Skip to main content

Digital Forensic Readiness in Critical Infrastructures: A Case of Substation Automation in the Power Sector

  • Conference paper
  • First Online:
Digital Forensics and Cyber Crime (ICDF2C 2017)

Abstract

The proliferation of intelligent devices has provisioned more functionality in Critical Infrastructures. But the same automation also brings challenges when it comes to malicious activity, either internally or externally. One such challenge is the attribution of an attack and to ascertain who did what, when and how? Answers to these questions can only be found if the overall underlying infrastructure supports answering such queries. This study sheds light on the power sector specifically on smart grids to learn whether current setups support digital forensic investigations or no. We also address several challenges that arise in the process and a detailed look at the literature on the subject. To facilitate such a study our scope of work revolves around substation automation and devices called intelligent electronic devices (IEDs) in smart grids.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. U.S. General Accounting Office: Cyber security guidance is available, but more can be done to promote its use (2011). http://www.gao.gov/assets/590/587529.pdf

  2. Alcaraz, C., Zeadally, S.: Critical infrastructure protection: requirements and challenges for the 21st century. Int. J. Crit. Infrastruct. Prot. 8, 53–66 (2015)

    Article  Google Scholar 

  3. U.S. Department of Homeland Security: What is critical infrastructure? (2016). https://www.dhs.gov/what-criticalinfrastructure

  4. Critical infrastructure sectors (2016). https://www.dhs.gov/critical-infrastructure-sectors

  5. KTH Royal Institute of Technology (2013). Viking: https://www.kth.se/en/ees/omskolan/organisation/avdelningar/ics/research/cc/proj/v/viking-1.407871

  6. Trend Micro Incorporated: Report on cybersecurity and critical infrastructure in the americas (2015). http://www.trendmicro.com/cloudcontent/us/pdfs/securityintelligence/reports/critical-infrastructures-west-hemisphere.pdf

  7. SANS ICS: Analysis of the cyber attack on the Ukrainian power grid (2016). https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

  8. Langner, R.: Stuxnet: dissecting a cyberwarfare weapon. IEEE Secur. Priv. 9(3), 49–51 (2011)

    Article  Google Scholar 

  9. CESG National Technical Authority for Information Assurance: Good practice guide: Forensic readiness (2015). https://www.cesg.gov.uk/content/files/guidancefiles/Forensic%20Readiness%20(Good%20Practice%20Guide%2018)1.2.pdf

  10. Ammann, R.: Network forensic readiness: a bottom-up approach for IPv6 networks. Ph.D. dissertation, Auckland University of Technology (2012)

    Google Scholar 

  11. Sule, D.: Importance of forensic readiness (2014). http://www.isaca.org/Journal/archives/2014/Volume-1/Pages/JOnline-Importance-of-Forensic-Readiness.aspx

  12. Eden, P., Blyth, A., Burnap, P., Cherdantseva, Y., Jones, K., Soulsby, H., Stoddart, K.: A cyber forensic taxonomy for SCADA systems in critical infrastructure. In: Rome, E., Theocharidou, M., Wolthusen, S. (eds.) CRITIS 2015. LNCS, vol. 9578, pp. 27–39. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33331-1_3

    Google Scholar 

  13. Cook, A., Nicholson, A., Janicke, H., Maglaras, L.A., Smith, R.: Attribution of cyber attacks on industrial control systems. EAI Endorsed Trans. Indust. Netw. Intellig. Syst. 3(7), e3 (2016). https://doi.org/10.4108/eai.21-4-2016.151158

    Google Scholar 

  14. van der Knijff, R.M.: Control systems/SCADA forensics, what’s the difference? Digit. Invest. 11(3), 160–174 (2014). https://doi.org/10.1016/j.diin.2014.06.007. ISSN 1742-2876

    Article  Google Scholar 

  15. Etalle, S., Gregory, C., Bolzoni, D., Zambon, E.: Self-configuring deep protocol network whitelisting. Security Matters (2013). http://www.secmatters.com/sites/www.secmatters.com/files/documents/whitepaper_ics_EU.Pdf

  16. Pauna, A., May, J., Tryfonas, T.: Can we learn from SCADA security incidents? – ENISA, 09 October 2013. https://www.enisa.europa.eu/publications/can-we-learn-from-scada-security-incidents

  17. Ahmed, I., Obermeier, S., Naedele, M., Richard III, G.G.: SCADA systems: challenges for forensic investigators. Computer 45(12), 44–51 (2012). https://doi.org/10.1109/mc.2012.325

    Article  Google Scholar 

  18. Wu, T., Pagna Disso, J.F., Jones, K., Campos, A.: Towards a SCADA forensics architecture. In: Proceedings of the 1st International Symposium for ICS & SCADA Cyber Security Research, pp. 12–21 (2013)

    Google Scholar 

  19. Fabro, M., Cornelius, E.: Recommended practice: creating cyber forensics plans for control systems. DHS Control Systems Security Program (2008). https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/Forensics_RP.pdf. Accessed 15 May 2017

  20. Iqbal, A.: [Extended Abstract] Digital Forensic Readiness in Critical Infrastructures: Exploring substation automation in the power sector. Stockholm (2017). http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-209689

  21. Kilpatrick, T., Gonzalez, J., Chandia, R., Papa, M., Shenoi, S.: An architecture for SCADA network forensics. In: Olivier, M.S., Shenoi, S. (eds.) DigitalForensics 2006. IAIC, vol. 222, pp. 273–285. Springer, Boston, MA (2006). https://doi.org/10.1007/0-387-36891-4_22

    Chapter  Google Scholar 

  22. Valli, C.: SCADA forensics with Snort IDS. In: Proceedings of the 2009 International Conference Security and Management (SAM 2009), pp. 618–621. CSREA Press (2009)

    Google Scholar 

  23. Sohl, E., Fielding, C., Hanlon, T., Rrushi, J., Farhangi, H., Howey, C., Carmichael, K., Dabell, J.: A field study of digital forensics of intrusions in the electrical power grid. In: Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or PrivaCy (CPS-SPC 2015), pp. 113–122. ACM, New York (2015)

    Google Scholar 

  24. CVE Details, Security Vulnerabilities, Promotic. https://www.cvedetails.com/vulnerability-list/vendor_id-649/product_id-22225/Microsys-Promotic.html

  25. Hunt, R., Slay, J.: Achieving critical infrastructure protection through the interaction of computer security and network forensics. In: 2010 Eighth Annual International Conference on Privacy Security and Trust (PST), pp. 23–30. IEEE (2010)

    Google Scholar 

  26. Langner, R.: Robust Control System Networks: How to Achieve Reliable Control after Stuxnet. Momentum Press, New York (2011)

    Book  Google Scholar 

  27. IEEE C37.118.1-2011: IEEE Standard for Synchrophasor Measurement for Power Systems

    Google Scholar 

  28. NASPI Technical Report: Time Synchronization in the Electric Power System, USA, March 2017. https://www.naspi.org/sites/default/files/reference_documents/tstf_electric_power_system_report_pnnl_26331_march_2017_0.pdf

  29. IEEE Standard for Synchrophasor Data Transfer for Power Systems. In: IEEE Std C37.118.2-2011 (Revision of IEEE Std C37.118-2005), pp. 1–53, 28 December 2011

    Google Scholar 

  30. Beasley, C., Zhong, X., Deng, J., Brooks, R., Venayagamoorthy, G.K.: A survey of electric power synchrophasor network cyber security. In: IEEE PES Innovative Smart Grid Technologies, Europe, Istanbul, pp. 1–5 (2014)

    Google Scholar 

  31. Almas, M.S., Vanfretti, L.: Impact of time-synchronization signal loss on PMU-based WAMPAC applications. In: 2016 IEEE Power and Energy Society General Meeting (PESGM), Boston, MA, pp. 1–5 (2016)

    Google Scholar 

  32. Almas, M.S., Vanfretti, L., Singh, R.S., Jonsdottir, G.M.: Vulnerability of synchrophasor-based WAMPAC applications’ to time synchronization spoofing. IEEE Trans. Smart Grid 8(99), 1 (2017)

    Article  Google Scholar 

  33. SEL: Protection Relays by Schweitzer Engineering Laboratories. https://selinc.com/products/421/

  34. SEL-5030 acSELerator QuickSet Software. https://selinc.com/products/5030/

Download references

Acknowledgment

This work has received funding from the Swedish Civil Contingencies Agency (MSB) through the research center Resilient Information and Control Systems (RICS).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Asif Iqbal .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Iqbal, A., Ekstedt, M., Alobaidli, H. (2018). Digital Forensic Readiness in Critical Infrastructures: A Case of Substation Automation in the Power Sector. In: Matoušek, P., Schmiedecker, M. (eds) Digital Forensics and Cyber Crime. ICDF2C 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 216. Springer, Cham. https://doi.org/10.1007/978-3-319-73697-6_9

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-73697-6_9

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-73696-9

  • Online ISBN: 978-3-319-73697-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics