SCADA network forensics of the PCCC protocol

SCADA network forensics of the PCCC protocol

Most SCADA devices have few built-in self-defence mechanisms, and tend to implicitly trust communications received over the network. Therefore, monitoring and forensic analysis of network traffic is a critical prerequisite for building an effective defense around SCADA units. In this work, we provide a comprehensive forensic analysis of network traffic generated by the PCCC(Programmable Control...

An Architecture for SCADA Network Forensics

Towards a SCADA Forensics Architecture

With the increasing threat of sophisticated attacks on critical infrastructures, it is vital that forensic investigations take place immediately following a security incident. This paper presents an existing SCADA forensic process model and proposes a structured SCADA forensic process model to carry out a forensic investigations. A discussion on the limitations of using traditional forensic inv...

Graded security forensics readiness of SCADA systems

Security event logs are major indicators for the timely discovery of cyberattacks and during security incident examinations. Collection of sufficient logs of events associated with security incident time is critical for effective investigation. SCADA systems logging capabilities are intended for identifying and detecting process disruptions, not security incidents, and are frequently not suitab...

Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC chann...