding SCADA System Security Vulnerabilities. Retrieved 2010, 20-June from IWS – The Information Warfare Site: http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf
Ross Anderson, S. F. (2009). Security Economics and Critical National Infrastructure. The Eighth Workshop on the Economics of Information Security (WEIS 2009).
Udassin, E. (2008). Generic Electric Grid Malware Design . Retrieved 2010, 20-June from C4: http://www.c4-security.com/index-5.html
UK CPNI. (n.d.). SCADA. Retrieved June 20, 2010, from UK CPNI: http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx
US Department of Energy. (2004). 21 steps to improve cybersecurity of SCADA networks. Retrieved June 20, 2010, from US DoE Office of Electricity Delivery and Energy Reliability: http://www.oe.energy.gov/DocumentsandMedia/21_Steps_-_SCADA.pdf
US-CERT. (n.d.). Control Systems Security Program (CSSP) Standards & References. Retrieved June 20, 2010, from US-CERT: http://www.us-cert.gov/control_systems/csstandards.html
Weiss, J. (2008 9-May). Electric Power 2008– is NERC CIP compliance a game? Retrieved 2010 йил 20-June from Controlglobal.com: http://community.controlglobal.com/content/electric-power-2008–-nerc-cip-compliance-game