
Lightweight Journaling for Scada Systems via Event Correlation

Abstract: Industrial control systems are not immune to cyber incidents. However, the support for incident responders and forensic investigators is low. In particular, there are limited journaling capabilities for operator actions. Barring the preservation of full packet captures and operator workstation security logs, which can generate unmanageable amounts of data on production networks, it is generally not possible to attribute control events (e.g., opening a valve or operating a breaker) to individual operators. This information can be necessary to perform security investigations, especially in cases involving malicious insider activities. This chapter presents a lightweight journaling system for SCADA networks based on event correlation. By correlating network events and operating system logs, a journal is generated of all Modbus protocol write events along with the usernames of the operators who performed the actions. The journal is much more compact than a full packet capture, achieving compression ratios of around 570 to 1 in conservative conditions and more than 2,000 to 1 in typical operating conditions, allowing for the preservation of valuable information for security investigations.
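The correlation step the abstract describes, as an added example that is not the paper's own code: Modbus write requests parsed from the network are joined to the logon session active on the sending workstation at that time, and only the resulting journal entries are kept. The field names, the set of write function codes and the sample events and sessions are assumptions constructed for this illustration.

```python
from collections import namedtuple
from datetime import datetime

# Modbus function codes that change PLC state; read requests are not journaled.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# One Modbus request parsed from the network capture (src_ip = operator workstation,
# dst_ip = PLC) and one logon session reconstructed from the workstation's OS logs
# (end is None when the user was still logged on when the logs were collected).
ModbusEvent = namedtuple("ModbusEvent", "ts src_ip dst_ip unit_id function_code address value")
LogonSession = namedtuple("LogonSession", "host_ip username start end")


def session_user(sessions, host_ip, ts):
    """Return the username logged on at host_ip at time ts, or None if no session covers it."""
    for s in sessions:
        if s.host_ip == host_ip and s.start <= ts and (s.end is None or ts < s.end):
            return s.username
    return None


def build_journal(modbus_events, sessions):
    """Keep only write requests and attach the operator logged on at the source host."""
    journal = []
    for ev in sorted(modbus_events, key=lambda e: e.ts):
        if ev.function_code not in WRITE_FUNCTION_CODES:
            continue                      # reads are not control actions
        user = session_user(sessions, ev.src_ip, ev.ts)
        journal.append({"ts": ev.ts.isoformat(), "plc": ev.dst_ip, "unit": ev.unit_id,
                        "fc": ev.function_code, "addr": ev.address, "value": ev.value,
                        "workstation": ev.src_ip,
                        "user": user if user is not None else "UNATTRIBUTED"})
    return journal


# Constructed sample data (not real captures or logs).
T = datetime.fromisoformat
SESSIONS = [LogonSession("10.0.1.10", "alice", T("2016-03-14T08:00"), T("2016-03-14T12:00")),
            LogonSession("10.0.1.10", "bob", T("2016-03-14T12:30"), None)]
EVENTS = [ModbusEvent(T("2016-03-14T09:15"), "10.0.1.10", "10.0.2.5", 1, 3, 40001, 0),
          ModbusEvent(T("2016-03-14T09:16"), "10.0.1.10", "10.0.2.5", 1, 5, 17, 0xFF00),
          ModbusEvent(T("2016-03-14T12:45"), "10.0.1.10", "10.0.2.5", 1, 6, 40001, 1200),
          ModbusEvent(T("2016-03-14T12:10"), "10.0.1.20", "10.0.2.5", 1, 6, 40002, 7)]

if __name__ == "__main__":
    for entry in build_journal(EVENTS, SESSIONS):
        print(entry)
```

A write with no covering logon session is kept but marked UNATTRIBUTED rather than dropped, since an unattributed control action is exactly what an investigator needs to see.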
Document type :
Conference papers

Cited literature: 11 references

Contributor: Hal Ifip
Submitted on: Wednesday, October 11, 2017 - 3:00:07 PM
Last modification on: Monday, March 19, 2018 - 10:38:02 PM
Long-term archiving on: Friday, January 12, 2018 - 3:01:47 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Antoine Lemay, Alireza Sadighian, Jose Fernandez. Lightweight Journaling for Scada Systems via Event Correlation. 10th International Conference on Critical Infrastructure Protection (ICCIP), Mar 2016, Arlington, VA, United States. pp.99-115, ⟨10.1007/978-3-319-48737-3_6⟩. ⟨hal-01614870⟩


