1. Repositório Aberto da Universidade do Porto
  2. FEUP - Faculdade de Engenharia
  3. FEUP - Dissertação
Please use this identifier to cite or link to this item: https://hdl.handle.net/10216/119066
Author(s): Filipe Pestana Duarte Rocha
Title: Cybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing
Issue Date: 2019-02-04
Abstract: Supervisory Control and Data Acquisition (SCADA) systems are essential for monitoring and controlling a country's Critical Infrastructures (CI) such as electrical power grids, gas, water supply, and transportation services. These systems used to be mostly isolated and secure, but this is no longer true due to the use of wider and interconnected communication networks to reap benefits such as scalability, reliability, usability, and integration. This architectural change together with the critical importance of these systems made them desirable cyber-attack targets. Just as in other Information Technology (IT) systems, standards and best practices have been developed to provide guidance for SCADA developers to increase the security of their systems against cyber-attacks.With the assistance of EFACEC, this work provides an analysis of a SCADA system under current standards, client requisites, and testing of vulnerabilities in an actual prototype system. Our aim is to provide guidance by example on how to evaluate and improve the security of SCADA systems, using a basic prototype of EFACEC's ScateX# SCADA system, following both a theoretical and practical approach. For the theoretical approach, a list of the most commonly adopted ICS (Industrial Control Systems) and IT standards is compiled, and then sets of a generic client's cybersecurity requisites are analyzed and confronted with the prototype's specifications. A study of the system's architecture is also performed to identify vulnerabilities and non-compliances with both the client's requisites and the standards and, for the identified vulnerabilities, corrective and mitigation measures are suggested. For the practical approach, a threat model was developed to help identify desirable assets on SCADA systems and possible attack vectors that could allow access to such assets. Penetration tests were performed on the prototype in order to validate the attack vectors, to evaluate compliance, and to provide evidence of the effectiveness of the corrective measures.
Subject: Engenharia electrotécnica, electrónica e informática
Electrical engineering, Electronic engineering, Information engineering
Scientific areas: Ciências da engenharia e tecnologias::Engenharia electrotécnica, electrónica e informática
Engineering and technology::Electrical engineering, Electronic engineering, Information engineering
TID identifier: 202391892
URI: https://hdl.handle.net/10216/119066
Document Type: Dissertação
Rights: openAccess
Appears in Collections:FEUP - Dissertação

Files in This Item:
File Description SizeFormat 
315683.pdfCybersecurity analysis of a SCADA system under current standards, client requisites, and penetration testing1.24 MBAdobe PDFThumbnail
View/Open
Show full item record Recommend this item Display Statistics


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.