Text size
  • Small
  • Medium
  • Large
  • Standard
  • Blue text on blue
  • High contrast (Yellow text on black)
  • Blue text on beige

    Towards a SCADA Forensics Architecture

    1st International Symposium for ICS & SCADA Cyber Security Research 2013 (ICS-CSR 2013)

    Leicester, UK, 16-17 September 2013


    Tina Wu, Jules Ferdinand Pagna Disso, Kevin Jones & Adrian Campos


    With the increasing threat of sophisticated attacks on critical infrastructures, it is vital that forensic investigations take place immediately following a security incident. This paper presents an existing SCADA forensic process model and proposes a structured SCADA forensic process model to carry out a forensic investigations. A discussion on the limitations of using traditional forensic investigative processes and the challenges facing forensic investigators. Furthermore, flaws of existing research into providing forensic capability for SCADA systems are examined in detail. The study concludes with an experimentation of a proposed SCADA forensic capability architecture on the Siemens S7 PLC. Modifications to the memory addresses are monitored and recorded for forensic evidence. The collected forensic evidence will be used to aid the reconstruction of a timeline of events, in addition to other collected forensic evidence such as network packet captures.


    PDF file PDF Version of this Paper 702(kb)

    1st International Symposium for ICS & SCADA Cyber Security Research 2013 cover

    Print copies of ICS-CSR
    ISBN 978-1-780172-32-3
    RRP £85

    Available from the BCS bookshop