WIREs Forensic Sci

Industrial IoT cross‐layer forensic investigation


Cross-layer forensic investigation is addressed for attacks on Industrial Internet of Things (IIoT) devices in Critical Infrastructure (CI) applications. The operational motivation for cross-layer investigation is the desire to directly correlate bit-level network anomaly detection with physical layer (PHY) device connectivity and/or status (normal, defective, attacked, etc.) at the time of attack. The technical motivation for developing cross-layer techniques is threefold: (a) considerable capability is already in place for higher-layer digital forensic information exploitation, that is, real-time network cyberattack and postattack analysis; (b) considerably less capability is in place for lowest-layer PHY forensic information exploitation, so the PHY domain remains largely underexploited; and (c) cyber-physical integration offers a means to jointly exploit higher-layer digital and lowest-layer PHY forensic information and so maximize investigative benefit in IIoT cyber forensics. A delineation of higher-layer digital and lowest-layer PHY elements is provided for the standard Open Systems Interconnection (OSI) network model and for the Purdue Enterprise Reference Architecture (PERA) commonly used in IIoT Industrial Control System (ICS)/Supervisory Control and Data Acquisition (SCADA) applications. A forensics work summary is provided for each delineated area based on selected representative publications and forms the basis for presenting the envisioned cross-layer forensic investigation.

This article is categorized under:
Digital and Multimedia Science > Cyber Threat Intelligence
Digital and Multimedia Science > IoT Forensics
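The correlation the abstract calls for, joining a higher-layer anomaly alert to the PHY-layer observation nearest it in time for the same claimed identity, can be sketched as follows. This is an added illustration, not code or terminology from the article. The device identifiers, timestamps, status labels and the radio frequency fingerprint (RFF) match flag are constructed sample evidence, the two-second correlation window is an arbitrary choice, and the verdict names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class NetAnomaly:
    """Higher-layer (digital) evidence: a bit-level anomaly tied to the identity
    asserted in the frame (here a source MAC). Constructed for this example."""
    ts: float          # epoch seconds when the anomalous frame was captured
    claimed_id: str    # identity the transmitter asserted at the link layer
    detail: str


@dataclass(frozen=True)
class PhyObservation:
    """Lowest-layer (PHY) evidence: an RF fingerprint (RFF) check of the transmitter
    that claimed `claimed_id`, plus the device status recorded at that moment."""
    ts: float
    claimed_id: str
    rff_match: bool    # True if the RF fingerprint matches the one enrolled for claimed_id
    status: str        # hypothetical status label: "normal", "defective", ...


@dataclass(frozen=True)
class Finding:
    anomaly: NetAnomaly
    phy: Optional[PhyObservation]
    verdict: str


def nearest_phy(anomaly: NetAnomaly, phy_obs: List[PhyObservation],
                window_s: float) -> Optional[PhyObservation]:
    """Return the PHY observation for the same claimed identity that is closest in
    time to the anomaly, or None if none falls within +/- window_s seconds."""
    candidates = [p for p in phy_obs
                  if p.claimed_id == anomaly.claimed_id
                  and abs(p.ts - anomaly.ts) <= window_s]
    return min(candidates, key=lambda p: abs(p.ts - anomaly.ts), default=None)


def correlate(anomalies: List[NetAnomaly], phy_obs: List[PhyObservation],
              window_s: float = 2.0) -> List[Finding]:
    """Cross-layer join: classify each network anomaly by what the PHY layer says
    about the transmitter at the time of the anomaly."""
    findings = []
    for a in anomalies:
        p = nearest_phy(a, phy_obs, window_s)
        if p is None:
            verdict = "no_phy_evidence"             # digital-only case; PHY cannot help
        elif not p.rff_match:
            verdict = "identity_spoof_suspected"    # frame claims an ID the radio does not match
        elif p.status != "normal":
            verdict = "defective_device_suspected"  # genuine radio, but device already degraded
        else:
            verdict = "genuine_device_misbehaving"  # genuine radio, normal status: host likely compromised
        findings.append(Finding(a, p, verdict))
    return findings


# Constructed sample evidence (not real captures): MACs, times and details are invented.
ANOMALIES = [
    NetAnomaly(1000.0, "00:1b:1b:aa:00:01", "Modbus write (FC 5) from a host that is not the configured master"),
    NetAnomaly(1010.0, "00:1b:1b:aa:00:02", "burst of malformed CIP packets"),
    NetAnomaly(1020.0, "00:1b:1b:aa:00:03", "polling interval jitter far outside baseline"),
    NetAnomaly(1030.0, "00:1b:1b:aa:00:04", "unexpected ARP reply"),
]

PHY_OBS = [
    PhyObservation(1000.4, "00:1b:1b:aa:00:01", rff_match=False, status="normal"),
    PhyObservation(1009.8, "00:1b:1b:aa:00:02", rff_match=True,  status="normal"),
    PhyObservation(1011.5, "00:1b:1b:aa:00:02", rff_match=True,  status="normal"),  # also in window, farther
    PhyObservation(1020.1, "00:1b:1b:aa:00:03", rff_match=True,  status="defective"),
    PhyObservation(1040.0, "00:1b:1b:aa:00:04", rff_match=True,  status="normal"),  # outside 2 s window
]


def verdicts_by_id(anomalies=ANOMALIES, phy_obs=PHY_OBS, window_s: float = 2.0) -> Dict[str, str]:
    """Convenience view of correlate() keyed by the anomaly's claimed identity."""
    return {f.anomaly.claimed_id: f.verdict for f in correlate(anomalies, phy_obs, window_s)}


if __name__ == "__main__":
    for f in correlate(ANOMALIES, PHY_OBS):
        phy = (f"{f.phy.ts} rff_match={f.phy.rff_match} status={f.phy.status}"
               if f.phy else "none in window")
        print(f"{f.anomaly.ts} {f.anomaly.claimed_id} {f.verdict:<28} PHY: {phy}")
```

The point of the join is the first branch: a bit-level anomaly alone cannot distinguish a spoofed identity from a compromised genuine device, while an RFF mismatch at the same instant does. The window width matters; widening it to cover the fourth device's late PHY record changes its verdict, so the window should be chosen from the PHY capture cadence rather than guessed.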
Functional overlap and interdependencies between the broader IoT and the IIoT subset that supports cyber forensic exploitation of physical systems and infrastructure, using financial, medical, and vehicular systems as examples (physical extent of graphic elements not to scale)
Forensic investigative surface comprising SCADA zones with representative elements available for forensic analysis. The architecture is based on the framework presented in Eden et al., with the control zone expanded to highlight higher-layer digital and lowest-layer PHY elements
General IIoT network architecture consisting of Internet, wide area network (WAN), local area network (LAN), and personal area network (PAN) connections. Wired and/or radio frequency (RF) wireless interconnectivity provides the access points for bit-level data/packet sniffing, logging, historian, and network forensic analysis processes, and for PHY-based radio frequency fingerprinting (RFF)
Relationship between the Open Systems Interconnection (OSI) seven-layer model (Johnson) and the six-layer Purdue Enterprise Reference Architecture (PERA) (Didier et al.), showing the association of each layer with the digital, physical, and cross-layer forensic information domains
Digital forensic process flow diagram, with flow attributed to the [1] Reith, Carr, and Gunsch, [2] Stirland et al., [3] Wu et al., and [4] Shrivastava, Sharma, and Kumari references as indicated. Shaded boxes denote Proactive-phase elements and nonshaded boxes denote Reactive-phase elements according to Shrivastava and Shrivastava et al.
