Digital Forensic Readiness in Critical Infrastructures: A Case of Substation Automation in the Power Sector

  • Asif IqbalEmail author
  • Mathias Ekstedt
  • Hanan Alobaidli
Conference paper
Part of the Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering book series (LNICST, volume 216)


The proliferation of intelligent devices has provisioned more functionality in Critical Infrastructures. But the same automation also brings challenges when it comes to malicious activity, either internally or externally. One such challenge is the attribution of an attack and to ascertain who did what, when and how? Answers to these questions can only be found if the overall underlying infrastructure supports answering such queries. This study sheds light on the power sector specifically on smart grids to learn whether current setups support digital forensic investigations or no. We also address several challenges that arise in the process and a detailed look at the literature on the subject. To facilitate such a study our scope of work revolves around substation automation and devices called intelligent electronic devices (IEDs) in smart grids.


Digital forensics Forensic readiness Substation automation Smart grid Forensic investigation Critical infrastructures 



This work has received funding from the Swedish Civil Contingencies Agency (MSB) through the research center Resilient Information and Control Systems (RICS).


  1. 1.
    U.S. General Accounting Office: Cyber security guidance is available, but more can be done to promote its use (2011).
  2. 2.
    Alcaraz, C., Zeadally, S.: Critical infrastructure protection: requirements and challenges for the 21st century. Int. J. Crit. Infrastruct. Prot. 8, 53–66 (2015)CrossRefGoogle Scholar
  3. 3.
    U.S. Department of Homeland Security: What is critical infrastructure? (2016).
  4. 4.
    Critical infrastructure sectors (2016).
  5. 5.
  6. 6.
    Trend Micro Incorporated: Report on cybersecurity and critical infrastructure in the americas (2015).
  7. 7.
    SANS ICS: Analysis of the cyber attack on the Ukrainian power grid (2016).
  8. 8.
    Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)CrossRefGoogle Scholar
  9. 9.
    CESG National Technical Authority for Information Assurance: Good practice guide: Forensic readiness (2015).
  10. 10.
    Ammann, R.: Network forensic readiness: a bottom-up approach for IPv6 networks. Ph.D. dissertation, Auckland University of Technology (2012)Google Scholar
  11. 11.
  12. 12.
    Eden, P., Blyth, A., Burnap, P., Cherdantseva, Y., Jones, K., Soulsby, H., Stoddart, K.: A cyber forensic taxonomy for SCADA systems in critical infrastructure. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 27–39. Springer, Cham (2016). Google Scholar
  13. 13.
    Cook, A., Nicholson, A., Janicke, H., Maglaras, L.A., Smith, R.: Attribution of cyber attacks on industrial control systems. EAI Endorsed Trans. Indust. Netw. Intellig. Syst. 3(7), e3 (2016). Google Scholar
  14. 14.
    van der Knijff, R.M.: Control systems/SCADA forensics, what’s the difference? Digit. Invest. 11(3), 160–174 (2014). ISSN 1742-2876CrossRefGoogle Scholar
  15. 15.
    Etalle, S., Gregory, C., Bolzoni, D., Zambon, E.: Self-configuring deep protocol network whitelisting. Security Matters (2013).
  16. 16.
    Pauna, A., May, J., Tryfonas, T.: Can we learn from SCADA security incidents? – ENISA, 09 October 2013.
  17. 17.
    Ahmed, I., Obermeier, S., Naedele, M., Richard III, G.G.: SCADA systems: challenges for forensic investigators. Computer 45(12), 44–51 (2012). CrossRefGoogle Scholar
  18. 18.
    Wu, T., Pagna Disso, J.F., Jones, K., Campos, A.: Towards a SCADA forensics architecture. In: Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research, pp. 12–21 (2013)Google Scholar
  19. 19.
    Fabro, M., Cornelius, E.: Recommended practice: creating cyber forensics plans for control systems. DHS Control Systems Security Program (2008). Accessed 15 May 2017
  20. 20.
    Iqbal, A.: [Extended Abstract] Digital Forensic Readiness in Critical Infrastructures: Exploring substation automation in the power sector. Stockholm (2017).
  21. 21.
    Kilpatrick, T., Gonzalez, J., Chandia, R., Papa, M., Shenoi, S.: An architecture for SCADA network forensics. In: Olivier, M.S., Shenoi, S. (eds.) DigitalForensics 2006. IAIC, vol. 222, pp. 273–285. Springer, Boston, MA (2006). CrossRefGoogle Scholar
  22. 22.
    Valli, C.: SCADA forensics with Snort IDS. In: Proceedings of the 2009 International Conference Security and Management (SAM 2009), pp. 618–621. CSREA Press (2009)Google Scholar
  23. 23.
    Sohl, E., Fielding, C., Hanlon, T., Rrushi, J., Farhangi, H., Howey, C., Carmichael, K., Dabell, J.: A field study of digital forensics of intrusions in the electrical power grid. In: Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (CPS-SPC 2015), pp. 113–122. ACM, New York (2015)Google Scholar
  24. 24.
  25. 25.
    Hunt, R., Slay, J.: Achieving critical infrastructure protection through the interaction of computer security and network forensics. In: 2010 Eighth Annual International Conference on Privacy Security and Trust (PST), pp. 23–30. IEEE (2010)Google Scholar
  26. 26.
    Langner, R.: Robust Control System Networks: How to Achieve Reliable Control after Stuxnet. Momentum Press, New York (2011)CrossRefGoogle Scholar
  27. 27.
    IEEE C37.118.1-2011: IEEE Standard for Synchrophasor Measurement for Power SystemsGoogle Scholar
  28. 28.
    NASPI Technical Report: Time Synchronization in the Electric Power System, USA, March 2017.
  29. 29.
    IEEE Standard for Synchrophasor Data Transfer for Power Systems. In: IEEE Std C37.118.2-2011 (Revision of IEEE Std C37.118-2005), pp. 1–53, 28 December 2011Google Scholar
  30. 30.
    Beasley, C., Zhong, X., Deng, J., Brooks, R., Venayagamoorthy, G.K.: A survey of electric power synchrophasor network cyber security. In: IEEE PES Innovative Smart Grid Technologies, Europe, Istanbul, pp. 1–5 (2014)Google Scholar
  31. 31.
    Almas, M.S., Vanfretti, L.: Impact of time-synchronization signal loss on PMU-based WAMPAC applications. In: 2016 IEEE Power and Energy Society General Meeting (PESGM), Boston, MA, pp. 1–5 (2016)Google Scholar
  32. 32.
    Almas, M.S., Vanfretti, L., Singh, R.S., Jonsdottir, G.M.: Vulnerability of synchrophasor-based WAMPAC applications’ to time synchronization spoofing. IEEE Trans. Smart Grid 8(99), 1 (2017)CrossRefGoogle Scholar
  33. 33.
    SEL: Protection Relays by Schweitzer Engineering Laboratories.
  34. 34.
    SEL-5030 acSELerator QuickSet Software.

Copyright information

© ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2018

Authors and Affiliations

  1. 1.School of Electrical EngineeringKTH Royal Institute of TechnologyStockholmSweden
  2. 2.Athena LabsDubaiUAE

Personalised recommendations