
postgraduate thesis: Programmable logic controller forensics

Title: Programmable logic controller forensics
Author: Yau, Kwai Keung [丘貴強]
Advisor: Chow, KP
Issue Date: 2020
Publisher: The University of Hong Kong (Pokfulam, Hong Kong)
Citation: Yau, K. K. [丘貴強]. (2020). Programmable logic controller forensics. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR.
Abstract: Critical infrastructure assets are monitored and managed by industrial control systems (ICSs). In recent years, these systems have evolved to adopt common networking standards that expose them to cyber attacks. ICS failures may cause critical infrastructure to malfunction, which may result in serious impact on economies, human lives and the environment. Programmable logic controllers (PLCs) are major components of ICSs that are used across the critical infrastructure. Attack and accident investigations involving PLCs rely on forensic techniques to determine the root causes and to develop mitigation strategies. However, one of the key challenges to PLC forensic investigations is that the proprietary architectures, operating systems, filesystems and data formats of PLCs make it difficult to apply traditional digital forensic tools and techniques in investigations of ICS incidents. Furthermore, PLCs operate vital industrial processes, and therefore it is infeasible to halt their function for data collection and examination. This thesis proposes several effective techniques and tools to overcome the PLC/ICS forensic challenges. For the purpose of PLC/ICS anomaly detection, one tool is the Control Program Logic Change Detector (CPLCD), which works with a set of Detection Rules (DRs) to detect and capture undesirable incidents interfering with the normal operations of PLCs. Furthermore, a novel methodology has been developed to capture the values of relevant memory addresses used by a PLC program in a log file, and then apply supervised and semi-supervised machine learning to the logged data to identify anomalous PLC operations. The methodology is applied to a simulated traffic light control system and a simulated water treatment system to demonstrate its effectiveness and utility in performing PLC forensic investigations. Aside from PLC/ICS anomaly detection, this thesis also describes the design and implementation of a novel PLC logging system.
Although several tools are available in the industry for generating PLC audit logs, these tools monitor and record the values of PLC memory variables for diagnostic purposes only. The logged information is inadequate for forensic investigations. To address this limitation, the proposed logging system extracts data from Siemens S7 communications protocol traffic for analysis in forensic investigations. The extracted data is saved in an audit log file in an easy-to-read format that enables a forensic investigator to effectively examine PLC activities. Finally, this thesis presents an incident response model for ICS forensics based on cyber attacks and accidents that occurred in the past 25 years. These incidents are categorized and analyzed to form the model, which is useful for forensic planning and investigations. The model enables incident response teams and forensic investigators to decide on the expertise, techniques and tools to be applied to ensure sound evidence acquisition, preservation, analysis and reporting. Future research includes improving attack detection performance using machine learning on large, real-world datasets, and attempting to create a robust forensic investigation model for ICSs.
Degree: Doctor of Philosophy
Subject: Programmable controllers; Programmable logic devices
Dept/Program: Computer Science
Persistent Identifier: http://hdl.handle.net/10722/290408


Dublin Core metadata (DC Field: Value)
dc.contributor.advisor: Chow, KP
dc.contributor.author: Yau, Kwai Keung
dc.contributor.author: 丘貴強
dc.date.accessioned: 2020-11-02T01:56:11Z
dc.date.available: 2020-11-02T01:56:11Z
dc.date.issued: 2020
dc.identifier.citation: Yau, K. K. [丘貴強]. (2020). Programmable logic controller forensics. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR.
dc.identifier.uri: http://hdl.handle.net/10722/290408
dc.language: eng
dc.publisher: The University of Hong Kong (Pokfulam, Hong Kong)
dc.relation.ispartof: HKU Theses Online (HKUTO)
dc.rights: The author retains all proprietary rights (such as patent rights) and the right to use in future works.
dc.rights: This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
dc.subject.lcsh: Programmable controllers
dc.subject.lcsh: Programmable logic devices
dc.title: Programmable logic controller forensics
dc.type: PG_Thesis
dc.description.thesisname: Doctor of Philosophy
dc.description.thesislevel: Doctoral
dc.description.thesisdiscipline: Computer Science
dc.description.nature: published_or_final_version
dc.date.hkucongregation: 2020
dc.identifier.mmsid: 991044291215903414
