Live forensic analysis on an ICS / SCADA

Date
2022-9
Authors
Kamlofsky, Jorge Alejandro
Romero, Raúl Oscar
Publisher
Universidad FASTA. Facultad de Ingeniería
Abstract
Large-scale production of goods is carried out in industrial control systems (ICS). They consist of a network of industrial automata that control the equipment that executes the production processes. They are supervised from computer terminals called SCADA. ICS are very robust systems, designed for continuous operation, but they are not designed to be secure. Connecting them to corporate networks and also to the Internet therefore leaves their vulnerabilities exposed. In the face of cybersecurity incidents, computer forensics is presented as a tool that allows the analysis of events, but prior work on these systems is very scarce. In addition, since continuous operation is important in these systems, the analysis must be carried out without stopping their operation. This paper details how a forensic analysis was performed on these systems, through live acquisition and without stopping the system's operation. The results are promising.
Keywords
forensics, Supervisory Control and Data Acquisition, SCADA, Live-forensic SCADA, forensic on ICS
Citation
Kamlofsky, J.; Romero, R.O. (2022). Live forensic analysis on an ICS / SCADA. In: Conferencia Nacional de Informática Forense, 6. 29-30 Sept 2022, Proceedings. Mar del Plata, Argentina. Mar del Plata: Universidad FASTA. pp. 30-37