
Developing Cyber Forensics for SCADA Industrial Control Systems

Proceeding: The International Conference on Information Security and Cyber Forensics (InfoSec)

Publication Date:

Authors : ; ; ; ;

Page : 98-111

Keywords : SCADA; ICS; Cyber Forensics; Cyber Security;


Abstract

A large number of industries, including critical national infrastructure (electricity, gas, water, etc.) and manufacturing firms, rely heavily on computer systems, networks, control systems, and embedded devices in order to provide safe and reliable operations. These networks can be very complex and are often bespoke to the types of product the industries may provide. In recent years we have seen a significant rise in malicious attacks against such systems, ranging from sophisticated intelligent attacks to simple tool-based delivery mechanisms. With the rise in the reliance on industrial control networks and the increasing attacks, the lack of security monitoring and post forensic analysis of SCADA networks is becoming increasingly apparent. SCADA systems forensics is not like standard enterprise file-system forensics; the forensic specialist often has to be an expert in such systems/networks and SCADA-related devices in order to identify where potential forensic evidence could be located. This paper looks at SCADA/industrial control systems, typical attacks and vulnerabilities, problems with forensic analysis, and the development of a forensic methodology/toolkit for such systems.

Last modified: 2014-10-08 00:37:08