Forensic Readiness for SCADA/ICS Incident Response

Peter Eden; Andrew Blyth; Pete Burnap; Yulia Cherdantseva; Kevin Jones; Hugh Soulsby; Kristan Stoddart

doi:10.14236/ewic/ICS2016.16

Forensic Readiness for SCADA/ICS Incident Response

Peter Eden, Andrew Blyth, Pete Burnap, Yulia Cherdantseva, Kevin Jones, Hugh Soulsby, Kristan Stoddart

Allbwn ymchwil: Pennod mewn Llyfr/Adroddiad/Trafodion Cynhadledd › Cyfraniad i gynhadledd › adolygiad gan gymheiriaid

Crynodeb

The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system.
Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically sound
manner. It will also discuss the key stages in which the incident response process can be managed.

Iaith wreiddiol	Saesneg
Teitl	Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016
Man cyhoeddi	Swindon, UK
Cyhoeddwr	BCS Learning Development Ltd.
Tudalennau	1-9
Nifer y tudalennau	9
ISBN (Argraffiad)	978-1-78017-3573
Dynodwyr Gwrthrych Digidol (DOIs)	https://doi.org/10.14236/ewic/ICS2016.16
Statws	Cyhoeddwyd - Awst 2016
Digwyddiad	4th International Symposium for ICS & SCADA Cyber Security Research 2016 - Queen's University Belfast , Belfast, Y Deyrnas Unedig Hyd: 23 Awst 2016 → 25 Awst 2016 Rhif y gynhadledd: 4th

Cyfres gyhoeddiadau

Enw	ICS-CSR '16
Cyhoeddwr	BCS Learning Development Ltd.

Cynhadledd

Cynhadledd	4th International Symposium for ICS & SCADA Cyber Security Research 2016
Teitl cryno	ICS-CSR 2016
Gwlad/Tiriogaeth	Y Deyrnas Unedig
Dinas	Belfast
Cyfnod	23/08/16 → 25/08/16

Mynediad at Ddogfen

10.14236/ewic/ICS2016.16Trwydded: CC BY-NC-ND

Dyfynnu hyn

@inproceedings{ccf10bf7dc0e463e96bb374503ab4754,

title = "Forensic Readiness for SCADA/ICS Incident Response",

abstract = "The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system.Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically soundmanner. It will also discuss the key stages in which the incident response process can be managed.",

keywords = "SCADA, SCADA forensics, critical infrastructure, digital forensics, incident response",

author = "Peter Eden and Andrew Blyth and Pete Burnap and Yulia Cherdantseva and Kevin Jones and Hugh Soulsby and Kristan Stoddart",

year = "2016",

month = aug,

doi = "10.14236/ewic/ICS2016.16",

language = "English",

isbn = "978-1-78017-3573",

series = "ICS-CSR '16",

publisher = "BCS Learning Development Ltd.",

pages = "1--9",

booktitle = "Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016",

note = "4th International Symposium for ICS & SCADA Cyber Security Research 2016, ICS-CSR 2016 ; Conference date: 23-08-2016 Through 25-08-2016",

}

Eden, P, Blyth, A, Burnap, P, Cherdantseva, Y, Jones, K, Soulsby, H & Stoddart, K 2016, Forensic Readiness for SCADA/ICS Incident Response. yn Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016. ICS-CSR '16, BCS Learning Development Ltd., Swindon, UK, tt. 1-9, 4th International Symposium for ICS & SCADA Cyber Security Research 2016, Belfast, Y Deyrnas Unedig, 23/08/16. https://doi.org/10.14236/ewic/ICS2016.16

Forensic Readiness for SCADA/ICS Incident Response. / Eden, Peter; Blyth, Andrew; Burnap, Pete et al.

Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016. Swindon, UK : BCS Learning Development Ltd., 2016. t. 1-9 (ICS-CSR '16).

Allbwn ymchwil: Pennod mewn Llyfr/Adroddiad/Trafodion Cynhadledd › Cyfraniad i gynhadledd › adolygiad gan gymheiriaid

TY - GEN

T1 - Forensic Readiness for SCADA/ICS Incident Response

AU - Eden, Peter

AU - Blyth, Andrew

AU - Burnap, Pete

AU - Cherdantseva, Yulia

AU - Jones, Kevin

AU - Soulsby, Hugh

AU - Stoddart, Kristan

N1 - Conference code: 4th

PY - 2016/8

Y1 - 2016/8

N2 - The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system.Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically soundmanner. It will also discuss the key stages in which the incident response process can be managed.

AB - The actions carried out following any cyber-attack are vital in limiting damage, regaining control and determining the cause and those responsible. Within SCADA and ICS environments there is certainly no exception. Critical National Infrastructure (CNI) relies heavily on SCADA systems to monitor and control critical processes. Many of these systems span huge geographical areas and contain thousands of individual devices, across an array of asset types. When an incident occurs, those assets contain forensic artefacts, which can be thought of as any data that provides explanation to the current state of the SCADA system.Knowing what devices exist within the network and the tools and methods to retrieve data from them are some of the biggest challenges for incident response within CNI. This paper aims to identify those assets and their forensic value whilst providing the tools needed to perform data acquisition in a forensically soundmanner. It will also discuss the key stages in which the incident response process can be managed.

KW - SCADA

KW - SCADA forensics

KW - critical infrastructure

KW - digital forensics

KW - incident response

U2 - 10.14236/ewic/ICS2016.16

DO - 10.14236/ewic/ICS2016.16

M3 - Conference contribution

SN - 978-1-78017-3573

T3 - ICS-CSR '16

SP - 1

EP - 9

BT - Proceedings of the 4th International Symposium for ICS & SCADA Cyber Security Research 2016

PB - BCS Learning Development Ltd.

CY - Swindon, UK

T2 - 4th International Symposium for ICS & SCADA Cyber Security Research 2016

Y2 - 23 August 2016 through 25 August 2016

ER -

Forensic Readiness for SCADA/ICS Incident Response

Crynodeb

Cyfres gyhoeddiadau

Cynhadledd

Mynediad at Ddogfen

Ôl bys

Dyfynnu hyn