Proceedings of the 20th World Congress
The International Federation of Automatic Control
Toulouse, France, July 9-14, 2017

Available online at www.sciencedirect.com
ScienceDirect
IFAC PapersOnLine 50-1 (2017) 12179–12184

Cybersecurity training in control systems using real equipment ★

Manuel Domínguez ∗ Miguel A. Prada ∗ Perfecto Reguera ∗ Juan J. Fuertes ∗ Serafín Alonso ∗ Antonio Morán ∗

∗ SUPPRESS research group, University of León, Escuela de Ingenierías, Campus de Vegazana s/n, León, Spain (e-mail: manuel.dominguez, ma.prada, prega, jj.fuertes, saloc, a.moran@unileon.es)

Abstract: The relevance of cybersecurity in the field of critical infrastructures has been reinforced in the last years, as a result of the increased number of incidents. The European Union has developed policies oriented to promote research and education in security and critical infrastructure protection. It is widely recognized that there is a shortage of qualified cybersecurity professionals due to the increasing demand. The situation is even more serious in the area of cybersecurity of critical infrastructures, due to the special characteristics of the control and monitoring systems needed for their operation. Furthermore, there is a knowledge gap between the industrial control experts, who generally have not received training in computer security, and the cybersecurity experts, who ignore the operation of industrial control systems. It is therefore necessary to create educational environments that support training and research oriented to bridge this gap without. For that reason, this paper presents a Laboratory of Critical Infrastructures Cybersecurity (CICLab) that is flexible enough to create different settings that simulate real situations on the critical infrastructure control systems. For that purpose, the laboratory includes different field, control and monitoring technologies that are widely used in four sectors: industry, energy management, building management and smart cities. Some educational activities are presented in the framework of this laboratory.

© 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.

Keywords: Cybersecurity, Industrial Control Systems, Laboratory, Education
★ This work was supported by the Spanish Secretary of State for Research, Development and Innovation (Ministry of Economy and Competitivity), under grant UNLE13-3E-1578 of the National Programme for Fostering Excellence in Scientific and Technical Research -FEDER funds, and by the Spanish National Cybersecurity Institute (INCIBE), through the 17th Addendum of the Framework Agreement between INCIBE and the University of León.

2405-8963 © 2017, IFAC (International Federation of Automatic Control) Hosting by Elsevier Ltd. All rights reserved.
Peer review under responsibility of International Federation of Automatic Control.
10.1016/j.ifacol.2017.08.2151

1. INTRODUCTION

The world is experiencing a new industrial transformation. Some experts compare the current situation with the industrial revolution that happened two centuries ago (Brettel et al., 2014). In short, this transformation is driven, on the one hand, by the Internet and its related technologies and, on the other, by the use of the information contained in data obtained from all the levels of the production processes. This transformation already affects relevant industrial sectors such as energy or transport. However, according to the experts, we are only in its first stage and, therefore, it is necessary to introduce major changes in structures and organizations (Lee et al., 2014).

One of the major challenges is that of the cybersecurity of industrial-related infrastructures and obviously the training of students and workers in these fields. Several reports from international consulting firms agree on the increasing demand for competent professionals in cybersecurity, because these skills are currently scarce in the job market. The growth of employment in cybersecurity has doubled the rate of all other information technology jobs and several reports state that there is a great industry shortage of computer security professionals. Some reports estimate that the shortage of security professionals in the world job market would be around 1 million (Wright, 2015). If data science skills are considered as well, the shortage of professionals increases significantly. In Spain, the Plan for Trust in the Digital Environment included as a core idea the development of a Cybersecurity Programme with the aim to encourage the promotion, identification and retention of talent. Since then, grants and incentives are used to promote the training of new experts.

The relevance of cybersecurity in the field of industrial control systems has been reinforced in the last years, as a result of the increased number of incidents and their impact on critical infrastructures (Nicholson et al., 2012). For that reason, the European Union has developed in the last decade a set of communications and directives oriented to improve the protection of critical infrastructures. The European Commission published in 2004 the Communication "Critical Infrastructure Protection in the fight against terrorism" (COM/2004/0702) and in 2006 presented the European Programme for Critical Infrastructure Protection (COM/2006/786). This programme established a global framework for the protection of critical infrastructures. Later, in 2009, the Communication COM 2009/149 discussed the cybersecurity threats in this area
and action plan to improve prevention, response and recovery. Finally, the Directive 2016/1148 "concerning measures for a high common level of Security of Network and Information Systems across the Union" (NIS) establishes minimum security requirements for the operators of essential services. At a national level, the Spanish Law 8/2011 established the regulatory framework for critical infrastructure protection, defining them and creating a National Centre for Critical Infrastructure Protection (CNPIC) to be in charge of the initiative, coordination and monitoring of the actions related to the protection of the national critical infrastructures. Since 2014, the CNPIC has presented strategic sector plans for the following sectors: electricity, gas, oil, nuclear, finance, water, transport, space, and chemical industry. Likewise, the European Union included security as one of the 7 challenges of its Framework Programme for Research and Technological Development 2014-2020 (Horizon 2020), emphasizing the protection of critical infrastructures and cybersecurity.

The cause of this recent effort is that industrial control systems (ICS), which control the operation of industries and infrastructures of the aforementioned critical sectors, were usually designed for an isolated operation. As a result, the security aspects were ignored by the ICS staff and control systems traditionally lacked security measures to protect them from external threats, caused by the interconnection to other systems. However, the development of information and communication technologies has led to a wider connectivity of control systems and devices that work along with potentially remote software for Supervisory Control and Data Acquisition (SCADA). This interconnection exposes them to external threats that were not previously considered (Knapp and Langill, 2016; Stouffer et al., 2011).

With these premises and as a consequence of the projects developed for the National Institute of Cybersecurity (INCIBE), the SUPPRESS research group of the University of León applied for a research infrastructure to develop a Laboratory for Research on Critical Infrastructure Cybersecurity (CICLab) in the context of the R&D National Plan of 2013. This laboratory was granted by the Secretary of State for Research, Development and Innovation on November 19, 2014.

The laboratory was designed to allow flexibility for the experimentation in cybersecurity of both the specific devices and communication networks and the general solutions and configurations of control and monitoring systems. For that reason, different field, control and monitoring technologies have been included in the laboratory, all of them widely used in four sectors: industry, energy management, building management and smart cities. The diversity of equipment and the adaptability of the management tools make it possible to create different settings that simulate real situations on the critical infrastructure control systems. Specifically, it is possible to set up configurations that use typical communication protocols at the different levels of automation of industrial control systems, energy management systems or building management systems. Furthermore, the laboratory has all the needed elements to perform vulnerability analyses, penetration testing, traffic monitoring, etc. at different points of the automation, locally or remotely. The ability to perform practical tasks on real equipment and systems narrows the gap between education and real practice in applied cybersecurity for critical infrastructures.

From an educational point of view, the laboratory also uses the technological platform and functionalities of the Remote Laboratory of Automatic Control of the University of León, http://lra.unileon.es (Prada et al., 2015). The remote laboratory, which was also developed by the SUPPRESS research group, is a platform that enables students, faculty, researchers or professionals interested in automation, control and monitoring systems to interact remotely with industrial physical systems, either real or simulated. Moreover, the remote laboratory provides a set of tools that enable their collaborative use. The remote laboratory has already been used for limited experiences in the field of cybersecurity of industrial control systems (Canto et al., 2015).

Regarding the educational needs in the cybersecurity field, the proposed laboratory makes it possible to test architectures in the four fields described above, test the vulnerabilities of devices, protocols and software, use intelligent data analysis to detect attacks, apply forensic analysis to industrial equipment or test the identification and removal of specific malware.

The paper is structured as follows: The research and educational aims are set out in Section 2. The architecture of the laboratory is described in Section 3. In Section 4, some educational activities with the laboratory are presented. Finally, conclusions are discussed in Section 5.

2. RESEARCH AND EDUCATIONAL GOALS

The Laboratory of Critical Infrastructure Cybersecurity (CICLab) is oriented to both research and education, as can be expected from a university laboratory. The research objectives of the laboratory follow those stated in the Horizon 2020 Programme and the Spanish National R&D plan 2013-2016 in the area of cybersecurity.

The Horizon 2020 work programme proposes to study the dependencies between critical infrastructures, communication networks and the control and monitoring information systems. The aim is focused on the analysis and proposal of strategies for the evaluation of critical services, on the analysis of the cascade effects caused by an incident, and on anomaly detection. The work programme also states the need for field tests and the adaptation of general well-known security solutions into specific ones for industrial control systems. The work programme emphasizes as well the security challenges posed by the proliferation of smart meters in energy distribution networks or smart grids. On the other hand, the Spanish Plan of Scientific and Technical Research and Innovation 2013-2016 also considers cybersecurity in control centers and critical infrastructures an important security challenge.

As a result, the following research lines are proposed in the framework of the cybersecurity laboratory:
(1) To conduct experimental studies about cybersecurity in industrial control systems and to develop a methodology for vulnerability evaluation in devices, protocols and dedicated software.
(2) To develop intelligent data analysis techniques applied to cybersecurity of industrial control systems.
(3) To develop intrusion and vulnerability detection systems with a passive approach by means of advanced detection rules and well-known open IDS tools.
(4) To develop methods/tools for evidence gathering from industrial equipment to enable forensic analysis.
(5) To develop methods and procedures for prevention and defense from attacks in critical infrastructures.

The educational goals are selected to address two challenges:
(1) Training of Master's degree university students.
(2) Training of qualified professionals (lifelong learning).

In both cases, it is necessary to develop learning environments that provide access to real industrial control systems, which enable realistic practical experiences without safety concerns in equipment or other elements. Often, in this area, simulated systems are used for training and experimentation. Although simulated systems are less costly and easier to manage, they generally constrain the scope of the experiences and hide certain particularities of industrial control systems. The use of a comprehensive infrastructure based on real and commonly used elements is advisable to improve the versatility of the laboratory and to narrow the knowledge gap between IT and industrial professionals (Morris et al., 2011a). Indeed, the pedagogical impact of these testbeds has been reported to be significant by other authors (Morris et al., 2011b).

Due to the aforementioned reasons, the use of a laboratory with real industrial equipment and software is the proposed approach to fulfill the following educational goals:
(1) Introduction to industrial control systems: This goal is interesting for master's degree students, who generally have a general information technology background. Acquiring knowledge about the elements and concepts used in control systems might help to bridge the gap with ICS staff.
(2) Introduction to cybersecurity: This must be an educational goal of the continuing education courses for professionals. The first step of any lifelong learning programme in cybersecurity for critical infrastructures must be focused on introducing the basic security concepts, practices and tools.
(3) Understanding common vulnerabilities in critical infrastructures: Both from a global perspective and focused on the four environments included in the laboratory.
(4) Learning to identify threats and deploy countermeasures: A student should learn to assess the vulnerabilities that affect each asset, to isolate those assets into securable groups and to establish the appropriate security controls to enforce the expected behavior.
(5) Learning to monitor security events: A student should understand how to passively collect information from the network and analyze it.

The CICLab has been included in the Spanish Network of Industrial Laboratories (https://rnli.incibe.es/), led by the Spanish Institute of Cybersecurity (INCIBE), whose aim is to gather those laboratories that can be used for security experimentation in the area of critical infrastructures. It is the only university laboratory in that network. The other ones are private laboratories focused on different specific aspects of industrial systems security. This network might promote technology transfer.

3. DESCRIPTION OF THE LABORATORY

For the design of the laboratory, four scenarios were considered for cybersecurity experimentation: industrial control systems, building management systems, energy management systems and smart city sensor networks (see Fig. 1). These subsystems are structured with a common set of utilities and functionalities. The features of these subsystems are described in the following paragraphs.

Industrial subsystem: The industrial control system follows the automation pyramid with the ISA-95 levels from field to management (see Fig. 2), including usual devices and technologies at every level: sensors and transmitters, variable frequency drives, PLCs, SCADA and Historian software, etc. The control structure of this subsystem uses a main ring with two PLCs. The PLCs are connected to their remote input/output devices, exchanging information by means of different industrial Ethernet protocols, such as Modbus TCP, Ethernet/IP, Profinet, etc. The remote devices manage transmitters and actuators that are either directly wired or connected through different fieldbuses: Modbus RTU, ASi, DeviceNet, etc. Furthermore, additional secondary rings are created to manage protocol exchanges by means of a set of gateways. An industrial SCADA system monitors the controllers. A specific data historian software can be used to aggregate and analyze data. A flexible routing/firewalling structure enables different network setups enforcing zone separation and deep packet inspection. A picture of the devices used in the industrial subsystem is shown in Fig. 3.

Building management subsystem: This subsystem also replicates the complete architecture of a typical BMS. Several technologies have been included: LonWorks, BACnet, KNX, EnOcean, Zigbee, etc. For that purpose, sensors, actuators, controllers, gateways and software are available. A specific SCADA for building is used for monitoring. The devices included in the building management system are shown in Fig. 4.

Energy management subsystem: This subsystem has been designed to simulate different parts of the electricity grid, such as distribution and electricity end-use. On the one hand, it implements the control and monitoring architecture of a distribution system, including a distribution substation and a transformer station. In the distribution substation, a communication ring based on the IEC 61850 protocol has been deployed in order to link electricity analyzers, advanced meters, protection relays, switchgear devices and remotely-controlled management relays.

On the other hand, the transformer substation consists of two main parts. The first one is operated by the electricity supplier and includes energy meters, protection and management relays, which are remotely controlled

Fig. 1. Cybersecurity lab scenarios: industrial control systems, building management systems, energy management
systems and smart city sensor networks.

Fig. 2. Automation pyramid in industrial control systems.

from the electricity control center using Modbus and IEC 60870-5-104 communication protocols. The second one, still incomplete in the laboratory, is operated by the consumer and incorporates basically protection and operation switchgears. Consumer facilities can also include intelligent circuit breakers and protection relays as well as energy management devices in each internal line.

Also, an electricity control center manages the operation of the different elements of the distribution infrastructure by means of an energy and outage management system (EMS/OMS), which communicates through IEC 60870-5-104. The distribution system is linked to both the electricity control center and the final consumers.

Fig. 3. Industrial subsystem.

Finally, a smart meter network that measures power consumption and monitors energy demand is added. It includes data concentrators and a central management system that communicates using the PRIME protocol.

Fig. 4. Building management subsystem.

Smart city subsystem: The core of this system is a wireless sensor network that relies on the IEEE 802.15.4 standard. The sensors, physically distributed in and around the laboratory, measure different variables such as noise, luminosity, gases (CO2, CO, NO2, etc.) or other weather-related variables. Other IoT (Internet of things) devices can be added to this subsystem.

The computing infrastructure has been designed with the aim to provide enough flexibility for experimentation and training. The main goals are: a flexible network segmentation (so that different zones and conduits can be established), the ability to run security tests in any point of the architecture and the ability to acquire and store all the potentially interesting information (network traffic captures, events, logs, process operation data, etc.) for further analysis. For that purpose, the laboratory has different industrial network devices, including, e.g., managed and unmanaged switches, firewalls (some with deep packet inspection capabilities), network taps, etc. Furthermore, the laboratory makes extensive use of server virtualization, thanks to 6 servers with dual Intel Xeon 8-core processors and a large data storage capacity.

Additionally, the power supply of the four subsystems described above is performed through 4 power lines (two 16A single-phase, one 32A single-phase and one 32A three-phase) that are replicated to ensure the functional safety of the laboratory and its elements. They are managed by an electric cabinet (see Fig. 5) which includes remotely operated switchgears.

Fig. 5. Electric cabinet.

4. EDUCATIONAL ACTIVITIES

The Laboratory of Critical Infrastructures Cybersecurity (CICLab) at the University of León was launched during the year 2015. A set of hands-on educational activities have been designed in order to develop the previously discussed educational goals in the academic year 2016/2017.

The variety of software, technologies and devices available in the laboratory makes it possible to design a set of practical tasks for any introductory course of automation or control systems, either from a general point of view or focused on any of the four types of critical infrastructures included in the laboratory. The educational activity is in both cases focused on identifying and understanding the elements, network architectures and industrial protocols/fieldbuses commonly found in automation. These ideas are consolidated through tasks with the PLC (such as configuring I/O and network or programming simple control strategies) and the SCADA (building and using monitoring interfaces). These introductory courses are interesting for cybersecurity specialists without background in automation.

Furthermore, the introduction of cybersecurity concepts in a familiar environment, such as the subsystems included in CICLab, allows a gradual learning by the industrial staff. E.g., the basic concepts, practices and tools can be shown by means of examples in the industrial control subsystem. This is the target of the activities described in the rest of the section.

With regard to the understanding of common vulnerabilities, the educational activity is focused on the analysis of industrial-oriented protocols and their security weaknesses. The reason is that the particular nature of the communications among their elements is a common source of threats to the control systems of critical infrastructures. Besides host-to-host communication using familiar technologies in general IT networks, a set of specific industrial network protocols is used at every automation level. The aim of these protocols is generally oriented to availability and they usually lack security measures related to confidentiality or integrity. For that reason, the proposed
educational activity is to sniff a protocol by means of a serial/Ethernet tap (such as NetDecoder or CanAnalyzer). The students have to interpret the protocol traffic to find the major weaknesses. Examples of malicious modifications to the captured frames are explained, showing that if injected, they can be used to write on PLC output variables, cause a denial of service (by flooding the network or stopping the PLC), etc.

With regard to the isolation of relevant assets into securable groups, the students need to understand how to define groups by function, process, control loop, etc. There are several models proposed for this matter, the most relevant being the zone-and-conduit model proposed in the IEC-62443 standard. The flexible structure provided for the laboratory makes it possible for students to propose different network segmentations according to specific prerequisites.

In order to establish the network zones, it is necessary to apply the appropriate security controls. Generally, firewalls are used for this purpose. For that reason, another activity proposed to the students will be the firewall selection, placement and configuration to enforce the defined requirements. The students can use the available equipment: firewalling and routing software, industrial firewall appliances, or the firewalls with deep packet inspection (DPI, which can filter protocols such as Modbus TCP or Ethernet/IP at the application layer). To configure the firewall, the students need to set the appropriate rules considering IP addresses, ports or (for the DPI case) protocol codes and variables.

The proposed activities with regard to security information monitoring are the installation and configuration of IDSs (Intrusion Detection Systems, such as Snort or Bro) and SIEMs (Security Information and Event Management, such as AlienVault OSSIM). These activities show the students how to detect security-related events in control networks by monitoring security events obtained from traffic and logs. These systems also enable further analysis of the stored events, allowing lecturers to introduce the usual stages of an attack.

5. CONCLUSIONS

The field of cybersecurity of industrial control systems is attracting a growing interest. In this paper, the Critical Infrastructure Cybersecurity Laboratory at the University of León has been presented. This laboratory has been launched during the year 2015. It has been designed with the aim of achieving flexible experimentation on security aspects of the equipment, the communication protocols and the whole configuration and operation of control and monitoring systems. The applications of this laboratory may range from education to research and testing new technologies. For that purpose, the laboratory includes heterogeneous field, control and monitoring elements that are commonly used in four prominent critical infrastructures: industrial control systems, energy management systems, building management systems and smart city sensor networks.

The variety of available control and monitoring systems and related equipment, as well as the flexibility provided by the network management tools, allows users to configure and simulate realistic security scenarios in control systems of critical infrastructures. In this sense, it is possible to configure test scenarios on a large set of communications protocols that are commonly used in industrial automation, energy management or building management systems. The laboratory users can also work with different control and monitoring technologies. Furthermore, the laboratory includes hardware and software elements to enable vulnerability detection in equipment, tracking of the network traffic, intrusion detection, etc. in different points of the critical infrastructures, as well as the ability to perform these tests locally or remotely. Further work includes the assessment of the educational value of the laboratory by means of the analysis of students' feedback.

REFERENCES

Brettel, M., Friederichsen, N., Keller, M., and Rosenberg, M. (2014). How virtualization, decentralization and network building change the manufacturing landscape: An industry 4.0 perspective. International Journal of Mechanical, Industrial Science and Engineering, 8(1), 37–44.
Canto, C.J.D., Prada, M.A., Fuertes, J.J., Alonso, S., and Domínguez, M. (2015). Remote laboratory for cybersecurity of industrial control systems. IFAC-PapersOnLine, 48(29), 13–18. doi: http://dx.doi.org/10.1016/j.ifacol.2015.11.206. IFAC Workshop on Internet Based Control Education IBCE15, Brescia (Italy), November 4-6, 2015.
Knapp, E.D. and Langill, J.T. (2016). Industrial Network Security, Second Edition: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.
Lee, J., Kao, H.A., and Yang, S. (2014). Service innovation and smart analytics for industry 4.0 and big data environment. Procedia CIRP, 16, 3–8.
Morris, T., Srivastava, A., Reaves, B., Gao, W., Pavurapu, K., and Reddi, R. (2011a). A control system testbed to validate critical infrastructure protection concepts. International Journal of Critical Infrastructure Protection, 4(2), 88–103.
Morris, T., Vaughn, R., and Dandass, Y.S. (2011b). A testbed for scada control system cybersecurity research and pedagogy. In Proceedings of the Seventh Annual Workshop on Cyber Security and Information Intelligence Research, 27. ACM.
Nicholson, A., Webber, S., Dyer, S., Patel, T., and Janicke, H. (2012). SCADA security in the light of cyber-warfare. Computers & Security, 31(4), 418–436. doi: http://dx.doi.org/10.1016/j.cose.2012.02.009.
Prada, M.A., Fuertes, J.J., Alonso, S., García, S., and Domínguez, M. (2015). Challenges and solutions in remote laboratories. application to a remote laboratory of an electro-pneumatic classification cell. Computers & Education, 85, 180–190.
Stouffer, K., Falco, J., and Scarfone, K. (2011). Guide to industrial control systems (ICS) security. Technical Report 82, NIST special publication.
Wright, M.A. (2015). Improving cybersecurity workforce capacity and capability. Information Systems Security Association (ISSA) Journal, 14–20.
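The firewall activity in Section 4 asks students to set rules on IP addresses, ports and, for the DPI case, protocol codes and variables. The Python below is an added illustration, not code from the paper or the laboratory: it decodes a Modbus TCP request, which carries no authentication field, and applies a default-deny rule set. The source addresses, register ranges and function names are assumptions made for the example.

```python
import struct
from ipaddress import ip_address, ip_network

READS = {0x01, 0x02, 0x03, 0x04}    # read coils, discrete inputs, registers
WRITES = {0x05, 0x06, 0x0F, 0x10}   # write single/multiple coils and registers

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and the request fields a DPI rule can match on."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    if func not in READS | WRITES or len(frame) < 12:
        raise ValueError("unsupported function code or truncated request")
    addr, arg = struct.unpack(">HH", frame[8:12])
    # Single writes touch one address; for the others arg is the quantity.
    return {"unit": unit, "func": func, "addr": addr,
            "count": 1 if func in (0x05, 0x06) else arg}

# Constructed rule set: source addresses and register ranges are assumptions.
POLICY = [
    {"src": ip_network("10.0.1.10/32"), "funcs": READS | {0x06, 0x10},
     "writable": range(100, 120)},                  # SCADA server
    {"src": ip_network("10.0.2.0/24"), "funcs": {0x03, 0x04},
     "writable": range(0)},                         # historian zone, read only
]

def inspect(src_ip: str, dst_port: int, frame: bytes, policy=POLICY) -> tuple:
    """Default-deny decision on IP address, port, function code and variables."""
    if dst_port != 502:                             # Modbus TCP port
        return ("deny", "not the Modbus TCP port")
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return ("deny", f"rejected: {exc}")
    for rule in policy:
        if ip_address(src_ip) not in rule["src"]:
            continue
        if req["func"] not in rule["funcs"]:
            return ("deny", "function code not allowed for this source")
        if req["func"] in WRITES:
            span = (req["addr"], req["addr"] + req["count"] - 1)
            if req["count"] < 1 or any(a not in rule["writable"] for a in span):
                return ("deny", "write outside permitted variables")
        return ("allow", "matches rule")
    return ("deny", "no rule for source")

SAMPLE_WRITE = bytes.fromhex("000100000006010600690001")  # constructed: write register 105 = 1
```

Because the decision can only rest on where the request comes from and what it asks for, the same write is allowed from the SCADA server address and denied from any other zone.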
