SCADA Systems: Challenges for Forensic Investigators

Ahmed, Irfan; Obermeier, Sebastian; Naedele, Martin; Richard, Golden G.

doi:10.1109/mc.2012.325

Cited by 95 publications

(61 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, several authors have proposed the installation of agents on SCADA networks to conduct live forensic acquisition (Ahmed et al, 2012), (Kilpatrick et al, 2006). Live data acquisition is the extraction of data when the device is still running; in digital forensics this is normally used to recover RAM in the memory of a computer (Jones, 2007).…”

Section: Related Researchmentioning

confidence: 99%

“…A key limitation with the majority of existing work such as (Ahmed et al, 2012) (Patzlaff, 2013) is they have not conducted a practical evaluation of their forensic framework. In order to establish if their implementation is capable of extracting forensic artefacts from PLCs.…”

Section: Related Researchmentioning

confidence: 99%

“…Most related research has focused on the development of live forensic frameworks using agents to collect forensic artefacts from SCADA systems such as (Ahmed, Obermeier, Naedele, & Richard, 2012) (Taveras, 2013) (Kilpatrick, Gonzalez, Chandia, Papa, & Shenoi, 2006). Many of these approaches have focused on acquiring evidence from computer systems.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Wu¹,

Nurse²

2015

JDFSL

View full text Add to dashboard Cite

The Stuxnet malware attack has provided strong evidence for the development of a forensic capability to aid in thorough post-incident investigations. Current live forensic tools are typically used to acquire and examine memory from computers running either Windows or Unix. This makes them incompatible with embedded devices found on SCADA systems that have their own bespoke operating system. Currently, only a limited number of forensics tools have been developed for SCADA systems, with no development of tools to acquire the program code from PLCs. In this paper, we explore this problem with two main hypotheses in mind. Our first hypothesis was that the program code is an important forensic artefact that can be used to determine an attacker's intentions. Our second hypothesis was that PLC debugging tools can be used for forensics to facilitate the acquisition and analysis of the program code from PLCs. With direct access to the memory addresses of the PLC, PLC debugging tools have promising functionalities as a forensic tool, such as the "Snapshot" function that allows users to directly take values from the memory addresses of the PLC, without vendor specific software. As a case example we will focus on PLC Logger as a forensic tool to acquire and analyse the program code on a PLC. Using these two hypotheses we developed two experiments. The results from Experiment 1 provided evidence to indicate that it is possible to acquire the program code using PLC Logger and to identify the attacker's intention, therefore our hypothesis was accepted. In Experiment 2, we used an existing Computer Forensics Tool Testing (CFTT) framework by NIST to test PLC Logger's suitability as a forensic tool to analyse and acquire the program code. Based on the experiment's results, this hypothesis was rejected as PLC Logger had failed half of the tests. This suggests that PLC Logger in its current state has limited suitability as a forensic tool, unless the shortcomings are addressed.

show abstract

Section: Related Researchmentioning

confidence: 99%

Section: Related Researchmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Wu¹,

Nurse²

2015

JDFSL

View full text Add to dashboard Cite

show abstract

“…The work of Ahmed [97] demonstrated a need for forensically examining SCADA systems without turning them off. Ahmed put forward a technique called live forensics in order to detect and thus partially mitigate threats in real time.…”

Section: Live Forensicsmentioning

confidence: 99%

Smart Grid Cyber Security: An Overview of Threats and Countermeasures

López¹,

Sargolzaei²,

Santana³

et al. 2015

JEPE

View full text Add to dashboard Cite

Abstract:The smart grid is the next generation of power and distribution systems. The integration of advanced network, communications, and computing techniques allows for the enhancement of efficiency and reliability. The smart grid interconnects the flow of information via the power line, intelligent metering, renewable and distributed energy systems, and a monitoring and controlling infrastructure. For all the advantages that these components come with, they remain at risk to a spectrum of physical and digital attacks. This paper will focus on digital vulnerabilities within the smart grid and how they may be exploited to form full fledged attacks on the system. A number of countermeasures and solutions from the literature will also be reported, to give an overview of the options for dealing with such problems. This paper serves as a triggering point for future research into smart grid cyber security.

show abstract

“…In case of potential security incidents, several challenges exist for conducting an effective forensic investigation [4]. Forensic investigation actions are focused on understanding the cause and effects of the intrusion on SCADA systems, in order to improve their cyber defense.…”

Section: B Malwares and Virusesmentioning

confidence: 99%

Security and intrusion detection on critical SCADA systems for water management

Stoian

Ignat

Capatina

et al. 2014

2014 IEEE International Conference on Automation, Quality and Testing, Robotics

View full text Add to dashboard Cite

SCADA systems are broadly employed in supervising and controlling industrial areas comprising manufacturing industries, traffic control, power plants, integrated water management systems (distribution, treatment and sewage).The security of SCADA systems represents a significant subject on account of the critical function that these systems perform in offering vital utility services. In nowadays industrial systems ubiquitous access to Internet enhance the vulnerabilities of SCADA systems, for the reason that this allows a remote attacker to obtain control of, or produce interruption to the network critical functions. The attacks affect the network control plane and /or the data plane.Critical infrastructures, requiring uninterrupted operation, maintenance, and protection, have need of robust and secured control SCADA systems. The paper intends to depicts the critical architectural constituents of these systems, detect vulnerabilities and possible threats, and illustrate protection techniques that may be set up in order to reduce attacks involving situation awareness solutions.

show abstract

SCADA Systems: Challenges for Forensic Investigators

Cited by 95 publications

References 13 publications

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Exploring The Use Of PLC Debugging Tools For Digital Forensic Investigations On SCADA Systems

Smart Grid Cyber Security: An Overview of Threats and Countermeasures

Security and intrusion detection on critical SCADA systems for water management

Contact Info

Product

Resources

About