Date of Graduation
5-2026
Document Type
Thesis
Degree Name
Bachelor of Science in Computer Science
Degree Level
Undergraduate
Department
Computer Science and Computer Engineering
Advisor/Mentor
Kevin Jin
Committee Member
Chris Farnell
Second Committee Member
Qinghua Li
Abstract
In this work, we apply P4-programmable switches to Operational Technology (OT) and Industrial Control System (ICS) traffic with the objective of turning enforcement decisions into structured forensic evidence that can also support fast, scoped feedback. OT investigations often rely on later correlation of endpoint logs, passive packet traces, and historian data, but those sources can be incomplete, hard to align in time, and missing the decision made at the enforcement point. We address this gap by implementing a P4-based enforcement switch that parses Modbus/TCP write traffic, applies protocol-aware policy checks, and exports protocol-aware postcards to a collector. The collector stores these postcards for reconstruction and, when needed, installs temporary rules back into the switch through P4Runtime. The switch remains responsible for bounded inline enforcement, while the collector performs longer-history reasoning outside the data plane. We demonstrate two capabilities. Case Study 1 shows that postcards preserve decision information and denied-write evidence that device logs and passive monitoring do not preserve together. Case Study 2 shows that the same postcard stream can feed a detector at the collector and drive a temporary ceiling rule without moving long-history analytics into the switch. In our software testbed, median time from ingress to exported postcard is 725 us for allowed writes and 1831 us for denied writes, and median P4Runtime rule installation is 0.57 ms. These results suggest that a programmable enforcement point can both enforce policy and generate the main evidence records needed for OT/ICS forensic readiness, without requiring endpoint modification or pushing complex analytics into the data plane.
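As an added illustration (not the thesis's P4 code), the switch-side parse-and-decide step for Modbus/TCP writes modelled in Python: an MBAP/PDU parser for function codes 6 and 16, a hypothetical write policy (a writable address window plus a per-register ceiling, in the spirit of the Case Study 2 ceiling rule), and the postcard record that keeps the request together with the decision and its reason. The frames and the policy are constructed for the example.

```python
import struct
from collections import namedtuple

# Constructed Modbus/TCP frames (MBAP header + PDU); not captures from the thesis testbed.
# MBAP = transaction id (2 B), protocol id (2 B), length (2 B), unit id (1 B), then the PDU.
FRAME_WRITE_SINGLE = bytes.fromhex("0001 0000 0006 01 06 0010 0064")             # FC6: reg 0x0010 := 100
FRAME_WRITE_MULTI = bytes.fromhex("0002 0000 000b 01 10 0020 0002 04 03e8 0bb8")  # FC16: regs 0x20,0x21 := 1000,3000

# Hypothetical policy: a writable holding-register window and a per-register ceiling (setpoint bound).
POLICY = {"writable": range(0x0010, 0x0030), "ceiling": {0x0021: 2500}}

# Postcard: the evidence record, carrying what was requested and what the enforcement point decided.
Postcard = namedtuple("Postcard", "txid unit function address values decision reason")

def parse_modbus_write(frame):
    """Return (txid, unit, fc, start_addr, values) for FC6/FC16 write requests, else None."""
    if len(frame) < 8:
        return None
    txid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:    # MBAP length covers unit id + PDU
        return None
    fc = frame[7]
    if fc == 6 and len(frame) == 12:              # write single register
        addr, val = struct.unpack("!HH", frame[8:12])
        return txid, unit, fc, addr, (val,)
    if fc == 16 and len(frame) >= 13:             # write multiple registers
        addr, qty, nbytes = struct.unpack("!HHB", frame[8:13])
        if not 1 <= qty <= 123 or nbytes != 2 * qty or len(frame) != 13 + nbytes:
            return None                           # malformed: length fields disagree
        return txid, unit, fc, addr, struct.unpack("!%dH" % qty, frame[13:])
    return None                                   # reads and other function codes are not enforced here

def enforce(frame, policy=POLICY):
    """Apply the write policy and emit a postcard for every write, allowed or denied."""
    parsed = parse_modbus_write(frame)
    if parsed is None:
        return None
    txid, unit, fc, addr, vals = parsed
    for i, v in enumerate(vals):
        reg = addr + i
        if reg not in policy["writable"]:
            return Postcard(txid, unit, fc, addr, vals, "deny", f"reg {reg:#06x} not writable")
        if v > policy["ceiling"].get(reg, 0xFFFF):
            return Postcard(txid, unit, fc, addr, vals, "deny", f"reg {reg:#06x} above ceiling")
    return Postcard(txid, unit, fc, addr, vals, "allow", "policy ok")
```

A denied write still yields a postcard, which is the point of the thesis's Case Study 1: the denial and its reason are recorded at the enforcement point even though the target device never sees the write.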
Keywords
Operational Technology, Industrial Control Systems, Forensic Readiness, P4, Modbus, Programmable Networks, Telemetry Postcards
Citation
Fowler, H. (2026). Protocol-Aware Enforcement-Point Postcards and Collector Feedback for OT/ICS Forensic Readiness and Closed-Loop Defense. Electrical Engineering and Computer Science Undergraduate Honors Theses. Retrieved from https://scholarworks.uark.edu/elcsuht/34
Included in
Digital Communications and Networking Commons, Power and Energy Commons, Systems and Communications Commons