Monday, 17 December 2012

Programmable Logic Controller (PLC), SCADA (Supervisory Control and Data Acquisition)

Programmable Logic Controllers (PLC)
A programmable logic controller (PLC) is a microprocessor-based device used for automation processes, such as control of machinery on a factory assembly line, or control of boxing machines and conveyor lines. A key feature of a PLC is its input/output (I/O) facility, which connects to sensors and actuators. Through these I/Os, a PLC can read limit switches, analog process variables (such as temperature and pressure), and the positions of complex positioning systems. A PLC can operate electric motors, magnetic relays or solenoids, pneumatic or hydraulic cylinders, or analog outputs.
PLCs are among the most versatile and common devices used for industrial automation.
They monitor the inputs, solve the logic of a user program and control the outputs.

Data & Communications
A PLC holds a wealth of information. Information such as math calculations or the input state of a device is stored in the PLC's data area. Data areas are internal memory registers of a PLC, each with its own memory address. These data are accessible from external systems via communication ports built into the PLC. Usually, a PLC will have a 9-pin serial RS-232 port with Modbus included as one of the communication protocols. Optionally, it may have Ethernet ports or various fieldbuses such as DeviceNet or Profibus. Example: the running state of a motor is available to the PLC via input 1. Depending on the make of the PLC, this input 1 may be addressed by the Modbus address 10001.
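As an added illustration, not from the original post: how the 5-digit reference address a PLC manual quotes (input 1 at 10001) maps onto the function code and zero-based offset that actually go on the wire, with a Modbus/TCP read request encoded and a constructed response decoded. It assumes the 5-digit convention (some vendors use six digits, e.g. 400001) and plain Modbus/TCP, which carries no authentication, so any host that can reach the port can read or write these registers and the port must sit behind network access controls.

```python
import struct

# Modbus reference-address tables in the 5-digit convention used in PLC
# documentation (assumption: some vendors use a 6-digit form such as 400001).
# prefix digit -> (table name, function code used to read that table)
TABLES = {
    0: ("coil", 1),              # 00001-09999  Read Coils             (FC 1)
    1: ("discrete_input", 2),    # 10001-19999  Read Discrete Inputs   (FC 2)
    3: ("input_register", 4),    # 30001-39999  Read Input Registers   (FC 4)
    4: ("holding_register", 3),  # 40001-49999  Read Holding Registers (FC 3)
}

def reference_to_pdu(ref: int):
    """Map a reference address to (table, function code, zero-based offset).
    The post's example: input 1 at reference 10001 is discrete input offset 0."""
    prefix, index = divmod(ref, 10000)
    if prefix not in TABLES or not 1 <= index <= 9999:
        raise ValueError(f"not a valid reference address: {ref}")
    name, fc = TABLES[prefix]
    return name, fc, index - 1

def build_read_request(ref: int, quantity: int = 1, unit_id: int = 1, tid: int = 1) -> bytes:
    """Encode a Modbus/TCP read request: MBAP header (transaction id, protocol
    id 0, remaining length, unit id) followed by the PDU (fc, offset, count)."""
    _, fc, offset = reference_to_pdu(ref)
    pdu = struct.pack(">BHH", fc, offset, quantity)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id)
    return mbap + pdu

def parse_bit_response(ref: int, quantity: int, frame: bytes) -> dict:
    """Decode a Read Coils / Read Discrete Inputs response into
    {reference address: state}. Bits are packed LSB-first, padded to a byte."""
    _tid, _proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    fc, byte_count = pdu[0], pdu[1]
    if fc & 0x80:  # exception response: the request fc with its high bit set
        raise ValueError(f"Modbus exception code {byte_count} for fc {fc & 0x7F}")
    if len(pdu) != 2 + byte_count or byte_count * 8 < quantity:
        raise ValueError("malformed response: byte count does not match PDU")
    return {ref + i: bool(pdu[2 + i // 8] >> (i % 8) & 1) for i in range(quantity)}
```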

PLC & IntegraXor
IntegraXor is a tool to develop HMI/SCADA applications. IntegraXor has the communication drivers to exchange data directly with a PLC via its communication port. Apart from PLCs, IntegraXor can also communicate with various other devices, such as robots and drives, that have a supported communication protocol and port.

SCADA (Supervisory Control and Data Acquisition)
SCADA generally refers to industrial control systems: a computer system monitoring and controlling a process. The process can be industrial, infrastructure-based or facility-based, as described below:

  • Industrial processes include those of manufacturing, production, power generation, fabrication, and refining, and may run in continuous, batch, repetitive or discrete modes.
  • Infrastructure processes may be public or private and include water treatment and distribution, water collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, and large communication systems.
  • Facility processes occur in both public and private facilities, including buildings, airports, ships, and space stations. They monitor and control HVAC, access, and energy consumption.
A SCADA system consists of:
  • A human-machine interface (HMI), which presents process data to a human operator; the operator monitors and controls the process.
  • A supervisory (computer) system for gathering and acquiring data on the process and sending commands (controls) to the process.
  • Remote Terminal Units (RTUs) connecting to sensors in the process, converting sensor signals to digital data and sending the data to the supervisory system.
  • Programmable Logic Controllers (PLCs) used as field devices because they are more economical, versatile, flexible and configurable than special-purpose RTUs.
  • Communication infrastructure connecting the supervisory system to the Remote Terminal Units.

Subsystems of SCADA
  • SCADA / EMS subsystem
  • Inter-site Communication (ICCP) subsystem
  • Web subsystem and the security infrastructure
  • ISR subsystem (HIS)
  • Archive subsystem
  • Network management subsystem
  • Video projection system (VPS)
  • Development subsystem
  • User Interface (UI) subsystem
  • GPS Time & Frequency subsystem
  • WAN subsystem
  • LAN subsystem
  • Peripheral devices

In-Depth: Digital Forensics

Computer forensics is simply the application of computer investigation and analysis techniques in the interest of determining potential legal evidence. Evidence might be sought in a wide range of computer crimes or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. Since forensic science is the application of a scientific discipline to the law, the essence of all forensic disciplines concerns the principles applied to the detection, collection, preservation, and analysis of evidence to ensure its admissibility in legal proceedings. Computer forensics refers to the tools and techniques used to recover, preserve, and examine data stored or transmitted in binary form.

The computer forensics specialist must approach the retrieval process in a very detailed and methodical manner, since any or all evidence discovered can then be used during discovery, depositions, or actual litigation. Ryan Purita, one of the leading computer forensic experts in private practice in Canada, states: “In order for results to hold up in court, the file system under investigation must remain unaltered. If a single file has a time stamp later than the date and time that the file system was surrendered as evidence, an opposing lawyer can call the entire investigation into question.” “You screw one little thing up,” Purita explains, “and everything else is gone” in the case. Erin Kenneally echoes the importance of evidence collection and how meticulous and calculated steps should be taken during the retrieval of such evidence: “Whereas DNA analysis is performed on the original blood evidence, maintaining the sanctity of original evidence is a tenet of computer forensics, and analysis must be conducted on a copy of the original media (with a few, notable exceptions where circumstances preclude a copy being made).” “Regardless of whether the discipline is computer forensics or fingerprinting, the driving question is not whether evidence exists but, rather, can investigators uncover and contextualize the evidence. Therefore, the challenges are: Where to look? What techniques will make the evidence apparent? And is the evidence admissible?”
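The two rules quoted above (analyse a copy whose integrity can be proven, and treat any file timestamped after surrender as a red flag) as an added example, not code from the original post or from the experts it quotes; the image bytes, surrender time and file listing are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample data (not real evidence): a "surrendered" disk image, the
# working copy analysis will be done on, the time of surrender, and a file
# listing (path, last-modified time in UTC) extracted from the image.
ORIGINAL_IMAGE = b"\x00constructed-sample-image-bytes-" * 4096
WORKING_COPY = bytes(ORIGINAL_IMAGE)
SURRENDERED_AT = datetime(2012, 12, 10, 9, 0, tzinfo=timezone.utc)
FILE_LISTING = [
    ("/home/user/report.doc", datetime(2012, 12, 3, 14, 22, tzinfo=timezone.utc)),
    ("/var/log/auth.log", datetime(2012, 12, 9, 23, 59, tzinfo=timezone.utc)),
    ("/home/user/.bash_history", datetime(2012, 12, 11, 8, 5, tzinfo=timezone.utc)),
]

def image_digest(data: bytes, algo: str = "sha256", chunk: int = 1 << 16) -> str:
    """Hash an image in chunks (real images are far larger than memory);
    the digest is what gets written on the chain-of-custody record."""
    h = hashlib.new(algo)
    view = memoryview(data)
    for start in range(0, len(view), chunk):
        h.update(view[start:start + chunk])
    return h.hexdigest()

def files_modified_after(listing, surrendered_at):
    """Purita's test: any file whose timestamp is later than the moment the
    file system was surrendered suggests alteration after seizure."""
    return [path for path, mtime in listing if mtime > surrendered_at]

def custody_check(original: bytes, copy: bytes, listing, surrendered_at) -> dict:
    """Bundle both checks into one record: the copy is only usable for
    analysis if its digest matches the original, and every post-surrender
    timestamp must be explained before the evidence goes to court."""
    orig_digest = image_digest(original)
    copy_digest = image_digest(copy)
    return {
        "original_sha256": orig_digest,
        "copy_sha256": copy_digest,
        "copy_verified": orig_digest == copy_digest,
        "suspect_files": files_modified_after(listing, surrendered_at),
    }

if __name__ == "__main__":
    print(custody_check(ORIGINAL_IMAGE, WORKING_COPY, FILE_LISTING, SURRENDERED_AT))
```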
Though in many organizations the incident response team already performs some evidence-collection activities, the need to collect that evidence and preserve it in a systematic, proactive approach is still an open issue. In order to investigate anti-forensics, organizations need to decide early what information to collect and preserve in a forensically sound manner. Live (proactive) forensic investigations are hindered by the lack of definitions of live forensics and of standard procedures for live investigations. In addition, the authors suggested the automation and activation of evidence-collection tools in live investigations. This automation should involve minimal user intervention to improve the integrity of the evidence. Thus, a multi-component view of the digital forensics investigation process has been proposed. However, it is a high-level view of the investigation and, as such, cannot directly be operationalized to create automated tools. Additionally, the process described contains phases, such as service restoration, that lie outside the scope of the investigation.
It would be unwise to depend upon audit trails and internal logs in a digital forensics investigation. In addition, note that a future digital forensics investigation process will only be possible if future tools and techniques make a proactive effort at evidence collection and preservation. Evidence collected in the reactive stage of the investigation is more time-consuming to investigate; conversely, the proactive stage collects only potential evidence, which is less time-consuming to investigate. In addition, a high-level proactive forensics system is proposed as ideal.

Computers have become an important part of our lives and as such are involved in almost everything we do, from paying bills to booking vacations. However, computer systems have also become a mainstay of criminal activity.
Computer crimes have increased in frequency, and their degree of sophistication has also advanced. An example of such sophistication is the use of anti-forensics methods, as in the Zeus Botnet Crimeware toolkit, which can sometimes counteract digital forensic investigations through its obfuscation levels. Moreover, the volatility and dynamicity of the information flow in such a toolkit require some type of proactive investigation method or system. The term anti-forensics refers to methods that prevent forensic tools, investigations, and investigators from achieving their goals. Two examples of anti-forensics methods are data overwriting and data hiding. From a digital investigation perspective, anti-forensics can do the following:

  • Prevent evidence collection.
  • Increase the investigation time.
  • Provide misleading evidence that can jeopardize the whole investigation.
  • Prevent detection of digital crime.

To investigate crimes that rely on anti-forensics methods, more digital forensics investigation techniques and tools need to be developed, tested, and automated. Such techniques and tools are called proactive forensics processes. When the individuals involved are brought before the courts, innocence or guilt is basically decided by testimony and evidence. Of the two, evidence is probably the more critical. And when it comes to evidence, it is the accuracy of that evidence which may be the difference in determining the outcome of the trial. Relying more and more on the evidence extracted from computer systems to bring about convictions has forged a new means of scientific investigation. The term coined for this area of investigation is “computer forensics.” It is an area of science that has come under the scrutiny of law enforcement and federal, state, and local government officials, and the reason for the scrutiny revolves around the “cleanliness” of the data being presented.

Digital Forensics

Computer forensics is the use of specialized techniques for the recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond the normal data collection and preservation techniques available to end-users or system support personnel.
The informal nature of such ad hoc procedures can prevent verification of the evidence collected, and may diminish the value of the evidence in legal proceedings. A prepared organization, by contrast, maximizes its potential to use digital evidence while minimizing the costs of an investigation.
Early intervention is key. Perhaps more compelling are the technical and legal implications that recommend early computer forensics intercession. While there are some costs associated with this preparation, there is the opportunity to actively collect potential evidence in the form of log files, emails, back-up disks, portable computers, network traffic records, and telephone records, amongst others. This evidence may be collected in advance of a crime or dispute, and can be used to the benefit of the collecting organization. Being prepared to gather and use evidence can also have a benefit as a deterrent, since a good deal of crime is internal.
As the courts gain more and more experience regarding the definition of computer records and their submission as evidence, it is obvious that the forensic specialist has a major responsibility. He or she must take great care in extracting and consolidating all of the data he or she thinks will be pertinent to the lawyers and individuals they are working with.
Categories of Forensics:
  • Network-based forensics
  • Disk-based forensics (investigating the suspect's hard drive, phone, flash drive, memory sticks, etc.)

Authenticity and the Alteration of Computer Records
One thing we do know regarding computers is that, without secure measures, the data stored on these machines can be easily changed. Lawyers are also aware of this fact, and allegations as to the authenticity of computer records will come into question. Ms. Kenneally states, “… the mutability of digital evidence facilitates legal challenges grounded in chain-of-custody and evidence-tampering arguments.” So how does the court approach the question of tampering and alteration? In the case of United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985) [14], the court established the following: “The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer generated records; the party opposing admission would have to show only that a better security system was feasible.” So the court placed the responsibility onto the opposing party: they must prove that the security provided was inadequate and that a better security system existed.
One thing we do know regarding computers is that, without secure measures, the data stored on these machines can be easily changed. Lawyers are also aware of this fact and allegations as to the authenticity of the computer records will come into question. Ms. Kenneally states, “… the mutability of digital evidence facilitates legal challenges grounded in chain of-custody and evidencetampering arguments “ So how does the court approach the question of tampering and alteration? In the case of the “United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985)” [14} the courts established the following: "The existence of an air-tight security system [to prevent tampering] is not, however, a prerequisite to the admissibility of computer printouts. If such a prerequisite did exist, it would become virtually impossible to admit computer generated records; the party opposing admission would have to show only that a better security system was feasible." So the courts threw the responsibility on to the opposing party…they must proved that the security provided was inadequate and that a better security system existed.