[摘要] Supervisory Control and Data Acquisition (SCADA) systems form the monitoring and control backbone of the power grid. It is critical to ensure that SCADA systems are continuously available and operating correctly at their expected level of performance. However, as key components of the power grid infrastructure, SCADA systems are likely to be targeted by nation-state-level attackers willing to invest considerable resources to disrupt the power grid.We present the first intrusion-tolerant SCADA system that is resilient to both system-level compromises and sophisticated network-level attacks and compromises. While existing SCADA systems often deploy two control centers for fault tolerance, we show that two control centers, even if active at the same time, cannot provide the necessary resilience. We develop a novel architecture that distributes the SCADA system management across three or more active sites to ensure continuous availability in the presence of simultaneous intrusions and network attacks. To make our architecture viable for deployment by power companies that budget for no more than two control centers, we extend our architecture to allow the two control centers used today to be augmented with one or more commodity data center sites to provide the same level of resilience at a feasible cost.The system design is implemented in the Spire intrusion-tolerant SCADA system, which is available as open source. Spire was recently tested in a red-team experiment, during which an experienced hacker team completely compromised a traditional SCADA system setup according to best practices, but was unable to impact Spire’s guarantees over several days of attack. In addition, a wide-area deployment of Spire, using two control centers and two data centers spanning 250 miles (similar to large U.S. power grids), delivered nearly 99.999% of all SCADA updates initiated over a 30-hour period within 100ms. These results demonstrate that Spire provides meaningful security advantages over traditional SCADA systems and that Spire can meet the latency requirements of SCADA for the power grid.