Copyright © 2018 Qais Saif Qassim et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

International Journal of Engineering & Technology, 7 (2.14) (2018) 145-152
Website: www.sciencepubco.com/index.php/IJET
Research Paper

A review: towards practical attack taxonomy for industrial control systems

Qais Saif Qassim 1*, Norziana Jamil 1,2, Razali Jidin 1, Mohd Ezanee Rusli 1,2, Md Nabil Ahmad Zawawi 1,2, Md Zaini Jamaludin 1, Muhammad Reza Z'aba 3, Wan Azlan Wan Kamarulzaman 4

1 Institute of Informatics and Computing in Energy, Universiti Tenaga Nasional, Selangor, Malaysia
2 College of Computer Science and Information Technology, Universiti Tenaga Nasional, Selangor, Malaysia
3 Faculty of Computer Science and Information Technology, University of Malaya, Kuala Lumpur, Malaysia
4 Tenaga Nasional Berhad, Malaysia
*Corresponding author E-mail: qaissaif@uniten.edu.my

Abstract

Supervisory Control and Data Acquisition (SCADA) systems are the underlying control systems of most national critical infrastructures, such as power, energy, water, transportation and telecommunication. In order to understand the potential threats to these infrastructures and the mechanisms to protect them, the different types of cyber-attacks applicable to these infrastructures need to be identified. Therefore, there is a significant need for a comprehensive understanding of the various types of cyber-attacks and their classification, associated with both Operation Technology (OT) and Information Technology (IT). This paper presents a comprehensive review of the existing cyber-attack taxonomies available in the literature and evaluates these taxonomies against defined criteria.

Keywords: SCADA; Cyber-Attack; Taxonomy.

1. Introduction

Cyber-attacks have greatly increased over the years, and attackers have progressively improved at devising attacks toward a specific target. With cyber threats on the rise, it is necessary to correctly identify the suspected threat in a timely manner [1]. In today's world, there is an increasing overlap between cyber-based technologies and physical systems. For example, modern critical infrastructures such as power plants and water supply systems rely heavily on information and communications technologies to reduce costs as well as to increase efficiency, flexibility and interoperability [1-2]. As a result, these technologies are exposed to significant cyber threats. One of the heightened risks of cyber-attacks against critical infrastructure is the physical component of these attacks. An attack in this area is not limited to information or processes [4]. The physical components of these systems mean that any impact on the information also has the possibility of causing an impact within the physical world. The recent Stuxnet worm is the first malware that was specifically designed to attack networked industrial control systems [5]. Stuxnet's ability to reprogram the logic of control hardware and alter physical processes demonstrates the danger of modern cyber threats.

Although existing research works on taxonomies of SCADA/ICS attacks are limited, analyzing attacks against computer and network systems will inform the classification of SCADA/ICS attacks because of the overlapping infrastructure. Therefore, in this work, we surveyed attack taxonomies in the areas of computer, network and SCADA systems to identify possible SCADA/ICS attacks and to present a better understanding of their influence on cyber-physical systems.

This paper is organized as follows. Section 2 presents the cyber-attack taxonomies that have been considered in this work for evaluation. Section 3 presents the analysis of the examined taxonomies. We present a new cyber-attack taxonomy in Section 4, while Section 5 concludes the results obtained from this work.

2. Cyber-attack taxonomies

An attack taxonomy is a framework for describing the characteristics of attacks, and the classifiers chosen are fundamental to achieving a systematic attack classification. There have been many attempts to define a cyber-attack taxonomy for classifying cyber-attacks or incidents. In this section, we provide a brief survey of existing taxonomies that assist with identifying attacks.

The work in [6] presented the first attempt at a unified security taxonomy. It is considered one of the most comprehensive studies of computer security incidents. In that work, a detailed analysis of data collected by CERT/CC, consisting of over 4,500 security incidents between 1989 and 1995, was carried out. Based on this data, the authors proposed a network and attack taxonomy for classifying and comparing such incidents. This taxonomy contained five primary components:

- Tools of attack: defined as the means of exploiting a computer or network vulnerability. Attack tools include physical attack, information exchange, user command, script, toolkit and data trap.
- System vulnerability: a vulnerability is a weakness in a system allowing unauthorized action; a weakness in design, implementation or configuration.
- Action: represents a spectrum of activities that can take place on computers and networks. More specifically, an action is a step taken by a user or a process in order to achieve a result. Actions include probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify and delete.
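The three components listed above become useful to a defender only when incident records are constrained to the taxonomy's vocabulary and when the "action" label can be derived from what was actually observed. The following Python code is an added illustration, not part of the paper or of the taxonomy in [6]: it encodes the tool, vulnerability and action vocabularies exactly as the page lists them (the two remaining components of that taxonomy are not on the page and are omitted), validates incident records against them, and derives the probe/scan/flood action label for each source-destination pair from constructed connection events. The `Event` class, the threshold values `scan_ports` and `flood_packets`, and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Vocabulary of the three components the paper lists for the taxonomy in [6].
# Hypothetical encoding for this example; the taxonomy's other two components
# are not on the page and are therefore not modelled here.
TOOLS = frozenset({"physical attack", "information exchange", "user command",
                   "script", "toolkit", "data trap"})
VULNERABILITIES = frozenset({"design", "implementation", "configuration"})
ACTIONS = frozenset({"probe", "scan", "flood", "authenticate", "bypass", "spoof",
                     "read", "copy", "steal", "modify", "delete"})


def record_incident(tool: str, vulnerability: str, action: str) -> dict:
    """Build a classified incident record, rejecting labels outside the taxonomy."""
    for value, vocab, name in ((tool, TOOLS, "tool"),
                               (vulnerability, VULNERABILITIES, "vulnerability"),
                               (action, ACTIONS, "action")):
        if value not in vocab:
            raise ValueError(f"unknown {name} label: {value!r}")
    return {"tool": tool, "vulnerability": vulnerability, "action": action}


@dataclass(frozen=True)
class Event:
    """One observed connection attempt (constructed sample data, not real traffic)."""
    src: str
    dst: str
    dport: int


def classify_actions(events, scan_ports: int = 10, flood_packets: int = 200) -> dict:
    """Label each (src, dst) pair with the network-level action it exhibits.

    flood: a large number of packets against one host; scan: many distinct
    destination ports from one source; probe: anything smaller than that.
    The thresholds are illustrative assumptions, not values from the paper.
    """
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev.src, ev.dst)].append(ev)

    labels = {}
    for pair, evs in by_pair.items():
        distinct_ports = {ev.dport for ev in evs}
        if len(evs) >= flood_packets:
            labels[pair] = "flood"
        elif len(distinct_ports) >= scan_ports:
            labels[pair] = "scan"
        else:
            labels[pair] = "probe"
        # Every derived label must stay inside the taxonomy's action vocabulary.
        assert labels[pair] in ACTIONS
    return labels


# Constructed sample: a sweep over 12 ports, 300 packets at one Modbus/TCP port
# (502), and a single connection attempt to SSH (22).
SAMPLE_EVENTS = (
    [Event(src="10.0.0.5", dst="10.0.0.20", dport=1 + i) for i in range(12)]
    + [Event(src="10.0.0.6", dst="10.0.0.21", dport=502) for _ in range(300)]
    + [Event(src="10.0.0.7", dst="10.0.0.22", dport=22)]
)

if __name__ == "__main__":
    # Tool and vulnerability are not inferable from traffic alone; an analyst
    # supplies them, and record_incident() keeps the labels inside the vocabulary.
    for pair, action in classify_actions(SAMPLE_EVENTS).items():
        print(pair, "->", record_incident("toolkit", "configuration", action))
```

The validation step matters in practice: incident databases drift toward free-text labels ("malware", "DoS") that cannot be compared across years, which is exactly the problem the CERT/CC analysis in [6] set out to avoid by fixing the vocabulary first.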