A Cyber Forensic Taxonomy for SCADA Systems in Critical Infrastructure

  • Peter EdenEmail author
  • Andrew Blyth
  • Pete Burnap
  • Yulia Cherdantseva
  • Kevin Jones
  • Hugh Soulsby
  • Kristan Stoddart
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9578)


SCADA systems are essential for the safe running of critical infrastructure but in recent years have increasingly become the target of advanced cyber-attacks through their convergence with public and corporate networks for easier monitoring and control. Cyber-events within critical infrastructure can have devastating consequences affecting human life, the environment and the economy. Therefore, it is vital that a forensic investigation takes place to provide remediation, understanding and to help in the design of more secure systems. This paper provides an overview of the SCADA forensic process, within critical infrastructure, and discusses the existing challenges of carrying out a SCADA forensic investigation. It also discusses ways in which the process may be improved together with a suggested SCADA incident response model. This paper is part of an ongoing research project that is working towards the creation of best practice guidelines for the forensic handling and incident response of SCADA systems.


SCADA Critical infrastructure Digital forensics Incident response Cyber security lifecycle SCADA forensics 



This work is funded by the Airbus Group Endeavr Wales scheme under the SCADA Cyber Security Lifecycle (SCADA-CSL) programme with the ultimate goal of improving the forensic handling and incident response process for SCADA systems.


  1. 1.
    Miller, B., Rowe, D.C.: A survey of SCADA and Critical Infrastructure Incidents. In: Proceedings of the 1st Annual conference on Research in information technology (2012)Google Scholar
  2. 2.
    Ahmed, I., Obermeier, S., Naedele, M., Richard, G.G.: SCADA systems: challenges for forensic investigators. IEEE Comput. 45(12), 44–51 (2012)CrossRefGoogle Scholar
  3. 3.
    Boyer, S.: SCADA: Supervisory Control and Data Acquisition, 4th edn. ISA, Texas (2009)Google Scholar
  4. 4.
    McNamee, D., Elliott, T.: Secure Historian Access in SCADA Systems. Galios, White Paper, June 2011Google Scholar
  5. 5.
    Stouffer, K., Falco, J., Kent, K.: Guide to Industrial Control Systems (ICS) security. NIST (National Institute of Standards and Technology), U.S, Department of Commerce (2011)Google Scholar
  6. 6.
    Stouffer, K., Falco, J., Kent, K.: Guide to supervisory control and data acquisition (SCADA) and industrial control systems security. NIST (National Institute of Standards and Technology), U.S, Department of Commerce (2006)Google Scholar
  7. 7.
    Wu, T., Disso, J.F.P., Jones, K., Campos, A.: Towards a SCADA Forensics Architecture. In: 1st International symposium for ICS and SCADA cyber security research (ICS-CSR 2013) (2013)Google Scholar
  8. 8.
    McCarthy, J., Mahoney, W.: SCADA threats in the modern airport. Int. J. Cyber Warfare Terrorism 3(4), 32–39 (2013)CrossRefGoogle Scholar
  9. 9.
    Kang, D., Robles, R.J.: Compartmentalization of protocols in SCADA communication. Int. J. Adv. Sci. Tech. 8, 27–36 (2009)Google Scholar
  10. 10.
    Ingure, V.M., Williams, R.D.: A Taxonomy of Security Vulnerabilities in SCADA Protocols. University of Virginia Charlottesville, USA (2007)Google Scholar
  11. 11.
    Stirland, J., Jones, K., Janicke, H., Wu, T.: Developing cyber forensics for SCADA industrial control systems. In: Proceedings of the International Conference of Information Security and Cyber Forensics (2014)Google Scholar
  12. 12.
    Zhu, B., Joseph, A., Sastry, S.: A taxonomy of cyber attacks on SCADA systems. In: Proceedings of the International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, pp. 380–388. IEEE Computer Society, Washington, DC (2011)Google Scholar
  13. 13.
    Wilhoit, K.: ICS, SCADA, and Non-Traditional Incident Response, Trend Micro, Digital forensics and incident response summit, July 2013Google Scholar
  14. 14.
    van der Knijff, R.M.: Control systems/SCADA forensics, what’s the difference?, digital investigation. Int. J. Digit. Forensics Incident Response 11(3), 160–174 (2014)Google Scholar
  15. 15.
    Fabro, M.E.C.: Recommended practice: creating cyber forensics plans for control systems, Homeland Security, Technical report, August 2008Google Scholar
  16. 16.
    Taveras, P.: Scada live forensics: Real time data acquisition process to detect, prevent or evaluate critical situations. Eur. Sci. J. (3), 253–262 (2013)Google Scholar
  17. 17.
    Techaisle White Paper: The Ageing PC Effect - Exposing Financial Impact for Small Businesses, May 2013.
  18. 18.
    Eden, P., Blyth, A., Burnap, Cherdantseva, Y., P., Jones, K., Soulsby, H., Stoddart, K.: A forensic taxonomy of SCADA systems and approach to incident response. In: Proceedings of the 3rd International Symposium for ICS and SCADA Cyber Security Research (ICS-CSR 2015) (2015)Google Scholar
  19. 19.
    Breeuwsma, I.: Forensic imaging of embedded systems using JTAG (boundary-scan). Digit. Invest. 3(1), 32–42 (2006)CrossRefGoogle Scholar
  20. 20.
    Hoog, A., Forensics, A.: Investigation, Analysis and Mobile Security for Google Android, 1st edn. Syngress, New York (2011)Google Scholar
  21. 21.
    Network Working Group, Internet Engineering Task Force. Guidelines for Evidence Collection and Archiving, RFC 3227 (2002)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Peter Eden
    • 1
    Email author
  • Andrew Blyth
    • 1
  • Pete Burnap
    • 2
  • Yulia Cherdantseva
    • 2
  • Kevin Jones
    • 3
  • Hugh Soulsby
    • 3
  • Kristan Stoddart
    • 4
  1. 1.Faculty of Computing, Engineering and ScienceUniversity of South WalesPontypriddUK
  2. 2.School of Computer Science and InformaticsCardiff UniversityCardiffUK
  3. 3.Cyber Operations, Airbus Group InnovationsNewportUK
  4. 4.Aberystwyth University, Department of International PoliticsAberystwythUK

Personalised recommendations