Publication

Tools, Techniques, and Methodologies: A Survey of Digital Forensics for SCADA Systems

Publication Type: Conference Paper
Journal Name: ACM Digital Library
Publication Date:
Page Numbers: 1 to 8
Volume: 4
Issue: 1
Conference Name: Annual Computer Security Applications Conference
Conference Location: San Juan, Puerto Rico, United States of America
Conference Sponsor: NFS

Security aspects of SCADA environments and the systems within are increasingly a center of interest to researchers and security professionals. As sophisticated and nation-state malware targeting such systems continues to rise, traditional digital forensics tools struggle to transfer the same capabilities to systems lacking typical volatile memory primitives, monitoring software, and the compatible operating-system primitives necessary for conducting forensic investigations. Even worse, SCADA systems are typically not designed and implemented with security in mind, nor were they purpose-built to monitor and record system data at the granularity associated with traditional IT systems. Rather, these systems are often built to control field devices and drive industrial processes. More succinctly, SCADA systems were not designed with a primary goal of interacting with the digital world. Consequently, forensic investigators well-versed in the world of digital forensics and incident response face an array of challenges that prevent them from conducting effective forensic investigations in environments with vast amounts of critical infrastructure. In order to bring SCADA systems within the reach of the armies of digital forensics professionals and tooling already available, both researchers and practitioners need a guide to the current state-of-the-art techniques, a road-map to the challenges lying on the path forward, and insight into the future directions R&D must move towards. To that end, this paper presents a survey of the literature on digital forensics applied to SCADA systems. We cover not only the challenges to applying digital forensics to SCADA, like most other reviews, but also the range of proposed frameworks, methodologies, and actual implementations in the literature.