Chip delayering is an important technique for hardware security analysis. It allows for reverse engineering of an integrated circuit's structures, finding possible security flaws, and in some cases enabling secret key extraction. This paper presents methods to prepare single successive layers of an IC for imaging purposes using a Broad Ion Beam System (BIBS). These methods consist of parameter sets (angle, energy, duration) for the etching process steps, which have to be applied in a specific order. These parameter sets were developed by first analysing separately the impact of each individual parameter on the etch rate and the IC's surface structures. Development then split into etch-rate-matched and direct-beam methods, both aiming at planar delayering with little operator intervention. Both methods were put to the test on state-of-the-art microcontrollers with 250 nm (Chip A) and 180 nm (Chip B) feature size.
Through Industrie 4.0, the connectivity of automation or industrial control systems (ICS) is increasing. Simultaneously, the frequency and aggressiveness of remote attacks have increased, impacting the risk and vulnerabilities of ICS [1]. For example, a remote attacker can now damage industrial machines or impair the efficiency of production facilities over the Internet. To find evidence and protect oneself against future attacks, as well as to minimize risks, it is necessary to be able to investigate or trace such incidents by performing forensics within ICS. In this paper, we developed a forensic model to plan and perform forensic investigations within Internet-based ICS. For this purpose, we use established classic IT forensic processes as well as existing forensic research for Operational Technology (OT). Our model is compliant with the Industrial Internet Reference Architecture (IIRA), so it can be integrated into or applied to existing Internet-based ICS. The approach is validated by showing that it is suitable to detect and analyze a recently published, more sophisticated attack on the OT-specific components of typical ICS architectures.
The increasing network connectivity of automation or industrial control systems (ICS) through Industrie 4.0 has led to higher risks of attacks, where remote attackers can compromise industrial devices or networks to maliciously change or inject data, as well as send malicious commands that can damage machines or impair production efficiency. However, evidence gathering for such attacks can be challenging due to the lack of forensically compliant logging capabilities, as well as the high heterogeneity of these devices, which makes it difficult to find generalized approaches for collecting evidence or artifacts from an ICS. Furthermore, industrial devices have limited hardware and CPU resources, making established IT forensics not applicable to these devices.