Developing a Framework for Conducting Efficient SCADA HMI Forensic Investigations and The Ignition Forensic Artifact Carving Tool (IFACT)

Author

LaSean A. Salmon, Louisiana State University and Agricultural and Mechanical CollegeFollow

Semester of Graduation

Fall 2024

Degree

Master of Science (MS)

Department

The Department of Computer Science

Document Type

Thesis

Abstract

In the modern industrial control landscape, Supervisory Control and Data Acquisition (SCADA) systems serve as critical intermediaries in automating and managing complex processes across many industries, including energy, manufacturing, and utilities. While maintaining the availability and efficiency of these systems is essential, their increased integration into networked environments has exposed them to a growing array of cyber threats. As SCADA systems continue to grow and be deployed globally, malicious actors are increasingly target critical infrastructure, making security management progressively more challenging. Our research explores the benefits of conducting forensic investigations focused on SCADA Human-Machine Interface (HMI) systems, emphasizing how centralized equipment analysis can help overcome the unique challenges these systems present.

To assist investigators in efficiently collecting system-wide data from SCADA HMI environments, we developed a forensic analysis framework that enables the evaluation of system discrepancies and evidence of potential cyberattacks. Additionally, we present a comprehensive forensic analysis of a SCADA testbed featuring Ignition, a popular SCADA software platform developed by Inductive Automation. Our investigation reveals that SCADA HMI forensics can provide valuable insight into the system's state, allowing for the identification and cross-analysis of critical equipment and operational data across memory, network, and disk. This framework is further supported by the creation of the Ignition Forensic Artifact Carving Tool (IFACT), a SCADA HMI Forensic Analysis Tool designed to assist in extracting artifacts and parsing system information from forensic data sourced from Ignition HMIs. Using IFACT, we achieve accurate insights into device and equipment data in SCADA systems, investigating data persistence in volatile memory and the variability of its lifetime based on the system state.

Date

11-4-2024

Recommended Citation

Salmon, LaSean A., "Developing a Framework for Conducting Efficient SCADA HMI Forensic Investigations and The Ignition Forensic Artifact Carving Tool (IFACT)" (2024). LSU Master's Theses. 6046.
https://repository.lsu.edu/gradschool_theses/6046

Committee Chair

Baggili, Ibrahim