Authors: Roman Schlegel; Ana Hristova and Sebastian Obermeier
Affiliation: ABB Switzerland Ltd. and Corporate Research, Switzerland
Keyword(s): Industrial Control System Security, Forensics, Incident Response.
Related Ontology Subjects/Areas/Topics: Critical Infrastructure Protection; Digital Forensics; Information and Systems Security; Intrusion Detection & Prevention
Abstract: Industrial control systems are used to control and supervise plants and critical infrastructures. They are crucial for the operation of many industries and even society at large. However, despite efforts to secure such systems, there are frequent reports of incidents that lead to problems because of human error (e.g., installing unauthorized software on a mission-critical machine) or even cyber attacks. While such incidents should be prevented in the first place, it is not feasible to achieve 100% security; therefore, operators should be prepared to deal with incidents promptly and efficiently if they occur. In this paper, we present a general methodology and framework for investigating incidents in industrial control systems. The methodology is supported by a tool to automate an investigation, especially to efficiently determine the state of files on a device after an incident. This enables faster recovery from incidents by being able to identify suspicious files and focus on the files that have been modified compared to the initially installed files, or a previously taken baseline. An evaluation confirms the applicability of the methodology for an embedded industrial controller and for an industrial control system.
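The core of the automated step the abstract describes is a file-state comparison: hash every file on the device at install time (or at a known-good point), store that baseline, and after an incident diff the live file system against it so the investigator can concentrate on what was added, removed or modified. The following is an added example written for this page in Python; it is not the authors' tool, and the directory layout, file names and simulated incident in `demo()` are constructed for illustration. Two practitioner caveats are built in: the baseline is written to a separate location (in practice it must live off the device, since an attacker who can modify files can also modify a local baseline), and only content hashes are trusted, not timestamps, which are trivially forged.

```python
"""Baseline-and-compare file integrity check (added example, not the paper's tool)."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, algorithm: str = "sha256", chunk_size: int = 65536) -> str:
    """Hash a file in chunks so large firmware images do not need to fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root: Path) -> dict:
    """Walk `root` and record size and SHA-256 of every regular file.

    Symlinks are skipped: following them would hash the target instead of
    recording that the link itself was planted or redirected.
    """
    root = Path(root)
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            baseline[rel] = {"size": p.stat().st_size, "sha256": hash_file(p)}
    return baseline


def save_baseline(baseline: dict, out_path: Path) -> None:
    # Store the baseline away from the device being baselined; a copy on the
    # controller itself can be edited by whoever modified the files.
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Classify files as added, deleted or modified relative to the baseline.

    Modification is decided on content hash only; mtime is deliberately
    ignored because it can be set to any value by the party that wrote the file.
    """
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "deleted": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths
            if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a controller's install tree, then simulate
    an incident (one binary replaced, one unauthorized tool dropped, one config
    file removed) and diff the live tree against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "controller"          # hypothetical device root
        (root / "bin").mkdir(parents=True)
        (root / "cfg").mkdir()
        (root / "bin" / "rtu_service").write_bytes(b"\x7fELF original service")
        (root / "cfg" / "points.xml").write_text("<points><p id='1'/></points>")
        (root / "cfg" / "obsolete.ini").write_text("[old]\n")

        baseline_path = Path(tmp) / "baseline.json"   # stands in for off-device storage
        save_baseline(take_baseline(root), baseline_path)

        # Simulated incident on the device.
        (root / "bin" / "rtu_service").write_bytes(b"\x7fELF trojanized service")
        (root / "bin" / "remote_tool.exe").write_bytes(b"MZ unauthorized tool")
        (root / "cfg" / "obsolete.ini").unlink()

        return compare(load_baseline(baseline_path), take_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the three lists; the untouched `cfg/points.xml` does not appear in any of them, which is exactly the triage benefit the abstract claims: the investigator starts from the changed set, not the whole file system. For a real device, take the baseline from vendor install media or a freshly commissioned unit, and keep the hash set under the same change control as the configuration it protects.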