Forensics in Industrial Control System: A Case Study

Electronic Workshops in Computing, 2016

The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system. Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically sound manner. It will also discuss the key stages in which the incident response process can be managed.

2012

An embedded system is a special-purpose computer system designed to perform one or a few dedicated functions, for example, just portable devices such as MP3 players, cell phone, to telemetric system like car navigation system etc. The more embedded systems are diversifying various types, the more forensic community is concentrating on efforts of research correspond to all kinds of embedded systems. Forensic analysis of electronic systems will become an area of increasing significance in the near future. Clearly, the growing use of embedded systems and the ubiquitous age is required advanced digital forensic techniques for the future forensic computing. In this paper, we introduce new emerging embedded systems and show a comprehensive methodology for forensic analysis of electronic systems.

Journal of Sensor and Actuator Networks, 2020

Cyber–Physical Systems (CPS) connect the physical world (systems, environments, and humans) with the cyber world (software, data, etc.) to intelligently enhance the operational environment they serve. CPS are distributed software and hardware components embedded in the physical world and possibly attached to humans. They offer smart features, such as enhancing and optimizing the reliability, quality, safety, health, security, efficiency, operational costs, sustainability, and maintainability of physical systems. CPS are also very vulnerable to security attacks and criminal activities. In addition, they are very complex and have a direct impact on their environment. Therefore, it is hard to detect and investigate security attacks, while such attacks may have a catastrophic impact on the physical world. As a result, CPS must incorporate security measures in addition to suitable and effective forensics capabilities. When the security measures fail and an attack occurs, it becomes imper...

IFIP Advances in Information and Communication Technology, 2006

Supervisory control and data acquisition (SCADA) systems are widely used in industrial control and automation. Modern SCADA protocols often employ TCPlIP to transport sensor data and control signals. Meanwhile, corporate IT infrastructures are interconnecting with previously isolated SCADA networks. The use of TCPlIP as a carrier protocol and the interconnection of IT and SCADA networks raise serious security issues. This paper describes an architecture for SCADA network forensics. In addition to supporting forensic investigations of SCADA network incidents , the architecture incorporates mechanisms for monitoring process behavior, analyzing trends and optimizing plant performance.

2020

Supervisory Control and Data Acquisition (SCADA) has been at the cored of Operational Technology (OT) used in industries and process plants to monitor and control critical processes, especially in the energy sector. In petroleum sub-sector, it has been used in monitoring transportation, storage and loading of petroleum products. It is linked to instruments that collect and monitor parameters such as temperature, pressure and product densities. It gives commands to actuators by the use of the application programs installed on the programmable logic controllers (PLCs). Earlier SCADA systems were isolated from the internet, hence protected by an airgap from attacks taking place on interconnected systems. The recent trend is that SCADA systems are becoming more integrated with other business systems using Internet technologies such as Ethernet and TCP/IP. However, TCP/IP and web technologies which are predominantly used by IT systems have become increasingly vulnerable to cyberattacks that are experienced by IT systems such as malwares and other attacks. It is important to conduct vulnerability assessment of SCADA systems with a view to thwarting attacks that can exploit such vulnerabilities. Where the vulnerabilities have been exploited, forensic analysis is required so as to know what really happened. This paper reviews SCADA systems configuration, vulnerabilities, and attacks scenarios, then presents a prototype SCADA system and forensic tool that can be used on SCADA. The tool reads into the PLC memory and Wireshark has been to capture network communication between the SCADA system and the PLC.

European Scientific Journal, 2013

SCADA (Supervisory Control and Data Acquisition System) systems were originally created to be deployed in non-networked environments. Therefore they lack of adequate security against Internet-based threats and cyber-related forensics. In recent years, SCADA systems have undergone a series of changes that might increase the risks to which they are exposed. Among these risks it can be observed that its increased connectivity may permit remote controls over the Internet, or the incorporation of general purpose tools, thus incorporating already known vulnerabilities of these. Any cyber-attack against SCADA systems demands forensic investigation to understand the cause and effects of the intrusion or disruption on such systems. However, a SCADA system has a critical requirement of being continuously operational and therefore a forensic investigator cannot turn off the SCADA system for data acquisition and analysis. This paper leads to the creation of a high level software application capable of detecting critical situations like abnormal changes of sensor reads, illegal penetrations, failures, physical memory content and abnormal traffic over the communication channel. One of the main challenges is to achieve the development of a tool that has minimal impact over the SCADA resources, during the data acquisition process.

Computer, 2000

SCADA systems run 24/7 to control and monitor industrial and infrastructure processes. In case of potential security incidents, several challenges exist for conducting an effective forensic investigation. This paper discusses these challenges and investigates potential solutions. It shows the limitations of traditional IT-based approaches and also presents research challenges for initiating and continuing research in SCADA systems. Furthermore, it discusses how the research community has tackled these problems so far.

IEEE Security & Privacy, 2017

SCADA (Supervisory Control and Data Acquisition System) systems were originally created to be deployed in non-networked environments. Therefore they lack of adequate security against Internet-based threats and cyber-related forensics. In recent years, SCADA systems have undergone a series of changes that might increase the risks to which they are exposed. Among these risks it can be observed that its increased connectivity may permit remote controls over the Internet, or the incorporation of general purpose tools, thus incorporating already known vulnerabilities of these. Any cyber-attack against SCADA systems demands forensic investigation to understand the cause and effects of the intrusion or disruption on such systems. However, a SCADA system has a critical requirement of being continuously operational and therefore a forensic investigator cannot turn off the SCADA system for data acquisition and analysis. This paper leads to the creation of a high level software application capable of detecting critical situations like abnormal changes of sensor reads, illegal penetrations, failures, physical memory content and abnormal traffic over the communication channel. One of the main challenges is to achieve the development of a tool that has minimal impact over the SCADA resources, during the data acquisition process.

2010

Embedded systems are ubiquitous in society and can contain information that could be used in criminal cases for example in a serious road traffic accident where the car management systems could provide vital forensic information concerning the engine speed etc. A critical review of a number of methods and procedures for the analysis of embedded systems were compared against a ‘standard’ methodology for use in a Forensic Computing Investigation. A Unified Forensic Methodology (UFM) has been developed that is forensically sound and capable of dealing with the analysis of a wide variety of Embedded Systems.