Cyber-Physical Systems Forensics

Cyber-Physical Systems (CPS) provide beneficial connections between the physical world (systems, environments, and humans) and the cyber world. They offer smart features for improving the physical world, such as enhancing and optimizing the reliability, quality, safety, health, security, efficiency, operational costs, and maintainability of a specific physical system or environment. CPS are implemented with a set of distributed software and hardware components that are embedded in physical systems and environments or attached to humans. Many CPS are being implemented for a wide variety of application domains. However, CPS are vulnerable to hacking attempts and criminal activities like any other computerized and distributed system. As a result, CPS must incorporate security measures in addition to suitable forensics capabilities that can support investigations of hacking attempts or criminal activities. This paper defines and discusses the emerging area of CPS forensics, highlights its issues, and reviews some proposed approaches. In addition, it discusses future research and development directions in this area.


INTRODUCTION
Cyber-physical Systems (CPS) provide useful integration and interactions between the physical and the cyber worlds [1]. CPS offer promising technology that adds many capabilities to physical-based applications in diverse domains. CPS can be used to enhance automation capabilities in manufacturing processes for better productivity, efficiency, accuracy, safety, and reliability [2] [3]. They can be used in healthcare applications to provide useful real-time services for patients and healthcare professionals [4] [5]. CPS can be used in large commercial and residential buildings to improve energy efficiency and living/working conditions [6] [7]. They can also be used in transportation systems to enhance safety and efficiency [8]. CPS utilize and integrate numerous technologies, features, and ideas from networking, distributed systems, sensors, embedded systems, software systems, and hardware devices such as microcontrollers and actuators. CPS also encompass different disciplines such as mechanical, biomedical, construction, systems, and electrical engineering, along with the healthcare, transportation, and energy fields, to add value to applications in the physical world [9].
While CPS can offer many smart enhancements for improving physical systems and processes, they are, like any other computerized and distributed system, vulnerable to cyber-attacks and criminal activities. Unlike in other systems, exploited security vulnerabilities in CPS may cause not only damage to data, software, and hardware but also major physical damage. This physical damage may include human deaths and injuries, infrastructure damage, loss of resources, and machine breakdowns or malfunctions. As CPS applications are rapidly developed and deployed in different critical domains, various security measures are being considered and included to protect them. However, it is extremely important that CPS also include suitable and effective forensics capabilities that support investigations of hacking attempts or criminal activities. This paper defines and discusses the emerging area of CPS forensics, highlights its challenges, and reviews some proposed approaches. Furthermore, the paper discusses potential future research and development directions towards achieving better CPS forensics techniques and capabilities.
The rest of the paper is organized as follows. Section II provides background information about CPS including their objectives, roles, and risks. Section III introduces CPS forensics from three different perspectives: technical, organizational, and legal. The approaches for enabling CPS forensics are discussed in Section IV. Section V provides some discussion regarding potential future research and development directions and Section VI concludes the paper.

II. BACKGROUND
CPS are networked embedded systems, characterized by tight and continuous interactions between physical and cyber components [9]. CPS are being progressively deployed everywhere to enhance physical domains. Many CPS are developed to support smart and context-aware mission-critical applications [1]. Predefined objectives of the related application domain are realized through the monitoring and control processes provided by the CPS. The control decisions are usually made in the cyber world by smart algorithms implemented in software. Unlike regular embedded systems, CPS are networked embedded systems that feature distributed components and processing capabilities. Examples of these components are sensors, actuators, and microcontrollers. These devices are linked by means of wired or wireless networks and are tightly coupled to their physical environment. The three main steps in any CPS are: monitoring using sensors, making decisions using smart software, and applying actions using actuators [10]. These three steps are connected in a feedback loop, as shown in Figure 1. When CPS also use cloud computing to implement the smart algorithms that operate the system, such systems are called cyber-physical cloud systems (CPCS).
Implementing and deploying CPS solutions benefits many applications; however, CPS pose major risks if they are exposed to cyberattacks. These risks may escalate to human deaths, infrastructure damage, and negative economic impact. Table 1 provides a summary of major CPS applications covering their main objectives and potential risks.

III. CPS FORENSICS
The former director of the Defense Computer Forensics Laboratory defined digital forensics as "The application of computer science and investigation procedures for a legal purpose involving the analysis of digital evidence (information of probative value that is stored or transmitted in binary form) after proper search authority, chain of custody, validation with mathematics (hash functions), use of validation tools, repeatability, reporting and possible expert presentation" [11]. Digital forensics has advanced substantially in the past several years, and several types of digital forensics have been developed. These include computer forensics, network forensics, virtual machine forensics, mobile device forensics, and cloud computing forensics [12]. Unlike these established types, CPS forensics is a new type that is less developed and deserves more attention. CPS forensics is a cross-discipline of CPS (cyber and physical systems) and digital forensics. It can also be considered a special forensics field that overlaps with network forensics, as CPS are usually networked systems. Network forensics is the process of collecting and analyzing network messages and tracking network traffic using a systematic approach [13]. Furthermore, CPS forensics also incorporates elements from all the other types, depending on the extent of the deployment and the components included. For example, if the CPS uses cloud services, then cloud forensics will apply, while integration with physical infrastructures or human subjects will dictate the need for traditional physical (criminal) forensics.
To analyze CPS forensics, we adopt the framework used by [14] for analyzing cloud forensics. In this framework, there are three dimensions to consider: technical, organizational, and legal. In each of these dimensions, we highlight some important issues related to CPS forensics.

A. Technical Dimension
The technical dimension involves the processes, techniques, methodologies, and tools required to conduct forensics processes in CPS environments. These include data gathering; creating virtualized, emulated, and simulated environments; and incorporating proactive measures. Data gathering is the procedure of identifying, labeling, and acquiring forensics data. Unlike other digital forensics types, data gathering in CPS forensics involves gathering data about the digital components along with the corresponding physical environment, as this environment may be directly harmed by digital crimes. The tools used to gather CPS forensics data differ based on the technologies used to implement the CPS. Sources of data will also be very different from those of traditional systems, as there will be multiple sources with differing characteristics. Therefore, the data gathering tools need to be adequate for such environments.
Interaction between the cyber and physical worlds is one of the main characteristics of CPS. Therefore, CPS forensics tools also need to cover the physical aspects of the system. In this regard, virtualization, emulation, and simulation techniques can be used as enablers for CPS forensics. In addition, incorporating proactive measures can considerably facilitate CPS forensics investigations. For example, logging the exchanged messages, control signals, and access activities can facilitate the forensics process in case of an attack, provided the logs themselves are protected against tampering so that they retain evidential value. Furthermore, the digital forensics used must also be in some way compatible with (or complementary to) the physical forensics that can be conducted on such CPS environments.
One important aspect of enabling both CPS security and CPS forensics is using intrusion detection techniques that can be included within the CPS subsystems [15]. Several intrusion detection techniques have been developed specifically for CPS applications [16]. These techniques are designed to overcome the security and other challenges of CPS applications. Using intrusion detection with CPS applications enables collecting and analyzing data related to CPS activities as well as data related to the interactions among different subsystems within a specific CPS. This information helps evaluate the current security status and, in case of an attack, provides digital trails to help resolve the incident. In addition, more data can be collected and analyzed in relation to the usage of the different parts of the CPS and its environment. This data can be used not only to enable CPS forensics processes but also to enhance future CPS designs to be better protected against future security attacks.
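The two proactive measures described above, tamper-evident logging of sensor readings, control signals and alerts, and an intrusion detection check embedded in the control loop, can be combined in a single forensics-readiness component. The following is an added example written for this article, not code from the paper or from any of the cited works. It assumes a simple thermostat-style loop (heater on/off controlling a temperature sensor), a physics-based invariant with illustrative thresholds, and a constructed sample trace; each entry of the log is hashed together with the digest of its predecessor (the "validation with mathematics (hash functions)" from the definition in Section III), so that any later modification of stored evidence is detectable.

```python
"""Added example, not code from the paper: a hash-chained (tamper-evident)
forensic log for the sensor -> controller -> actuator loop of a CPS, with a
simple physics-based invariant check whose alerts are recorded in the same
chain.  The thermostat scenario, field names and thresholds are assumptions
chosen for illustration."""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64          # prev_hash of the first entry


@dataclass
class Entry:
    seq: int
    kind: str               # "sensor", "command" or "alert"
    payload: dict
    prev_hash: str
    digest: str


def _digest(seq: int, kind: str, payload: dict, prev_hash: str) -> str:
    # Canonical JSON so that the same fields always hash to the same value.
    body = {"seq": seq, "kind": kind, "payload": payload, "prev_hash": prev_hash}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


class ForensicLog:
    """Append-only log where every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, kind: str, payload: dict) -> str:
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        digest = _digest(seq, kind, payload, prev)
        self.entries.append(Entry(seq, kind, payload, prev, digest))
        return digest

    def verify(self) -> Optional[int]:
        """Return the seq of the first entry whose content or link to its
        predecessor is inconsistent, or None if the whole chain is intact."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e.seq, e.kind, e.payload, e.prev_hash) != e.digest:
                return e.seq
            prev = e.digest
        return None


# Assumed physical invariant for the illustration: with the heater on, the
# temperature must not drop by more than MAX_DROP degrees per cycle, and with
# it off it must not rise by more than MAX_RISE.  A violation points at a
# spoofed sensor, a hijacked actuator or a faulty device.
MAX_DROP = 0.5
MAX_RISE = 0.5


def check_invariant(prev_temp: float, temp: float, heater_on: bool) -> Optional[str]:
    delta = temp - prev_temp
    if heater_on and delta < -MAX_DROP:
        return f"temperature fell {-delta:.1f} while heater on"
    if not heater_on and delta > MAX_RISE:
        return f"temperature rose {delta:.1f} while heater off"
    return None


def run_loop(readings: List[float], setpoint: float) -> ForensicLog:
    """One feedback cycle per reading: log the sensor value, check the
    invariant, decide the actuator command and log it."""
    log = ForensicLog()
    heater_on = False
    prev_temp = None
    for cycle, temp in enumerate(readings):
        log.append("sensor", {"cycle": cycle, "temp": temp})
        if prev_temp is not None:
            alert = check_invariant(prev_temp, temp, heater_on)
            if alert:
                log.append("alert", {"cycle": cycle, "reason": alert})
        heater_on = temp < setpoint              # simple on/off controller
        log.append("command", {"cycle": cycle, "heater_on": heater_on})
        prev_temp = temp
    return log


# Constructed sample trace (not real data): a steady warm-up, then a reading
# that drops sharply while the heater is on, as a spoofed sensor would cause.
SAMPLE_READINGS = [18.0, 18.4, 18.8, 17.0, 17.3]
SETPOINT = 20.0


def alerts_in(log: ForensicLog) -> List[dict]:
    return [e.payload for e in log.entries if e.kind == "alert"]


def tamper_with(log: ForensicLog, seq: int) -> None:
    """Simulate an attacker editing a stored sensor value after the fact."""
    log.entries[seq].payload["temp"] = 18.6


if __name__ == "__main__":
    log = run_loop(SAMPLE_READINGS, SETPOINT)
    print("alerts:", alerts_in(log))
    print("chain intact:", log.verify() is None)
    tamper_with(log, 6)
    print("first bad entry after tampering:", log.verify())
```

The chain detects modification or reordering of any stored entry, but it cannot by itself detect truncation of the most recent entries: an investigator can only trust the tail if the latest digest is periodically anchored somewhere the attacker cannot rewrite (a write-once store, a remote syslog with its own integrity protection, or a signed timestamp), which is exactly the kind of proactive measure that has to be designed in before an incident.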

B. Organizational Dimension
In some CPS applications, CPS components may be controlled by external clients or organizations rather than by the CPS owners. For example, in a smart grid, customers have smart meters that report power consumption measurements that help the grid operator make efficient and robust decisions about operating the grid and controlling energy production, distribution, and pricing. In another example, some CPS implementations rely on third-party systems to provide advanced services to the CPS, such as network and communication infrastructures and cloud and fog computing services. In such systems, it is important to maintain the integrity of gathered data, with clearly defined isolation of functions and resources among the clients, the external companies and organizations, and the CPS owners. The forensics processes used should not violate any regulations or laws applicable to the parties involved.
Governance raises various issues when it comes to CPS forensics. When an attack occurs and the CPS, its environment, and all supporting systems are under one governing body, clearances, privacy, and access issues are determined by that governing body and apply to all parts of the system. Realistically, however, most CPS are implemented and deployed with the support of various organizations and service providers. Access to audit trails, historical usage data, and any other relevant forensics data will have to be orchestrated across all entities involved. Data privacy, access controls, data integrity, and data protection must be preserved, and proper controls and policies should be enforced.

C. Legal Dimension
The legal dimension of CPS forensics involves the extension of laws and regulations to cover CPS forensics activities and evidence. Furthermore, principles, procedures, and policies for CPS forensics should be developed to make sure that forensics activities do not break any laws or regulations. Thus, CPS forensics should respect clients' confidentiality and privacy policies during forensics activities on any system that involves external clients. This relates in some ways to the governance component, since an individually owned and operated CPS can be analyzed and its forensics data gathered internally, whereas legal aspects across the different entities owning and operating a CPS will create problems regarding chains of custody, warrants, and other regulations. Even internally, however, if the evidence is to be used in criminal charges, the same requirements imposed by the legal system must be met.
CPS forensics can also lead to multi-jurisdictional challenges if the CPS components are distributed across multiple states or countries. For example, the physical components of a certain CPS application may be in one country, while the cloud services are accessed through cloud infrastructure residing in another country. In some cases, the infrastructure of the cloud used is spread across multiple countries. In such systems, CPS data can be stored in one country while other cloud services are performed in another, and a cloud service can in turn use another service available in a third country. Consequently, forensics activities in such systems must be conducted with consideration of multi-jurisdictional practice and conflicts of law.

IV. ENABLING CPS FORENSICS
CPS are very complex systems, and thus forensic investigations of them are also very complex processes. There are some research efforts towards developing mechanisms and methods to integrate forensics principles and aspects into the design and implementation of CPS in order to enable forensics investigation processes. This approach is known as forensics-by-design. One example of these efforts applies it to medical CPS (MCPS) to enable forensics investigations of criminal medical cases and of attacks on medical CPS components (equipment, software, patients, etc.) [17].
In another example, a forensics-by-design framework is proposed for cyber-physical cloud systems (CPCS) [18]. In this work, the authors used the framework to integrate forensic requirements into the CPCS design and development phases. The importance of this work is that, while cloud computing can provide many benefits for CPS, this integration raises issues relevant to ensuring data confidentiality, integrity, and availability. Because developing CPCS involves multiple systems, physical components, and networks, they are more exposed to potential cyberattacks. Attacks can be conducted from the CPS components, from the networks that link the CPS with the cloud, or from the cloud itself. The proposed framework defines six factors for ensuring that a CPCS is designed to enable forensics investigations: risk management principles and practices, forensics readiness principles and practices, incident-handling principles and practices, laws and regulations, CPCS hardware and software requirements, and industry-specific requirements. In addition, the authors also highlighted the importance of validation and verification to ensure the reliability of the CPCS forensics design and development.
Generally, the forensics-by-design framework can help recognize security breaches, including their sources and types. In addition, it preserves and examines evidential data and supports drawing conclusions. This facilitates answering the six key forensics questions: what, why, how, who, when, and where. Moreover, forensics-by-design is a very important direction, as it provides a base for facilitating forensics processes in CPS. Unlike regular systems, for which many commercial forensics software packages and tools can be used for security incidents, developing forensics tools for CPS can be extremely complex. Consequently, employing the proposed forensics-by-design framework offers significant help. Although this approach may increase implementation costs and development complexity, it provides many benefits for enabling forensics investigations and protecting the CPS, which can lead to a high return on investment (ROI) for the CPS during operations. These benefits are also extremely important because most CPS are used for critical applications and applications that involve human well-being. Failures, attacks, and tampering with these systems could result in loss of lives and injuries, in addition to the possible infrastructure and information losses and breaches. Examples include smart grids, smart cities, smart water networks, smart transportation systems, and smart factories.

V. FUTURE DIRECTIONS
As CPS continue to develop and more CPS applications are being implemented and deployed, techniques for CPS security and CPS forensics will need to be developed as well. There are different possible directions for such development. This section discusses future directions of CPS forensics.
One direction is that CPS forensics and CPS security will become data-driven, like other scientific fields. Data can be used to build more accurate models that can then be used for different evaluation and analysis processes, including risk assessment in CPS applications. Data-driven security and forensics for CPS can include the following aspects:
1. Data-driven science for attack detection and mitigation. This aspect can provide solutions for some CPS security and forensics systems, such as intrusion detection and prevention systems (IDPSs), and for dealing with challenging CPS security situations such as advanced persistent threats (APTs) [19] and low-and-slow attack vectors [20]. Possible approaches include context representation and sharing, detecting attacks by reasoning, detecting attacks using graph grammars, and detecting attacks using stream-based classification [21].
2. Foundations for data trustworthiness and policy-based sharing. Possible directions here include provenance-based data trustworthiness, formal policy analysis, and reproducibility of security experiments. This will require approaches that can establish and maintain trust relationships between the different components of CPS applications and the other systems interacting with them. One possible method is using blockchain to enhance trust and secure transactions [22].
3. A risk-based approach to security metrics [21]. This aspect includes different possible directions for security risk analysis, including modeling attacks, user and network risks, and defensive strategies, and using game-theoretic models for holistic risk assessment.
In addition, for CPS applications that involve human interaction, it is possible to use data-driven approaches to understand the relationship between human behavior and vulnerability to different types of attacks [23]. This can have a high impact on the design of different types of CPS applications, as it helps discover previously unknown factors through observation and collective data analytics. While such applications were difficult a few years ago due to the unavailability of the needed datasets, they are possible now, as many applications and systems collect enormous amounts of data as they operate. We therefore have more data about different CPS applications to analyze for interesting and beneficial observations. Data-driven approaches can likewise be used to find observations related to CPS security attacks. These observations can be utilized in different ways:
1. They can be used by CPS development companies as a data source to help them plan their future security solutions and services for different CPS applications.
2. They can be used by government security agencies to define their CPS security measures, requirements, standards, and policies.
3. They can be used by other companies and organizations that use CPS applications to define security policies that reduce their exposure to security risks.
Adopting some or all of these approaches will help improve the application and utilization of better security and forensics mechanisms and solutions to protect different types of systems, including CPS. It is expected that more academic and industrial research will be conducted over the coming years to find applicable, practical, and efficient solutions. These include finding better ways to collect, share, clean, and analyze security data [21] and identifying more security monitoring and risk mitigation approaches. In addition, faster data-driven mechanisms will be developed to find new observations, including detecting zero-day attacks. Furthermore, new security and forensics solutions will be developed to provide better security measures and analyses, including context-aware security solutions that incorporate information about the current environment context when dealing with security threats [24], and human-behavior-based security solutions that incorporate human behavior in providing more secure CPS applications [25].
Another important future aspect of CPS forensics is that many CPS applications rely heavily on intelligent algorithms and machine learning techniques to support their operations and to optimize processes. Examples of such CPS applications are smart buildings, self-driving cars, smart water networks, smart manufacturing, smart grids, and smart traffic light control. These smart CPS applications rely on learning from massive amounts of collected data and making decisions intelligently to improve their operations, accuracy, efficiency, and cost-effectiveness.
As a result, these systems become more vulnerable to security risks and could be exposed to additional security threats. For example, attackers may be able to inject false data that negatively influences the learning process, thus degrading the performance of these smart systems. It is important to protect the machine learning algorithms used from any threat that could alter their effectiveness or safety. These threats can be classified as security threats against the training phase and security threats against the testing/inference phase [26]. One important threat against the training phase is the poisoning attack, which disrupts the availability and integrity of the machine learning process by introducing adversarial samples into the training data set. Poisoning attacks can be classified into two groups: poisoning without modifying features or labels, and poisoning with modified features or labels.
Fortunately, there are different defensive approaches for intelligent algorithms and machine learning. These approaches can be either reactive or proactive defenses. Different countermeasures were discussed in [26], including those applied in the training phase and in the testing/inference phase. However, this will require developing CPS forensics mechanisms and tools that are capable of dealing with artificial intelligence and machine learning algorithms. In these situations, it may also be feasible to leverage artificial intelligence and machine learning techniques to detect and stop security attacks and to provide better investigative tools for CPS forensics if attacks do occur. Furthermore, it is also important to investigate how these techniques can help plan for and minimize the damage caused by security attacks, in addition to providing enough forensic evidence to trace and resolve attacks that occur.
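The poisoning attack described in the previous two paragraphs, and the distinction between a proactive defense applied in the training phase and the detector used at inference time, can be shown on a minimal learning-based CPS anomaly detector. The following is an added example written for this article; it is not code from the paper or from the work it cites. The detector (a "normal band" of mean plus or minus three standard deviations learned from a training window of sensor readings), the pressure values, the poison values and the thresholds are all constructed for illustration. The attacker feeds a few inflated readings into the training window without modifying any existing features or labels, so that the later attack value falls inside the learned band; the defenses shown are robust statistics (median and median absolute deviation) and sanitizing the training set before the production model is fitted.

```python
"""Added example, not code from the paper: poisoning of a learning-based
CPS anomaly detector and two training-phase defences.  The detector, the
sensor values and the thresholds are constructed for illustration; the
statistics used (mean/standard deviation, median/MAD) are standard."""
import statistics
from typing import List, Tuple

K = 3.0                 # raise an alarm when |x - center| > K * scale
MAD_SCALE = 1.4826      # scales MAD to be comparable with the standard deviation


def fit_gaussian(samples: List[float]) -> Tuple[float, float]:
    """Naive baseline: mean and population std of the training readings.
    Both statistics move with every injected sample, so an attacker can
    widen the 'normal' band by feeding slightly inflated values."""
    return statistics.mean(samples), statistics.pstdev(samples)


def fit_robust(samples: List[float]) -> Tuple[float, float]:
    """Robust baseline: median and scaled median absolute deviation.  A
    minority of poisoned samples cannot move either statistic far."""
    med = statistics.median(samples)
    mad = statistics.median([abs(x - med) for x in samples])
    return med, MAD_SCALE * mad


def is_anomalous(x: float, center: float, scale: float, k: float = K) -> bool:
    # Guard against a degenerate zero scale (all training readings identical).
    return abs(x - center) > k * max(scale, 1e-9)


def sanitize(samples: List[float], k: float = K) -> List[float]:
    """Proactive defence: drop training readings the robust model already
    considers anomalous before fitting the production detector."""
    center, scale = fit_robust(samples)
    return [x for x in samples if not is_anomalous(x, center, scale, k)]


# Constructed data (not real measurements): a pressure sensor idling near
# 100.0, then six inflated readings an attacker slips into the training
# window to teach the detector that higher values are normal.
CLEAN_READINGS = [99.5, 100.2, 100.0, 99.8, 100.4, 99.7, 100.1, 100.3, 99.9, 100.1]
POISON_READINGS = [101.5, 102.0, 102.5, 103.0, 103.5, 104.0]
ATTACK_READING = 103.0  # the value the attacker later wants to pass unnoticed


def compare_detectors() -> dict:
    """Return, for each way of fitting the detector, whether ATTACK_READING
    raises an alarm."""
    training = CLEAN_READINGS + POISON_READINGS
    return {
        "gaussian_clean": is_anomalous(ATTACK_READING, *fit_gaussian(CLEAN_READINGS)),
        "gaussian_poisoned": is_anomalous(ATTACK_READING, *fit_gaussian(training)),
        "robust_poisoned": is_anomalous(ATTACK_READING, *fit_robust(training)),
        "gaussian_sanitized": is_anomalous(ATTACK_READING, *fit_gaussian(sanitize(training))),
    }


if __name__ == "__main__":
    for name, alarm in compare_detectors().items():
        print(f"{name:20s} alarm={alarm}")
```

On the constructed data the clean detector flags 103.0, the poisoned one does not (its band has widened to roughly 101.0 plus or minus 4.3), the robust fit still flags it, and sanitizing the training window removes the four most extreme poison readings so that the refitted detector flags it again. Sanitization is not a complete fix: the two mildest poison readings survive and shift the learned center from 100.0 to about 100.3, which is why a forensic record of what the detector was trained on, and when, matters as much as the detector itself.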

VI. CONCLUSION
In this paper, we defined and discussed a new type of forensics, cyber-physical systems forensics (CPS forensics). We discussed CPS forensics principles and issues in terms of technical, organizational, and legal aspects. Based on the current work in this field, we see a strong need to further address this topic and provide effective CPS forensics measures. Efforts to develop suitable methodologies, procedures, tools, regulations, and policies for this important forensics type are extremely important. One promising approach is forensics-by-design, where forensics capabilities are built into CPS and CPCS and incorporated throughout the development process. As a result, when an incident occurs, a CPS equipped with these techniques will have built-in measures to provide investigators with the necessary data for the forensics process. The paper also discussed future development and research directions for improving CPS security and forensics capabilities and processes.