PLC-SEIFF: A programmable logic controller security incident forensics framework based on automatic construction of security constraints

Computers & Security (2020)

Abstract
Over the past two decades, as SCADA systems have been connected to corporate networks or the Internet, programmable logic controllers (PLCs), which control and monitor physical industrial and infrastructure processes in industrial control networks, have suffered large-scale and catastrophic network attacks because of their crucial role and safety characteristics. However, the PLC's inferior computing power, restricted storage capacity, "scan-cycle" operating mode, and clients' strong privacy demands have made it challenging to find a forensics framework that can reduce the storage requirement and strikingly enhance practicality and robustness. To address these challenges, this paper establishes an attack model against PLCs from the viewpoint of security incident forensics and proposes a PLC security incident forensics framework named PLC-SEIFF. The framework implements the automatic construction of security constraint rules from the PLC control logic STL program, and the filtering and identification of irrelevant incident records by correlation analysis based on multi-source data.
Keywords
PLC,Security incidents,Security constraints,Control logic program,Forensics