SCADA Security Research

The Trustworthy Cyber Infrastructure for the Power Grid (TCIPG) is an academic research effort led by the University of Illinois and funded by the US Department of Energy and DHS. At almost $19M over five years, it is not a small effort. Even before this funding, its predecessor, TCIP, was funded by the NSF from 2005 to 2010.

So we like to check in from time to time to see what is coming out of this investment. Most of the results from this program are research papers, although there is the concept of some of the resulting technology being spun out to commercial organizations. There is also a potential workforce development impact here, and it would be good to know how many and what percentage of past TCIP and TCIPG researchers are working for ICS vendors or asset owners. This would help justify the amount spent on the largely academic results.


UPDATE: Tim Yardley from the University of Illinois kindly provided the following corrected information in a comment:

Not sure we will ever get to reviewing 58 publications; skimming through 13 took quite a bit of time. Anyone who sees something of practical value to the ICS vendor or owner/operator in a paper please highlight it in the comments or contact us.


A Digital Bond intern pulled the research papers TCIPG published in the last 12 months. Here are the 13 research papers:

One of the major differences between TCIP and TCIPG is that cyber security is no longer the main driver of the research. Only five of the thirteen papers involved cyber security. I’m unqualified to comment on some of the more power-related papers, such as those on synchrophasors, state estimation, or the Virtual Power System Testbed.


The IDS for AMI paper recommends a specification-based network IDS over a signature- or anomaly-based network IDS, with the possibility of a specification-based host IDS if the performance is deemed acceptable. The sensors would be deployed throughout the network, aggregated at certain locations and forwarded to a management and analysis console, much like the AMI data itself. A worthwhile read, but not likely to happen anytime soon. Even the term specification-based IDS may be a bit of a stretch for what is out there today. There are IDS sensors that check stateful adherence to a protocol specification, but the paper goes further, considering how a specific process uses the specification.

For practical reasons I would have liked to see some value placed on the various sensor locations relative to the detection and prevention goals. Harking back to my financial security days, a certain level of fraud was not worth the cost of preventing it. Much the same is going to be true of many types of AMI attacks. And we are not going to be able to deploy the ideal solution all at once, so where do we get the biggest return on our security investment with IDS for AMI?
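To make the distinction above concrete, here is an added illustration (not code from the TCIPG paper or from Digital Bond) of the two layers a specification-based AMI IDS could check: stateful adherence to the protocol (a reply only while a matching request is outstanding) and a per-process usage specification (the collection process polls each meter on a fixed schedule; a remote disconnect follows an operator authorization). The message types, the 15-minute interval and the event log are constructed assumptions for illustration.

```python
READ_INTERVAL = 900  # assumed 15-minute meter-reading schedule, in seconds


def check_exchange(events, read_interval=READ_INTERVAL):
    """events: list of (timestamp, src, dst, msg). Returns a list of alert strings."""
    alerts = []
    pending = set()      # (meter, request kind) awaiting a reply: protocol state
    last_poll = {}       # meter -> timestamp of last READ_REQ: process usage
    authorized = set()   # meters with an operator-authorized disconnect
    for ts, src, dst, msg in events:
        if msg == "AUTHORIZE" and src == "operator":
            authorized.add(dst)
        elif msg == "READ_REQ":
            # Layer 2: the collection process polls each meter on a fixed schedule
            prev = last_poll.get(dst)
            if prev is not None and ts - prev < read_interval:
                alerts.append(f"{ts} usage: {dst} polled {ts - prev}s after last poll")
            last_poll[dst] = ts
            pending.add((dst, "READ"))
        elif msg == "DISCONNECT_REQ":
            # Layer 2: a disconnect is only expected after operator authorization
            if dst not in authorized:
                alerts.append(f"{ts} usage: disconnect of {dst} without authorization")
            authorized.discard(dst)
            pending.add((dst, "DISCONNECT"))
        elif msg in ("READ_RESP", "DISCONNECT_ACK"):
            # Layer 1: a reply is only valid while a matching request is outstanding
            kind = msg.split("_")[0]
            if (src, kind) not in pending:
                alerts.append(f"{ts} protocol: {src} sent {msg} with no outstanding request")
            pending.discard((src, kind))
        else:
            alerts.append(f"{ts} protocol: unknown message {msg} from {src}")
    return alerts


SAMPLE_EVENTS = [  # constructed head-end <-> meter log for illustration
    (0, "headend", "m1", "READ_REQ"),
    (1, "m1", "headend", "READ_RESP"),
    (2, "m3", "headend", "READ_RESP"),          # unsolicited reply
    (300, "headend", "m1", "READ_REQ"),         # polled ahead of schedule
    (301, "m1", "headend", "READ_RESP"),
    (400, "operator", "m2", "AUTHORIZE"),
    (401, "headend", "m2", "DISCONNECT_REQ"),
    (402, "m2", "headend", "DISCONNECT_ACK"),
    (500, "headend", "m1", "DISCONNECT_REQ"),   # no operator authorization
    (501, "m1", "headend", "DISCONNECT_ACK"),
]

if __name__ == "__main__":
    for alert in check_exchange(SAMPLE_EVENTS):
        print(alert)
```

Note that the third finding (the unauthorized disconnect) passes the protocol-state check entirely; only the process-usage layer catches it, which is the gap the paper is pointing at.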

Long-lived Authentication Protocols

This paper considers the need to change both crypto keys and algorithms in systems that will be deployed for decades. The authors present both a re-keying protocol and a re-moduling protocol (for replacing the algorithm itself), and discuss their use in another research project called Gridstat. Will the industry see anything like this for Smart Grid meters or other large deployments? Should it?

Trusted Virtual Containers

I found the most interesting part of this paper to be Section 4, where the authors detail four scenarios between different entities in the power grid that will require trust in each other's platforms, for example access to remote logs or aggregation of data from different smart grid participants. The trusted virtual containers were built on OpenSolaris and involved creating virtual machines for specific purposes.


The forensics paper was not control-system specific. Detecting False Data Injection Attacks on DC State Estimation was the fifth security-related paper.

Note: We also checked out the Energy Sector Roadmap site, and it had only sketchy detail on one new project in the last 12 months.