+1 Recommend
1 collections
      • Record: found
      • Abstract: found
      • Conference Proceedings: found
      Is Open Access

      Forensic Readiness for SCADA/ICS Incident Response


      , , , , , ,

      4th International Symposium for ICS & SCADA Cyber Security Research 2016 (ICS-CSR)

      Cyber Security Research

      23 - 25 August 2016

      SCADA, critical infrastructure, digital forensics, incident response, SCADA forensics



            The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system. Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically sound manner. It will also discuss the key stages in which the incident response process can be managed.


            Author and article information

            August 2016
            August 2016
            : 142-150
            [0001]Information Security Research group

            School of Computing and Mathematics

            Department of Computing, Engineering and Science

            University of South Wales

            Pontypridd, CF371DL

            [0002]Computer Science and Informatics

            Cardiff University, Queen’s Buildings

            5 The Parade, Roath

            Cardiff CF24 3AA, UK
            [0003]Airbus Group Innovations

            Quadrant House Celtic Springs


            Newport NP10 8FZ, UK
            [0004]Department of International Politics

            Aberystwyth University

            Penglais, Aberystwyth


            SY23 3FE, UK
            © Eden et al. Published by BCS Learning & Development Ltd. Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016

            This work is licensed under a Creative Commons Attribution 4.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/

            4th International Symposium for ICS & SCADA Cyber Security Research 2016
            Queen’s Belfast University, UK
            23 - 25 August 2016
            Electronic Workshops in Computing (eWiC)
            Cyber Security Research
            Product Information: 1477-9358BCS Learning & Development
            Self URI (journal page): https://ewic.bcs.org/
            Electronic Workshops in Computing


            1. 2012 2018 Scada systems: Challenges for forensic investigators’ Computer 45 12 44 51

            2. CA 2015 Data acquisition: Best practices guide Technical report, CA Technologies

            3. 2014 Guide to vulnerability assessment for electric utility operations systems Technical report, NESCOR (National Electric Sector Cybersecurity Organization Resource

            4. CPNI 2015 Security for industrial control systems - establish response capabilities: A good practice guide Technical report, CPNI

            5. 2015 Improving network security monitoring for industrial control systems,in ‘14th IFIP/IEEE Int Symposium on Integrated Management IM 2015

            6. 2008 Recommended practice: Recommended practice: Creating cyber forensics plans for control systems Technical report, Department of Homeland Security

            7. 2012 Analyzing network traffic with basic linux tools Technical report, SANS Institute InfoSec Reading Room

            8. 2011 ‘Intercepting network traffic’ NETRESEC (Network Forensics and Network Security Monitoring) URL ext-link-type="uri" xlink: href="http://www">http://www.netresec.com/?page=Blogmonth =2011-03post=Sniffing- Tutorial-part-1— Intercepting-Network-Traffic

            9. ICS-CERT 2009 Recommended practice: Developing an industrial control systems cybersecurity incident response capability Technical report U.S. Department of Homeland Security

            10. 2015 ‘Runtime-monitoring for industrial control systems’ Electronics 4 4 995 1017

            11. 2014 ‘Control systems/scada forensics, what’s the difference? Digital Investigation 11 3 160 174

            12. 2015 Encase imager vs. ftk imager > ext-link-type="uri" xlink: href="http://bsmuir.kinja.com/encase-imager-vs-ftk-imager-1677906594">http://bsmuir.kinja.com/encase-imager-vs-ftk-imager-1677906594 Accessed 21st 06 2016

            13. NERC 2013 Request for information north american electric reliability corporation response Technical report, National Institute of Standards and Technology

            14. NIST 2011 Guide to industrial control systems (ics) security Technical report, National Institution of Standards and Technology

            15. 2012 Good practice guide for digital evidence Technical report, ACPO (Association of Chief Police Officers for England, Wales and Northern Ireland)

            16. 2014 Developing cyber forensics for scada industrial control systems,in ‘Proceedings of the International Conference on Information Security and Cyber Forensics’ SDIWC Digital Library

            17. 2014 ‘Incident response: How to fight back’ SANS Institute InfoSec Reading Room

            18. 2015 Automated asset discovery in industrial control systems -exploring the problem,in ‘Proceedings of the 3rd International Symposium for ICS SCADA Cyber Security Research 2015’ EWIC

            19. 2013 Towards a scada forensics architecture,in ‘Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research’ 12


            Comment on this article