A Framework for Incident Response in Industrial Control Systems

Roman Schlegel, Ana Hristova, Sebastian Obermeier


Industrial control systems are used to control and supervise plants and critical infrastructures. They are crucial for the operation of many industries and even for society at large. However, despite efforts to secure such systems, there are frequent reports of incidents that lead to problems because of human error (e.g., installing unauthorized software on a mission-critical machine) or even cyber attacks. While such incidents should be prevented in the first place, it is not feasible to achieve 100% security; therefore, operators should be prepared to deal with incidents promptly and efficiently if they occur. In this paper, we present a general methodology and framework for investigating incidents in industrial control systems. The methodology is supported by a tool that automates an investigation, in particular by efficiently determining the state of files on a device after an incident. This enables faster recovery from incidents, since an investigator can identify suspicious files and focus on those that have been modified compared to the initially installed files or to a previously taken baseline. An evaluation confirms the applicability of the methodology for an embedded industrial controller and for an industrial control system.
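The baseline-and-compare step that the abstract describes, as an added example written for this page and not the paper's own tool: hash every file under a device's file tree once (the baseline of initially installed files), hash it again after an incident, and classify each file as modified, added, removed or unchanged so an investigator can focus on the first three classes. The directory layout, file names and contents in `demo()` are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large firmware images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def take_baseline(root):
    """Map POSIX-style relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_to_baseline(baseline, current):
    """Classify files by comparing a post-incident snapshot against the baseline."""
    both = set(baseline) & set(current)
    return {
        "modified": sorted(p for p in both if baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "unchanged": sorted(p for p in both if baseline[p] == current[p]),
    }


def demo():
    """Constructed scenario: baseline a 'device' tree, simulate an incident, compare."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ctrl.bin").write_bytes(b"original controller image")
        (root / "config.ini").write_text("scan_rate=100\n")
        (root / "events.log").write_text("startup ok\n")
        baseline = take_baseline(root)          # taken at commissioning time
        # Incident: a config change, an unauthorized new file, a deleted log
        (root / "config.ini").write_text("scan_rate=100\nmode=manual\n")
        (root / "bin" / "extra.bin").write_bytes(b"unauthorized software")
        (root / "events.log").unlink()
        return compare_to_baseline(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline dictionary would be serialised at commissioning time and stored off the device, since a baseline kept on the affected machine can be altered by the same incident.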



Paper Citation

in Harvard Style

Schlegel R., Hristova A. and Obermeier S. (2015). A Framework for Incident Response in Industrial Control Systems. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 178-185. DOI: 10.5220/0005510001780185

in Bibtex Style

author={Roman Schlegel and Ana Hristova and Sebastian Obermeier},
title={A Framework for Incident Response in Industrial Control Systems},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},

in EndNote Style

JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - A Framework for Incident Response in Industrial Control Systems
SN - 978-989-758-117-5
AU - Schlegel R.
AU - Hristova A.
AU - Obermeier S.
PY - 2015
SP - 178
EP - 185
DO - 10.5220/0005510001780185