A Survey on Industrial Control System Digital Forensics: Challenges, Advances and Future Directions

Operational Technology (OT) systems have become increasingly interconnected and automated, consequently resulting in them becoming targets of cyber attacks, with the threat towards a range of critical national infrastructure (CNI) sectors becoming heightened. This is particularly the case for Industrial Control Systems (ICS), which control and operate the physical processes in CNI sectors such as water treatment, electrical generation and manufacturing. Unlike information technology (IT) systems, ICS have unique cyber-physical characteristics and related safety requirements, making them an attractive target for attacks given the physical consequences that can occur. As a result, the requirement to respond and learn from previous and new attacks is also increasing, with digital forensics playing a significant role in this process. The aim of this paper is to discuss the main issues and existing limitations related to ICS digital forensic. The field of ICS digital forensics is relatively under-developed and does not have the same levels of maturity as IT digital forensics. Although the amount of research on cyber security for ICS is increasing, many unique challenges still exist that pose as barriers to the development and deployment of ICS forensic capabilities. We provide an extensive discussion on these challenges, categorising them into technical, socio-technical, and operational and legal themes. Furthermore, the relationship between these challenge themes as well as the inter-challenge dependencies are also examined. Furthermore, this work discusses ICS forensic advances in relation to the digital forensics life chain, specifically forensic readiness and investigations. The areas of digital forensic training and processes models for ICS are given particular focus. Moreover, we assess the technologies and tools that have been either applied to or developed for ICS components and networks, giving special attention to forensic acquisition and analysis methods. An examination into the specific ICS digital forensic data sources and artefacts is also presented, highlighting that until recently, this was limited to descriptions of generic data formats. In addition, this paper provides an overview of several key ICS attacks, summarising the specific techniques used, data artefacts of interest, and proposing lessons learnt. Finally, this paper presents open discussions on future ICS digital forensics research directions and on-going issues, covering both short and long-term areas that can be addressed to improve the ICS digital forensics capability.