TY - GEN
T1 - A Digital Forensic Taxonomy For Programmable Logic Controller Data Artefacts
AU - Shahbi, Feras
AU - Gardiner, Joseph
AU - Adepu, Sridhar
AU - Rashid, Awais
PY - 2023/7/31
Y1 - 2023/7/31
N2 - The growing complexity of industrial control systems (ICS) and increasing cyber attacks targeting critical infrastructures demand bespoke forensics techniques for Programmable Logic Controllers (PLCs). As they control their critical physical processes, PLCs form the backbone of many ICS. However, due to their unique characteristics and constraints, which include heterogeneous architectures, proprietary technologies and stringent real-time operational requirements, traditional digital forensic techniques may not be directly applicable. PLCs are intricate embedded devices with numerous distinct internal data artefacts, ranging from proprietary firmware to logic codes, safety logs, and process I/O values. Therefore, those tasked with PLC investigation must understand these intricacies and their underlying implications to effectively answer the forensic questions in the aftermath of an incident. To address this need, our paper presents the first tailored taxonomy for digital forensics on PLCs, systematically categorizing the various characteristics, forensic processes and considerations based on the stages involved in a forensic investigation. Furthermore, we employ our developed taxonomy to establish mappings between identified PLC data artefacts and their corresponding attributes, offering contextualised interrelationships between these artefacts and the PLC forensic investigation steps.
AB - The growing complexity of industrial control systems (ICS) and increasing cyber attacks targeting critical infrastructures demand bespoke forensics techniques for Programmable Logic Controllers (PLCs). As they control their critical physical processes, PLCs form the backbone of many ICS. However, due to their unique characteristics and constraints, which include heterogeneous architectures, proprietary technologies and stringent real-time operational requirements, traditional digital forensic techniques may not be directly applicable. PLCs are intricate embedded devices with numerous distinct internal data artefacts, ranging from proprietary firmware to logic codes, safety logs, and process I/O values. Therefore, those tasked with PLC investigation must understand these intricacies and their underlying implications to effectively answer the forensic questions in the aftermath of an incident. To address this need, our paper presents the first tailored taxonomy for digital forensics on PLCs, systematically categorizing the various characteristics, forensic processes and considerations based on the stages involved in a forensic investigation. Furthermore, we employ our developed taxonomy to establish mappings between identified PLC data artefacts and their corresponding attributes, offering contextualised interrelationships between these artefacts and the PLC forensic investigation steps.
KW - PLC Forensics
KW - ICS Security
KW - Cyber forensics
U2 - 10.1109/EuroSPW59978.2023.00040
DO - 10.1109/EuroSPW59978.2023.00040
M3 - Conference Contribution (Conference Proceeding)
SN - 9798350327212
T3 - IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
SP - 320
EP - 328
BT - 2023 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)
PB - Institute of Electrical and Electronics Engineers (IEEE)
ER -