{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,14]],"date-time":"2025-11-14T07:26:47Z","timestamp":1763105207237,"version":"3.41.2"},"reference-count":64,"publisher":"Emerald","issue":"4","license":[{"start":{"date-parts":[[2008,10,10]],"date-time":"2008-10-10T00:00:00Z","timestamp":1223596800000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2008,10,10]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>Supervisory control and data acquisition (SCADA) systems are widely used by utility companies during the production and distribution of oil, gas, chemicals, electric power, and water to control and monitor these operations. A cyber attack on a SCADA system cannot only result in a major financial disaster but also in devastating damage to public safety and health. The purpose of this paper is to survey the literature on the cyber security of SCADA systems and then suggest two categories of security solutions.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>The paper proposes the use of secure socket layer\/transport layer security (SSL\/TLS) and IP security (IPsec) solutions, implemented on the test\u2010bed at the University of Louisville, as the optimal choices when considering the level of security a solution can provide and the difficulty of implementing such a security measure. The paper analyzes these two solution choices, discuss their advantages and disadvantages, and present details on efficient ways of implementing these solutions.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>The SSL\/TLS solution to the protocol security using public domain toolkits such as OpenSSL may provide a fast, effective, and economical solution. However, the SSL\/TLS protocol and its implementation toolkits have their limitations so this approach may need another enhancement.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Practical implications<\/jats:title><jats:p>IPsec can be used to provide IP\u2010level security in addition to SSL\/TLS.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>The use of these enhanced security approaches in SCADA systems should effectively reduce the vulnerability of these critical systems to malicious cyber attacks, and thereby potentially avoiding the serious consequences of such attacks.<\/jats:p><\/jats:sec>","DOI":"10.1108\/09685220810908804","type":"journal-article","created":{"date-parts":[[2008,10,25]],"date-time":"2008-10-25T07:02:37Z","timestamp":1224918157000},"page":"398-414","source":"Crossref","is-referenced-by-count":25,"title":["Securing SCADA systems"],"prefix":"10.1108","volume":"16","author":[{"given":"Sandip C.","family":"Patel","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Pritimoy","family":"Sanyal","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022021220052446800_b1","unstructured":"AGA (2003), \u201cCryptographic protection of SCADA communications\u201d, AGA Report No. 12\u20101 (draft), American Gas Association, Washington, DC, March."},{"key":"key2022021220052446800_b2","unstructured":"Bellovin, S. (2000), \u201cHackers penetrate Gazprom\u201d, The Risk Digest, Vol. 20 No. 87."},{"key":"key2022021220052446800_b3","unstructured":"Bent, D. (2003), \u201cOSSI making progress on NIST certification of OpenSSL\u201d, available at: http:\/\/dotnet.sys\u2010con.com\/author\/2523bent.htm (accessed April, 2008), December."},{"key":"key2022021220052446800_b4","doi-asserted-by":"crossref","unstructured":"Berket, K., Agarwal, D.A. and Chevassut, O. (2002), \u201cA practical approach to the InterGroup protocols\u201d, Future Generation Computer Systems, Vol. 18 No. 5, pp. 709\u201019.","DOI":"10.1016\/S0167-739X(02)00036-5"},{"key":"key2022021220052446800_b5","doi-asserted-by":"crossref","unstructured":"Boriani, D.V. (1995), \u201cAxiomatic specification and logic programming: fast prototyping of correct designs\u201d, ISA Transactions, Vol. 34 No. 1, pp. 53\u201065.","DOI":"10.1016\/0019-0578(94)00050-V"},{"key":"key2022021220052446800_b6","unstructured":"Byres, E. (2004), \u201cThe myths and facts behind cyber security risks for industrial control systems\u201d, news release, bcit News, October 4."},{"key":"key2022021220052446800_b8","unstructured":"CERT (2003), \u201cAdvisory CA\u20102003\u201026\u201d, Carnegie Mellon University, Pittsburgh, PA, available at: www.cert.org\/advisories\/CA\u20102003\u201026.html (accessed April, 2008)."},{"key":"key2022021220052446800_b9","unstructured":"CVE (2007), \u201cCVE ID: CAN\u20102003\u20100543\u201d, National Cyber Security Division of Department of Homeland Security, Washington, DC, Common Vulnerabilities and Exposures, available at: http:\/\/cve.mitre.org\/cgi\u2010bin\/cvename.cgi?name\u2009=\u2009CAN\u20102003\u20100543 (accessed April, 2008)."},{"key":"key2022021220052446800_b7","doi-asserted-by":"crossref","unstructured":"Canvel, B., Hiltgen, A., Vaudenay, S. and Vuagnoux, M. (2003), \u201cPassword interception in a SSL\/TLS channel\u201d, Advances in Cryptology \u2013 CRYPT'03, Lecture Notes in Computer Science, Vol. 2729, pp. 583\u201099.","DOI":"10.1007\/978-3-540-45146-4_34"},{"key":"key2022021220052446800_b15","unstructured":"DHS (2003), \u201cCritical infrastructure identification, prioritization, and protection\u201d, US Department of Homeland Security, Washington, DC, Presidential Directive\/Hspd\u20107 December, available at: www.whitehouse.gov\/news\/releases\/2003\/12\/20031217\u20105.html (accessed April, 2008)."},{"key":"key2022021220052446800_b14","unstructured":"DHS (2006), \u201cHomeland security advisories and information bulletins\u201d, US Department of Homeland Security, Washington, DC, August, available at: www.dhs.gov\/xinfoshare\/publications\/editorial_0335.shtm (accessed April, 2008)."},{"key":"key2022021220052446800_b13","unstructured":"DOE (2002), \u201c21 steps to improve cyber security of SCADA network\u201d, US Department of Energy, Washington, DC, September, available at: www.oe.energy.gov\/DocumentsandMedia\/21_Steps_\u2010_SCADA.pdf (accessed April, 2008)."},{"key":"key2022021220052446800_b12","unstructured":"DOE (2003), \u201cMeeting brief: DOE\/DHS SCADA meeting\u201d, US Department of Energy, Washington, DC, July 16, available at: www.oe.netl.doe.gov\/docs\/prepare\/scada.pdf (accessed April, 2008)."},{"key":"key2022021220052446800_b11","unstructured":"DOE (2005), \u201cOpenSSL security vulnerabilities in ASN.1 parsing\u201d, US Department of Energy, Washington, DC, Computer Incident Advisory Capability, available at: www.ciac.org\/ciac\/bulletins\/n\u2010159.shtml (accessed April, 2008)."},{"key":"key2022021220052446800_b16","unstructured":"DOT (2007), \u201cSafety and security\u201d, US Department of Transportation, Washington, DC, available at: http:\/\/transit\u2010safety.volpe.dot.gov\/(accessed April, 2008)."},{"key":"key2022021220052446800_b10","doi-asserted-by":"crossref","unstructured":"Dierks, T. and Allen, C. (1999), RFC 2246 \u2013 the TLS Protocol Version 1.0., Network Working Group, The Internet Society, Reston, VA, January.","DOI":"10.17487\/rfc2246"},{"key":"key2022021220052446800_b17","doi-asserted-by":"crossref","unstructured":"Dutta, P.K., Hui, J.W., Chu, D.C. and Culler, D.E. (2006), \u201cSecuring the deluge network programming system\u201d, Proceedings of the Fifth International Conference on Information Processing in Sensor Networks, Nashville, Tennessee, April 19\u201021, pp. 326\u201033.","DOI":"10.1145\/1127777.1127826"},{"key":"key2022021220052446800_b18","unstructured":"Fini, L. (2000), \u201cLinux in embedded industrial applications: a case study\u201d, Linux Journal, Vol. 2000 No. 77, p. 12."},{"key":"key2022021220052446800_b19","doi-asserted-by":"crossref","unstructured":"Freudenthal, E., Port, L., Pesin, T., Keenan, E. and Karamcheti, V. (2002), \u201cSwitchboard: secure, monitored connections for client\u2010server communication\u201d, Proceedings of the 22nd International Conference on Distributed Computing Systems Workshops, July 2\u20105, pp. 660\u20105.","DOI":"10.1109\/ICDCSW.2002.1030844"},{"key":"key2022021220052446800_b20","unstructured":"Frost and Sullivan (2001), \u201cEuropean SCADA systems market in dynamic shape\u201d, company news, Frost and Sullivan, San Antonio, TX, available at: www.engineeringtalk.com\/news\/fro\/fro144.html (accessed April, 2008), October 11."},{"key":"key2022021220052446800_b21","unstructured":"Garfinkel, S. (2002), Web Security, Privacy & Commerce, 2nd ed., O'Reily & Associates, Inc., Sebastopol, CA."},{"key":"key2022021220052446800_b22","doi-asserted-by":"crossref","unstructured":"Geer, D. (2006), \u201cSecurity of critical control systems sparks concern\u201d, Computer, Vol. 39 No. 1, pp. 20\u20103.","DOI":"10.1109\/MC.2006.32"},{"key":"key2022021220052446800_b23","unstructured":"Gellman, B. (2002), \u201cUS fears Al Qaeda cyber attacks\u201d, Washington Post, June 26."},{"key":"key2022021220052446800_b24","doi-asserted-by":"crossref","unstructured":"Gieling, T.H., van Meurs, W.M. and Janssen, H.J. (1996), \u201cA computer network with SCADA and case tools for on\u2010line process control in greenhouses\u201d, Advances in Space Research, Vol. 18 Nos 1\/2, pp. 171\u20104.","DOI":"10.1016\/0273-1177(95)00804-N"},{"key":"key2022021220052446800_b26","unstructured":"Graham, J.H. and Patel, S.C. (2005), \u201cCorrectness proofs for SCADA communication protocols\u201d, Proceedings of the 9th World Multi\u2010Conference on Systemics, Cybernetics and Informatics, Orlando, FL, July 10\u201013, pp. 392\u20107."},{"key":"key2022021220052446800_b25","unstructured":"Graham, J., Mostafa, S., Arazi, B., Tantawy, A., Hieb, J., Ralston, P. and Patel, S. (2007), \u201cImprovements in SCADA and DCS systems security\u201d, Proceedings of International Conference on Computers and Their Applications, Honolulu, Hawaii, March 28\u201030, pp. 194\u2010200."},{"key":"key2022021220052446800_b27","doi-asserted-by":"crossref","unstructured":"Heng, G.T. (1996), \u201cMicrocomputer\u2010based remote terminal unit for a SCADA system\u201d, Microprocessors and Microsystems, Vol. 20 No. 1, pp. 39\u201045.","DOI":"10.1016\/0141-9331(95)01066-1"},{"key":"key2022021220052446800_b28","unstructured":"Hieb, J.L., Graham, J.H. and Patel, S.C. (2007), \u201cSecurity enhancements for distributed control systems\u201d, in Goetz, E. and Shenoi, S. (Eds), Critical Infrastructure Protection: IFIP International Federation for Information Processing Series, Vol. 253, Springer, New York, NY, pp. 55\u201068."},{"key":"key2022021220052446800_b29","unstructured":"IEC (2003), Power System Control and Associated Communications \u2013 Data and Communication Security, The International Electrotechnical Commission, Geneva, May."},{"key":"key2022021220052446800_b31","unstructured":"Kato, H., Furuya, M., Tamano\u2010Mori, M., Kaneko, S. and Nakano, T. (2001), \u201cRisk analysis and secure protocol design for www\u2010based remote control with operation\u2010privilege management\u201d, Proceedings of the IEEE International Conference on Systems, Man and Cybernetics, Vol. 2, pp. 1107\u201012."},{"key":"key2022021220052446800_b32","unstructured":"Kegel, D. (2001), \u201cSSL\/TLS\u201d, available at: www.kegel.com\/ssl\/ (accessed April, 2008)."},{"key":"key2022021220052446800_b33","doi-asserted-by":"crossref","unstructured":"Kokai, Y., Masuda, F., Horiike, S. and Sekine, Y. (1997), \u201cRecent development in open systems for EMS\/SCADA\u201d, International Journal of Electrical Power & Energy Systems, Vol. 20 No. 2, pp. 111\u201023.","DOI":"10.1016\/S0142-0615(97)00038-0"},{"key":"key2022021220052446800_b34","unstructured":"Kotok, A. (2002), \u201cUtility deregulation requires effective e\u2010business standards\u201d White Paper, June, available at: www.disa.org\/pdfs\/white_paper03.pdf (accessed April, 2008)."},{"key":"key2022021220052446800_b35","unstructured":"Majdalawieh, M., Parisi\u2010Presicce, F. and Wijesekera, D. (2005), \u201cDistributed network protocol security (DNPSec) security framework\u201d, Proceedings of 21st Annual Computer Security Applications Conference, Tucson, AZ, December 5\u20109."},{"key":"key2022021220052446800_b30","unstructured":"M\u00f6ller, B. (2004), \u201cSecurity of CBC ciphersuites in SSL\/TLS: problems and countermeasures\u201d, available at: www.openssl.org\/ \u223c\u2009bodo\/tls\u2010cbc.txt (accessed April, 2008), May."},{"key":"key2022021220052446800_b36","unstructured":"NIPC (2002), \u201cTerrorist interest in water supply and SCADA systems\u201d, Information Bulletin 02\u2010001, National Infrastructure Protection Center, Washington, DC, January."},{"key":"key2022021220052446800_b37","unstructured":"NISCC (2003), Vulnerability Advisory 006489\/OpenSSL, UNIRAS: Computer Emergency Response Team, National Infrastructure Security Co\u2010ordination Centre, London, November."},{"key":"key2022021220052446800_b38","unstructured":"OpenSSL (2007), \u201cOpenSSL project homepage\u201d, available at: www.openssl.org\/ (accessed April, 2008)."},{"key":"key2022021220052446800_b39","unstructured":"Palmieri, F. (2003), \u201cVPN scalability over high performance backbones evaluating MPLS VPN against traditional approaches\u201d, Proceedings of the Eighth IEEE International Symposium on Computers and Communication, Kemer\u2010Antalya, Turkey, June 30\u2010July 3."},{"key":"key2022021220052446800_b40","unstructured":"Patel, S.C. (2006), \u201cSecure internet\u2010based communication protocol for SCADA networks\u201d, PhD dissertation, University of Louisville, Louisville, KY."},{"key":"key2022021220052446800_b41","unstructured":"Patel, S.C. and Grahm, J.H. (2004), \u201cSecurity considerations in DNP3 SCADA systems\u201d, Proceedings of the 17th Computer Applications in Industry and Engineering, Orlando, FL, November 17\u201019, pp. 73\u20108."},{"key":"key2022021220052446800_b44","doi-asserted-by":"crossref","unstructured":"Patel, S.C., Bhatt, G.D. and Graham, J. (2008), \u201cImproving the cyber security of SCADA communication networks\u201d, Communications of ACM (in press)..","DOI":"10.1145\/1538788.1538820"},{"key":"key2022021220052446800_b42","unstructured":"Patel, S., Graham, J., Ralston, P. and Tantalean, R. (2005a), \u201cSecure SCADA communications, monitoring, and control over the internet\u201d, Proceedings of the 18th Computer Applications in Industry and Engineering, Honolulu, Hawaii, November 9\u201011, pp. 169\u201074."},{"key":"key2022021220052446800_b43","unstructured":"Patel, S., Tantalean, R., Ralston, P. and Graham, J. (2005b), \u201cSupervisory control and data acquisition remote terminal unit testbed\u201d, Intelligent Systems Research Laboratory Technical Report TR\u2010ISRL\u201005\u201001, Department of Computer Engineering and Computer Science, University of Louisville, Louisville, KY."},{"key":"key2022021220052446800_b46","unstructured":"Petree, V. (1995), \u201cSCADA\u2010Linux still hard at work\u201d, Linux Journal, Vol. 1995 No. 10, February."},{"key":"key2022021220052446800_b45","unstructured":"Petree, V. (1998), \u201cLinux means business\u201d, Linux Journal, Vol. 1998 No. 54, October."},{"key":"key2022021220052446800_b47","unstructured":"Portmann, M. and Seneviratne, A. (2001), \u201cSelective security for TLS\u201d, Proceedings of 9th IEEE International Conference on Networks, October 10\u201012, pp. 216\u201021."},{"key":"key2022021220052446800_b48","unstructured":"Poulsen, K. (2003a), \u201cSlammer worm crashed Ohio nuke plant net\u201d, The Register, available at: www.theregister.co.uk\/2003\/08\/20\/slammer_worm_crashed_ohio_nuke\/ (accessed April, 2008)."},{"key":"key2022021220052446800_b49","unstructured":"Poulsen, K. (2003b), \u201cBrits found OpenSSL bugs\u201d, SecurityFocus, September."},{"key":"key2022021220052446800_b50","doi-asserted-by":"crossref","unstructured":"Preu, K., Le Lann, M\u2010V., Cabassud, M. and Anne\u2010Archard, G. (2003), \u201cImplementation procedure of an advanced supervisory and control strategy in the pharmaceutical industry\u201d, Control Engineering Practice, Vol. 11 No. 12, pp. 1449\u201058.","DOI":"10.1016\/S0967-0661(03)00098-4"},{"key":"key2022021220052446800_b51","unstructured":"Rescorla, E. (2001), SSL and TLS: Designing and Building Secure Systems, Addison\u2010Wesley, Boston, MA."},{"key":"key2022021220052446800_b52","unstructured":"Smith, T. (2001), \u201cHacker jailed for revenge sewage attacks\u201d, The Register, available at: www.theregister.co.uk\/2001\/10\/31\/hacker_jailed_for_revenge_sewage\/ (accessed April, 2008)."},{"key":"key2022021220052446800_b53","doi-asserted-by":"crossref","unstructured":"Su, C\u2010L., Lu, C\u2010N. and Lin, M\u2010C. (2000), \u201cWide area network performance study of a distribution management system\u201d, International Journal of Electrical Power & Energy Systems, Vol. 22 No. 1, pp. 9\u201014.","DOI":"10.1016\/S0142-0615(99)00029-0"},{"key":"key2022021220052446800_b54","unstructured":"Sun Microsystems, Inc. (2004), \u201cJava\u2122 Secure Socket Extension (JSSE) Reference Guide for the Java\u2122 2 SDK, standard edition, v 1.4.2\u201d, available at: http:\/\/java.sun.com\/j2se\/1.4.2\/docs\/guide\/security\/jsse\/JSSERefGuide.html (accessed Aril, 2008)."},{"key":"key2022021220052446800_b55","doi-asserted-by":"crossref","unstructured":"Tak, S., Lee, Y. and Park, E.K. (2003), \u201cA software framework for non\u2010repudiation service in electronic commerce based on the internet\u201d, Microprocessors and Microsystems, Vol. 27 Nos 5\/6, pp. 265\u201076.","DOI":"10.1016\/S0141-9331(03)00027-9"},{"key":"key2022021220052446800_b56","unstructured":"Taylor, K. and Palmer, D. (2003), \u201cApplying enterprise architectures and technology to the embedded devices domain\u201d, Proceedings of the Australasian Information Security Workshop Conference on ACSW Frontiers 2003, Adelaide, Australia, January, pp. 185\u201090."},{"key":"key2022021220052446800_b58","unstructured":"US\u2010CERT (2004), \u201cTechnical cyber security alert TA04\u2010111A: vulnerabilities in TCP\u201d, United States Computer Emergency Readiness Team, Washington, DC, September, available at: www.us\u2010cert.gov\/cas\/techalerts\/TA04\u2010111A.html (accessed April, 2008)."},{"key":"key2022021220052446800_b57","unstructured":"US\u2010CERT (2007), \u201cAdvisory notes\u201d, Vulnerability numbers: VU# 255484, VU# 380864, VU#686224, VU#732952, VU#935264, and VU#104280, United States Computer Emergency Readiness Team, Washington, DC, available at: www.kb.cert.org\/vuls (accessed April, 2008)."},{"key":"key2022021220052446800_b59","unstructured":"Varoli, J. (2000), \u201cIn bleak Russia, a young man's thoughts turn to hacking\u201d, The New York Times online, June."},{"key":"key2022021220052446800_b60","doi-asserted-by":"crossref","unstructured":"Vaudenay, S. (2002), \u201cSecurity flaws induced by CBC padding \u2013 applications to SSL, IPSEC, WTLS\u201d, Proceedings of Advances in Cryptology \u2013 EUROCRYPT'02, Amsterdam, Netherlands, pp. 534\u201045.","DOI":"10.1007\/3-540-46035-7_35"},{"key":"key2022021220052446800_b61","unstructured":"Ventuneac, M., Coffey, T. and Salomie, I. (2003), \u201cA policy\u2010based security framework for web\u2010enabled applications\u201d, Proceedings of the 1st International Symposium on Information and Communication Technologies, Dublin, Ireland, pp. 487\u201092."},{"key":"key2022021220052446800_b62","unstructured":"Viega, J., Messier, M. and Chandra, P. (2002), Network Security with OpenSSL, O'Reilly & Assoc. Inc., Sebastopol, CA."},{"key":"key2022021220052446800_b63","unstructured":"Watts, D. (2003), \u201cSecurity and vulnerability in electric power systems\u201d, Proceedings of the 35th North American, Power Symposium, Rolla, MO, October 20\u201021, pp. 559\u201066."},{"key":"key2022021220052446800_b64","unstructured":"Yasinsac, A. and Childs, J. (2001), \u201cAnalyzing internet security protocols\u201d, Proceedings of the 6th IEEE International Symposium on High Assurance Systems Engineering, October 22\u201024, pp. 149\u201059."}],"container-title":["Information Management &amp; Computer Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/09685220810908804","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810908804\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/09685220810908804\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T00:09:07Z","timestamp":1753402147000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/16\/4\/398-414\/181857"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2008,10,10]]},"references-count":64,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2008,10,10]]}},"alternative-id":["10.1108\/09685220810908804"],"URL":"https:\/\/doi.org\/10.1108\/09685220810908804","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2008,10,10]]}}}