PLC-SEIFF: A programmable logic controller security incident forensics framework based on automatic construction of security constraints
Computers & Security (IF 5.6), Pub Date: 2020-05-01, DOI: 10.1016/j.cose.2020.101749
Lijuan Xu, Bailing Wang, Lianhai Wang, Dawei Zhao, Xiaohui Han, Shumian Yang

Abstract: Over the past two decades, with SCADA systems connected to corporate networks or the Internet, programmable logic controllers (PLCs), which control and monitor physical industrial and infrastructure processes in industrial control networks, have suffered large-scale and catastrophic network attacks, due to their crucial character and safe characteristic. However, the PLC's inferior computing power, restricted storage capacity, "scan-cycle" operating mode, and clients' strong private demands have made it challenging to find a forensics framework with the capacity to reduce the storage requirement and strikingly enhance practicality and robustness. In an effort to address these challenges, by establishing an attack model against the PLC from the viewpoint of security incident forensics, this paper proposed a PLC security incident forensics framework named PLC-SEIFF. This framework implemented the automatic construction of security constraint rules from the PLC control logic STL program, and the filtering and identification of irrelevant incident records by correlation analysis on the basis of multi-source data.

Updated: 2020-05-01