Graded security forensics readiness of SCADA systems

Security event logs are a primary indicator for the timely discovery of cyberattacks and a primary source of evidence during security incident investigations. Collecting sufficient event logs covering the time frame of a security incident is critical for an effective investigation. The logging capabilities of SCADA systems are designed to identify and detect process disruptions, not security incidents, and are frequently unsuitable for digital forensic investigation [Ta13]. Nevertheless, logs provide substantial support during digital forensic investigations because they contain large amounts of information, e.g. the step-by-step sequence of events that occurred in the system under investigation, including time stamps [AIJ12]. Logging is therefore a major element of forensic readiness. Numerous tools and methods support log monitoring, e.g. evaluating log records and correlating them across different systems, which assists incident handling, the identification of policy violations, auditing, and other efforts. Within this general context and the more specific graded security approach of IEC 62443-x-x, this paper identifies cybersecurity-specific SCADA component requirements, preconditions for subsequent forensic investigations, the collection of potential digital evidence, graded forensic-related security controls, and forensic readiness during the SCADA lifecycle phases.
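As an added illustration of the cross-system log correlation mentioned above (example code written for this page, not taken from the paper or from any SCADA vendor), the Python script below merges three constructed log sources into one UTC timeline: a process-oriented PLC event log that records setpoint changes but no user identity, an HMI audit log that records operator actions with user names, and a firewall log in syslog style. Each PLC setpoint change is then either attributed to an operator write within a few seconds or flagged as unattributed, in which case the firewall connections to the Modbus/TCP port (502) observed just before it are listed as candidate origins. All log lines, the log formats, the plant-local UTC+1 clock offset and the year supplied to the year-less syslog lines are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (assumed formats; not from the paper or any real device).
# PLC event log: process-oriented, plant-local time, no user identity.
PLC_LOG = """\
2023-03-14 10:15:02 SETPOINT TAG=FT101.SP OLD=50.0 NEW=80.0
2023-03-14 10:15:40 ALARM TAG=PT201 HIGH
2023-03-14 10:22:10 SETPOINT TAG=FT101.SP OLD=80.0 NEW=50.0
"""
# HMI audit log: operator actions with user identity, same plant-local clock.
HMI_LOG = """\
14/03/2023 10:22:09 user=operator1 action=write tag=FT101.SP value=50.0
"""
# Firewall log: syslog style (no year), clock already in UTC.
FW_LOG = """\
Mar 14 09:14:58 fw01 ALLOW 10.0.5.77:50212 -> 10.0.1.10:502 TCP
"""

LOCAL_TZ = timezone(timedelta(hours=1))  # assumed plant-local offset of the PLC/HMI clocks
MODBUS_TCP_PORT = 502


def _to_utc(ts_text, fmt, tz):
    """Parse a timestamp in the given format and time zone and normalise it to UTC."""
    return datetime.strptime(ts_text, fmt).replace(tzinfo=tz).astimezone(timezone.utc)


def parse_plc(text):
    """'YYYY-MM-DD HH:MM:SS KIND key=value ...' -> events; bare words (e.g. HIGH) are dropped."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\w+) (.*)", line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        fields = {k.lower(): v for k, v in fields.items()}
        out.append({"ts": _to_utc(m.group(1), "%Y-%m-%d %H:%M:%S", LOCAL_TZ),
                    "source": "plc", "kind": m.group(2).lower(), **fields})
    return out


def parse_hmi(text):
    """'DD/MM/YYYY HH:MM:SS key=value ...' -> events; the action field becomes the event kind."""
    out = []
    for line in text.splitlines():
        m = re.match(r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.*)", line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        out.append({"ts": _to_utc(m.group(1), "%d/%m/%Y %H:%M:%S", LOCAL_TZ),
                    "source": "hmi", "kind": fields.pop("action", "unknown"), **fields})
    return out


def parse_fw(text, year=2023):
    """Syslog-style 'Mon DD HH:MM:SS host ACTION src:port -> dst:port proto'; year is supplied."""
    out = []
    pat = r"(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (\w+) (\S+):\d+ -> (\S+):(\d+) \w+"
    for line in text.splitlines():
        m = re.match(pat, line)
        if not m:
            continue
        out.append({"ts": _to_utc(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S", timezone.utc),
                    "source": "fw", "kind": m.group(2).lower(),
                    "src": m.group(3), "dst": m.group(4), "dport": int(m.group(5))})
    return out


def build_timeline(*event_lists):
    """Merge events from all sources into one list ordered by UTC timestamp."""
    return sorted((e for lst in event_lists for e in lst), key=lambda e: e["ts"])


def correlate(events, hmi_window=timedelta(seconds=5), net_window=timedelta(seconds=10)):
    """For each PLC setpoint change, attribute it to an HMI write on the same tag within
    hmi_window, otherwise list Modbus/TCP connections seen up to net_window before it."""
    findings = []
    for ev in events:
        if ev["source"] != "plc" or ev["kind"] != "setpoint":
            continue
        writes = [e for e in events if e["source"] == "hmi" and e["kind"] == "write"
                  and e.get("tag") == ev["tag"] and abs(e["ts"] - ev["ts"]) <= hmi_window]
        conns = [e for e in events if e["source"] == "fw" and e["dport"] == MODBUS_TCP_PORT
                 and ev["ts"] - net_window <= e["ts"] <= ev["ts"]]
        findings.append({"ts": ev["ts"], "tag": ev["tag"], "new": ev["new"],
                         "user": writes[0]["user"] if writes else None,
                         "candidate_sources": sorted({c["src"] for c in conns})})
    return findings


def correlate_sample():
    """Run the full pipeline over the constructed sample logs."""
    return correlate(build_timeline(parse_plc(PLC_LOG), parse_hmi(HMI_LOG), parse_fw(FW_LOG)))


if __name__ == "__main__":
    for f in correlate_sample():
        status = f"by {f['user']}" if f["user"] else f"UNATTRIBUTED, candidates={f['candidate_sources']}"
        print(f"{f['ts'].isoformat()} {f['tag']} -> {f['new']} {status}")
```

On the sample data the first setpoint change has no operator action behind it and coincides with a fresh connection to the PLC's Modbus/TCP port from 10.0.5.77, while the second is attributed to operator1. The normalisation to UTC is the step that makes this possible at all; if the PLC, HMI and firewall clocks are not synchronised, or their offsets are not recorded, the windows in correlate() compare unrelated instants, which is why time synchronisation and known clock offsets are a precondition for using SCADA logs as evidence.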