Marco Cook;Angelos Marnerides;Chris Johnson;Dimitrios Pezaros
Title: A Survey on Industrial Control System Digital Forensics: Challenges, Advances and Future Directions
DOI: 10.1109/COMST.2023.3264680
Journal: IEEE Communications Surveys and Tutorials, vol. 25, no. 3, pp. 1705-1747
Publication type: Journal Article
Publication date: 2023-04-11
URL: https://ieeexplore.ieee.org/document/10100622/
Journal impact factor: 34.4
JCR: Q1 (Computer Science, Information Systems)
Region: 1 (Computer Science)
Open access: no
Platform: Semantic Scholar
Citations: 4
Abstract
Operational Technology (OT) systems have become increasingly interconnected and automated, consequently making them targets of cyber attacks and heightening the threat to a range of critical national infrastructure (CNI) sectors. This is particularly the case for Industrial Control Systems (ICS), which control and operate the physical processes in CNI sectors such as water treatment, electrical generation and manufacturing. Unlike information technology (IT) systems, ICS have unique cyber-physical characteristics and related safety requirements, making them an attractive target for attacks given the physical consequences that can occur. As a result, the requirement to respond to and learn from previous and new attacks is also increasing, with digital forensics playing a significant role in this process. The aim of this paper is to discuss the main issues and existing limitations related to ICS digital forensics. The field of ICS digital forensics is relatively under-developed and does not have the same level of maturity as IT digital forensics. Although the amount of research on cyber security for ICS is increasing, many unique challenges still exist that pose barriers to the development and deployment of ICS forensic capabilities. We provide an extensive discussion of these challenges, categorising them into technical, socio-technical, and operational and legal themes. The relationships between these challenge themes, as well as the inter-challenge dependencies, are also examined. Furthermore, this work discusses ICS forensic advances in relation to the digital forensics life chain, specifically forensic readiness and investigations. The areas of digital forensic training and process models for ICS are given particular focus. Moreover, we assess the technologies and tools that have been either applied to or developed for ICS components and networks, giving special attention to forensic acquisition and analysis methods. An examination of the specific ICS digital forensic data sources and artefacts is also presented, highlighting that until recently this was limited to descriptions of generic data formats. In addition, this paper provides an overview of several key ICS attacks, summarising the specific techniques used and the data artefacts of interest, and proposing lessons learnt. Finally, this paper presents open discussions on future ICS digital forensics research directions and on-going issues, covering both short- and long-term areas that can be addressed to improve the ICS digital forensics capability.
Journal description:
IEEE Communications Surveys & Tutorials is an online journal published by the IEEE Communications Society for tutorials and surveys covering all aspects of the communications field. Telecommunications technology is progressing at a rapid pace, and the IEEE Communications Society is committed to providing researchers and other professionals with the information and tools to stay abreast. IEEE Communications Surveys & Tutorials focuses on integrating and adding understanding to the existing literature on communications, putting results in context. Whether searching for in-depth information about a familiar area or an introduction to a new area, IEEE Communications Surveys & Tutorials aims to be the premier source of peer-reviewed, comprehensive tutorials and surveys, and pointers to further sources. IEEE Communications Surveys & Tutorials publishes only articles that are written exclusively for it and that go through a rigorous review process before their publication in the quarterly issues.
A tutorial article in the IEEE Communications Surveys & Tutorials should be designed to help the reader to become familiar with and learn something specific about a chosen topic. In contrast, the term survey, as applied here, is defined to mean a survey of the literature. A survey article in IEEE Communications Surveys & Tutorials should provide a comprehensive review of developments in a selected area, covering its development from its inception to its current state and beyond, and illustrating its development through liberal citations from the literature. Both tutorials and surveys should be tutorial in nature and should be written in a style comprehensible to readers outside the specialty of the article.