In recent years, an increasing number of attacks have targeted Industrial Control Systems (ICS) worldwide, exposing the fragility of these systems. Understanding the SCADA networks that govern critical infrastructures is increasingly vital to protecting these systems. However, the confidential nature of ICS data typically restricts access to real-world traffic, limiting the ability of academic research to produce realistic studies. While previous studies have focused on isolated network characteristics within a single infrastructure, none have taken a comparative approach across multiple critical infrastructures and multiple industrial protocols.
Aiming to fill this gap, our research dissects operational SCADA networks across multiple ICS based on real-world data. This study focuses on network measurement of SCADA traffic in two ways: (1) between distinct ICS such as power, gas, and water, and (2) among the subsystems of the power grid, from generation to end-customer distribution grids.
Our analysis reveals both distinct and shared behaviors of these networks, providing insight into their network behavior and configuration. It also reveals non-standard configurations, protocol operation characteristics, topology configurations, and considerable variation in periodic traffic patterns, packet transmission rates, and message types. These insights contribute to a more realistic understanding of SCADA networks, challenging previous assumptions and emphasizing the substantial diversity of SCADA traffic within these infrastructures. Our findings underscore the need for a specialized approach tailored to each critical infrastructure and open the door to better network characterization for cybersecurity measures and more accurate designs for intrusion detection systems.