Abstract
The escalating cyber threats targeting critical national infrastructure (CNI) place unprecedented urgency on its forensic capabilities. Industrial Control Systems (ICS) form the operational backbone of these vital infrastructures, orchestrating everything from energy generation and water treatment to high-value manufacturing and transportation networks. At the heart of these systems lie Programmable Logic Controllers (PLCs): specialised computing devices that constitute the critical means through which automated physical processes are monitored and controlled. Because they uniquely bridge the cyber and physical worlds, PLCs are an attractive ultimate target: compromising them can trigger cascading disruptions with potentially catastrophic consequences for safety, the environment, and society at large. In fact, the trajectory of documented high-profile cyber attacks that have targeted PLCs demonstrates a global trail of disruptions across diverse CNI sectors and nations. Unfortunately, investigating PLC-focused attacks remains an underdeveloped and challenging frontier. PLCs are engineered for optimised uptime, safety, and reliability, with cyber defence or forensic readiness being, at best, afterthoughts. The result is a landscape in which traditional digital forensic techniques struggle to keep up. This complexity is compounded by intricate architectures combining legacy models, proprietary firmware, diverse protocols, and stringent operational constraints that tolerate little to no downtime. Key forensic assumptions that underpin state-of-the-practice approaches, such as abundant log data, uniform system architectures, or the freedom to image and reboot systems, simply break down in PLC settings. In other words, the very features that make PLCs reliable and deterministic preclude the straightforward application of the forensic practices that are invariably assumed in state-of-the-art approaches for IT systems.
Furthermore, during the unfolding crisis of a PLC incident, limited understanding of the constituent data artefact types, coupled with the absence of structured investigative pathways, can fan the flames of fatigue and uncertainty. Under such conditions, investigations may devolve into improvised responses, heightening the risk of oversight, missteps, or even exacerbating the very compromise they seek to resolve.
To bridge these gaps, this thesis puts forward a PLC-centric forensic readiness framework composed of three interdependent contributions. First, a taxonomy of 19 PLC data artefact types is mapped out, thoroughly capturing their forensic relevance, inherent challenges, defining characteristics, and investigative implications. Building on this foundation, the Forensic Value Function (FVF) is introduced as a novel model for assessing and ranking the forensic utility of PLC artefact types. Through a proactive, attack-agnostic assessment across three dimensions (integrity, volatility, and extraction effort), it defines measurable readiness targets, enabling the prioritisation of high-value artefacts while elevating undervalued ones. Informed by focused engagements with experts in OT cybersecurity and Digital Forensics and Incident Response (DFIR), the FVF underwent targeted refinements to sharpen its metric coverage, contextual adaptability, and conceptual rigour. These advances are then operationalised through the PLC Digital Forensic Readiness Playbook (PDF-RP) framework, a value-driven orchestration of investigative procedures. The framework defines the specifications and composable building blocks for codifying playbook instances tailored to the operational realities of PLC environments.
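To make the idea of a value-driven ranking concrete, the following is an added illustration and not the thesis's own FVF: the 1..5 scales, the weights, the scoring formula and the small set of artefact types with their scores are all assumptions constructed for this example (the thesis's 19 artefact types are not listed on this page). It shows how scoring each artefact on the three named dimensions can yield a priority order and a per-artefact readiness target before any incident occurs.

```python
"""Hypothetical artefact-value ranking in the spirit of the FVF.

Everything numeric here (scales, weights, formula, sample scores) is an
assumption made for this illustration, not the thesis's own model.
"""
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5

# Hypothetical weights for the three dimensions named in the abstract.
# Effort is inverted into "extraction ease" so that cheaper capture scores higher.
WEIGHTS = {"integrity": 0.4, "volatility": 0.4, "extraction_ease": 0.2}


@dataclass(frozen=True)
class Artefact:
    name: str
    integrity: int   # confidence the artefact reflects true device state (1 low .. 5 high)
    volatility: int  # how quickly it is lost or overwritten (1 stable .. 5 highly volatile)
    effort: int      # extraction effort (1 trivial .. 5 invasive / needs downtime)

    def __post_init__(self) -> None:
        # Reject scores outside the assumed scale so a typo cannot skew the ranking.
        for field in ("integrity", "volatility", "effort"):
            v = getattr(self, field)
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"{self.name}: {field}={v} outside {SCALE_MIN}..{SCALE_MAX}")


def forensic_value(a: Artefact) -> float:
    """Weighted score: high integrity and high volatility raise priority, high effort lowers it."""
    ease = SCALE_MAX + SCALE_MIN - a.effort  # 5 -> 1, 1 -> 5
    raw = (WEIGHTS["integrity"] * a.integrity
           + WEIGHTS["volatility"] * a.volatility
           + WEIGHTS["extraction_ease"] * ease)
    return round(raw, 2)


def rank_artefacts(artefacts):
    """Highest forensic value first."""
    return sorted(artefacts, key=forensic_value, reverse=True)


def readiness_targets(artefacts):
    """Derive a preservation target per artefact from its volatility and effort."""
    targets = {}
    for a in artefacts:
        if a.volatility >= 4:
            action = "live capture before any intervention; automate periodic snapshots"
        elif a.effort >= 4:
            action = "golden reference copy taken in advance; compare on incident"
        else:
            action = "acquire during scheduled maintenance window"
        targets[a.name] = action
    return targets


# Constructed sample artefact types with hypothetical scores (not the thesis's taxonomy).
SAMPLE_ARTEFACTS = [
    Artefact("process image (I/O memory)", integrity=3, volatility=5, effort=3),
    Artefact("control logic program", integrity=4, volatility=2, effort=2),
    Artefact("firmware image", integrity=5, volatility=1, effort=5),
    Artefact("diagnostic buffer / event log", integrity=3, volatility=4, effort=2),
    Artefact("engineering-traffic network capture", integrity=4, volatility=5, effort=3),
]

if __name__ == "__main__":
    targets = readiness_targets(SAMPLE_ARTEFACTS)
    for a in rank_artefacts(SAMPLE_ARTEFACTS):
        print(f"{forensic_value(a):4.2f}  {a.name:38s} -> {targets[a.name]}")
```

Running the block prints the sample artefacts in descending value with their readiness target; changing the weights is the knob that lets an operator reflect a site's own integrity or downtime constraints, which is the kind of contextual adaptation the abstract attributes to the FVF.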
Together, these concerted contributions enable a paradigm shift from today's largely reactive, ad-hoc investigations toward proactive, value-driven forensic readiness within critical infrastructure systems, addressing longstanding visibility and decision-making gaps overlooked in the state of practice. With a comprehensive taxonomy, a prioritisation model, and guided playbooks, this work advances the state of PLC forensics and allows responders to better narrow in on what happened, contain threats before they escalate, and learn actionable lessons to prevent future attacks. Ultimately, this fosters greater resilience where it matters most: protecting the critical services that sustain the reliable functioning of modern society.
| Date of Award | 20 Jan 2026 |
|---|---|
| Original language | English |
| Awarding Institution | |
| Sponsors | Saudi Arabian Cultural Bureau in the UK |
| Supervisor | Awais Rashid (Supervisor) & Joe Gardiner (Supervisor) |
Keywords
- PLC Forensics
- ICS Forensics
- Digital Forensic Readiness
- OT Forensic Playbooks