Abstract
Critical infrastructure assets are monitored and managed by industrial control systems. In recent years, these systems have evolved to adopt common networking standards that expose them to cyber attacks. Since programmable logic controllers are core components of industrial control systems, forensic examinations of these devices are vital during responses to security incidents. However, programmable logic controller forensics is a challenging task because of the lack of effective logging systems.
This chapter describes the design and implementation of a novel programmable logic controller logging system. Several tools are available for generating programmable logic controller audit logs; these tools monitor and record the values of programmable logic controller memory variables for diagnostic purposes. However, the logged information is inadequate for forensic investigations. To address this limitation, the logging system extracts data from Siemens S7 communications protocol traffic for forensic purposes. The extracted data is saved in an audit log file in an easy-to-read format that enables a forensic investigator to efficiently examine the activity of a programmable logic controller.
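The following is an added illustration, not the chapter's own logging system, of the kind of extraction the abstract describes: decoding S7comm request PDUs (TPKT, then COTP DT, then the S7 header, parameter and data sections, laid out as the Wireshark s7comm dissector documents them) into one readable audit-log line per request. The three frames below are constructed samples, the IP addresses are placeholders, and only a few request functions (Read Var, Write Var, PLC Stop) are decoded in detail; everything else is logged by function name only.

```python
"""Turn Siemens S7comm request frames (ISO-on-TCP, port 102) into audit-log lines.

Added example, not the chapter's tool. Wire layout assumed: TPKT -> COTP DT ->
S7 header -> parameter -> data, as described by the Wireshark s7comm dissector.
"""
import struct

ROSCTR = {0x01: "Job", 0x02: "Ack", 0x03: "Ack_Data", 0x07: "Userdata"}
FUNCTION = {0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
            0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
            0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
            0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication"}
AREA = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB", 0x1C: "C", 0x1D: "T"}
TRANSPORT = {0x01: "BIT", 0x02: "BYTE", 0x04: "WORD", 0x06: "DWORD"}


def _parse_items(param: bytes) -> list:
    """Decode the S7ANY address items of a Read Var / Write Var parameter block."""
    items, off = [], 2                      # byte 0 = function, byte 1 = item count
    for _ in range(param[1]):
        if param[off] != 0x12 or param[off + 2] != 0x10:   # var spec / S7ANY syntax only
            raise ValueError("unsupported item syntax")
        tsize, count, db, area = struct.unpack(">BHHB", param[off + 3:off + 9])
        addr = int.from_bytes(param[off + 9:off + 12], "big")   # 3-byte bit address
        byte, bit = addr >> 3, addr & 7
        name = AREA.get(area, f"area0x{area:02x}")
        loc = f"DB{db}.{byte}.{bit}" if area == 0x84 else f"{name}{byte}.{bit}"
        items.append({"addr": loc, "transport": TRANSPORT.get(tsize, hex(tsize)), "count": count})
        off += 2 + param[off + 1]           # var spec byte + length byte + item body
    return items


def _parse_write_data(data: bytes, items: list) -> None:
    """Attach the written value (hex) to each item of a Write Var request."""
    off = 0
    for item in items:
        tsize, length = data[off + 1], struct.unpack(">H", data[off + 2:off + 4])[0]
        nbytes = (length + 7) // 8 if tsize in (0x03, 0x04, 0x05, 0x06, 0x07) else length
        item["value"] = data[off + 4:off + 4 + nbytes].hex()
        off += 4 + nbytes + (nbytes & 1)     # data items are padded to an even length


def parse_s7(frame: bytes) -> dict:
    """Parse one TPKT frame carrying an S7comm PDU; raise ValueError if malformed."""
    if len(frame) < 7 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    if struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("TPKT length mismatch")         # truncated or padded capture
    if frame[5] != 0xF0:                                 # only COTP DT carries S7 PDUs
        raise ValueError("COTP PDU is not DT")
    s7 = frame[5 + frame[4]:]
    if len(s7) < 10 or s7[0] != 0x32:
        raise ValueError("not an S7comm PDU")
    rosctr = s7[1]
    pdu_ref, plen, dlen = struct.unpack(">HHH", s7[4:10])
    hdr_len = 12 if rosctr in (0x02, 0x03) else 10      # Ack/Ack_Data carry error class/code
    param = s7[hdr_len:hdr_len + plen]
    data = s7[hdr_len + plen:hdr_len + plen + dlen]
    if len(param) != plen or len(data) != dlen:
        raise ValueError("parameter/data length exceeds PDU")
    func = param[0] if param else None
    out = {"rosctr": ROSCTR.get(rosctr, hex(rosctr)), "pdu_ref": pdu_ref,
           "function": FUNCTION.get(func, hex(func) if func is not None else "none"),
           "items": [], "detail": ""}
    if rosctr == 0x01 and func in (0x04, 0x05):
        out["items"] = _parse_items(param)
        if func == 0x05:
            _parse_write_data(data, out["items"])
    elif rosctr == 0x01 and func == 0x29:                # PLC Stop: 5 unused bytes, length, PI service
        out["detail"] = param[7:7 + param[6]].decode("ascii")
    return out


def audit_line(ts: str, src: str, dst: str, frame: bytes) -> str:
    """One human-readable log line per request, suitable for an audit log file."""
    p = parse_s7(frame)
    parts = [ts, f"{src}->{dst}", p["rosctr"], p["function"], f"ref={p['pdu_ref']}"]
    for it in p["items"]:
        entry = f"{it['addr']} {it['transport']} x{it['count']}"
        parts.append(entry + (f" = 0x{it['value']}" if "value" in it else ""))
    if p["detail"]:
        parts.append(p["detail"])
    return " ".join(parts)


# Constructed sample frames (not captured traffic): read DB1 bytes 0-1, write 0x1234 there, stop the CPU.
READ_VAR = bytes.fromhex("0300001f02f08032010000000100 0e0000 0401 120a1002000200018400 0000".replace(" ", ""))
WRITE_VAR = bytes.fromhex("030000250 2f08032010000000200 0e0006 0501 120a10020002000184000000 000400101234".replace(" ", ""))
PLC_STOP = bytes.fromhex("0300002102f080 3201000000030010 0000 29 0000000000 09 505f50524f4752414d".replace(" ", ""))

if __name__ == "__main__":
    for f in (READ_VAR, WRITE_VAR, PLC_STOP):
        print(audit_line("2018-01-01T00:00:00Z", "192.0.2.10", "192.0.2.1", f))
```

The three log lines distinguish a routine variable read from a memory write and from a CPU stop request, which is the level of detail a forensic investigator needs and which a memory-variable logger alone does not provide; a length mismatch between TPKT, S7 header and the captured bytes is rejected rather than silently logged.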
© 2018 IFIP International Federation for Information Processing
Yau, K., Chow, KP., Yiu, SM. (2018). A Forensic Logging System for Siemens Programmable Logic Controllers. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIV. DigitalForensics 2018. IFIP Advances in Information and Communication Technology, vol 532. Springer, Cham. https://doi.org/10.1007/978-3-319-99277-8_18
DOI: https://doi.org/10.1007/978-3-319-99277-8_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-99276-1
Online ISBN: 978-3-319-99277-8