2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).
Taxonomy of attacks on Industrial Control
protocols
Zakarya DRIAS Ahmed SERHROUCHNI
Schneider Electric Telecom ParisTech
Carros, France Paris, France
Zakarya.drias@schneider- Ahmed.serhrouchni@telecom-
electric.com paristech.com
Abstract— Industrial control systems (ICS) are highly distributed
information systems used to control and monitor critical infra-
structures such as nuclear plants, power generation and
distribution plants, Oil and Gas and many other facilities. The
main architecture principles of ICS are; real time response, high
availability and reliability. For these specific purposes, several
protocols has been designed to ensure the control and supervision
operations. Modbus and DNP3 are the most used protocols in the
ICS world due to their compliance with real time needs. With the
increasing of the connectivity to the internet world for business
reasons, ICS adopted Internet based technologies and most of
communication protocols are redesigned to work over IP. This
openness exposed the ICS components as well as communication
protocols to cyber-attacks with a higher risk than attacks on
traditional IT systems. In order to facilitate the risk assessment of
cyber-attacks on ICS protocols we propose a taxonomy model of
different identified attacks on Modbus and DNP3.the model is
based on the threat origin, threat type, attack type, attack
scenario, vulnerability type and the impact of the attack. We
populate this Taxonomy model with identified attacks on Modbus
and DNP3 from previous academic and industrial works.
Keywords—ICS, Modbus, DNP3, Attack Taxonomy
I. INTRODUCTION
Industrial control systems is a large term used to describe
several types of systems such as, DCS (Distributed Control
systems), SCADA (Supervisory Control and data Acquisition),
IAS (Industrial Automation system), IACS (Industrial
Automation and Control Systems) or even PLC(Programmable
Logic Controller). ICS are typically used in industries such
Power plants, Water and waste water facilities, Oil and Gas
refineries and distribution, Nuclear plants …etc. These control
systems are critical to the operation of critical infrastructures
that are often highly interconnected and mutually dependent
systems. It is important to note that approximately 90 percent
of the critical infrastructures operate many of the industrial
processes mentioned above [13] SCADA systems are a set of
Software and hardware used generally in the control and
monitoring of geographically dispersed assets and process (Ex:
Gas Distribution) where the centralization of data acquisition
and control are critical to System Operation. Where the DCS is
generally focused on the automatic control of a process usually
within a closed area (Ex: Gas Refineries).
Understanding how ICS work requires a basic understanding
of the underlying communication protocols and their semantic.
In the Industrial automation and control sector, many
specialized protocols are used today for different purposes,
control commands, Monitoring, real time data exchange.
Those Protocols are designed to ensure efficiency, Reliability
and precision real time operation. Therefore, any other
inefficient functions are taken off the protocol. Unfortunately,
978-1-4673-9265-5/15/$31.00 ©2015 IEEE
Olivier VOGEL
Schneider Electric
Carros, France
Olivier.vogel@schneider-
electric.com
this usually includes the security functions and features such
as authentication and encryption which expose the protocol
users to a security threats. Another source of vulnerabilities is
the convergence of the protocols to run over IP networks to
meet the evolving needs of the business. The most used
protocols in the ICS are DNP3 and Modbus. DNP3 is widely
used in the energy sector where the control system is
monitoring and controlling geographically dispersed
outstation. Modbus protocol is used for the communication
inter- controller or between controller and field devices where
the real time operations are required.
Both protocols are specified to be easy to use but without any
security awareness. This lack of security in DNP3 and Modbus
motivated us to conduct an investigation on the different
attacks on both protocols and build a generic taxonomy model
for attacks on communication protocols in general and
industrial control protocols in particular in order to simplify
the risk analysis. Our study takes into account only attacks on
IP based protocols, since all the field protocols are converging
to be integrated to the IP stack.
This paper is structured as the following; in section II, we
start with an overview of industrial control protocols in typical
control system architecture with a deep focus on Modbus and
DNP3. In section III, we follow by proposing the attack
taxonomy model and several attack on Modbus TCP and
DNP3 identified in academic and industrial works. In section
IV, we populate the taxonomy model by identified attacks. We
conclude by discussing our perspectives and future works.
II. OVERVIEW ON INDUSTRIAL CONTROL PROTOCOLS
In ICS architectures the communication protocols are used in
the different architecture layers; corporate network, operation
network (Control Room), and control network respecting the
operational constraints of each network. Corporate network
protocols are similar to ones used in the IT systems where in
Operation and control networks, customized and proprietary
protocols are used to guarantee the required performances,
reliability and precision in Control and supervision operations.
Figure 1 is illustrating the different protocols most used in ICS
layers. The critical part in automation system architecture is
the communication between the Control room and Control
network Devices, as well as inter-communication between
control devices (PLCs, RTUs) . The most used protocols for
those communications are; DNP3 and Modbus that we detail
in the following subsections.
A. Modbus Protocol
Modbus is an application layer protocol commonly used in
control systems. It was published initially by Modicon in
1979, and the protocol standards are now managed by the
2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).
Figure 1 Overview of communication protocols in Typical ICS
Architecture
Modbus foundation. Modbus is one of the most widely used
control systems protocol for monitoring and controlling
purposes [17].Originally, Modbus was running over serial
communication channels. The protocol was extended to run
over TCP communications and there are gateway products that
convert serial Modbus to Modbus TCP and vice versa.
Modbus was created for real time purposes in order to receive
and send commands to controllers and field devices. While
designed, security has not been taken into account, which
makes from Modbus a point of failure in ICS architecture.
Modbus has two variants, Modbus serial and Modbus TCP, in
our work we focus only on Modbus TCP as it is the most used
nowadays. The Modbus TCP protocol stack is showed in
Figure 2; where Modbus message is encapsulated in TCP
packet. For a connection between the Modbus client and
server, the server (Slave) listens on the port number 502.
Modbus is a Request /Response protocol where there is no
exception reporting. The protocol message format is detailed
in the figure 3. Modbus Message consists on Modus
Application Protocol (MBAP) header and Modbus Application
PDU. The MPAB contains four fields; transaction identifier,
Protocol identifier, Length, Unit Identifier. Transaction
identifier allows matching the request and responses while the
protocol identifier the application protocol encapsulated by the
MBAP, for example Modbus is designated by 0. The length
field indicates the length of the required data including Unit
ID and, functional code and function parameters. The function
code indicates the transaction type. In Modbus specification
[18] we find 127 function codes with the ability to implement
customized functional codes. Some examples of function
codes are: FC 1 – Read Coils, FC 6 – Write Single Register,
FC 7 – Read Exception Status, FC 17 – Report Slave ID.
Reference [18] details the function codes of Modbus.
Figure 2 Example of Modbus Master Slave exchange
Figure 3 Modbus TCP Message Structure
Figure 4 Modbus TCP Protocol Stack
B. Distributed Network Protocol (DNP3)
DNP3 is an application layer protocol developed by GE Harris
in early 1990s. The aim of the protocol is to define how to
communicate the control command between SCADA devices
in dispersed geographical areas. The first priority of DNP3 is
to ensure the reliability of the communication between the
SCADA master (DNP3 Client) and remote outstations (DNP3
server). While created, DNP3 was a serial protocol but the
openness of Industrial control systems on internet technologies
and the need of simplifying the access to remote outstations
led to extend DNP3 to work on IP, by encapsulating DNP 3
Data frame in TCP and UDP Packets [17].
DNP3 reliability is due to the frequent use of CRC checks for
any exchange between Master and slaves in addition to the
TCP CRC. Unlike Modbus, DNP supports bidirectional
communication flows; therefore, the outstation (Slave) can
initiate a communication with the master for alarming
purposes. Later in this chapter we detail the different use cases
of DNP3 protocol. A master sends a request message to the
salve, with a specific Class and command. Initially the master
polls the point values for monitored data using the command
Read and class 0, then stores them the master database as static
reference data points, then it polls the events data by sending
Read command on the class 1, 2, 3 which corresponds to the
buffers of the slave the polled data are compared with the
static data.
Figure 5 DNP3 Master Slave Exchange
2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).
The slave can be configured to report the content of the buffer
1, 2, 3 as unsolicited messages. The figure 5, shows the format
of DNP3 message, and specifies DNP3 request and reply
messages in the application layer of TCP/IP stack.
The application header of the DNP3 contains an application
layer Byte to indicate the message control information such as
dealing with large responses that may exceed the buffer size.
The functional code field indicates the purpose of both request
and reply message. In DNP3 specification [17], we find 23
defined function codes for request classified into six
categories; Transfer function, control function, freeze function,
application control function, configuration functions and time
synchronization functions. A reply message can be:
Confirmation, Response or unsolicited response. The
Application header incorporates two bytes with a specific
function for each bit to indicate errors in the master or the
slave such as Slave restart, Function code not supported and
unknown request. Following the application header, the Data
section of DNP3 message is a set of data objects that
encapsulated the requested data by the Master or in the
unsolicited messages. Figure 4 and is an example of DNP3
exchange between master and slave.
Unlike Modbus, DNP3 supports today, two authentication
modes; shared key authentication between the master and
slave and certificate based authentication. In our paper we
don't focus on the DNP3 secure, as it is not widely used since
the key management in the SCADA systems is still not
standardized.
Figure 6 DNP3 Message structure
Figure 7 DNP3 Protocol Stack
III. ATTACK TAXONOMY MODEL
st
In April 21 2011, the most sophisticated attack against a
control system has been discovered by Symantec known as
"Stuxnet" [1]. Stuxnet exploited several zero day
vulnerabilities in Windows to take control of the control-
command software installed in the control room of the Iranian
nuclear facility. Its main target is to damage the control system
by reprogramming the PLCs to change their behavior from the
one set up by the asset owner to a behavior set by the attacker.
Since Stuxnet attack, the security of ICS is becoming the
highest priority of the critical infrastructures owners.
Most works on attacks taxonomy have focused on the
classification of attacks for the IT systems such as [2], [3], [4],
communication standards and protocols [5], [6]. Other works
has focused on the attack taxonomy for SCADA systems
which categorized the attacks based on their target in the
SCADA component by listing each attack description and the
vulnerability exploited by the attacker [7], [8], and [11].
Huitsing et al [9], East and al [10] have proposed taxonomy of
cyber-attacks on industrial protocols by enumerating the
cyber-attacks on the protocols regardless the implementation
of the vendors. Their taxonomies were missing a generic
model for attack on communication protocols and were
specified to each protocol.
In our paper the main objective is to build taxonomy of attack
on most common used industrial protocols in order to simplify
the risk analysis in the industrial facility using those protocols.
Other sub objectives are:
 Construct a model of cyber-attack classification for
industrial communication protocols with a specification of key
design principles of the protocols and the context of usage in
order to determine the critical flows. The model should be able
to generate the taxonomy.
 The model should be open to be enriched, we mean by
enrichment adding new threats, attack target and other Attack
scenarios.
 The model should contain different levels of details on an
attack. Due to privacy matters in some attacks or
vulnerabilities disclosure, an attack may be incomplete or
missing some details on the exploitability. In this case we
assume all possible attack scenarios presented in the
taxonomy. Any false scenario will be taken off when the real
attack is disclosed.
These four goals led us to propose a model of attack taxonomy
that we call "TAVI" the proposal of this model for ICS
protocols attack taxonomy is an adaptation of the AVT model
proposed by Fleury and al [12] to be more focusing on
communication protocols and to simplify their related risk
analysis. The following is detailing the attack taxonomy
model actors:
 Threat origin: following NIST SP800-82 R2 [13],
industrial control systems in general and protocols in
particular are threaten by numerous threat vectors
including; Attackers , Bot-network Operators, Criminal
groups, foreign intelligence systems, Insiders, Phishers,
Spammers, Spyware/malware Authors, Terrorists and
industrial spies. For more details on the threat vectors refer
to [13].
 Threats: Based on the definition in [14] a threat is
"Any circumstance or event with the potential to adversely
impact organizational operations (including mission,
functions, image, or reputation), organizational assets, or
individuals through an information system via
unauthorized access, destruction, disclosure, modification
of information, and/or denial of service. Also, the potential
for a threat-source to successfully exploit particular
information system vulnerability". Therefore, we
categorize the threats into five major categories; Spoofing,
Data Tempering, Disclosing data, Denial of service and
elevation of privileges. An attack on ICS protocol is part of
one or several threat categories.
2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).
Threats
Threat Origin Threat Type
Attacker Spoofing
Bot-Network Operator Data Tampering
Criminal group Data Disclosure
Foreign Intellegence systems Elevation of priveleges
Insiders
Phishers
Spammer Authors
Industrial spies
Attack Scenario: is the description of actions that an
attacker to sabotage the protocol parties; client, server and
communication layer. Fluery et al [12] details a list of
attack scenarios such as, Probe, Scan, Flood, Authenticate,
Bypass, Spoof, Eavesdrop, Misdirect, Read/Copy,
Terminate, Execute, Modify, and Delete. Part of these
attack actions applies to our case of study; DNP3 and
Modbus which will be detailed later in this paper.
 Attack Target: the attack target is the portion of the
protocol specification that attacker is targeting, we identify
three important parts in the protocol description; Client,
Server and communication layer (Network). In our
taxonomy model, an attack is targeting the client, the
server, as well as the communication layer.
 Vulnerability type: Vulnerability describes the
weak part of the protocol specification that makes it
exploitable by a threat using one of the attack scenarios
previously discussed. A vulnerability type is a lack of
security principles; Availability, Integrity and
confidentiality. We categorize all vulnerabilities in those
three high level categories; Lack of availability, lack of
integrity and lack of confidentiality.
 Impact: the impact of an attack is about calculating
the risk level associated to this attack [15]. For risk level
estimation, we use the Common vulnerability Scoring
system (CVSS) .CVSS is a universal and free scoring
system for disclosed vulnerabilities. Houmb et al [16]
Specifies the CVSS algorithms and the different metrics
used to determine the final score for vulnerability and how
to deduct its related impact. In our case all the previous
taxonomy model entries are inputs of the CVSS.
IV. TAXONOMY OF ATTACKS ON MODBUS AND DNP3
In this section we describe the different attacks on Modbus
TCP and DNP3 that we identified in [9], [10] and published on
[17]. Then, we populate the taxonomy model that we proposed
with attacks on Modbus TCP and DNP3. Note, that attacks
that we discuss in the following sections are targeting the
protocols specification. Table 2 resumes the population of the
taxonomy model with the different attacks on Modbus TCP
and DNP3.
A. Attacks on Modbus:
We assume that most of attacks on Modbus TCP rely on the
ability to implement interception, modification and generation
mechanisms. All Modbus TCP implementations today in the
ICS market do not implement security features, which confirm
our assumption. The following are published attacks and
Modbus TCP discussed in [9] and [17].
Attack Vulnerability Impact (CVSS)
Attack Scenario Attack Target Vulnerability Type
Probe Client (Master) Lack of Availability
Scan Server (Salve) Lack of Intergrity
Flood Communication layer Lack of Confidentiality
Authenticate
Bypass
Spoof
Eavesdrop
Misdirect
Read/Copy
Terminate
Execute
Modify
Delete
Table 1 TAVI Attack taxonomy model
1) Broadcast Message Spoofing (M1):
The attack is about sending faked broadcast messages to
Modbus server in the device, which doesn't answer to the
Modbus client but executes any action added to the Modbus
message in order to modify the behavior of the Field device.
Unfortunately the switches cannot completely filter the
broadcast traffic. This attack scenario is possible only in the
case of using Modbus gateway from Ethernet to serial
devices and requires a Modbus protocol sniffer and Modbus
message generator.
2) Baseline response replay (M2): This attack involves
recording Modbus messages between a Modbus client and a
Modbus server, and replaying some of the recorded
messages back to the Server. This attack exploits the fact
that non CRC is used in the Modbus TCP specification.
3) Direct Slave Control (M3): This attack involves locking
out a master (client) and controlling one or more field
devices. This attack consists on spoofing the identity of the
existing Modbus client and taking the control on the device
embedding Modbus server. Spoofing the identity dos not
require a sophisticated effort as the client identity is only
related to its IP address.
4) Modbus Network Scanning (M4): This attack involves
sending benign messages to all possible addresses on a
Modbus network to obtain information about field devices.
5) Passive Reconnaissance (M5): This attack involves
passively reading Modbus messages or network traffic. This
attack helps the attacks to profile the process details by
reconstructing the device application.
6) Response Delay (M6): This attack involves delaying
response messages so that the master receives out-of-date
information from slave devices. This attack intends to
sabotage the supervision in case of the command in the
Modbus message is a diagnostic message. Or interrupt the
process if the command in the message is to execute a
function in the Device application, then the client will
resend the same message and flood the device by the same
Modbus message or deduct that the device is out of the
network which will false alarm the operator to take an
inappropriate action.
7) Man in the middle attack (M7): This attack involves
introducing a computer with the appropriate (serial or
Ethernet) adaptors to an unprotected communication link.
This man in the middle device is embedding a client and
Modbus server; therefore it can read, modify and fabricate
Modbus messages to or from the device. This attack is
known to be the most dangerous attack on Modbus
protocols as it can take the full control of both protocol
parties; client and server in the same time.
 2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).

Protocol Threats Attack Vulnerability Impact

Attacks
Modbus CVS S
attacks Threat Origin Threat Type Attack S cenario Attack Target Vulnerability Type S core
Lack of integrity
M1 Attacker, Insiders, Botnet Operator Spoofing, Data tampering Spoof, Authenticate bypass Server (Slave) 7.8
Lack of confidentiality
Scan, Probe, authenticate
M2 Attacker, Insiders, Criminal group Spoofing, Data tampering Server (Slave) Lack of integrity 6.9
bypass
Probe,
Lack of integrity
M3 Attacker, Insiders, Criminal group, Spoofing,Data disclosure AuthenticateBypass,Delete, Client /server 9.2
Lack of availability
modify, execute, terminate
Industrial spies, Attacker, Criminal Client, Server,
M4 Data disclosure Scan Lack of confidentiality 2.9
group, Botnet operator, Communication layer
Industrial spies, Attacker, Criminal Read/copy, Authenticate client, server,
M5 Data Disclosure Lack of confidentiality 2.9
group, Botnet operator,Insiders Bypass communication layer
Attacker, Criminal group, Botnet Lack of integrity, Lack
M6 Data tampering M isdirect, Eavesdrop, Flood Client 7.8
operator,Insiders, Spammer authors of availability
Probe,Scan, Flood,
Spoofing, Data tampering, Authenticate bypass, Spoof, Lack of integrity,lack of
Attacker, Criminal group, Botnet Cient , server,
M7 Data disclosure,Elevation of Eavesdrop, M isdirect, confidentiality, lack of 10
operator,Insiders, Spammer authors communication link
privileges Read/Copy, Terminate, availability
Execute, M odify,Delete
DNP3
Attacks
Industrial spies, Attacker, Criminal Read/copy, Authenticate server, communication
D1 Data Disclosure Lack of confidentiality 2.9
group, Botnet operator,Insiders Bypass layer
SCAN, Probe, authenticate
D2 Attacker, Insiders, Criminal group Spoofing, Data tampering Server (Slave) Lack of integrity 6.9
bypass
Probe,Scan, Flood,
Spoofing, Data tampering, Authenticate bypass, Spoof, Lack of integrity,lack of
Attacker, Criminal group, Botnet Cient , server,
D3 Data disclosure,Elevation of Eavesdrop, M isdirect, confidentiality, lack of 10
operator,Insiders, Spammer authors communication link
privileges Read/Copy, Terminate, availability
Execute, M odify,Delete
Attacker, Criminal group, Botnet Lack of integrity,lack of
D4 Data tampering M isdirect communication link 4.9
operator,Insiders availability
Authenticate Bypass, Spoof
Attacker, Criminal group, ,Insiders, Data tampering, elevation of Lack of integrity, Lack
D5 Execute,M odify Server 9.2
Spammer Author privileges,Spoofing of availability

Authenticate Bypass,Spoof
Attacker, Criminal group, ,Insiders, Data tampering, elevation of Lack of integrity, Lack
D6 Execute,M odify,delete Server 9.2
Spammer Author privileges,Spoofing of availability

Attacker, Criminal group, ,Insiders, Data tampering, elevation of Lack of integrity, Lack
D7 Execute, M odify Server 9.2
Spammer Author privileges,Spoofing of availability

Attacker, Criminal group, Botnet
D8
operator,Insiders, Spammer authors
Spoofing, Data tampering,
Data disclosure,Elevation of
privileges
Probe,Scan, Flood,
Authenticate bypass, Spoof, Lack of integrity,lack of
Cient , server,
Eavesdrop, M isdirect, confidentiality, lack of 10
communication link
Read/Copy, Terminate, availability
Execute, M odify,Delete

Table 2 Taxonomy of Attacks on Modbus /TCP and DNP3

4) Transport Sequence Modification (D4): The Sequence

B. Attacks on DNP3:
We take into account the same assumptions on the ability to
intercept, modify and generate DNP3 messages.
1) Passive network reconnaissance (D1): An attacker able to
access the control room or the outstation captures and
analyzes DNP3 messages. This attack is similar to the
Passive network reconnaissance on Modbus TCP. The goal
of this attack is to get information on the topology of
control network, devices functions and device control
application.
2) Baseline Response Replay (D2): An attacker with
knowledge of normal DNP3 traffic patterns simulates
responses to the master while sending fabricated messages
to outstation devices
3) Man in the middle (D3): An attacker installs a “man-in-
the-middle” device between the master and outstations that
can read modify and fabricate DNP3 messages and/or
network traffic.
field is used to ensure in-order delivery of fragmented
messages. The sequence number increments with each
fragment sent, so predicting the next value is trivial. An
attacker who inserts fabricated messages into a sequence of
fragments can inject any data and/or cause processing
errors.
5) Outstation Write Attack (D5): This attack sends a DNP3
message with Function Code 2, which writes data objects to
an outstation. The attack can corrupt information stored in
the outstation’s memory, causing an error or overflow.
6) Clear Objects Attack (D6) This attack sends a DNP3
message with Function Code 9 or 10 to freeze and clear
data objects. The attack can clear critical data or cause an
outstation device to malfunction or crash. Note that the
attack involving Function Code 10 is problematic because a
message with this function code does not require an
acknowledgement.
 2015 International Conference on Protocol Engineering (ICPE) and International Conference on New Technologies of Distributed Systems (NTDS).
7) Outstation Data Reset (D7): This attack sends a DNP3
message with Function Code 15. The attack causes an
outstation device to reinitialize data objects to values
inconsistent with the state of the system.
8) Configuration Capture Attack (D8): This attack sends a
message with the fifth bit in the second byte of the IIN set,
which indicates that the configuration file of the targeted
outstation is corrupted. The attack causes the master to
transmit a new configuration file, which is intercepted by
the attacker. A separate attack is then executed to modify
and upload the file to the targeted outstation.
In table 2 we apply the attack taxonomy model on the
described attacks on Modbus TCP and DNP3 with applying a
CVSS scoring to each attack based on the different entries of
the taxonomy model as an impact analysis. The result of the
impact analysis indicates which attack is may have a
catastrophic impact on the infrastructure deploying both
protocols. In our analysis we conclude that both Man in the
middle attack and spoofing attack disclose the highly risky
vulnerabilities in the design of the protocols; lack of
authentication and miss of integrity.
V. CONCLUSION AND FUTURE WORKS
In this paper we conducted an analysis of attacks on most used
industrial control protocols, DNP3 and Modbus. We discussed
in details the semantic of both protocols and defined a
taxonomy model for attacks on both protocols which we
populated with different attack identified in prior researches on
attacks on ICS. This taxonomy simplifies the risk analysis
related to cyber-attacks on ICS in general and control
protocols in particular. In a future work we will exploit the
results of this taxonomy to conduct a risk assessment on ICS
in prior design stage and to define the security counter
measure by including security requirement and services in the
ICS Design steps. These security services are mutual
authentication between two communicators and cryptographic
mechanisms to protect the integrity of data in transit and data
in rest in both Modbus TCP and DNP3. Redesigning the
protocols to include security services of integrity and
authentication is the subject of our next work. The ultimate
goal is to standardize the services that we will include to the
protocols.
REFERENCES
[7] Octavio Nieto-Taladriz Garcia Security in Embedded Systems
Challenges and Oportunities, International Conference on Emerging
Security Information, Systems and Technologies, Securware 2007
[8] Srivaths Ravi, Anand Raghunathan, Paul Kocher and Sunil Hattangady
Security in embedded systems: Design challenges, ACM Transactions
on Embedded Computing Systems (TECS), vol.3, no.3, pages 461–
491,2004.
[9] Huitsing, P., Chandia, R., Papa, M., & Shenoi, S. (2008). Attack
taxonomies for the Modbus protocols. International Journal of Critical
Infrastructure Protection, 1, 37-44
[10] East, S., Butts, J., Papa, M., & Shenoi, S. (2009). A Taxonomy of
Attacks on the DNP3 Protocol. In Critical Infrastructure Protection III
(pp. 67-81). Springer Berlin Heidelberg.
[11] Zhu, B., Joseph, A., & Sastry, S. (2011, October). A taxonomy of cyber-
attacks on SCADA systems. In Internet of things (iThings/CPSCom),
2011 international conference on and 4th international conference on
cyber, physical and social computing (pp. 380-388). IEEE.
[12] Fleury, T., Khurana, H., & Welch, V. (2008). Towards a taxonomy of
attacks against energy control systems. In Critical Infrastructure
Protection II (pp. 71-85). Springer US.
[13] STOUFFER, Keith, FALCO, Joe, et SCARFONE, Karen. Guide to
industrial control systems (ICS) security. NIST special publi-cation,
2011, p. 800-82
[14] Gutierrez, C. M., & Jeffrey, W. (2006). Minimum security requirements
for federal information and information sys-tems. Federal Information
Processing Standards Publica-tion, 17.
[15] Houmb, Siv Hilde, and Virginia NL Franqueira. "Estimating ToE risk
level using CVSS." Availability, Reliability and Security, 2009.
ARES'09. International Conference on. IEEE, 2009.
[16] KNAPP, Eric D. et LANGILL, Joel Thomas. Industrial Network
Security: Securing critical infrastructure networks for smart grid,
SCADA, and other Industrial Control Systems. Syngress, 2014.
[17] DigitalBond, Modbus TCP.
http://www.digitalbond.com/scadapedia/protocols/modbus-2
[18] MODBUS, I. D. A. Modbus application protocol specification v1.
1a. North Grafton, Massachusetts (www. modbus. org/specs. php), 2004.

[1] Nicolas Falliere, Liam O Murchu, and Eric Chien, W32. Stuxnet Dossier
, Symantec Security Response, Version 1.4 February 2011,
[2] Simon Hansman, Ray Hunt, A taxonomy of network and computer
attacks, Computers & Security,DTD5, 2004.
[3] John D. Howard, An Analysis Of Security Incidents On The Internet
1989 - 1995, dissertation, Carnegie Mellon University, April 1997.
[4] Kevin S. Killourhy, Roy A. Maxion and Kymie M. C. Tan,A Defense-
Centric Taxonomy Based on Attack Manifestations, Proceedings of
International Conference on Dependable Sys-tems & Networks:
Florence, Italy, 28 June - 01 July 2004.
[5] Daniel Lough, A Taxonomy of Computer Attacks with Applications to
Wireless Networks, Ph.D Thesis, Virginia Polytechnic Institute and State
University, 2001
[6] MO Chun Man and Victor K. Wei, A taxonomy for attacks on mobile
agent; EUROCON’2001, Trends in Communications, International
Conference on. Volume 2, 4-7 July 2001 Page(s):385 - 388 vol.2