=Paper= {{Paper |id=Vol-1830/Paper90 |storemode=property |title=Dynamics of SCADA System Malware: Impacts on Smart Grid Electricity Networks and Countermeasures |pdfUrl=https://ceur-ws.org/Vol-1830/Paper90.pdf |volume=Vol-1830 |authors=Adeyinka A. Falaye,Oluwafemi Osho,Maxwell I. Emehian,Seun Ale }} ==Dynamics of SCADA System Malware: Impacts on Smart Grid Electricity Networks and Countermeasures== https://ceur-ws.org/Vol-1830/Paper90.pdf
                      International Conference on Information and Communication Technology and Its Applications
                                                             (ICTA 2016)
                                                    Federal University of Technology, Minna, Nigeria
                                                                   November 28 – 30, 2016




Dynamics of SCADA System Malware: Impacts on Smart Grid Electricity Networks and Countermeasures

Adeyinka A. Falaye¹, Oluwafemi Osho², Maxwell I. Emehian³, and Seun Ale⁴
¹Department of Computer Science, Federal University of Technology, Minna, Nigeria
²Department of Cyber Security Science, Federal University of Technology, Minna, Nigeria
³,⁴Department of Mathematics, Federal University of Technology, Minna, Nigeria
{¹falaye.adeyinka, ²femi.osho}@futminna.edu.ng

Abstract—Supervisory Control and Data Acquisition (SCADA) system malware have contributed to the degradation of most critical installations across the globe, especially the power grids. This study seeks to investigate the dynamics of spread of malware targeted at SCADA systems on smart-grid electricity networks. We develop a mathematical model for the propagation of SCADA malware. The infectious-free and endemic equilibrium are obtained, with the former tested and found to be locally asymptotically stable. We investigate using numerical simulations the effects of antivirus, and the combination of vulnerability scanning and security patches. Our results emphasize the importance of the proposed countermeasures at reducing or eliminating the risks posed by the SCADA system malware.

Keywords – SCADA; Smart Grid; Reproduction Number; Local Stability; Programming logic controller

I. INTRODUCTION

According to the 2016 Digital Cyber Crime Unit of Microsoft Corporation, malware attacks cost the global economy an estimated 3 trillion US Dollars annually [1]. This is higher than the entire GDP estimate of Africa in 2015 [2], [3], and approximately the external reserve of the People’s Republic of China which stood at about 3.17 trillion US Dollars as at September 2016 [4].

In this modern era, there is an increasing spate of dependency on the effectiveness and efficiency of a well-structured electric power system, a major infrastructure in the economic development of a country or society and also a backbone to the proper functioning of other critical infrastructures, which very much need electric power to function at full capacity. These include infrastructures such as telecommunications, internet, water, air traffic control and transportation [5]. Though these infrastructures can operate without main power supply for a short period of time, in the long run, longer and larger outages in power may put them in jeopardy, and as a result, create a crippling effect on the economy. These power outages can be as a result of technical or/and operational faults. However, over the years, they have also been caused by targeted malware attacks on the Supervisory Control and Data Acquisition (SCADA) systems, which control the flow of data and information on most modern power grids.

Control systems such as SCADA systems are structured to achieve/maintain set goals by reducing the probability of unwanted behavior, to meet demand of the critical infrastructure the system is controlling, and to obtain maximum production profit. SCADA systems are mostly found in critical national infrastructures such as the electric power grid, transportation systems and oil and gas distributions. And it is because of their critical nature that these SCADA systems remain at high risk of attack from an instantaneously growing set of attackers, who are highly skilled and motivated. SCADA systems consist of several components including programming logic controllers (PLCs)/remote terminal units, which communicate with the SCADA servers and perform most of the supervisory and overriding controls, such as controlling continuous flow of signals, and providing enabling conditions for fault detection.

To effectively run a functional power grid, there is a strong dependency on SCADA systems. But keeping the systems secure and immune to malware attacks from external forces, as well as internally generated errors, is essential in avoiding outages. This is a massive challenge because of the complexity of the SCADA systems and their operation in real time, as well as their connectivity to the internet, all of which makes the systems perform their various duties.

Malware attacks have over time evolved from the more common internet worm and virus attacks to more precise attacks on target systems. While there have been significant damages by these internet worms and virus attacks, the present set of malware are designed to specifically steal information which is considered confidential, take control of systems for malicious purposes, create pathways (backdoors) through which other attacks can be launched or cause complete breakdown of targeted infrastructures. A typical example of such malware is Stuxnet [6].

Malware attacks on SCADA systems vary from mere invasive forms (e.g. to steal confidential information or to analyse the traffic of power supply by the system) to more invasive forms (e.g. to take control of the system or to cause



a disruption in the normal functions of the systems) [7]. Figure 1 depicts a SCADA system malware attack.

In this paper, we investigate the effectiveness of existing control strategies for SCADA system malware, specifically, the use of antivirus signatures, and also propose a new control strategy, which combines vulnerability scanning and implementation of security patches.

The ensuing contents of this paper are organized thus: Section II describes related works. Section III introduces the proposed model, as well as its variables and parameters. In Section IV, the equilibrium points, effective reproduction number and the local stability of the infectious-free equilibrium point are presented. Section V presents the numerical simulations and analysis of obtained results. The study is finally concluded in Section VI.

II. RELATED WORKS

The need to fully grasp the dynamics of the spread of various malwares has over the years necessitated the formulation of various models. The use of epidemiology in many of the models has been inspired by the near similarities which the spread of malware shares with biological virus [8]. Mathematically, epidemiology has developed quite rapidly since the mid 20th century [9].

One main procedure used in epidemiology is application of a compartmental model, where the population is divided into various sectors according to their epidemic status. Another important procedure entails the use of a system of differential equations.

Many existing models of malware propagation find their root in some classical epidemiology models including [10]–[13], and often consider malware attacks on computer systems. For instance, [9] developed an SIR model to determine the dynamics of malware attacks on computer networks. Misra, Verma and Sharma [14] also focused on computer network. Their model considered two states: infected and susceptible. The effect of anti-malware was equally investigated. Liu, Liu, Liu, Cui, and Huang [15] proposed a new compartmental model. They however investigated the effect of heterogeneous immunization on the spread of the malware. Piqueira, Vasconcelos, Gabriel and Araujo [16], on their part, considered more states. Specifically, using simple systems identification techniques, they developed a model named SAIC (Susceptible, Antidotal, Infectious, Contaminated), based on the SIR model [10]–[12]. In [17], the SIS model was modified to include what was termed a re-introduction parameter, which represents the re-introduction of an existing computer virus or the introduction of a new virus.

Few studies have considered spread of malware on other systems. One of these is the work of [18]. They combined generic epidemiological models with graph theory to model and monitor the evolution of malware that target telephony networks, specifically, the Private Branch eXchanges (PBX).

In modeling attacks on SCADA systems, studies have considered different SCADA systems, and focused on various attacks. While many have modeled other attacks, few studies have attempted malware attacks on SCADA networks.

On smart-grid/electric power systems, [19] presented a framework that models a category of cyber-physical switching vulnerabilities. Chopade, Bikdash, and Kateeb [20] proposed a flexible and extensible framework for survivability of smart-grid and SCADA systems. They considered survival under severe emergencies, vulnerabilities and WMD attacks. The work of [21] focused on the development of a novel hierarchical method applied to Petri nets to model coordinated attacks on smart grid, while that of [22] entailed the simulation and evaluation of the impacts of data integrity attacks on automatic generation control.

Regarding other SCADA systems, [23], focusing on stealthy deception attacks, proposed some enhanced hydrodynamic models which were used for detection of physical faults and cyber attacks to automated canal systems; while an aspect-oriented model for evaluating the security of automotive cyber-physical systems was proposed by [24]. They focused on four attacks: man-in-the-middle, fuzz, interruption and replay attacks.

On the other hand, in modeling attacks that affect any type of SCADA system, [25] and [26] proposed models for intrusion detection. While in the former, the models were Modbus/TCP-based, in the latter study, behavioral modeling was applied. Another study, by [27], entails a SCADA security framework which includes real-time monitoring, anomaly detection, impact analysis, and mitigation strategies, and the proposal and evaluation of a new algorithm which considers both password policies and port auditing for evaluating cybersecurity.

One of the few studies, however, that considered malware propagation on SCADA networks is [28]. The authors modeled Stuxnet attack using Boolean Logic Driven Markov Processes (BDMP).

III. FORMULATION OF MODEL

A model formulation involves a process whereby the basic assumptions of the model are clearly stated while relating these assumptions from the real world to the mathematical model [12]. The assumptions of the proposed model include:
• The entire population is divided into four (4) states i.e. the Vulnerable Class, the Infectious Class, the Immune Class and the Recovered Class; all based on their epidemiological status.
• Every new PLC added to the network is considered to be vulnerable, while a few of them are considered to be infected.
• The rate at which new PLCs are added to the network and existing ones which die due to non-infectious reason is assumed to be constant.
• The active population includes all the PLCs.
• There is a vertical transmission into the infectious class as a result of connectivity to the internet.
• It is assumed that there is an external factor i.e. a Universal Serial Bus (USB) device that can be introduced into the smart grid network, as mountable devices, to transfer and copy files.
• All model parameters are constant.
• All interactions within the network occur homogeneously.






Figure 1. Model of a SCADA system malware attack

Another basic procedure of modelling is the description of the various notations, as well as the parameters used in the formulation of the model.

The various notations are described below:
• V(t), which represents the number of vulnerable SCADA PLCs/software-based remote terminal units (RTUs) within each substation over an electric smart grid network at time, t, after connection has been established.
• I(t), which represents the number of infectious SCADA PLCs/RTUs within each substation over an electric smart-grid network at time, t, after connection has been established.
• IMUN(t), which represents the number of immune SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.
• R(t), which represents the number of recovered SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.
• USB(t), which represents the number of Universal Serial Bus (USB) devices used by employees on any of the substations within an electric smart grid network at time, t, after connection has been established.
• N(t), which represents the total number of SCADA PLCs/RTUs within each substation over an electric smart grid network at time, t, after connection has been established.

The following are the parameters used in the model:
• α is the constant rate at which new PLCs are, on the average, added to the electric smart grid network.
• p is the probability of recruiting PLCs from α number of PLCs.
• β is the constant rate of interaction of the vulnerable class with the infectious class.
• γ is the natural death rate or death due to non-infectious reason.
• a₁ is the proportion of time of scanning due to implementation of vulnerability scanning of the network.
• a₂ is the rate of the effectiveness of detection of vulnerabilities due to vulnerability scanning of the network.
• a₃ is the rate of removal of vulnerabilities due to implementation of security patches on the network.
• θ is the rate of vertical transmission of infected PLCs into the network.
• μ is the rate of recovery due to application of antivirus.
• δ is the death rate due to SCADA malware attack on the electric smart grid network.
• φ is the rate of natural recruitment of Universal Serial Bus (USB) devices into the network.

A VIMR (Vulnerable Class, Infectious Class, Immune Class and Recovered Class) model, depicted in Figure 2, is proposed to explain the dynamics of spread of malicious codes. The total size of the population is N, where N = V + I + M + R, and varies with time.

Figure 2. The Flow of Malicious Codes into a Smart Grid Network

Our main aim is to study the dynamics of SCADA system malware and based on our assumptions in the smart grid network, the dynamics of the SCADA system malware consists of the following system of ordinary differential equations:

$$
\begin{aligned}
\frac{dV(t)}{dt} &= \alpha p - \beta V(t) I(t) - \gamma V(t) - a_1 a_2 a_3 V(t) \\
\frac{dI(t)}{dt} &= \alpha\theta I(t) - \beta V(t) I(t) - \mu I(t) - \delta I(t) - \gamma I(t) \\
\frac{dIMUN(t)}{dt} &= a_1 a_2 a_3 V(t) - \gamma\, IMUN(t) \\
\frac{dR(t)}{dt} &= \mu I(t) - \gamma R(t)
\end{aligned}
\tag{1}
$$

An external factor was also considered but does not constitute part of the population of the entire system, i.e.

$$
\frac{dUSB(t)}{dt} = \varphi\, USB(t) - \mu\, USB(t)
$$

Thus, the total population of SCADA system PLCs is given as

$$
\frac{dN(t)}{dt} = \alpha - \gamma N - (\delta - \alpha\theta) I(t)
$$

Letting

$$
IMUN(t) = M(t); \quad USB(t) = U(t); \quad \text{and } a_1 a_2 a_3 = a
$$

The system in (1) above as well as the external factor becomes

$$
\begin{aligned}
\frac{dV(t)}{dt} &= \alpha p - \beta V(t) I(t) - \gamma V(t) - a V(t) \\
\frac{dI(t)}{dt} &= \left[\beta V(t) + \alpha\theta - \mu - \delta - \gamma\right] I(t) \\
\frac{dM(t)}{dt} &= a V(t) - \gamma M(t) \\
\frac{dR(t)}{dt} &= \mu I(t) - \gamma R(t)
\end{aligned}
\tag{2}
$$

And

$$
\frac{dU(t)}{dt} = (\varphi - \mu) U(t)
$$

IV. INFECTIOUS-FREE AND ENDEMIC EQUILIBRIUM POINTS AND EFFECTIVE REPRODUCTION NUMBER

Points whereby the SCADA systems and electric smart grid configuration do not change with time or when no force is acting on the system, are known as the equilibrium points. We obtained the equilibrium points and also tested for stability of the equilibrium points.

A. Equilibrium Points

For equilibrium points, we have that

$$
\frac{dV(t)}{dt} = \frac{dI(t)}{dt} = \frac{dM(t)}{dt} = \frac{dR(t)}{dt} = 0
$$

We obtain Infectious-Free Equilibrium

$$
E_0 = \left( \frac{\alpha p}{\gamma + a},\; 0,\; \frac{a\alpha p}{\gamma(\gamma + a)},\; 0 \right)
$$

And the Endemic Equilibrium

$$
E^{*} = \left( \frac{\mu + \delta + \gamma - \alpha\theta}{\beta},\; \frac{(a + \gamma)(\alpha\theta - \mu - \delta - \gamma) - \beta\alpha p}{(\alpha\theta - \mu - \delta - \gamma)\beta},\; \frac{a(\mu + \delta + \gamma - \alpha\theta)}{\beta\gamma},\; \mu\,\frac{(a + \gamma)(\alpha\theta - \mu - \delta - \gamma) - \beta\alpha p}{\gamma(\alpha\theta - \mu - \delta - \gamma)\beta} \right)
$$

B. Effective Reproduction Number and Local Stability

A major procedure in modeling the dynamics of malware is the effective reproduction number denoted by R₀ and it also helps in predicting part of the population which will not be infected.

System (2) has an infectious-free equilibrium whereby the infective part of the population is zero while the vulnerable and immune remain positive denoted by

$$
E^{0} = (V,\; I = 0,\; M,\; R = 0)
$$

Thus, analyzing the local stability of the infectious-free equilibrium gives the endemic point whereby there will be a rise or reduction to zero when a small number of infectious PLCs are brought into a highly vulnerable population.

Eliminating R, system (2) reduces to

$$
\begin{aligned}
\frac{dV(t)}{dt} &= \alpha p - \beta V(t) I(t) - \gamma V(t) - a V(t) \\
\frac{dI(t)}{dt} &= \left[\beta V(t) + \alpha\theta - \mu - \delta - \gamma\right] I(t)
\end{aligned}
\tag{3}
$$

We obtain the effective reproduction number R₀ by investigating the local stability of the infectious-free equilibrium.

Theorem 1: The infectious-free equilibrium is locally asymptotically stable whenever R₀ < 1

We obtain the Jacobian of system (3) at infectious-free equilibrium

$$
J = \begin{pmatrix} -(\gamma + a) & -\beta V(t) \\ 0 & \beta V(t) + [\alpha\theta - \mu - \delta - \gamma] \end{pmatrix}
$$

Reducing the matrix to an upper triangular matrix, we have a characteristic equation as

$$
J_0 = \begin{pmatrix} -\gamma - a & \dfrac{-\beta\alpha p}{\gamma + a} \\ 0 & \dfrac{-\left(-\beta\alpha p - \alpha\gamma\theta - a\alpha\theta + \gamma\mu + a\gamma + \delta\gamma + a\delta + \gamma^{2} + a\gamma\right)}{\gamma + a} \end{pmatrix}
$$

We assume our effective reproduction number to be the leading Eigen value, thus we assume

$$
R_0 = \frac{-\left(-\beta\alpha p - \alpha\gamma\theta - a\alpha\theta + \gamma\mu + a\gamma + \delta\gamma + a\delta + \gamma^{2} + a\gamma\right)}{\gamma + a}
$$

Since R₀ < 1, thus we have a local stability, which implies that the malware can be curtailed through appropriate corresponding countermeasure parameters.

V. NUMERICAL SIMULATIONS AND ANALYSIS

We set out in Table I, variables and hypothetical values of our model.

Similarly, population-dependent parameter values usually have to be inputted based on computer malware epidemiology and population data. We set out in Table II parameters and corresponding values.

TABLE I. HYPOTHETICAL MODEL VARIABLES AND POPULATION-DEPENDENT

S/N    Variables    Hypothetical values    Source
1      V            20                     Assumed
2      I            5                      Assumed
3      M            10                     Assumed
4      R            0                      Assumed
5      B            7                      Assumed

TABLE II. HYPOTHETICAL MODEL POPULATION PARAMETERS

S/N    Parameter    Hypothetical Values    Source
1      a            Varies                 Assumed
2                   2                      Assumed
3                   0.1                    Assumed
4                   0.1                    Assumed
5                   Varies                 Assumed
6                   Varies                 Assumed
7                   0.2                    Assumed
8      γ            0.1                    Assumed

Figure 3 shows the different rates of recovery due to application of anti-virus signatures with time, i.e. (μ = 0.1, 0.5, 0.9). We discovered that if the anti-virus is used at the rate of 10% (i.e. on 1 out of 10 systems), the infectious class of PLCs continues to increase instantaneously from the initial population of 5,000 to above 15,000 in the first two days of interaction with the vulnerable class. The instant increase then tends to stabilize a bit, mostly due to the little effect of the disinfected PLCs. It then rises instantaneously, and after the next 5 days, rises to above 25,000. At 50% (i.e. on 2 out of 10 systems) it increases to about 10,000 in the next one and half days due to interaction with the vulnerable class of PLCs, before it starts decreasing gradually in the next two to five days to little below 5,000, mostly due to the positive effect of the anti-virus signatures; though this happens with a possibility of re-infection. But at 90% (i.e. on 9 out of every 10), the infectious population of PLCs increases minimally to about 7,000 in the first day due to the interaction with the vulnerable class before it gradually decreases mainly due to the very high effect of the antivirus signatures, and the infectious population of PLCs will continually decline till it goes into extinction after 5 days.

Figure 4 shows the variation in the rate of natural recruitment of the USB devices into the network. At 10% usage of USB devices for transfer and copying of files, there is an instant increase in the population of infectious PLCs from the initial 5,000 to above 10,000 after just one and half days due to interaction between the vulnerable class and the USB devices plugged into the system, which of course, some


are infected. But the population of the infectious PLCs then
stabilizes, mostly due to the implementation of anti-virus
signatures, which at this point gradually detect infected USB
devices. After the second day, the population of the
infectious PLCs begins a rapid decline due to the disinfection
of the infected USB devices by the anti-virus signatures until
it (the infected power line carriers) goes into extinction totally
after five days.
     Figure 5 shows the variation in the rate of vulnerability
scanning, detection of vulnerability and implementation of
security patches. At 10% vulnerability scanning, detection of
vulnerability and implementation of security patches, the
infectious population of PLCs increases from the initial
5,000 to above 14,000 in one and a half days due to the
interaction with the vulnerable class, then it stabilizes a bit
and decreases gradually to about 7,000 due to the
implementation of the security patches. At 50% vulnerability
scanning, detection of vulnerability and implementation of
security patches, the population of the infectious PLCs
increases to about 11,000 in one and a half days due to the
interaction with the vulnerable class but stabilizes and then
decreases gradually to about 5,000 (the initial population),
mainly due to the detection and implementation of the
security patches. But at 90% vulnerability scanning,
detection of vulnerability and implementation of security
patches, the population of the infectious PLCs increases from
the initial 5,000 to almost 10,000 in the first day, mainly due
to the interaction with the vulnerable class, then stabilizes a
bit and gradually declines until it goes into extinction in the
next 5 days, mainly due to the effect of the vulnerability
scanning, detection of vulnerability and implementation of
security patches.

Figure 3. The Different Rate of Recovery due to Application of the Anti-Virus Signatures with Time

     From Figures 3, 4 & 5, it was discovered that there is
always an instantaneous increase in the infectious class of
the PLCs due to their interaction with the vulnerable class of
the PLCs; and the consequences of this initial increase
include power outages, damage to equipment, as well as
financial losses. These are mainly due to the fact that these
infectious PLCs can be used by interest groups or syndicates
to carry out their agenda before such infections are detected
and mitigated.

Figure 4. The Variation in the Rate of Natural Recruitment of USB Devices into the System
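
The patch-rate comparison discussed for Figure 5 can be explored with a much simpler compartment model. The sketch below is an added example, not the paper's equations or code: it uses a three-class V-I-R model in which `N`, `BETA`, `GAMMA` and all function names are assumptions chosen for illustration, and only the initial 5,000 infectious PLCs and the 10%, 50% and 90% rates come from the text.

```python
"""Simplified V-I-R sketch of a patch-rate sweep (illustrative, not the paper's model)."""

N = 50_000      # assumed total PLC population (constructed value)
I0 = 5_000      # initial infectious PLCs, as quoted in the text
BETA = 2.0      # assumed infection contact rate per day (constructed value)
GAMMA = 0.5     # assumed antivirus disinfection rate per day (constructed value)


def simulate(patch_rate, days=40.0, dt=0.01):
    """Forward-Euler integration; returns a list of (t, V, I, R) rows."""
    v, i, r = float(N - I0), float(I0), 0.0
    rows = [(0.0, v, i, r)]
    for k in range(1, int(round(days / dt)) + 1):
        new_inf = BETA * v * i / N   # vulnerable PLCs infected per day
        patched = patch_rate * v     # vulnerable PLCs scanned and patched per day
        cleaned = GAMMA * i          # infectious PLCs disinfected per day
        v += dt * (-new_inf - patched)
        i += dt * (new_inf - cleaned)
        r += dt * (patched + cleaned)
        rows.append((k * dt, v, i, r))
    return rows


def summarize(patch_rate):
    """Peak size, peak day, final size and first day with fewer than one infectious PLC."""
    rows = simulate(patch_rate)
    peak_t, _, peak_i, _ = max(rows, key=lambda row: row[2])
    extinct = next((t for t, _, i, _ in rows if i < 1.0), None)
    return {"peak": peak_i, "peak_day": peak_t,
            "final": rows[-1][2], "extinct_day": extinct}


def sweep(rates=(0.1, 0.5, 0.9)):
    """Run the model once per patch rate, mirroring the 10%/50%/90% comparison."""
    return {rate: summarize(rate) for rate in rates}


if __name__ == "__main__":
    for rate, s in sweep().items():
        print(f"patch rate {rate:.0%}: peak {s['peak']:.0f} PLCs on day "
              f"{s['peak_day']:.1f}, extinct on day {s['extinct_day']}")
```

Because the rates are assumed, the absolute peaks and extinction times will not match the paper's figures; the qualitative ordering of the peaks by patch rate is what the sketch shows.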

                      VI.   CONCLUSION
    We developed a model for the dynamics of SCADA
system malware on smart-grid electricity networks for a
population consisting of the Vulnerable, Infected, Immune
and Recovered classes of PLCs or Remote Terminal Units.
We also incorporated an external factor, the Universal Serial
Bus (USB), and considered three control parameters:
vulnerability scanning, detection from vulnerability scanning
and the implementation of security patches.
    Our findings highlight the necessity of control strategies,
viz. antivirus, vulnerability scanning, and application of
security patches, in mitigating malware spread on SCADA
systems.
    Future studies could consider other parameters including
human behavior. Many studies have confirmed that many
security breaches are the result of non-technical factors. In
this study, the propagation was considered as a function of
time. Propagation as a function of geographical spread and
cost should be explored.

Figure 5. The Variation in the Rate of Removal of Vulnerability due to Vulnerability Scanning and Implementation of Security Patches


                             REFERENCES                                            [16] J. R. C. Piqueira, A. A. De Vasconcelos, C. E. C. J. Gabriel, and V.
                                                                                        O. Araujo, “Dynamic models for computer viruses,” Comput. Secur.,
[1]  Microsoft, “Digital Crimes Unit Fact Sheet.”                                       vol. 27, pp. 355–359, 2008.
[2]  Knoema, “IMF World Economic Outlook (WEO), October 2015.”                     [17] J. C. Wierman and D. J. Marchette, “Modeling computer virus
     [Online]. Available: https://knoema.com/IMFWEO2015Oct/imf-                         prevalence with a susceptible-infected-susceptible model with
     world-economic-outlook-weo-october-2015. [Accessed: 22-Oct-                        reintroduction,” Comput. Stat. Data Anal., vol. 45, pp. 3–23, 2004.
     2016].
                                                                                   [18] I. Androulidakis, S. Huerta, V. Vlachos, and I. Santos, “Epidemic
[3] Knoema, “World GDP Ranking 2016 | Data and Charts | Forecast.”                      Model for Malware Targeting Telephony Networks,” in IEEE 23rd
     [Online].      Available:    https://knoema.com/nwnfkne/world-gdp-                 International Conference on Telecommunications, 2016, pp. 1–5.
     ranking-2016-data-and-charts-forecast. [Accessed: 22-Oct-2016].
                                                                                   [19] S. Liu, S. Mashayekh, D. Kundur, T. Zourntos, and K. Butler-Purry,
[4] Trading Economics, “China Foreign Exchange Reserves 1980-2016.”                     “A framework for modeling cyber-physical switching attacks in smart
     [Online].                                                  Available:              grid,” IEEE Trans. Emerg. Top. Comput., vol. 1, no. 2, pp. 273–285,
     http://www.tradingeconomics.com/china/foreign-exchange-reserves.                   2013.
     [Accessed: 21-Oct-2016].
                                                                                   [20] P. Chopade, M. Bikdash, and I. Kateeb, “Interdependency Modeling
[5] B. Les Cardwell and A. Shebanow, “The Efficacy and Challenges of                    for Survivability of Smart Grid and SCADA network under severe
     SCADA and Smart Grid Integration,” J. Cyber Secur. Inf. Syst., vol.                emergencies, vulnerability and WMD attacks,” Southeastcon, 2013
     1, no. 3, pp. 2–10, 2013.                                                          Proc. IEEE, no. April, pp. 1–7, 2013.
[6] A. Teixeira, G. Dán, H. Sandberg, and K. H. Johansson, “A cyber                [21] T. M. Chen, J. C. Sanchez-Aarnoutse, and J. Buford, “Petri net
     security study of a SCADA energy management system: Stealthy                       modeling of cyber-physical attacks on smart grid,” IEEE Trans.
     deception attacks on the state estimator,” IFAC Proc. Vol., vol. 18,               Smart Grid, vol. 2, no. 4, pp. 741–749, 2011.
     no. PART 1, pp. 11271–11277, 2011.
                                                                                   [22] S. Sridhar and G. Manimaran, “Data integrity attacks and their
[7] O. Gervasi, “Encryption Scheme for Secured Communication of Web                     impacts on SCADA control system,” IEEE PES Gen. Meet. PES
     Based Control Systems,” pp. 609–618, 2010.                                         2010, pp. 1–6, 2010.
[8] M. H. R. Khouzani and S. Sarkar, “Dynamic malware attack in                    [23] S. Amin, X. Litrico, S. S. Sastry, and A. M. Bayen, “Cyber security
     energy-constrained mobile wireless networks,” in 2010 Information                  of water scada systems-part II: Attack detection using enhanced
     Theory and Applications Workshop, ITA 2010 - Conference                            hydrodynamic models,” IEEE Trans. Control Syst. Technol., vol. 21,
     Proceedings, 2010, pp. 408–418.                                                    no. 5, pp. 1679–1693, 2013.
[9] B. K. Mishra and A. Prajapati, “Dynamic Model on the Transmission              [24] A. Wasicek, P. Derler, and E. a. Lee, “Aspect-oriented Modeling of
     of Malicious Codes in Network,” Int. J. Comput. Netw. Inf. Secur.,                 Attacks in Automotive Cyber-Physical Systems,” in 2014 51st
     vol. 10, pp. 17–23, 2013.                                                          ACM/EDAC/IEEE Design Automation Conference (DAC), 2014, pp.
[10] W. O. Kermack and A. G. McKendrick, “A Contribution to the                         1–6.
     Mathematical Theory of Epidemics,” Proc. R. Soc. London. Ser. A,              [25] N. Goldenberg and A. Wool, “Accurate modeling of Modbus / TCP
     Contain. Pap. a Math. Phys. Character, vol. 115, no. 772, pp. 700–                 for intrusion detection in SCADA systems,” Int. J. Crit. Infrastruct.
     721, 1927.                                                                         Prot., vol. 6, no. 2, pp. 63–75, 2013.
[11] W. O. Kermack and A. G. McKendrick, “Contributions to the                     [26] A. Dolgikh, T. Nykodym, V. Skormin, and Z. Birnbaum, “Using
     mathematical theory of epidemics-III. Further studies of the problem               behavioral modeling and customized normalcy profiles as protection
     of endemicity,” Proc. R. Soc. London. Ser. A, Contain. Pap. a Math.                against targeted cyber-attacks,” in International Conference on
     Phys. Character, vol. 141, no. 843, pp. 94–122, 1933.                              Mathematical Methods, Models, and Architectures for Computer
[12] W. O. Kermack and A. G. McKendrick, “Contribution to the                           Network Security, 2012, pp. 191–202.
     Mathematical Theory of Edipemics. II. The Problem of Endemicity,”             [27] C. W. Ten, G. Manimaran, and C. C. Liu, “Cybersecurity for critical
     Proc. R. Soc. London. Ser. A, Contain. Pap. a Math. Phys. Character,               infrastructures: Attack and defense modeling,” IEEE Trans. Syst.
     vol. 138, no. 834, pp. 55–83, 1932.                                                Man, Cybern. Part ASystems Humans, vol. 40, no. 4, pp. 853–865,
[13] N. T. J. Bailey, The Mathematical Theory of Infectious Diseases, 2nd               2010.
     ed. New York: Hafner Press, 1975.                                             [28] S. Kriaa, M. Bouissou, and L. Piètre-Cambacédès, “Modeling the
[14] A. K. Misra, M. Verma, and A. Sharma, “Capturing the interplay                     Stuxnet attack with BDMP: Towards more formal risk assessments,”
     between malware and anti-malware in a computer network,” Appl.                     in 7th International Conference on Risks and Security of Internet and
     Math. Comput., vol. 229, pp. 340–349, 2014.                                        Systems, CRiSIS 2012, 2012, pp. 1–8.
[15] W. Liu, C. Liu, X. Liu, S. Cui, and X. Huang, “Modeling the spread
     of malware with the influence of heterogeneous immunization,” Appl.
     Math. Model., vol. 40, pp. 3141–3152, 2016.




                                                                             145