Digital Forensic: Project Phase 2
Project Phase 2
(Summary of Selected Papers)
Abbreviations used:
SCADA: Supervisory Control And Data Acquisition
ICS: Industrial Control System
PLC: Programmable Logic Controller
RTU: Remote Terminal Unit
HMI: Human Machine Interface
DCS: Distributed Control System
IED: Intelligent Electronic Device
Section four is aimed at forensic readiness. It discusses the options for incident response
management, the importance of an incident response team, and the guidelines, good practices
and frameworks available to such a team. For example, it discusses how factors such as the
level of activity undertaken by an internal team, cost and compliance determine what is
outsourced to third-party services and when. The second-to-last part covers good practices,
guidelines and frameworks; for example, in the UK the SICS (Security for Industrial Control
Systems) framework was developed by CPNI (Centre for the Protection of National
Infrastructure) and CESG (Communications-Electronics Security Group) to provide security
guidance across all aspects of ICS. Finally, it looks at establishing an incident response
capability (define an incident response policy and plan, assign roles and responsibilities,
exercise the plan).
This paper presents a case study of forensics in ICS and describes a method for safeguarding
important volatile artefacts from an embedded industrial control system and several other
sources. An ICS can be anything from a single embedded system, such as a stand-alone PLC
controlling a simple process like an automatic door in an office building or an elevator, to
a very complex DCS connected to a SCADA system in a nuclear power plant. At the same time,
there is little knowledge of ICS in the "forensic computer investigator world", so computer
forensics practitioners urgently need to become better informed.
A large part of an ICS consists of ordinary computers, and the networks and protocols are
mostly the same as in conventional ICT. For this part of the system, traditional
investigation methods are sufficient. However, standard forensic methodologies have no
inherent data collection capability for PLCs, RTUs, IEDs or other field-level devices. ICS
are designed with safety in mind rather than security, and for a long lifetime: they are
expected to run for 20 or 30 years without update or upgrade.
PLC and DCS systems are embedded systems with their own operating systems and programming
languages. Dedicated hardware and many protocols (e.g. Modbus, Profibus and DNP3) are in
use, while most digital forensic techniques cover only conventional computer forensics and
network investigations. This paper presents an ICS forensic process, including the important
steps for acquiring digital evidence for investigative purposes. Section 2 surveys related
work on digital forensics for ICS. Section 3 discusses the ICS forensics challenges and
presents the ICS forensic process. Section 4 describes and discusses a case study of ICS
forensics. Section 5 gives the conclusion and future work.
Data acquisition tools compatible with some field devices do exist, using cables and
flashing equipment, but this equipment is normally intended for servicing and repair. Such
tools are hard to obtain for less common models of PLCs and RTUs, and forensically sound
access to the RAM and ROM of these devices is difficult to achieve without first powering
the device off. R. Barbosa's Anomaly Detection in SCADA Systems: A Network Based Approach
presents an extensive characterization of network traces collected in SCADA networks; very
little information about real-world SCADA traffic is publicly available. The number of
attacks reported to the United States Department of Homeland Security (DHS) rose from 9 in
2009 to 198 in 2011, with 171 reported in 2012.
In 2008 the U.S. Department of Homeland Security [4] provided guidance for creating a
cyber-forensics program for a control systems environment. The guidance describes the
challenges of collection, data analysis and reporting in industrial control systems, and
lists the elements that matter during an investigation: a reference clock system, activity
logs and transaction logs, other sources of data, general system failures, real-time
forensics, device integrity monitoring, and enhanced all-source logging and auditing.
A running project called CRISALIS aims at providing new means to secure critical
infrastructure environments against targeted attacks. The two communities also mean
different things by security and safety. When ICT people talk about security and safety they
mean firewalls to keep hackers out of the system, since confidential information must be
protected; anti-malware to protect users and systems against viruses; and anti-spam to
protect users against spam in their mail. When ICS people talk about security and safety
they mean protecting the system against dangerous conditions such as wrong values in PLCs,
in the flow control and temperature sensors of a chemical plant, or in voltage and current.
The ICS forensic process splits the information into two sources: network data and device
data. For network data acquisition we have to decide, depending on the investigation, at
which level or levels the network traffic needs to be analysed. A typical distributed ICS
has at least three levels of network:
Device level, with sensors, programmable logic controllers (PLCs) and actuators.
Cell level, which controls the device controllers.
Plant level, which controls the cell controllers.
Sources of network data include live network data (raw network data, ARP tables, flow
records, etc.), historical network data (host-based logs, database queries, firewall logs,
etc.) and other log files (backup archives, access point logs, historians, etc.). For device
data acquisition, forensic tools do not exist for most ICS devices.
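To make the device-level network data concrete, here is an added example (not from the paper, written for this summary) that decodes Modbus/TCP requests captured between an HMI and a PLC and flags write commands coming from hosts that are not expected to command the PLC, which is exactly the "wrong values in PLCs" an ICS investigator worries about. The frames, IP addresses and the set of authorised writers are constructed for illustration; a real investigation would feed it TCP payloads from a capture at the cell/device boundary.

```python
"""Decode Modbus/TCP requests seen at the device level and flag writes from
unexpected hosts. Added example; all frames and host roles are constructed."""
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int              # starting coil/register address, 0 if not applicable
    values: Tuple[int, ...]   # register values for write requests (coil bitmaps left undecoded)


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU); raise ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("short frame of %d bytes" % len(payload))
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    # The MBAP length counts the unit id plus the PDU, so a well-formed frame is
    # exactly 6 + length bytes long; anything else is truncation or garbage.
    if len(payload) != 6 + length:
        raise ValueError("length field %d disagrees with frame size %d" % (length, len(payload)))
    pdu = payload[7:]
    fc = pdu[0]
    address = struct.unpack(">H", pdu[1:3])[0] if len(pdu) >= 3 else 0
    values: Tuple[int, ...] = ()
    if fc in (5, 6) and len(pdu) == 5:
        values = (struct.unpack(">H", pdu[3:5])[0],)
    elif fc == 16 and len(pdu) >= 6:
        qty, byte_count = struct.unpack(">HB", pdu[3:6])
        data = pdu[6:]
        if byte_count != 2 * qty or len(data) != byte_count:
            raise ValueError("write multiple registers: byte count does not match quantity")
        values = struct.unpack(">%dH" % qty, data)
    return ModbusRequest(tid, unit, fc, address, values)


def triage(records: Iterable[Tuple[str, str, bytes]], authorized_writers: set) -> List[str]:
    """records are (src_ip, dst_ip, tcp_payload) tuples in capture order.
    Returns one finding per malformed frame or per write from an unauthorized host."""
    findings = []
    for src, dst, payload in records:
        try:
            req = parse_modbus_tcp(payload)
        except ValueError as exc:
            findings.append("%s->%s: malformed frame (%s)" % (src, dst, exc))
            continue
        if req.function in WRITE_FUNCTIONS and src not in authorized_writers:
            findings.append("%s->%s: unauthorized %s unit=%d addr=%d values=%s" % (
                src, dst, FUNCTION_NAMES.get(req.function, "fc %d" % req.function),
                req.unit_id, req.address, list(req.values)))
    return findings


# Constructed capture: an HMI polling, an engineering station writing a setpoint,
# an unknown host overwriting the same register twice, then sending a truncated frame.
PLC = "10.0.2.50"
AUTHORIZED_WRITERS = {"10.0.1.20"}           # assumption: only the engineering station may write
SAMPLE_RECORDS = [
    ("10.0.1.10", PLC, bytes.fromhex("00010000000601030000000A")),         # read 10 holding registers
    ("10.0.1.20", PLC, bytes.fromhex("0002000000060106006401F4")),         # write reg 100 := 500
    ("10.0.9.77", PLC, bytes.fromhex("00030000000601060064FFFF")),         # write reg 100 := 65535
    ("10.0.9.77", PLC, bytes.fromhex("00040000000B0110006400020400000000")),  # write regs 100-101 := 0
    ("10.0.9.77", PLC, bytes.fromhex("000500000006010300")),               # length says 12, only 9 bytes
]


def run_example() -> List[str]:
    return triage(SAMPLE_RECORDS, AUTHORIZED_WRITERS)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The length check matters for evidential use: a frame whose MBAP length disagrees with the bytes on the wire is either a capture artefact or a probe, and either way should be recorded rather than silently decoded.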
The paper ends with a case study of an ICS investigation of an incident in a wind turbine in
October 2013. This investigation showed how crucially some ICS forensic investigations
depend on the volatile memory inside the PLC. The only device that was still intact after
the fire was the ground controller at the base of the turbine tower. It was possible to copy
the RAM of this device using service software and hardware from the wind turbine
manufacturer, and the log files were then investigated.
Forensic Analysis of SCADA/ICS System with Security and Vulnerability Assessment
The information security vulnerabilities of ICS have been studied extensively, and the
vulnerable nature of these systems is well known. In the case of a security incident (e.g. a
system failure, security breach or denial of service attack), however, it is important to
understand the digital forensic consequences of the incident, which procedures and protocols
must be followed during an investigation, which tools and techniques an investigator may
appropriately use, and where forensic data can be collected from and how. Taking these
questions into consideration, there is a serious gap in the literature, as forensic attack
analysis is commonly guided by experience and intuition rather than by a systematic or
scientific process. This paper aims to close this gap by building a fairly complex SCADA/ICS
laboratory at Sam Houston State University.
This laboratory has a realistic SCADA/ICS system that can be used for real-life experiments
such as penetration assessment and testing, vulnerability assessment and testing, and ICS
forensics research. The paper covers the digital forensic and security challenges in
SCADA/ICS, the system infrastructure, and the forensic attack scenarios and results studied
at the laboratory.
The first section of the paper introduces SCADA/ICS systems: their components, significance
and operation. SCADA is mainly used in industrial control systems to remotely collect
real-time data in order to automate and control networked equipment; for instance, SCADA
collects data on where leaks have occurred in a pipeline infrastructure. In recent years the
systems have evolved with the technology, started to use public networks, and so became
exposed to cyberattacks. A SCADA system has two main components: the control centre and the
field sites. Field sites are based on RTUs and PLCs and send field equipment information to
the control centre. The control centre is the hub of the SCADA system and has three
components: the HMI, a database management system and the Master Terminal Unit (MTU).
SCADA systems have been targets of attacks particularly in the last two decades, with the
advancements in technology. Bonnie et al. classify cyberattacks into two categories,
hardware and software; this paper concentrates on cyberattacks on SCADA hardware. In a
hardware attack, the attacker gains unauthenticated remote access to the hardware device and
can change data set points or the values shown on the operator display.
To meet the accountability requirement of the data security objectives, analysis of forensic
attacks on SCADA systems (performed to identify possible weaknesses before malicious
entities exploit them) is essential. The authors propose a four-stage approach to performing
forensic attacks on SCADA systems and deriving countermeasures:
1. Identify Vulnerabilities.
2. Identify Attack Methods: identify the ways in which an attacker may exploit the
vulnerability.
3. Implement Immediate Risk Reduction: the goal of this stage is to identify where the
SCADA system's defence mechanisms need strengthening.
4. Implement Long-term Solutions: once the attacks have been identified, find long-term
solutions. It is also important to produce a security plan for the systems.
As SCADA is a real-time system, forensic analysis must be live analysis. State-of-the-art
digital forensic toolkits do not support the unique features of SCADA protocols and log
formats, so forensic tools designed specifically for SCADA systems are needed. To carry out
the forensic investigation, a seven-step investigation model was used: (1) identification
and preparation; (2) identifying data sources; (3) preservation, prioritising and
collection; (4) examination; (5) analysis; (6) reporting and presentation; (7) reviewing
results.
SCADA was traditionally developed for non-networked environments, but with the increasing
demand for Internet connectivity SCADA systems have started to use public networks and so
became exposed to cyberattacks. SQL injection, cross-site scripting, malware and buffer
overflow attacks are only some of the attacks that can be used against SCADA/ICS systems.
Next, the paper explains the design and structure of the laboratory and the ICS hardware and
software components used in it. To simulate critical infrastructure, InduSoft Web Studio 9
by Wonderware was used. InduSoft is a SCADA software platform that provides data acquisition
applications and allows the live runtime of the SCADA system to be controlled; the operation
of the HMI software and SCADA server is controlled from InduSoft Web Studio, which runs on
Windows. The four-step approach described above was then adapted to the experiments.
Considering all the experiments, the only test case in which the authors were able to
maliciously affect the SCADA system's operation was a denial of service attack, IP flooding
over UDP. In order to perform the IP flooding attack. The attacks were successfully
performed on the humidity sensor, wind sensor, rotary encoder, proximity sensor, KOYO LED
lights and the buzzer. Other details of the attacks and results are given in tables in the
paper.
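As an added example (not from the paper) of how such a flood shows up in the historical network data an investigator collects, the following code aggregates constructed flow records into per-source UDP packet rates in fixed time bins and flags source/destination pairs whose peak rate reaches a threshold. The hosts, ports, packet counts and the 1000 packets/s threshold are assumptions for illustration, not values from the lab.

```python
"""Rate-based triage of flow records for a UDP flood against an ICS host.
Added example; the flow records, hosts, ports and threshold are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Flow:
    start: float    # flow start time, epoch seconds
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    dport: int
    packets: int


def udp_peak_rates(flows: Iterable[Flow], bin_seconds: float = 1.0) -> Dict[Tuple[str, str], float]:
    """Sum UDP packets per (src, dst) in fixed time bins and return each pair's peak packets/s.
    Binning rather than averaging over the whole capture keeps a short, intense burst visible."""
    per_bin: Dict[Tuple[str, str, int], int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        per_bin[(f.src, f.dst, int(f.start // bin_seconds))] += f.packets
    peaks: Dict[Tuple[str, str], float] = defaultdict(float)
    for (src, dst, _bin), count in per_bin.items():
        peaks[(src, dst)] = max(peaks[(src, dst)], count / bin_seconds)
    return dict(peaks)


def flag_udp_floods(flows: Iterable[Flow], pps_threshold: float = 1000.0,
                    bin_seconds: float = 1.0) -> List[Tuple[str, str, float]]:
    """Return (src, dst, peak_pps) for every pair whose peak UDP rate reaches the threshold."""
    return sorted((src, dst, pps)
                  for (src, dst), pps in udp_peak_rates(flows, bin_seconds).items()
                  if pps >= pps_threshold)


PLC = "10.0.2.50"
# Constructed records: an HMI polling over Modbus/TCP (ignored, not UDP), the same HMI
# sending a trickle of UDP, and one host bursting 800-packet UDP flows at the PLC every
# 100 ms for three seconds. Port numbers are arbitrary.
SAMPLE_FLOWS: List[Flow] = [Flow(100.0 + i, "10.0.1.10", PLC, "tcp", 502, 20) for i in range(10)]
SAMPLE_FLOWS += [Flow(100.0 + i, "10.0.1.10", PLC, "udp", 161, 2) for i in range(10)]
SAMPLE_FLOWS += [Flow(103.0 + 0.1 * k, "10.0.9.77", PLC, "udp", 502, 800) for k in range(30)]


def run_example() -> List[Tuple[str, str, float]]:
    return flag_udp_floods(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, dst, pps in run_example():
        print("%s -> %s peaked at %.0f UDP packets/s" % (src, dst, pps))
```

Flow records are coarse, so the output only narrows down which source to pull raw packets for; the threshold should be set from a baseline of the plant's own traffic, which, as the first paper notes, is rarely available publicly and has to be collected on site.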