Out of Control: SCADA Investigations with HMI Forensics and IFACT
Organized by: International Forensic Scientist Awards
Website: forensicscientist.org
14th Edition of Forensic Scientist Awards 26-27 September 2025 | Mumbai, India
In today’s industrial world, Programmable Logic Controllers (PLCs) and Supervisory Control and Data Acquisition (SCADA) systems are the backbone of automation. They manage everything from power grids and manufacturing plants to water systems and transportation networks. But as these systems become more interconnected with corporate and public networks, their exposure to cyber threats has skyrocketed.
Why SCADA Security Matters
SCADA systems were originally designed for reliability and performance, not cybersecurity. Now, with the rapid global deployment of these technologies, managing their security has become one of the biggest challenges facing industries worldwide. Cyberattacks on these systems can cause devastating disruptions — not just to business, but to entire societies.
The Role of HMI Forensics
At the heart of SCADA systems are Human-Machine Interfaces (HMIs), which operators use to monitor and control processes. These HMIs generate and store digital artifacts that can hold valuable forensic evidence. Investigating them provides unique insights into system states, operator actions, and potential security incidents.
Investigating Ignition: A Popular SCADA Platform
Our research focuses on Ignition, a widely used SCADA software platform developed by Inductive Automation. By conducting deep forensic analysis of Ignition HMIs, we uncover how data is stored, transmitted, and preserved within the system. This allows investigators to identify not only what happened during a cyber incident, but also how long key evidence persists in memory.
The HMI Forensics Framework
To guide this process, we developed a generic forensic analysis framework tailored for HMI environments. This framework outlines the key steps investigators should follow when examining SCADA systems, from memory capture to disk and network analysis.
Introducing IFACT
To make investigations faster and more efficient, we created the Ignition Forensics Artifact Carving Tool (IFACT). This tool automatically parses forensic data from Ignition HMIs, helping analysts recover critical information such as:
- PLC utilization and configurations
- Tag activity and state changes
- Historical system interactions
Key Takeaways
- SCADA security is becoming increasingly important as these systems expand worldwide.
- HMI forensics offers powerful insights into the state of industrial systems during and after cyber incidents.
- IFACT streamlines investigations, making it easier for researchers and security professionals to uncover hidden forensic data.
By bridging the gap between industrial control systems and digital forensics, our work empowers investigators to respond more effectively to cyber threats targeting critical infrastructure.