http://dx.doi.org/10.13089/JKIISC.2020.30.4.745

A Study on the Possibility for Incident Investigation Using PLC Logs  

Chang, Yeop (The Affiliated Institute of ETRI)
Kim, Taeyeon (The Affiliated Institute of ETRI)
Kim, Woo-Nyon (The Affiliated Institute of ETRI)
Abstract
An ICS (industrial control system) is a complex system that safely and efficiently monitors and controls industrial processes such as electric power, water treatment, transportation, automated plants and chemical plants. Because a successful cyber attack on an ICS can lead to casualties or serious economic losses, ICSs are a prime target of nation-state-sponsored hacker groups. Cyber campaigns such as Stuxnet, Industroyer and TRITON are real examples of successful ICS attacks, and each was developed with deep knowledge of the target ICS. Therefore, investigators of ICS incidents likewise need knowledge of the control processes and incident investigation techniques specialized for ICSs. Because no applicable technology currently exists, it is especially necessary to develop techniques and tools for the embedded controllers located at the cyber-physical boundary. As the first step in this research, we reviewed the logging capability of four PLCs (Programmable Logic Controllers) widely used in the ICS domain, and checked whether the selected PLCs generate logs that can be used for digital investigation under the proposed cyber attack scenario.
Keywords
ICS Security; PLC; ICS Forensic;