OT/ICS Forensics in the New York Legal Context
Operational technology forensics occupies a specialized intersection between industrial engineering and digital forensics that most computer forensic practices are not equipped to address. The devices that control physical processes in New York's utilities, transportation systems, and industrial facilities were designed for deterministic real-time control, not for the kind of logging, audit trails, and forensic accessibility that IT systems provide. A Siemens S7 PLC managing breaker coordination at a Con Edison substation does not maintain the kind of event logs that a Windows server does. An Allen-Bradley ControlLogix controller governing a wastewater pump station at a NYC DEP facility stores its operational data in formats that require vendor-specific diagnostic tools and technical expertise to access and interpret. A historian server collecting process data from a Long Island manufacturing facility's distributed control system holds information that can reconstruct exactly what the plant was doing minute by minute, but that data lives in proprietary database structures that must be decoded correctly to be admissible evidence.
Attorneys who bring industrial control system matters to NYCF are typically dealing with one of several categories of dispute. Property damage claims arising from process failures at industrial facilities require documentation of what the control system was commanded to do, what it actually did, and how those two things differed during the relevant time window. Cyber incident investigations involving suspected intrusions into utility or manufacturing OT networks require reconstruction of the attacker's path through the IT/OT boundary and identification of which control system assets were accessed or modified. Regulatory proceedings before the NY Public Service Commission or NYDFS require forensic documentation of incident scope, affected assets, and remediation actions that meets the evidentiary standards of those forums. Construction and procurement disputes involving industrial automation projects may require forensic examination of PLC programs and historian configurations to determine whether the installed system conforms to the contracted specifications. In each of these contexts, NYCF's role is to provide technically rigorous forensic analysis and clear expert documentation; the attorney and client apply that analysis to the legal theory of the case.
New York's regulatory environment adds layers of complexity that attorneys in other jurisdictions do not encounter. Con Edison and other investor-owned utilities in New York are regulated by the NY Public Service Commission, which has its own incident reporting and documentation requirements. The NYDFS cybersecurity regulation at 23 NYCRR 500 extends to financial institutions that operate OT systems, including certain energy trading and commodities firms with significant physical infrastructure. The Port Authority of New York and New Jersey, which operates transportation infrastructure across the region including the George Washington Bridge and major airports, is subject to federal TSA security directives with specific OT cybersecurity provisions. MTA, as a state authority, operates under its own security framework as well as federal requirements applicable to public transportation. NYCF understands how these overlapping regulatory obligations affect the scope and documentation requirements for forensic work in each of these environments.
Evidence Sources in OT Environments: What NYCF Examines
The evidence architecture of an industrial control system is fundamentally different from a corporate IT environment. Where an IT forensic examiner looks to email servers, file shares, endpoint logs, and network flow data, an OT forensic examiner must work across a much more heterogeneous set of data sources, each with its own access methodology, data format, and evidentiary limitations. NYCF maps available evidence sources at the outset of each engagement, documenting for the retaining attorney what each source contains, how it can be collected, what the limitations are, and what questions it can and cannot answer in the context of the specific legal matter.
Programmable logic controllers are the operational core of most industrial processes, and their internal memory contains the most direct evidence of what the system was instructed to do. A PLC's CPU memory holds the currently executing control program, the current values of all input and output registers, internal timer and counter states, and any retentive data that persists across power cycles. Reading this data requires connecting to the PLC through its vendor-specific programming port using the appropriate software, typically Rockwell's Studio 5000 for Allen-Bradley controllers, Siemens TIA Portal or STEP 7 for Siemens equipment, GE's Proficy Machine Edition for GE PLCs, or Schneider Electric's EcoStruxure for Modicon hardware. NYCF's examiners document the exact software version, connection method, and commands used to acquire each data element, and a hash of the acquired program file is recorded as part of the chain-of-custody documentation.
Human-machine interfaces are the operator workstations through which plant personnel interact with the control system, and they retain evidence of operator actions in alarm acknowledgment logs, operator comment records, setpoint change histories, and application event logs. Most HMIs run on Windows-based platforms using software such as Wonderware InTouch, Ignition by Inductive Automation, Rockwell FactoryTalk View, or vendor-specific platforms. The Windows forensic artifacts from an HMI include the HMI application's own logs, Windows event logs, prefetch files, and registry entries that document which users were logged in, when the HMI application was accessed, and what other software was run on the workstation. These Windows-level artifacts are often important in OT intrusion investigations because an attacker who compromised an engineering workstation connected to the OT network would leave traces in both the Windows environment and any connected PLC configuration files accessed through it.
Process historians, particularly OSIsoft PI Server deployments, represent the most comprehensive data source in most industrial environments for reconstructing what a process was actually doing over time. A historian continuously records tag values from thousands of sensors and control system data points at configured intervals, creating a time-series database that documents temperature, pressure, flow, valve position, motor speed, alarm states, and any other measured or calculated value in the process. For litigation requiring a precise reconstruction of plant operating conditions before, during, and after an alleged event, the historian is often the single most important data source. Acquiring historian data while preserving its integrity requires exporting it through authenticated interfaces that document the query parameters used, the time range covered, and the version of the historian software. NYCF also examines the historian's audit log for evidence of data deletion, backdating, or configuration changes that might affect the completeness or accuracy of the historical record.
SCADA servers, which aggregate data from field devices and provide the system-wide supervisory view that plant operators rely on, maintain alarm journals, event logs, user action records, and communication logs. The SCADA alarm journal in particular is forensically significant in equipment failure and process upset investigations because it records every alarm condition with a timestamp, the process variable value that triggered the alarm, and the operator acknowledgment record, including whether one occurred and when. Gaps in the alarm journal, unusual patterns of alarm suppression, or configuration changes that raised alarm thresholds shortly before a process upset can all be documented through forensic examination of the SCADA server's database and configuration files.
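The alarm journal checks described above (gaps in the journal, threshold changes shortly before a process upset, and whether each alarm has an acknowledgment record) carried out in Python, as an added example for this page. This is not NYCF's tooling: the record layout, the records in JOURNAL, the one-hour gap tolerance and the two-hour look-back window are all constructed or assumed for illustration, and no vendor's journal format is reproduced.

```python
"""Alarm journal review checks, written as an added example for this page.
Not NYCF tooling; the journal layout and the sample records below are
constructed for illustration and do not reproduce any vendor's format."""
from datetime import datetime, timedelta

# Constructed sample journal: (ISO timestamp, record kind, tag, detail).
# Record kinds: ALARM (condition raised), ACK (operator acknowledgment),
# CONFIG (alarm configuration change). Assumed layout.
JOURNAL = [
    ("2024-03-01T08:00:00", "ALARM", "PT-101", "HI 412.0 psi"),
    ("2024-03-01T08:00:30", "ACK", "PT-101", "operator jsmith"),
    ("2024-03-01T08:15:00", "ALARM", "FT-205", "LO 3.1 gpm"),
    ("2024-03-01T08:15:10", "ACK", "FT-205", "operator jsmith"),
    # roughly 95 minutes with no records at all
    ("2024-03-01T09:50:00", "CONFIG", "PT-101", "HI limit 400.0 -> 480.0"),
    ("2024-03-01T10:20:00", "ALARM", "PT-101", "HIHI 505.0 psi"),
]


def parse(journal):
    """Convert the timestamp strings to datetime objects, keeping record order."""
    return [(datetime.fromisoformat(ts), kind, tag, detail)
            for ts, kind, tag, detail in journal]


def find_gaps(journal, max_silence=timedelta(minutes=60)):
    """Pairs of consecutive records spaced further apart than max_silence.
    Returns (last record before gap, first record after gap, gap length)."""
    recs = parse(journal)
    gaps = []
    for prev, cur in zip(recs, recs[1:]):
        delta = cur[0] - prev[0]
        if delta > max_silence:
            gaps.append((prev[0], cur[0], delta))
    return gaps


def threshold_changes_before(journal, upset_time, window=timedelta(hours=2)):
    """CONFIG records that changed an alarm limit within `window` before the upset.
    Returns (timestamp, tag, old limit, new limit)."""
    upset = datetime.fromisoformat(upset_time)
    changes = []
    for ts, kind, tag, detail in parse(journal):
        if kind != "CONFIG" or "limit" not in detail:
            continue
        if upset - window <= ts <= upset:
            old, new = detail.split("limit", 1)[1].split("->")
            changes.append((ts, tag, float(old), float(new)))
    return changes


def unacknowledged_alarms(journal):
    """ALARM records with no later ACK on the same tag, i.e. alarms for which
    the operator acknowledgment record never occurred."""
    pending = {}  # tag -> list of (timestamp, detail) awaiting acknowledgment
    for ts, kind, tag, detail in parse(journal):
        if kind == "ALARM":
            pending.setdefault(tag, []).append((ts, detail))
        elif kind == "ACK":
            pending.pop(tag, None)
    return sorted(a for alarms in pending.values() for a in alarms)


if __name__ == "__main__":
    for start, end, length in find_gaps(JOURNAL):
        print(f"journal gap: {start} -> {end} ({length})")
    for ts, tag, old, new in threshold_changes_before(JOURNAL, "2024-03-01T10:20:00"):
        print(f"limit change before upset: {ts} {tag} {old} -> {new}")
    for ts, detail in unacknowledged_alarms(JOURNAL):
        print(f"unacknowledged: {ts} {detail}")
```

On the constructed records the script reports one 94-minute gap, one HI-limit change on PT-101 thirty minutes before the HIHI alarm, and that the HIHI alarm was never acknowledged; each finding is reported as the timestamps and values observed, leaving the question of why the gap or the change occurred to the rest of the investigation.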
Evidence Source Mapping
NYCF maps all available OT evidence sources at the outset of the engagement, documenting each source's contents, access method, retention period, and relevance to the specific legal questions the attorney has identified, producing a written evidence inventory for the record.
Non-Disruptive Collection
Evidence is collected using read-only interfaces, vendor diagnostic modes, and passive capture techniques that do not interrupt active process control. Where any risk to operations exists, collection is coordinated with plant staff and scheduled for maintenance windows.
Integrity Verification
Hash values are calculated for all acquired data at the time of collection, establishing a cryptographic baseline that verifies data integrity throughout examination and expert reporting. Acquisition logs document each tool, command, and timestamp.
Technical Analysis
Control logic comparison, historian data reconstruction, network traffic analysis, alarm journal review, and engineering workstation examination are performed against specific forensic questions derived from the legal matter's factual issues.
Expert Report and Testimony
A forensic report documents findings, methodology, tool versions, acquisition records, and technical conclusions in language suitable for attorneys, judges, and regulatory decision-makers. Expert witness testimony is available in SDNY, EDNY, NY Supreme Court, and before NY PSC and NYDFS.
Control Logic and Firmware Forensic Analysis
The control program running on a PLC is, in engineering terms, the specification of how a physical process is supposed to behave. In forensic terms, it is a document that can be examined for unauthorized modifications, compared against prior versions to establish when and how it changed, and analyzed to determine if the control logic as written would have caused or allowed the process condition at issue in the litigation. NYCF's examiners perform this analysis by extracting the current program from the PLC, obtaining the project baseline from the engineering change management system, version control archive, or backup media, and conducting a structured comparison of the two using both automated diffing tools and manual technical review.
Ladder logic programs, the most common control language in American industrial installations, encode control decisions in a visual format derived from relay logic diagrams. A rung of ladder logic that should close a valve when a high-pressure setpoint is exceeded and that has been modified to use a different pressure threshold, or to include an additional condition that prevents the close command from executing, represents a documented deviation from the design intent that may be directly relevant to a process failure claim. NYCF documents such deviations with specificity sufficient for a technical expert to explain to a jury or regulatory panel what the modification means in terms of process behavior, without characterizing the cause or intent behind the change, which is a question for the attorney and fact-finder.
Structured text and function block diagram programs, which are more common in Siemens and European-origin equipment, receive the same structured comparison treatment. For matters involving Siemens S7-300, S7-400, or S7-1500 controllers, NYCF uses TIA Portal's built-in comparison and documentation features alongside binary-level analysis of the compiled program blocks to identify modifications that may not be fully visible through the vendor tools alone. Certain classes of modifications to a compiled PLC program, including changes to specific memory offsets within a function block's data structure, may not be apparent through the standard project comparison view and require binary analysis to detect.
Firmware integrity verification is a distinct but related analysis applicable to PLCs, RTUs, remote I/O modules, and other field devices where the device's operating software resides in flash memory. An attacker with physical or network access to a PLC can modify its firmware to alter how the device responds to commands from the SCADA master, change the behavior of its communication stacks, or implant code that executes independently of the control program. NYCF compares extracted firmware images against reference images obtained from the device manufacturer or from verified baseline copies held by the asset owner, using binary comparison and hash verification to identify any deviations. Where differences are identified, NYCF documents the specific offset locations and binary content involved, providing the technical foundation for a determination of whether the difference represents a vendor update, an authorized site modification, or an unauthorized alteration.
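The hash baseline from the Integrity Verification step and the binary-level comparison described for compiled program blocks and firmware images, carried out in Python as an added example for this page. It is not NYCF's tooling: REFERENCE and OBSERVED are constructed byte strings standing in for a vendor reference image and an image extracted from a device, and the three deviations planted in OBSERVED are there only so that the output can be checked.

```python
"""Byte-level comparison of an extracted firmware or compiled-program image
against a reference image. Added example for this page, not NYCF's tooling;
the two images below are constructed so that the script runs offline."""
import hashlib
from dataclasses import dataclass


@dataclass
class DiffRun:
    offset: int       # byte offset of the first differing byte
    reference: bytes  # bytes at that offset in the reference image
    observed: bytes   # bytes at that offset in the extracted image


def sha256(data: bytes) -> str:
    """Hash recorded at acquisition time and again before comparison."""
    return hashlib.sha256(data).hexdigest()


def diff_images(reference: bytes, observed: bytes) -> list:
    """Return every contiguous run of differing bytes, in offset order.
    If the images differ in length, the tail is reported as one final run."""
    runs = []
    common = min(len(reference), len(observed))
    i = 0
    while i < common:
        if reference[i] == observed[i]:
            i += 1
            continue
        start = i
        while i < common and reference[i] != observed[i]:
            i += 1
        runs.append(DiffRun(start, reference[start:i], observed[start:i]))
    if len(reference) != len(observed):
        runs.append(DiffRun(common, reference[common:], observed[common:]))
    return runs


def report(reference: bytes, observed: bytes) -> list:
    """Human-readable lines: both hashes, then one line per differing run."""
    ref_hash, obs_hash = sha256(reference), sha256(observed)
    lines = [f"reference sha256 {ref_hash}", f"observed  sha256 {obs_hash}"]
    if ref_hash == obs_hash:
        lines.append("images identical")
        return lines
    for run in diff_images(reference, observed):
        width = max(len(run.reference), len(run.observed))
        lines.append(f"offset 0x{run.offset:06x} length {width}: "
                     f"reference {run.reference.hex() or '(none)'} "
                     f"observed {run.observed.hex() or '(none)'}")
    return lines


# Constructed images: a 1024-byte reference and a copy with three deviations
# (a 3-byte patch at 0x10, a single flipped byte at 0x200, two appended bytes).
REFERENCE = bytes(range(256)) * 4
_obs = bytearray(REFERENCE)
_obs[0x10:0x13] = b"\xaa\xbb\xcc"
_obs[0x200] ^= 0xff
_obs += b"\xff\xff"
OBSERVED = bytes(_obs)

if __name__ == "__main__":
    print("\n".join(report(REFERENCE, OBSERVED)))
```

The report lists each run as an offset, a length and the reference and observed bytes, which is the form in which a deviation can later be matched against a vendor update or an authorized site change; the script itself makes no claim about which of those a run represents.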
PLC Program Extraction and Comparison
Acquisition of current PLC ladder logic, structured text, and function block programs through vendor diagnostic interfaces, with structured comparison against baseline versions to document any deviations relevant to the matter at hand.
Firmware Integrity Verification
Binary extraction and hash comparison of PLC, RTU, and field device firmware against manufacturer-verified reference images, with detailed documentation of any deviations at the binary level.
Historian Data Reconstruction
Extraction and analysis of process historian time-series data from OSIsoft PI and similar platforms, with audit log examination to document data completeness, any gaps in the record, and any configuration changes affecting data retention.
Engineering Workstation Examination
Forensic imaging and analysis of engineering workstations used to program and maintain PLCs, including Windows artifacts, PLC project file version history, remote connection logs, and any evidence of unauthorized software execution.
OT Network Forensics: Tracing Intrusions Through the IT/OT Boundary
Industrial control networks were historically isolated from corporate IT networks and from the internet, making network-based intrusions essentially impossible. That isolation has eroded significantly over the past two decades as SCADA systems acquired remote access capabilities for vendor support, as corporate reporting and efficiency initiatives pushed for historian data integration with business intelligence systems, and as internet-connected components began appearing in industrial installations at all levels of the Purdue model hierarchy. New York's infrastructure operators are not exempt from these trends, and attorneys handling OT intrusion matters in the SDNY or EDNY frequently encounter fact patterns where an attacker traversed from a corporate email server compromise through a VPN into an industrial DMZ and ultimately reached field devices.
Reconstructing this lateral movement requires different evidence depending on where in the network the attacker traveled. At the IT/OT boundary, firewall logs, VPN authentication records, and jump server session logs document when connections were made from corporate network ranges into industrial network segments, what credentials were used, and what remote desktop or industrial protocol sessions were initiated. NYCF's network forensic analysts work through these boundary-layer records using tools and methodologies consistent with the standards applicable to federal court proceedings, ensuring that the reconstruction of a connection path through multiple network hops is documented with the specificity required for a technical evidence foundation under FRE 702 and 901.
Within the OT network itself, traffic patterns in properly segmented industrial networks are highly regular. A SCADA master polls its field devices on fixed schedules using specific protocol function codes, and the devices respond with predictable data. Industrial network monitoring systems that capture this traffic, such as Claroty, Dragos Platform, or Nozomi Networks sensors, provide a baseline against which anomalous communications can be identified. When forensic analysts examine an OT network capture from around the time of a suspected incident, communications that deviate from the baseline, such as a workstation that does not normally communicate with PLCs initiating connections to PLC programming ports, or command-type function codes being sent outside of normal programming windows, represent anomalies that require explanation. NYCF documents these anomalies in terms of the specific protocol behavior observed, without characterizing what caused them or who was responsible, leaving those determinations to the attorney, client, and fact-finder.
Industrial protocol forensics requires familiarity with the specific behaviors of protocols including Modbus TCP, DNP3, EtherNet/IP (CIP), Siemens S7comm and S7comm-Plus, OPC-UA, IEC 61850 GOOSE and MMS, and BACnet. Each protocol has specific function codes, data structures, and normal usage patterns that must be understood to distinguish legitimate traffic from anomalous or malicious activity. A DNP3 direct operate command sent to a field device outside of normal control cycles, a Modbus write-multiple-registers command targeting configuration registers rather than normal process data addresses, or an S7comm program download request from an unauthorized source address are each technically specific observations that NYCF documents with the precision a forensic report requires.
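The baseline comparison described in the two paragraphs above, worked through for Modbus TCP in Python as an added example for this page. It is not NYCF's tooling or any monitoring vendor's logic: the host addresses in BASELINE, the assumption that holding registers 0 to 999 carry process data while higher addresses are configuration, and the three frames in FRAMES are all constructed for illustration. The function codes themselves are from the public Modbus application protocol specification.

```python
"""Modbus TCP request decoding with a baseline check, written as an added
example for this page. Not NYCF's tooling; the host addresses, register map
and captured frames are constructed for illustration."""
import struct
from dataclasses import dataclass
from typing import Optional

# Public Modbus function codes (Modbus Application Protocol specification).
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}

# Assumed site baseline: which hosts normally talk to the PLC and which
# holding-register addresses hold process data rather than configuration.
BASELINE = {
    "scada_masters": {"10.20.1.10"},
    "engineering_stations": {"10.20.1.50"},
    "process_registers": range(0, 1000),
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    start_address: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the leading fields of the PDU."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    fc = payload[7]
    start = qty = None
    if fc in (1, 2, 3, 4, 15, 16) and len(payload) >= 12:
        start, qty = struct.unpack(">HH", payload[8:12])
    elif fc in (5, 6) and len(payload) >= 10:
        start, qty = struct.unpack(">H", payload[8:10])[0], 1
    return ModbusRequest(tid, unit, fc, start, qty)


def assess(src: str, payload: bytes, maintenance_window: bool = False) -> list:
    """Reasons a request deviates from the baseline; an empty list means normal."""
    req = parse_modbus_tcp(payload)
    reasons = []
    known = BASELINE["scada_masters"] | BASELINE["engineering_stations"]
    if src not in known:
        reasons.append(f"source {src} not in baseline")
    if req.function in WRITE_FUNCTIONS:
        name = WRITE_FUNCTIONS[req.function]
        if req.start_address is not None and req.start_address not in BASELINE["process_registers"]:
            reasons.append(f"{name} to register {req.start_address} outside process data range")
        if src in BASELINE["engineering_stations"] and not maintenance_window:
            reasons.append(f"{name} from engineering station outside maintenance window")
    elif req.function not in READ_FUNCTIONS:
        reasons.append(f"function code {req.function} not in baseline")
    return reasons


# Constructed frames (MBAP header + PDU), as a capture sensor would record them.
FRAMES = [
    # master reads 10 holding registers from address 0: routine poll
    ("10.20.1.10", struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    # master writes 2 registers at address 4000: outside the process data map
    ("10.20.1.10", struct.pack(">HHHBBHHB", 2, 0, 11, 1, 16, 4000, 2, 4) + b"\x00\x01\x00\x02"),
    # unlisted host writes a single register at address 10
    ("10.20.5.77", struct.pack(">HHHBBHH", 3, 0, 6, 1, 6, 10, 0)),
]

if __name__ == "__main__":
    for src, payload in FRAMES:
        print(src, parse_modbus_tcp(payload), assess(src, payload) or "baseline")
```

Each reason names only what was observed on the wire (the source address, the function code and the register address), which matches the documentation stance the text describes; the same structure extends to DNP3 or S7comm by swapping in that protocol's decoder and its own notion of command-type function codes.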
NYC Critical Infrastructure: Forensic Analysis for New York's Specific Systems
New York City operates infrastructure on a scale and with a configuration that creates forensic evidence scenarios attorneys in smaller markets rarely encounter. The Con Edison electrical distribution system, which serves Manhattan, the Bronx, Brooklyn, and Queens, uses a dense network of substations, transmission lines, and automated switching systems controlled by SCADA and distribution management systems. When a property owner in Manhattan or Brooklyn suffers losses from a power quality event, a substation failure, or a supply interruption that they attribute to Con Edison's negligence or a third party's interference with the grid, the forensic evidence lies in Con Edison's SCADA event logs, protective relay fault records, and distribution automation system data, all of which require OT forensic expertise to access, authenticate, and interpret for litigation before the NY Supreme Court or in a CPLR Article 78 proceeding challenging a PSC determination.
The MTA's subway and commuter rail operations depend on control systems that span one of the most complex rail networks in the world. The subway's signaling system, which uses a combination of older fixed-block relay logic installations and communications-based train control (CBTC) on newer lines, generates forensic evidence in relay logic fault records, wayside controller logs, and CBTC data server records when a signaling anomaly or incident occurs. For personal injury matters arising from train-to-train collisions, derailments, or signal-related delays in SDNY or EDNY federal court, or in NY Supreme Court, NYCF provides forensic analysis of the control system evidence with the technical depth that MTA operational data requires. The Long Island Rail Road and Metro-North operations add further layers of complexity, including positive train control (PTC) onboard event data that requires vendor-specific extraction tools and careful authentication procedures.
The New York City Department of Environmental Protection operates one of the largest water supply and wastewater treatment systems in the country. Water treatment plant SCADA systems control chemical dosing, filtration, UV disinfection, and distribution pumping across facilities in the Bronx, Brooklyn, Queens, and Staten Island, with extensive telemetry from the upstate watershed and aqueduct systems. When water quality incidents, distribution system failures, or alleged unauthorized access to water treatment SCADA systems become the subject of litigation or administrative proceedings under the Safe Drinking Water Act, NYC DEP internal regulations, or investigations by the NYC Law Department, the forensic evidence is in the SCADA historians, PLC configurations, and network logs of those treatment and distribution facilities. NYCF's OT forensic practice is equipped to work within the operational and security constraints of NYC DEP facilities, coordinating with facility management and the NYC Law Department as appropriate for the engagement structure.
The Port Authority of New York and New Jersey operates the George Washington Bridge, the Lincoln and Holland Tunnels, and the region's major airports under control systems that include automated toll collection, traffic signal management, bridge structural monitoring, and tunnel ventilation control. When an incident at a Port Authority facility generates litigation, the control system evidence from these facilities may be relevant to both liability and causation analysis. The Port Authority's facilities are subject to federal TSA security directives, and forensic work at these facilities must be conducted in coordination with the Port Authority's security and technology departments. NYCF has experience working within the coordination and access protocols required for forensic analysis at Port Authority facilities and similar regulated infrastructure environments.
Long Island's industrial corridor, running through Nassau and Suffolk counties, includes food manufacturing, pharmaceutical manufacturing, aerospace components manufacturing, and specialty chemical production facilities. These facilities operate industrial control systems that range from simple PLCs managing single production lines to complex distributed control systems governing multi-stage batch processes. When a manufacturing defect, product recall, or process upset at a Long Island facility generates product liability claims, workplace injury litigation, or commercial disputes about production quantities or quality specifications, process historian data and PLC event logs frequently contain the most technically precise record of what the production system was doing during the relevant batch or time window. NYCF provides forensic analysis of manufacturing OT evidence for Long Island matters in Nassau and Suffolk County Supreme Court and in EDNY federal proceedings.
New York Regulatory Context: PSC, NYDFS, NERC CIP, and CIRCIA
New York's critical infrastructure operators face a regulatory compliance environment that is among the most demanding in the country, and forensic documentation of OT incidents must be structured with those regulatory obligations in mind. Attorneys who retain NYCF for OT forensic work in the context of a regulatory investigation or enforcement proceeding receive analysis formatted to address the specific documentation requirements of the applicable regulatory framework, not a generic forensic report that must be reformatted for regulatory submission.
The New York Department of Financial Services cybersecurity regulation, 23 NYCRR 500, applies to a broader population than many regulated entities initially recognize. Financial institutions with physical infrastructure components, including energy trading firms with pipeline or generation assets, insurance companies with large real estate portfolios containing building automation systems, and banks operating data centers with sophisticated HVAC and power conditioning control systems, may have OT components within the scope of a NYDFS-regulated entity's covered systems. A cybersecurity event affecting those OT components triggers the 72-hour notification obligation at 23 NYCRR 500.17 and the incident response documentation requirements at 23 NYCRR 500.16. NYCF's forensic analysis for NYDFS-regulated entities is structured to support both the timely notification obligation and the more comprehensive post-incident documentation that NYDFS examiners may review in a subsequent examination or enforcement investigation.
Bulk electric system operators in New York, including transmission owners and certain large generation operators, are subject to NERC CIP standards that impose specific requirements for incident response, evidence preservation, and reporting. NERC CIP-008 requires a documented cybersecurity incident response plan and mandates reporting of reportable cyber security incidents to the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA. CIP-010 requires configuration change management and monitoring that generates the baseline records NYCF uses for comparison when examining whether a PLC or other BES cyber system asset was modified. An attorney defending a NERC CIP enforcement action or prosecuting a civil claim against a grid operator who failed to comply with CIP requirements benefits from forensic analysis that maps the evidence to the specific CIP standard provisions at issue.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed in 2022 with implementing regulations being developed by CISA, will impose mandatory reporting timelines of 72 hours for covered cyber incidents and 24 hours for ransomware payments across sixteen critical infrastructure sectors. New York operators in the energy, water, transportation, and manufacturing sectors will be subject to these reporting obligations once CIRCIA implementing regulations are finalized. NYCF structures OT forensic documentation to support CIRCIA-compliant incident reports, including the technical specifications of affected systems, the timeline of the incident, and the indicators of compromise that CIRCIA reports are expected to include.
The NY Public Service Commission has authority over utilities providing electric, gas, and steam service in New York, and its proceedings may involve questions of technical performance, regulatory compliance, and incident response adequacy that require forensic analysis of OT system evidence. In a PSC rate case or service quality proceeding, historical SCADA data and operational event records may be relevant to establishing a utility's actual performance against regulatory benchmarks. In a PSC investigation following a significant service interruption, forensic analysis of the utility's control system evidence may be relevant to both the PSC's findings and any related civil litigation. NYCF's analysts are familiar with the PSC's technical evidence requirements and can provide expert analysis suitable for use in PSC evidentiary proceedings.
OT Forensics for Industrial Disputes: Long Island Manufacturing and Process Industries
Commercial disputes arising from industrial automation projects, manufacturing process failures, and supply chain interruptions generate OT forensic needs that differ in focus from cyber incident investigations but require the same technical expertise. Long Island and Westchester manufacturing facilities, pharmaceutical production operations, and specialty chemical plants generate litigation in NY Supreme Court and EDNY that turns on questions about what a control system was programmed to do, what it actually did, and how the resulting process output compared against specifications. These disputes include construction and commissioning disputes between system integrators and facility owners, product liability claims where the manufacturing process is alleged to have deviated from quality control parameters, and commercial contract disputes about production quantities or batch quality metrics.
In a construction dispute involving an industrial automation project, the as-built PLC configuration and historian setup are documents that can be compared against the contract specifications and engineering drawings to establish whether the installed system conforms to what was specified. NYCF's forensic analysis of the control system as installed documents the actual program logic, setpoint values, alarm thresholds, and historian tag configurations in a format that can be compared against the project's functional design specification and factory acceptance test records. Deviations between the as-built system and the contract specifications are documented with technical precision; characterizing those deviations as a breach of contract or a cognizable deficiency is a legal determination for the attorney and court.
In product liability or product recall matters, process historian data from the period during which the allegedly defective product was manufactured contains the most technically precise record of the production process parameters. Batch historians that record temperature profiles for pharmaceutical manufacturing or mixing sequence data for food production can establish with considerable precision what the process was doing during each production lot. NYCF extracts and analyzes this data for attorneys representing plaintiffs or defendants in product liability cases, providing a technically defensible reconstruction of the manufacturing process that is documented to withstand scrutiny under FRE 702 and NY CPLR Article 45 authentication requirements. The forensic report characterizes what the data shows about the process; the attorney and expert witnesses apply that characterization to the liability and causation theories in the case.
NYCF also provides forensic analysis for matters involving alleged sabotage or deliberate manipulation of industrial control systems. When a disgruntled employee, a departing contractor, or an external actor is alleged to have intentionally altered a control program or manipulated process parameters to cause a production upset, the forensic evidence in the PLC program history, engineering workstation remote connection logs, and historian data provides the technical basis for the investigation. NYCF documents what the evidence shows about what was changed, when it was changed, and through what interface, without characterizing intent or identifying a responsible party, which are determinations for the attorney, law enforcement, and fact-finder. Matters with potential criminal dimensions are coordinated with counsel to ensure that forensic collection procedures preserve the chain of custody required for federal court proceedings or NYPD and FBI investigations.
Attorneys handling OT/ICS/SCADA matters in New York should contact NYCF at (212) 561-5860 or through the contact form to discuss the forensic requirements of their specific matter. All consultations are confidential and conducted through counsel. NYCF serves attorneys in Manhattan, Westchester, and Long Island for matters in NY Supreme Court, SDNY, EDNY, and before the NY Public Service Commission, NYDFS, and other New York regulatory forums. NYCF does not provide cybersecurity consulting or remediation services as part of forensic engagements, maintaining the independence of its forensic analysis function from operational security advisory roles.