Title: Forensic analysis of SCADA systems and networks

Authors: T. Kilpatrick, J. Gonzalez, R. Chandia, M. Papa, S. Shenoi

Addresses: The University of Tulsa, Tulsa, Oklahoma 74104, USA. ' The University of Tulsa, Tulsa, Oklahoma 74104, USA. ' The University of Tulsa, Tulsa, Oklahoma 74104, USA. ' The University of Tulsa, Tulsa, Oklahoma 74104, USA. ' The University of Tulsa, Tulsa, Oklahoma 74104, USA

Abstract: Supervisory Control and Data Acquisition (SCADA) systems are commonly used to automate and control industrial processes. Modern SCADA protocols leverage TCP/IP to transport sensor data and control signals. Also, corporate IT infrastructures now interconnect with previously isolated SCADA networks, raising serious security issues. This paper describes an architecture that supports the forensic analysis of SCADA systems and networks. The architecture is implemented in a prototype networked environment using the popular Modbus TCP protocol. In addition to supporting forensic investigations, the architecture incorporates mechanisms for monitoring process behaviour and analysing trends that can help improve plant performance.

Keywords: distributed control systems; DCSs; inforensics; network forensics; industrial environments; Modbus; network monitoring; SCADA; supervisory control; data acquisition; security; process monitoring.

DOI: 10.1504/IJSN.2008.017222

International Journal of Security and Networks, 2008 Vol.3 No.2, pp.95 - 102

Published online: 19 Feb 2008 *

Full-text access for editors Access for subscribers Purchase this article Comment on this article