Supervisory Control and Data Acquisition (SCADA) System Forensics Based on the Modbus Protocol


  • John Onyiego School of Computing and Informatics, University of Nairobi, Kenya,Elinsco systems, Nairobi, Kenya
  • Odira Elisha Abade School of Computing and Informatics, University of Nairobi, Kenya,Scala Institute of Advanced Computing and Digital Literacy, Nairobi, Kenya.




Supervisory Control and Data Acquisition (SCADA) has been at the cored of Operational Technology (OT) used in industries and process plants to monitor and control critical processes, especially in the energy sector. In petroleum sub-sector, it has been used in monitoring transportation, storage and loading of petroleum products. It is linked to instruments that collect and monitor parameters such as temperature, pressure and product densities. It gives commands to actuators by the use of the application programs installed on the programmable logic controllers (PLCs). Earlier SCADA systems were isolated from the internet, hence protected by an airgap from attacks taking place on interconnected systems. The recent trend is that SCADA systems are becoming more integrated with other business systems using Internet technologies such as Ethernet and TCP/IP. However, TCP/IP and web technologies which are predominantly used by IT systems have become increasingly vulnerable to cyberattacks that are experienced by IT systems such as malwares and other attacks.  It is important to conduct vulnerability assessment of SCADA systems with a view to thwarting attacks that can exploit such vulnerabilities. Where the vulnerabilities have been exploited, forensic analysis is required so as to know what really happened. This paper reviews SCADA systems configuration, vulnerabilities, and attacks scenarios, then presents a prototype SCADA system and forensic tool that can be used on SCADA. The tool reads into the PLC memory and Wireshark has been to capture network communication between the SCADA system and the PLC.


. Kilpatrick, T., Gonzalez, J., Chandia, R., Papa, M., Shenoi, S, “An architecture for SCADA network forensics, in Advances in Digital Forensics II,,” Springer, Boston, Massachusetts,, p. pp. 273–285 , 2006.

. E. Ancillotti, R. Bruno, M. Conti, “The role of communication systems in smart grids: architectures, technical solutions and research challenges,,” Computers and Communication, vol. 36, p. 1665–1697, 2013.

. Stouffer, Keith, Joe Falco, and Karen Scarfone., “Guide to industrial control systems (ICS) security,” NIST special publication, vol. 800, no. 82, pp. 16-16, 2011.

. SaranyanSenthivel,IrfanAhmed,VassilRoussev, “SCADA network forensics of the PCCC protocol,” Digital investigations, vol. 22, pp. S57-S65, 2017.

. Abraham Serhane, Mohamad Raad, Willy Susilo,, “Programmable logic controllers-based systems (PLC-BS): vulnerabilities and threats,,” SN Applied Sciences, vol. 1, 2019.

. Nicolas Falliere, Liam O Murchu, and Eric Chien, “W3.Stuxnet DOssier v1.4,” Symantec security response, 2011.

. Vinay M. Igure,Sean A. Laughter, Ronald D. Williams, “Security issues in SCADA networks.,” Computers and Security , vol. 25, p. 498–506, 2006;25(7):.

. Joe Stirland, Helge Janicke,Kevin Jones, Tina Wu, “Developing Cyber Forensics for SCADA Industrial Control Systems,” in The International Conference on Information Security and Cyber Forensics , Kuala Terengganu, Malaysia, 2014.

. Z. Zhang, W. Susilo and R. Raad, “Mobile ad-hoc network key management with certificateless cryptography,,” in 2nd International Conference on Signal Processing and Communication Systems, , Gold Coast,, 2008.

. S. K. a. M. Wei, “SCADA Testbed for Vulnerability Assessments, Penetration Testing and Incident Forensics,,” in 7th International Symposium on Digital Forensics and Security (ISDFS),, Barcelos, Portugal, , 2019, pp. 1-6,.

. Syed Ali Qasim, Juan Lopez,Irfan Ahmed, “Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics,” in 22nd Information Security Conference (ISC’19), , New York, 2019.

. Asif Iqbal, Farhan MAhmood, Mathias Ekstedt, “Digital Forensic Analysis of Industrial Control:Systems Using Sandboxing,” vol. 12, 2019.

. Irfan Ahmed, Sebastian Obermeier, Golden G. Richard III, Martin Naedele, “SCADA Systems: Challenges for Forensic Investigators,” in Computer, vol. 45, pp. 44-51, 2012.

. Umit Karabiyik,Faruk Yildiz, James Holekamp,,Khaled Rabieh, “Forensic Analysis of SCADA/ICS System with Security and Vulnerability Assessment,” in ASEE Annual Conference & Exposition, 2018.

. Vinay M. Igure,Ronald D. Williams Sean A. Laughter, “Security issues in SCADA networks. Computers and Security,” 200.

. Joe Stirland, Kevin Jones,Helge Janicke, Tina Wu, “Developing Cyber Forensics for SCADA Industrial Control Systems,” in The International Conference on Information Security and Cyber Forensics (InfoSec2014, 2014.




How to Cite

Onyiego, J. ., & Abade, O. E. . (2020). Supervisory Control and Data Acquisition (SCADA) System Forensics Based on the Modbus Protocol. International Journal of Computer (IJC), 38(1), 209–221. Retrieved from