Investigating Attacks on Industrial Control Systems Using Deterministic Replay Simulation

2019-06-10T20:47:05Z (GMT) by Gregory Walkup
From factories to power grids, industrial systems are increasingly being digitally controlled and networked. While networking these systems together improves their efficiency and convenience, it also opens them up to attack by malicious actors. When these attacks occur, forensic investigators need to quickly be able to determine what was compromised and which corrective actions should be taken. In this thesis, a method is proposed for investigating attacks on industrial control systems by simulating the logged inputs of the system over time using a model constructed from the control programs that make up the system. When evaluated, this led to the detection of attacks which perturbed the normal operation of the system by comparing the simulated output to the actual output. It also allowed for dependency tracing between the inputs and outputs of the system, so that attacks could be traced from their unwanted effects to their source and vice-versa. This method can thus greatly aid investigators in recovering the complete attack story using only logs of inputs and outputs to an industrial control system.