The Association of Digital Forensics, Security and Law (ADFSL)
A Supervisory Control and Data Acquisition (SCADA) system is an automated industrial control system. It is built with multiple Programmable Logic Controllers (PLCs). A PLC is a special form of microprocessor-based controller with a proprietary operating system. Due to the unique architecture of the PLC, traditional digital forensic tools are difficult to apply. In this paper, we propose a program called Control Program Logic Change Detector (CPLCD), which works with a set of Detection Rules (DRs) to detect and record undesired incidents that interfere with the normal operation of a PLC. To prove the feasibility of our solution, we set up two experiments for detecting two common PLC attacks. Moreover, we illustrate how CPLCD and the network analyzer Wireshark can work together to perform a digital forensic investigation of a PLC.
Yau, Ken and Chow, Kam-Pui, "PLC Forensics Based on Control Program Logic Change Detection," Journal of Digital Forensics, Security and Law: Vol. 10, Article 5.
Available at: http://commons.erau.edu/jdfsl/vol10/iss4/5