Forensic readiness of industrial control systems under stealthy attacks

Cyberattacks against Industrial Control Systems (ICS) can have harmful physical impacts. Investigating such attacks can be difficult, as evidence could be lost to physical damage. This is especially true with stealthy attacks ; i.e., attacks that can evade detection. In this paper, we aim to engineer Forensic Readiness (FR) in safety-critical, geographically distributed ICS, by proactively collecting potential evidence of stealthy attacks. The collection of all data generated by an ICS at all times is infeasible due to the large volume of such data. Hence, our approach only triggers data collection when there is the possibility for a potential stealthy attack to cause damage. We determine the conditions for such an event by performing predictive, model-based, safety checks. Furthermore, we use the geographical layout of the ICS and the safety predictions to identify data that is at risk of being lost due to damage, i.e., relevant data. Finally, to reduce the control performance overhead resulting from real-time data collection, we select a subset of relevant data to collect by performing a trade-off between expected impact of the attack and the estimated cost of collection. We demonstrate these ideas using simulations of the widely-used Tennessee- Eastman Process (TEP) benchmark. We show that the proposed approach does not miss relevant data and results in a reduced control performance overhead compared to the case when all data generated by the ICS is collected. We also showcase the applicability of our approach in improving the efficiency of existing ICS forensic log analysis tools.