An Incident Response Model for Industrial Control System Forensics Based on Historical Events

  • Ken Yau
  • Kam-Pui Chow
  • Siu-Ming Yiu
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 570)


Cyber attacks on industrial control systems are increasing. Malware such as Stuxnet, Havex and BlackEnergy have demonstrated that industrial control systems are attractive targets for attackers. However, industrial control systems are not limited to malware attacks. Other attacks include SQL injection, distributed denial-of-service, spear phishing, social engineering and man-in-the-middle attacks. Additionally, methods such as unauthorized access, brute forcing and insider attacks have also targeted industrial control systems. Accidents such as fires and explosions at industrial plants also provide valuable insights into the targets of attacks, failure methods and potential impacts.

This chapter presents an incident response model for industrial control system forensics based on historical events. In particular, representative industrial control system incidents – cyber attacks and accidents – that have occurred over the past 25 years are categorized and analyzed. The resulting incident response model is useful for forensic planning and investigations. The model enables incident response teams and forensic investigators to decide on the expertise, techniques and tools to be applied to ensure sound evidence acquisition, analysis and reporting.


Keywords: Industrial control systems, incident response, forensics





Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. University of Hong Kong, Hong Kong, China
