Abstract
Supervisory control and data acquisition (SCADA) systems are widely used in industrial control and automation. Modern SCADA protocols often employ TCP/IP to transport sensor data and control signals. Meanwhile, corporate IT infrastructures are interconnecting with previously isolated SCADA networks. The use of TCP/IP as a carrier protocol and the interconnection of IT and SCADA networks raise serious security issues. This paper describes an architecture for SCADA network forensics. In addition to supporting forensic investigations of SCADA network incidents, the architecture incorporates mechanisms for monitoring process behavior, analyzing trends and optimizing plant performance.
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Kilpatrick, T., Gonzalez, J., Chandia, R., Papa, M., Shenoi, S. (2006). An Architecture for SCADA Network Forensics. In: Olivier, M.S., Shenoi, S. (eds) Advances in Digital Forensics II. DigitalForensics 2006. IFIP Advances in Information and Communication, vol 222. Springer, Boston, MA. https://doi.org/10.1007/0-387-36891-4_22
DOI: https://doi.org/10.1007/0-387-36891-4_22
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-36890-0
Online ISBN: 978-0-387-36891-7