A study on command block collection and restoration techniques through detection of project file manipulation on engineering workstation of industrial control system

Abstract

Major control systems such as ICS/SCADA are currently being used in the key infrastructures of our society, notably in the energy, transportation, and healthcare sectors. The PLC, which is located in the lowest layer of the control system, is directly connected to diverse field devices including sensors and actuators. In the event of a cyber-attack on the PLC, the potential ripple effects, such as a collapse of the national infrastructure, could be very large, making a high level of cyber safety essential. Therefore, it is necessary to apply digital forensic technology to the PLC to respond to cyber-attacks against the control system. However, conventional methods of directly investigating the PLC, such as network and memory forensics, have practical difficulties as they could compromise the availability of the control system. As such, this paper proposes a method of detecting and restoring logic data when the logic data are changed as a result of a cyber-attack, by using the digital forensic technology developed for the Engineering Workstation (EWS), which has been used to develop, manage and set the control system program logic.