ISSN 0040-6015, Thermal Engineering, 2016, Vol. 63, No. 13, pp. 948–956. © Pleiades Publishing, Inc., 2016.

Original Russian Text © Y.S. Vasiliev, P.D. Zegzhda, D.P. Zegzhda, 2016, published in Izvestiya Rossiiskoi Akademii Nauk, Energetika.

Providing Security for Automated Process Control Systems

at Hydropower Engineering Facilities
Y. S. Vasiliev, P. D. Zegzhda, and D. P. Zegzhda
Peter the Great St. Petersburg Polytechnic University, St. Petersburg, 195251 Russia
e-mail: zeg@ibks.ftk.spbstu.ru
Received December 30, 2015

Abstract—This article suggests the concept of a cyberphysical system to manage computer security of auto-
mated process control systems at hydropower engineering facilities. According to the authors, this system
consists of a set of information processing tools and computer-controlled physical devices. Examples of cyber
attacks on power engineering facilities are provided, and a strategy of improving cybersecurity of hydropower
engineering systems is suggested. The architecture of the multilevel protection of the automated process con-
trol system (APCS) of power engineering facilities is given, including security systems, control systems, access
control, encryption, secure virtual private network of subsystems for monitoring and analysis of security
events. The distinctive aspect of the approach is consideration of interrelations and cyber threats, arising when
SCADA is integrated with the unified enterprise information system.

Keywords: computer security, hydropower engineering facilities, cyber attacks, APCS, SCADA
DOI: 10.1134/S0040601516130073

INTRODUCTION 1. SECURITY IN THE ERA

The current development phase of postindustrial
society is characterized by continuous information
revolution that consists in integrating Internet tech-
nologies with virtually all systems of production ACS,
power engineering and communication systems,
banking systems, and, of course, defense systems.
As a result of informatization at power production
facilities, components of automated process control
systems (APCSs) have become part of common cyber-
space. The consequences of cyberspace expansion to
ensure cyberspace security are:
(1) The versatility of the Internet as the living envi-
ronment for cyberspace makes it possible to combine
all aspects of production, financial, and sociopolitical
life into one single whole and form the transitive clo-
sure of all computer systems.
(2) Creation of possibilities in principle of avail-
ability of any Internet-related computer devices.
(3) Origin of the cybersecurity (cyberspace security)
concept characterized by the birth of a new class of
threats, determined by openness of modern IT, and new
arrangements for delivering destructive means [1, 2].
The goal of this article is to try analyze the main
trends in nascence of new threats and their routes in
hydropower engineering with the aim of drawing
experts’ attention to commingle their efforts for resist-
ing the challenges of modernity.
OF GLOBALIZATION
The combination of communication systems and
data processing tools has led to a new phase of produc-
tion process improvement in the form of continuous
tracking of process state and process–environment
interaction. With respective computation capacities, the
entire production process can thus be presented as a sin-
gle system. Not only does this system provide the possi-
bility of automated control but sometimes it can even be
self-regulating (adapting), which allows sustaining the
system in a target zone of efficient performance.
Internetization has resulted in:
(1) organizational modifications of production
designs transformed into a form suitable for distrib-
uted adaptive and remote control; and
(2) changes in concept and production designs,
which increases the share of data components, that
ensure and automatize physical components perfor-
mance, and makes it possible to refer hydropower
engineering systems to a new class of objects called
cyberphysical systems [2, 3].
Thus, informatization globalization via interneti-
zation has resulted in structural modifications of pro-
duction designs and their evolution with an increasing
share and importance of information (progressive)
components, i.e., transformed them into a cyberphys-
ical object.

948
 PROVIDING SECURITY FOR AUTOMATED PROCESS CONTROL SYSTEMS
Set of physical
components Internet
for process Corporate
implementation
enterprise
network data
Executive unit environment
for physical
process control
Control
Feedback
center
Fig. 1. Logical structure of the cyberphysical system.
2. CYBERSECURITY
OF INDUSTRIAL SYSTEMS
The concept of a cyberphysical object (or system as
a collection of such) is a convenient conceptual frame-
work for representing production and processing
designs that integrate systems of transformation of dif-
ferent kinds of energy with information-communicative
environment. This environment ensures the exchange
among components and sustainable operation of the
entire system by monitoring and automated control.
The distinct features of cyberphysical systems are
specified in [4] and include:
(1) high computerizing level, continuous telecom-
munication (data exchange) with similar systems and
communication with the Internet;
(2) availability of the center (subsystem) of auto-
mated system operation control and stable operability
sustenance under different disturbances from the envi-
ronment, including purposeful and random influences;
(3) availability of the common data space or cyber-
space that is a set of firmware for data processing and
transfer, intrasystem exchange and exchange with the
environment, systems of automated control of physi-
cal components by programmable logic controllers,
and sustenance of a given performance script suitable
for adaptive control, and also data protection cryptos-
ervers, firewalls, antiviruses, etc.;
(4) intelligent control of automated generation of
work scripts, based on automated prediction and
adaptive control, which ensures systems self-contain-
ment and reduces the dependence on the operator.
Thus, the conceptual logical design of the cyber-
physical system includes a set of connected physical
components responsible for implementing production
processes, a set of connected information components
responsible for process control at different automation
levels, and a communicative environment that ensures
data exchange within the system and with the environ-
ment and transmits control commands to actuating
units via PLCs.
THERMAL ENGINEERING Vol. 63 No. 13
949
The logical structure is shown in Fig. 1 [5].
The emergence of cyberspace is currently insepara-
ble from the concept of cybersecurity manifested in
such factors as possibility of hidden, remote, and hardly
detectable catastrophic exposures and operability
dependence of modern production systems as cyber
objects on deliberate and random computer exposures.
Commonly referred to as cyber threats or cyber
attacks [6], these phenomena have become far more
widespread in the last decade [3]; this is why it has
become necessary to protect modern power engineer-
ing, transportation, financial, and, of course, special-
purpose systems against cyber threats.
Critical systems are commonly defined as a type of
systems with a developed infrastructure in which oper-
ating troubles may be caused by cyber attacks. Hydro-
power engineering systems should be rightfully
referred to this type.
In this article, operational stability of hydropower
engineering systems as cyberphysical objects is consid-
ered specifically in terms of cybersecurity.
3. CYBERSECURITY
IN POWER ENGINEERING
The relevance of cyberspace security provision is
exemplified by data components of automated power
engineering process control systems.
The APCS is an intricate hi-tech set of hardware
and software intended to ensure automated control of
industrial, transportation, and processing equipment
and operations at production site in general or in par-
ticular production areas [5].
The APCS is a single information and telecom-
munication system with several control user inter-
faces (terminals), tools and media for transfer, pro-
cessing, and storage of information on progress of
controlled processes, and also terminating hardware
automation elements, such as sensors, controllers,
actuating units. All the APCS elements form a com-
plex supervisory control, telemetry, and communica-
tion infrastructure interconnected on the basis of
industrial APCS (SCADA) protocols.
SCADA (Supervisory Control and Data Acquisi-
tion) is a software package that is intended for develop-
ment or support of APCS operations in real-time mode
and includes subsystems of acquisition, processing, dis-
play, and archiving of information on controlled and
monitored objects and facilities. SCADA is used in
APCSs in all critical production sectors, where real-
time process control by the operator is required.
SCADA systems are packaged with supplementary soft-
ware for programming of industrial controllers (so-
called integrated SCADA systems, SoftLogic SCADA).
Currently, the most popular SCADA systems are such
software products as Simatic WinCC; CitectSCADA;
Proficy iFIX; Wonderware inTouch. All of the most
common SCADA systems are operated on the Win-
2016
950 VASILIEV et al.
Table 1. APCS security violations
No. Incident site Date
1 Queensland, Australia Oct. 2001
2 Amudsen–Scott South Pole Station Jan. 2003
Davis-Besse nuclear power
3 Jan. 2003
station in Ohio (United States)
Water supply system in Illinois
4 Nov. 2011
(United States)
dows platform, use different database control systems
and application program interfaces (APIs), and support
various remote control protocols. This aspect ensures
such strong points of APCSs as high control and
response rates, simple structure, etc. However, it also
determines the tight hierarchy and cascadeness of
APCS segments, which consists in the complicated
procedure of replacing APCS components and ava-
lanche-like response from components in case of emer-
gencies that determine the security of APCSs, safety at
industrial production facilities, and sectoral safety in
general.
The specific solution of this problem is determined
by technical characteristics of APCSs, such as
(1) distributive nature of components and hetero-
geneous (nonuniform) information and software con-
stituents, which shows in the diversity of used opera-
tion systems (OSs), communications, hardware, soft-
ware and user interfaces;
(2) geographical remoteness of informatization and
control objects and segments;
(3) active role of the human element amplified by
criticality of controlled objects or industrial cycle
technology; and
(4) absence of any universal approach and solu-
tions tailored for a specific task of controlling a partic-
ular process, sector, or production site.
3.1. Safety and Security at Power Engineering APCSs:
Problem Urgency
The Sayano-Shushenskaya power station accident
happened in 2009. It had been caused by a number of
factors, including the disordered operation of the reg-
ulating system that varied the loading of hydropower
sets with regard to the current workload of the electric
power system [7].
Incident details
Modifications of the valve operation parameters in the SCADA
system of wastewater treatment plants resulted in the discharge
of nontreated wastewater onto the city streets, into the river, and
then into the ocean
Computers responsible for controlling life-sustenance systems
hacked, money reward
required in return of the safety at the station
SQL Slammer infected the office computers and penetrated the
power station control network due to vulnerable Microsoft soft-
ware
Breakdown of a pump used to supply water to thousands
of houses
Industrial facilities in Iran have been regularly
attacked by the Stuxnet worm and its modified ver-
sions since 2010 onwards. The data stream between
Siemens Simatic Step 7 programmable logic control-
lers and Siemens Simatic WinCC workstations of the
SCADA system is intercepted and modified. Thus, a
means has been used to attempt unauthorized data
acquisition and subversions in APCS of Iranian indus-
trial enterprises, power station, and airports. The pro-
gram’s uniqueness was that it had been the first ever
case of purposeful destruction of sectoral infrastruc-
ture in history [8].
A major role in the list of APCS security threats is
played by threats to infrastructure and operation sys-
tems of SCADA systems [6]. Most APCS software
components are based on the MS Windows platform
that has traditionally contained mistakes leading to
security violations. However, whereas exposures on
general-purpose computers are eliminated by regular
software updates from the manufacturer, this is
impossible in SCADA systems because system updates
suspend process activities and may negatively affect
further operation of SCADA [5]. In addition, there are
problems solved for information systems but without
any required solution for APCSs; these problems
include errors in automated control software, vulnera-
bilities in system configuration setting, vulnerabilities
in data transmission media, vulnerabilities in con-
trolling network protocols, and absence of required
protection for data transmission lines.
Thus, the security of APCSs is an urgent task
requiring a prompt solution.
The facts of security violations in power engineer-
ing and hydrosystem APCSs are given in Table 1.
According to the analysis, the main cause of the
increasing number of security violations in APCSs is
integration with corporate systems, little consideration
given to security maintenance systems, and disregard
of network security components.
THERMAL ENGINEERING Vol. 63 No. 13 2016
 PROVIDING SECURITY FOR AUTOMATED PROCESS CONTROL SYSTEMS
Connection
to other industrial
and corporate
networks
Internet
Fig. 2. Paths of impact on APCSs at power engineering
facilities.
According to the surveys of the Ural Center for
Security Systems (UCSS) [9], even common security
tools and means are used inefficiently, which is proven
by the following facts:
(1) Of all engineering protection arrangements,
network security assurance measures of various full-
ness and sufficiency have been taken at 88% of the
facilities; moreover, the remote access and/or access
from the corporate network is ensured for APCSs in
17% of the cases.
(2) Embedded protection means are used mainly to
limit unauthorized human-machine communication
(data mart mode, etc.); at the lower level (PLCs),
these means are either unadjusted or disabled.
(3) Antivirus protection is used in 25% of APCSs;
however, virus definitions are updated only in 11% of
APCSs.
(4) System and applied software are regularly
updated only in 8% of APCSs.
That is why there were 108 incidents fixed by
ICS-CERT [3] in the first half of 2015: 20% of them
occurred in critical production areas, 13% were
power engineering incidents, and 18% occurred in
power production systems (hydropower and thermal
power plants).
The urgency of APCS-related problems that
require prompt solution and development of ground-
breaking world-class technologies is determined by
the Russian national security strategy, according to
which studies of problems in all-Russia information
structure in the globalizing world and development of
means and methods of safety and security precautions
in automated control systems are classified as priority
tasks [10, 11].
4. SPECIFIC ISSUES OF SAFETY
AND SECURITY PRECAUTIONS
FOR APCSS IN HYDROPOWER ENGINEERING
In terms of purpose, operating conditions, and
used tools and technologies, APCSs used at hydro-
THERMAL ENGINEERING Vol. 63 No. 13
951
power engineering facilities radically differ from office
systems and data processing centers. Now, we shall
enumerate the factors that directly affect the security
provision issue and must be taken into account while
elaborating the approach to protecting APCSs [12].
(1) Distributive nature of components and hetero-
geneous (nonuniform) information and software con-
stituents. APCSs are large-scale, complex, hi-tech
information hardware and software systems with a
diversity of used OS, communications, equipment,
and software and user interfaces, very often with geo-
graphically remote informatization and control seg-
ments and objects. At the same time, these systems are
designed without taking account of information secu-
rity provision requirements and, therefore, incompat-
ible with APCSs with traditional approaches to reli-
ability and security provision.
(2) APCSs are extremely conservative. Unlike con-
stantly improved and adjusted office systems regularly
updated via the Internet, software of APCS compo-
nents implemented at industrial facilities are hardly
updated at all. This is due to the fact that an embedded
software developer cannot ensure full-scale software
tests by the company; thus, the software can be tested
at real-life objects only.
(3) APCSs strongly depend on their operating envi-
ronment and are very sensitive to its modification.
Office systems are constantly developed and
reworked, and their parts can be replaced with more
modern or similar components compatible by com-
munication protocols. Moreover, an office system can
be updated by adding new components (e.g., control
and protective means) given that they support the pro-
tocols used in the system. This is critical to protection
means that must not affect the system itself but only
control its operation (data flow ciphering devices,
intruder detection systems, antiviruses, etc.). As
attested by practical use of protective means and tools,
sometimes they block the operation of the system,
which is not critical to most office applications but
may carry catastrophic effects for APCSs used at
hydropower engineering facilities.
(4) Active human influence amplified by criticality
of controlled objects and industrial cycle technologies.
At the same time, personnel usually shows insufficient
IT and information security expertise. Combined with
high operational criticality of objects, this determines
the high risk of possible attacks based on social engi-
neering.
The main violations result from the large number of
external connection lines: thus, there are huge opportu-
nities for external, sometimes purposeful influence on
information components of APCSs, which is shown in
Fig. 2.
Actually, the APCS is the intermediate link in the
general information enterprise structure and can
exchange information both with the corporate-wide
network including administrative services, industrial
2016
952 VASILIEV et al.

However, computerized ECSs are integrated with

Enterprise the common information environment and become
level part of the common cyberspace, i.e., objects of specific
Remote cyber attacks that use weak points in applied software
Shop Operator and communication control means as well as connec-
level PLC CNC station
interfaces nodes tions with the common environment. This is shown in
Industrial Fig. 4, where the telecommunication and logical con-
Robot nection among the APCS, the ECS, and the corporate-
controller PLC CNC control
level devices wide network of electric system planning and control
with permanent Internet access is given.
Peripherals I/O devices Sensors Actuating
devices A fact important to this article is that systems inte-
level grating APCSs and office networks are more vulnera-
Fig. 3. APCS hardware components available from the ble, more exposed to potential intrusions and,
enterprise data network (PLC is for programmable logic although necessary, their cybersecurity becomes a
controllers; CNC is for computerized numerical control finer link than emergency protection.
machines). Thus, one should note that it is necessary to solve
the security provision problem for APCSs at hydro-
power engineering facilities, which depends on the fol-
Data acquisition
lowing factors [14–16]:
Energy Commands Data control Enterprise
(1) possibility of localizing and identifying over the
exchange Settings center data network
Internet industrial equipment and software in local
and global networks;
APCS Emergency (2) existence of weak authorization and authenti-
protection cation means (authentication data weaved in the firm-
system ware, authentication data by default, unreliable
authentication algorithms, etc.);
Control script
(3) absence of encryption in industrial transport
Internet protocols, such as modbus, s7comm, etc.;
(4) absence of OS and application upgrades;
Fig. 4. Data exchange circuit in systems with emergency (5) dependence on the operating environment and
protection. difficulties with adopting protective means;
(6) difficult communication control (large amounts
of data);
departments, suppliers, etc. and the Internet and with (7) human influence.
specific subsystems of a hydropower plant up to the
level of controlling industrial controllers and periph-
eral equipment (Fig. 3). 5. MAIN AREAS OF SECURITY PROVISION
Thus, an operator who makes a mistake or shows FOR APCSS AT POWER ENGINEERING
negligence may cause serious troubles in a hydropower FACILITIES
system control with severe effects. An opportunity is The specifics of security provision for APCSs in
created to execute remote commands for process con- power engineering is conditioned by their technical
trol or self-regulation and automated adaptation to characteristics, such as distributed components and
variable conditions. heterogeneous information and program constituents
All power-engineering facilities are currently and geographical remoteness of informatization and
equipped with emergency control systems (ECSs). controlled objects and segments. Consequently, com-
They are intended to prevent disorders in operational mon approaches to reliability and security provision
stability of electric energy systems by defining settings do not fit for APCSs.
on the basis of monitoring data and tentative design of It can be concluded from the foregoing that emer-
specific circuit-mode, mode-balance, and emergency gency control systems do not ensure emergency pre-
situations [13] and to stop the process in case of non- vention. They are a part of the common information
routine events and inherently false commands (Fig. 4). environment and can become objects of catastrophic
Correct operation of ECSs makes it necessary to attacks.
acquire and process large amounts of data from sensors The main routes of these adverse influences result
and tracking systems that record the state of the object, from the following factors:
whereas automated acquisition of monitoring data (1) risk of bypassing ECSs or blocking them alto-
expands lists of controlled parameters and reduces the gether using their information and communication
time for elaborating emergency commands. components;

THERMAL ENGINEERING Vol. 63 No. 13 2016

 PROVIDING SECURITY FOR AUTOMATED PROCESS CONTROL SYSTEMS 953

Enterprise resource planning

ERP (accounting, procurement, marketing, etc.)
systems Enterprise resource management

Production Production performance system

management (technology management)
AECS
APCS SCADA (supervisory process
APCS control system)
Data acquisition and direct
control based on using
Data acquisition system sensors, regulators,
and actuating units
Data input-output
I/O (sensor, actuating
units, regulatory bodies)

Process facility

Fig. 5. Hierarchy of automated systems at a power engineering facility.

(2) potential spoofing or blocking of control com-
mands;
(3) human factor because, sometimes, the decision
to disable the ECS is taken specifically by the operator;
(4) threats of purposeful information onslaught on
the system and applied software of the ECS;
(5) in terms of security, the ECS can be considered
the ACS of some part of the process.
Security provision for power facilities includes a set
of specific problems aimed at protecting the informa-
tion components of the electric power system and its
whole architecture, integrating ECSs, APCSs, operat-
ing units, and communication systems as required by
the hierarchy of the information networks of the power
facility (Fig. 5).
One should take into account that there are some
problems solved for information systems but with no
coherent solution for APCSs. These problems include
errors in automated control software, vulnerabilities in
system configuration setting, vulnerabilities in con-
trolling network protocols, and absence of enciphering
for data transmission paths.
As shown in Table 2, APCSs have already gained
widespread use in Russia.
Typical protection systems developed for APCSs
based on such SCADA as WinCC, inTouch, etc.
include protection against cyber attacks, separation of
access to APCS elements, communication path con-
trol, etc.
However, when carried over to differently config-
ured APCSs, these solutions require adaptation; more-
over, they do not assure protection against all threats.
Thus, the primary phase of power facility protection
must be to recognize security threats to APCSs.
5.1 Recognition of Security Threats to APCSs
of Electric Power Systems
APCSs include hardware and software constitu-
ents. Typical hardware tools are the Master Terminal
Unit (MTU) installed in the control center, commu-

Table 2. Applications of foreign SCADA systems in Russian APCSs

Type APCS site and name

WinCC Diagnostics and information system of the turbine generator set at the Samara CHP plant
Citect SCADA APCS of the power generating set at the Stavropol SDPP
inTouch APCS of boilers and turbines at OAO (OJSC) Novosibirskenergo
iFIX APCS at CHP plant 13 of OAO (OJSC) Permenergo

THERMAL ENGINEERING Vol. 63 No. 13 2016

954 VASILIEV et al.
nication equipment, and Remote Terminal Unit
(RTU) or PLC that control mechanical drives and/or
sensors. The MTU stores and processes information
from the RTU inputs and outputs, whereas the RTU
or the PLC are responsible for local process control.
Communication hardware makes it possible to trans-
mit information and data between the MTU and the
RTU or the PLC. The software is configured to give
the following commands to the system: what query is
necessary to make and when, what are acceptable
value ranges for certain parameters, and how to react
to variations in external parameters. SCADA systems
are usually developed as failsafe systems with signifi-
cant redundancy embedded in the system architec-
ture. Specific threats typical of industrial systems are
largely determined exactly by their architectural char-
acteristics.
Security threats typical of APCSs of electric power
systems can be classified by:
(1) used types of vulnerabilities, such as organiza-
tional, configuration, software, network edge, and
communication system vulnerabilities;
(2) types of consequences, such as information dis-
closure, service denial, access denial, control denial,
presentation denial, presentation substitution;
(3) threatened objects, such as SCADA, PLC, OS
and infrastructure, transport protocols.
We should mention such typical industrial threats
as presentation denial and presentation substitution:
they are usually fulfilled by user substitution (spoof-
ing) attacks, and the result is either that the APCS
operator loses control of the system or receives unreli-
able information and does not notice occurrence of
emergencies.
There are several basic standards that combine
industrial protocols describing network interfaces and
bus field requirements (ANSI/ISA-50.02, IEC 62026,
IEC 61158, IEC 61784, IEC 61918); however, there is
no common standard. Almost all the described proto-
cols are required to function in real-time mode, which
is why most of them have no embedded security pro-
vision tools, neither enciphering, or digital signature.
5.2 General Layout of the Security Architecture
of APCSs Used in Electric Power Systems
To resist the foregoing threats while designing the
network architecture, we recommend separating the
SCADA network from the corporate-wide network for
sweeping the APCS. The strict control of changes in
the network equipment operation, configuration, and
software is inappropriate in the corporate-wide net-
work. The SCADA network traffic flowing in the cor-
porate-wide network can be easily intercepted or
exposed to DoS attacks. In case of separate networks,
the SCADA network must remain unaffected by secu-
rity and capacity problems of the corporate-wide net-
work [3, 12, 17].
The reality is that the SCADA must be connected
to the corporate-wide network. This connection is a
serious security threat, and due attention should be
given to its development and actualization. If the net-
works must be connected, we recommend introducing
a minimal number of connections passing through the
firewall (FW) and the demilitarized zone (DMZ). The
DMZ is a separate network segment directly con-
nected to the FW. The servers with the APCS data, the
access to which must be gained from the corporate-
wide network, are placed in this network segment;
however, these systems must be available from the cor-
porate network. The minimal access through the FW,
including the opening of only those ports that are nec-
essary for certain means of communication, are
allowed for any external relations (Fig. 6) [2, 12, 14].
The main trend in the development of APCSs is
consolidation of industrial and corporate-wide net-
works. The fact that APCSs have a long service life of 15
to 20 years, use specialized means of communication
(consequently, a lot of different protocols), and were
designed without taking account the required informa-
tion security provision attests to increased risks of secu-
rity violations of APCSs integrated with corporate-wide
IT systems. Technologies for protection of initially
unprotected control systems are based on network seg-
regation, logical separation of the control network from
the corporate-wide network, and use of firewalls.
Industrial equipment manufacturers do make attempts
to embed security functions (authentication, password
protection of PLC); without additional protective
means, however, these APCS components remain
unprotected because of their architecture designed
without regard to IS requirements.
The main areas of security provision for APCSs at
power facilities must include [3, 5, 16]:
(1) Security provision arrangements, such as
(a) elaboration of security policies and procedures;
(b) evaluation of risks and exposures;
(c) personnel training and advanced employee
training in security matters.
(2) Control network security provision measures,
such as
(a) determination of external network communica-
tion paths of APCSs;
(b) control of all communication paths via firewalls;
(c) distinguishing of several demilitarized zones;
(d) logical separation of the control network.
(3) APCS security control, including
(a) user identity check;
(b) access control;
(c) information auditing;
(d) enciphering;
(e) virtual private network (VPN).
(4) Monitoring:
THERMAL ENGINEERING Vol. 63 No. 13 2016
 PROVIDING SECURITY FOR AUTOMATED PROCESS CONTROL SYSTEMS 955

Modem Data Applica- Configu-

pool acquisition tions DB ration HMI Engineering
server server Historian server server devices workstation
ATS
PLC
Field bus
Infrastructure SCADA LAN
for access Web server Log history
to field devices DB Security Authenti-
server cation
External server
WEB DMZ
Remote VPN
DB DMZ
archiving access
Remote Security DMZ
corporate network Authentication DMZ
ATS Applica-
Corporate Worksta- tions WLAN
connect access
server tions server Mail server FTP server point
Modem
pool DNS server Authenti-
Internet cation
Web server server
Corporate LAN
DNS DMZ
Mail DMZ
Web DMZ
External communication FTR DMZ
infrastructure Corporate Authentication DMZ
FW
Intruder detection system Wireless DMZ

Fig. 6. Architecture of multilevel protection of APCSs at power engineering facilities.

(a) comprehensive monitoring of system events,
security event recognition and analysis;
(b) system security testing.
CONCLUSIONS
Security tools can be efficiently integrated with
APCSs at hydropower engineering facilities on the
condition that a comprehensive program is developed
and implemented from a definition of goals and oper-
ations up to full-scale audit and improvement plans.
An efficient security strategy for APCSs must include
deep protection and hierarchically structured security
tools and means to minimize effects of breakdowns of
any mechanisms whatever.
REFERENCES
1. K. Andersson, Cybersecurity: Public Sector Threats and
Responses (CRC, Boca Raton, FL, 2012).
2. Critical Infrastructure Protection II, Ed. by M. Papa and
S. Shenoi (Springer-Verlag, New York, 2012).
3. Y. S. Vasiliev, P. D. Zegzhda, and V. I. Kuvshinov, “Mod-
ern problems of cybersecurity,” Nonlinear Phenom.
Complex Syst. (Minsk, Belarus) 17 (3), 210–214 (2014).
http://www.j-npcs.org/online/vol2014/v17no3p210.pdf.
4. R. Axelrod and R. Iliev, “Timing of cyber conflict,” Proc.
Natl. Acad. Sci. U. S. A. 111 (4), 1298–1303 (2014).
www.pnas.org/cgi/doi/10.1073/pnas.1322638111.
5. K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, and
A. Hahn, “Guide to industrial control systems (ICS)
security. Revision 2,” (Available from National Insti-
tute of Standards and Technology, Special Publication
800-82 Revision 2, 2015). http://dx.doi.org/. doi
10.6028/NIST.SP.800-82r2
6. F. B. Schneider, “Blueprint for a science of cybersecu-
rity,” The Next Wave 19 (2), 47–57 (2012).
7. Report on Technical Investigation on Causes of the Acci-
dent that Occurred on August 17, 2009 at the Filial
Branch of the OJSC “RosHydro” — P. S. Neporozhny
Sayano-Shushenskaya Hydroelectric Power Plant,
(Fond Nats. Energ. Bezop. (FNEB), 2009). http://
www.energystate.ru/news/files/Sayano-Shushenskaya-
GES–akt-rassledovaniya.pdf.
8. Stuxnet Code Analysis (ESET, 2010; Symantec, 2011;
Nauchn. Tsentr “NATsILUS”, 2011). http://aroundcyber.
files.wordpress.com/2012/11/stuxnet-codeanalys-rus.pdf.
9. UTsSB — Ural Center of Security Systems.
http://www.ussc.ru/about/.
10. Yu. S. Vasil’ev, D. P. Zegzhda, P. D. Zegzhda, and
T. V. Stepanova, “Towards technological indepen-
dence of Russian cybersecurity branch,” in Probl. Inf.
Bezop. Komp’yut. Sist., No. 4, 17–29 (2014).
11. Yu. S. Vasil’ev and D. P. Zegzhda, To the Question of
Cyber Security of Autonomous Control Systems in Power
Engineering (S. Peterb. Gos. Politekh. Univ., St. Peters-
burg, 2015) [in Russian].
12. R. R. R. Barbosa, R. Sadre, A. Pras, “Difficulties in
modelling SCADA traffic: A comparative analysis,” in

THERMAL ENGINEERING Vol. 63 No. 13 2016

956 VASILIEV et al.
Proc 13th Int. Conf. “Passive and Active Measurement”
(PAM 2012), Vienna, Mar. 12–14, 2012 (Springer-Ver-
lag, Berlin, 2012), pp. 126–135.
13. B. Zhu, A. Joseph, S. Sastry, “A taxonomy of cyber attacks
on SCADA systems,” in Proc. 2011 Int. Conf. on Internet of
Things and 4th Int. Conf. on Cyber, Physical and Social
Computing (iThings/CPSCom), Dalian, China, Oct. 19–
22, 2011 (IEEE, 2011). http://www.researchgate.net/
publication/254049910. doi 10.1109/iThings/CPSCom.
2011.3410.1109/iThings/CPSCom.2011.34
14. P. D. Zegzhda, T. V. Stepanova, and A. I. Pechenkin,
“Security of power system ICS, which implement
industrial network communication protocols,” Izv.
Ross. Akad. Nauk, Energ., No. 5, 59–64 (2013).
15. P. D. Zegzhda, “Modern state of cyber security,” in
Proc. 24th Sci.-Pract. Conf. “Methods and Technical
Tools of Information Security,” June 29–July 2, 2015
(S.-Peterb. Politekh. Univ., St. Petersburg, 2015),
pp. 16–20.
16. Yu. S. Vasil’ev and P. D. Zegzhda, “Information secu-
rity in hydropower engineering,” in Abstracts 9th Sci.-
Pract. Conf. “Hydropower. New Developments and Tech-
nologies,” St. Petersburg, Oct. 22–24, 2015 (Vseross.
Nauchno-Issl. Inst. Gidrotekh. B. E. Vedeneeva,
St. Petersburg, 2015), Part 1, p. 31.
17. S. Baker, N. Filipiak, and K. Timlin, In the Dark: Cru-
cial Industries Confront Cyberattacks (McAfee Rep.,
2011). http://www.mcafee.com/us/resources/reports/
rp-critical-infrastructure-protection.pdf.
Translated by S. Kuznetsov
THERMAL ENGINEERING Vol. 63 No. 13 2016