TADFICS: A Threat-Aware Digital Forensics Data Model for ICS


Research area: Safety



Venue: International Conference on Availability, Reliability and Security


Abstract

The convergence of IT and Operational Technology (OT) increases risks for industrial control systems (ICS), as Internet connectivity enables attackers to remotely issue commands that can disrupt operations or damage equipment. Investigating such attacks requires the identification, collection, examination, and analysis of relevant data. However, the mix of IT and OT components, such as field controllers and proprietary or differing technologies, limits the applicability of IT forensics knowledge and results in a lack of defined forensic data in OT environments. In addition, the implementation-specific differences between ICS vendors make finding general approaches difficult, while ICS forensic research remains limited. To address this, we propose TADFICS, a threat-aware forensic relational data model for ICS. The model provides general ICS data types in conjunction with threat knowledge that must be mapped to implementation-specific ICS data, while also specifying the interrelations and attributes of the actual ICS data to be considered. Therefore, our approach enables the systematic identification and mapping of forensically relevant or required data, including the forensic capabilities of an ICS. Once the model is initialized and the mapping completed, it supports determining the forensic readiness. Furthermore, it assists during an incident, e.g. in how specific ICS data can be acquired or examined, by representing the identified data in a way that supports forensic analysis in ICS while taking the forensic challenges into account. We evaluate our model and demonstrate its applicability by executing a Denial-of-Service (DoS) attack against a PLC of a real-world productive Distributed Control System (DCS) based on the ABB 800xA suite of an operational electrical utility.
Our work contributes a novel structured approach to enhancing forensic readiness and response by allowing system-specific data alignment with threat-informed forensic aspects, covering the preparatory and execution forensic phases.


Authors

Alexios Karagiozidis, University of Applied Sciences RheinMain, Wiesbaden 65195, Germany

Martin Gergeleit, University of Applied Sciences RheinMain, Wiesbaden 65195, Germany

Paper information

Publication year: 2025
Citations: 0
Country of publication: Germany
Site: Springer