Scientific Reports. 2025 May 22;15:17797. doi: 10.1038/s41598-025-02635-2

Digital forensics and incident response management model for IoT based agriculture

Santoshi Rudrakar 1,2, Parag Rughani 1, Lakshminarayana Sadineni 2
PMCID: PMC12098995  PMID: 40404782

Abstract

The Internet of Things (IoT) has been revolutionizing the agricultural industry by providing farmers with unprecedented opportunities to monitor and control their crops, livestock, and farm equipment in real time, an application area known as IoT based agriculture (Ag-IoT). Ag-IoT relies on communication technology, the internet, and other wireless technologies, which makes it prone to various cyber attacks and cyber crimes. To address the growing security and forensic challenges in Ag-IoT, we propose a Digital Forensics and Incident Response Management Model (DFIRMM). The proposed model focuses on the identification, analysis, and mitigation of security incidents, along with support for digital forensic investigation tailored to the unique requirements of Ag-IoT. The proposed model is validated through a case study on an MQTT enabled smart agriculture network with machine learning based analysis. We believe this proposed model will redefine how security incidents are handled in smart agriculture industries and impact their growth.

Keywords: IoT based agriculture, Cyber attacks and cyber crime, Cyber security, Digital forensics and incident response management model, MQTT attack

Subject terms: Computer science, Information technology

Introduction

The Internet of Things (IoT) contributes to the development of a more resilient and sustainable agricultural sector1,2. The use of digital technology in agriculture, involving IoT, artificial intelligence, robotics, and unmanned aerial vehicles3, is known as IoT based agriculture (Ag-IoT). Ag-IoT uses sensors installed in agricultural fields to collect information about soil conditions, weather patterns, crop health, and livestock behavior. It processes the data and makes smart decisions on irrigation, fertilization, pest control, and other agricultural practices4. It offers real-time monitoring and control, enabling efficient resource management, improved livestock management, and data-driven decision-making. The benefits of Ag-IoT include increased productivity, resource efficiency, sustainability, and an improved food supply chain5. Though Ag-IoT offers various benefits, it poses different cyber attack and cybercrime (CACC) challenges6. Physical security risk in Ag-IoT is a significant challenge, as IoT devices deployed in remote areas or exposed environments are susceptible to theft, tampering, or physical damage. Due to its open access, Ag-IoT is vulnerable to emerging attacks that misuse the UART port7. Attacks such as DDoS can disrupt Ag-IoT, affecting productivity and functionality. Limited computing resources, outdated software, and hardware or software vulnerabilities can lead to unauthorized access, data manipulation, and disruption of Ag-IoT systems8. The lack of standardized security practices introduces challenges for stakeholders, as different security implementations across devices, platforms, and vendors can lead to inconsistencies and hinder interoperability. Insider threats and social engineering attacks also cause human-centric security risks, whose consequences can be CACC on Ag-IoT9.

In past years, the food supply chain has faced several cyber attacks, and agribusiness has been affected in different ways. The world’s largest meat processing company, JBS Foods10, was hit by REvil ransomware through its supply chain in May 2021, causing business losses of millions of dollars11. An Iowa agricultural cooperative was hit by ransomware that disrupted the networks responsible for the feeding schedules of chickens, hogs, and cattle, which caused problems in the food supply chain12. A malware attack on wool sales by an Australian and New Zealand company forced the facility to shut down13. The digital agriculture market is growing rapidly. In 2025, Ag-IoT has the potential to create an annual economic impact ranging from 50 to 200 billion dollars14. The global market value of smart agriculture is projected to increase from approximately 15 billion US dollars in 2022 to 33 billion US dollars in 202715. This can be a lure for attackers, and the consequences of such attacks can be disruption of agribusiness, economic loss, and impact on the food supply chain. Jonathan Braley, a security expert and the director of threat intelligence at IT-ISAC, says that the food and agriculture industry is hypothetically at risk due to increasing cyberattacks on IoT, OT and IIoT16.

There is an urgent requirement to design and employ a DFIRMM to make the agricultural industry more secure and sustainable. It helps maintain business continuity by addressing incidents, restoring normal operations, and minimizing downtime. Building stakeholder trust is crucial to the success of agricultural businesses. Developing a DFIRMM can improve security controls, update policies, and share best practices within the agricultural community, contributing to continuous improvement and collective knowledge. The primary objectives of this research are as follows.

  • To present a comprehensive review of existing DFIR models and investigate the potential sources for digital evidence in an Ag-IoT environment.

  • To propose a digital forensics incident response management model tailored to Ag-IoT.

  • To present a case study on real-world scenarios to demonstrate the effectiveness and applicability of the proposed model in Ag-IoT.

This article is organized as follows. Section “Literature review” presents relevant studies on existing digital forensic techniques and incident response management models. Section “DFIRMM for Ag-IoT” describes the proposed DFIRMM for Ag-IoT. Section “Experimental evaluation and results” presents an experimental evaluation of the proposed model through a case study on MQTT enabled smart agriculture network. Section “Conclusion” concludes the article.

Literature review

The use of Ag-IoT has increased recently in the agricultural industry; consequently, the rate of cyber attacks and cyber crime has increased, which demands a DFIRMM specific to Ag-IoT. Very few articles have addressed a DFIRMM specific to Ag-IoT, which makes the proposal of such a model paramount. According to an IBM web article from 2022, organizations that have an incident response model can reduce the cost of data breaches by $2.66 million compared to organizations without a DFIRMM17. The 2014 Federal Information Security Modernization Act (FISMA)18 characterizes an incident as an event that puts the confidentiality, integrity, or availability of information at risk without proper authorization, or that breaches laws, security protocols, or acceptable use policies. Different incident response models are available; few of them are combined with digital forensics.

The National Institute of Standards and Technology (NIST 2012)19 published a guide for handling computer security incidents. This model provides a structured approach to incident response that includes four abstract stages: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. It provides only limited legal and regulatory advice and requires a lot of resources to implement.

The IR management handbook20 is designed to provide IT professionals and managers with the knowledge necessary to establish incident response policies, standards, and teams in their organizations. It contains six steps and gives an overview of all the stages. It contains a checklist for incident handlers to ensure the correct execution of incident response procedures.

ISO/IEC 27035:202321 provides additional advice on the management of incidents in response to the specific risks that an organization is experiencing. It provides guidance to IT organizations to strategize and prepare for the management of information security incidents. This includes developing policies, organizing teams, creating plans, receiving technical assistance, and providing awareness and skills training. It involves continuously monitoring and improving system vulnerabilities, prompt responses to information security incidents, and taking actions to prevent, eradicate, and recover from any impacts on the system. In addition, it emphasizes the importance of learning from each incident.

ENISA22, the European Union agency for cyber security, designed a CERT (Computer Emergency Response Team) guide to handle incidents related to computer network and information security. It elaborates on the different phases of incident management. This guide defines constituency and roles, incident handling, policies, cooperation with other organizations working in IRM, outsourcing, presentation, and management. ENISA also23 developed a Security Incident Management Maturity Model (SIM3), suggesting regular checks and updates of the incident response handling model.

Few incident management frameworks include forensic investigation. A DFIR management model should be specific and dedicated to each industry, because the hardware and software involved differ between industries, and the priority criteria for deciding what counts as an incident can also differ.

NIST24 proposed a specific DFIR framework for Operational Technology (OT). This framework improves the conventional technical IR procedures of IT organizations by introducing incident response strategies focused on event escalation, and it offers strategies for digital forensics in OT. The DFIRM models mentioned above are summarized in Table 1.

Table 1.

Literature review on DFIR management models. For each model, the phase definition is given first; the items listed under each phase cover the work in that phase and the hardware and software used.

NIST SP 800-61 r2, Computer Security Incident Handling Guide (ref. 19)

  1. Preparation: Designing IR so that the organization is prompted to act on an incident, ensuring that systems, networks, and applications are secure enough to prevent incidents.

  • IR team communication and coordination facilities

  • Availability of hardware, software, and resources for incident analysis

  • Software related to incident mitigation

  • Laptops for activities such as analyzing data, sniffing packets, and writing reports

  2. Detection: Define the attack based on the attack vector and follow a specific analysis based on the target area of the incident.

  • Define a specific attack vector and its specific IR strategies

  • Attack signature and behavior

  • List of sources of precursors and indicators

  • Incident prioritization, notification, analysis, documentation

  • Intrusion detection systems such as IDS, IPS, SIEM, honeypots, antivirus

  3. Containment, Eradication and Recovery: Contain and eradicate the incident to restrict further infection in the organization, and act to recover the system to its normal functionality.

  • Containment strategy

  • Evidence collection and preservation

  • Identify attacking source addresses

  • Evidence collection accessories, workstations and backup devices

  • Protocol analyzers and packet sniffers

  • Digital forensic tools for disk image analysis

  • Printer to print logs for analysis

  • Risk assessment tools

  • Tools for host security and VPN networks

  • Malware prevention

  • Jump kit/bag

  4. Post-Incident Activity: Adapt to incorporate new risks, advances in technology, and insights gained.

  • Lessons learnt and system update

  • Using collected incident data for a better attack detection system

  • Evidence handover procedure

  • Tools for system update

  • Feedback form about IR

SANS Incident Handler’s Handbook (ref. 20): IT organizations define their own IR management model

  1. Preparation: Preparing the IR team to be equipped to manage an incident.

  • Define policies within the organization

  • Strategies to handle the incident

  • IR team communication and coordination facilities

  • Documentation about IR, to be utilized in the lessons learned phase or if an investigation is required

  • Access control management of permissions

  • Tools required

  • Training for the IR team

  • Jump kit/bag

  2. Identification: Identify and confirm that an incident has occurred. Basic description only; no hardware or software specified.

  3. Containment: Prevent any damage from the incident.

  • Short-term containment

  • System back-up

  • Long-term containment

  • Disk images using Clonezilla or Symantec Ghost

  4. Eradication: Remove the cause and restore the affected systems. Not much elaboration.

  • Anti-virus program (Kaspersky)

  • Anti-malware tools

  • Windows registry scanner for keys to detect malware

  5. Recovery: Reintegrate affected systems back into the production environment cautiously to prevent the occurrence of another incident.

  • Recovery operations time and date

  • Test and verify that the compromised system is completely functional

  • The duration of monitoring to observe for abnormal behavior

  • Tools for testing, monitoring, and validating system behavior

  6. Report: Finalize documentation that was not completed during the incident, along with any extra documentation that could be useful for investigating future incidents.

  • After the incident, call a meeting to learn the lessons from the IR

  • Review the strategy to update the system

  • Feedback collection

ENISA 2010 Incident Guide (ref. 22): A guide to managing incidents in computer network and information security

  1. Define Constituency and Roles: Define the framework.

  • Define constituency powers and responsibilities

  • Organizational framework

  • Service types

  • Roles and responsibilities

  • IP address ranges

  • AS (autonomous system) numbers

  • Domain names per organization or country

  2. Incident Handling: Handle the incident by detecting it.

  • Detection

  • Triage analysis

  • Incident response

  • Network monitoring tools

  • IR procedure tools

  • Digital investigation

  3. Policies

  • General policies

  • Policies for human resources

  • Code of practices

  4. Cooperation with other organizations working in IRM: Cooperate with national or international organizations outside one’s own organization and constituency.

  • Bilateral cooperation, national cooperation, critical infrastructure protection, sectoral cooperation

  5. Outsourcing: Guide for outsourcing (dos and don’ts).

  • When not to outsource

  • Requirements to outsource

  • How to do outsourcing

  6. Presentation and Management: What, how often, and how to present the report.

  • What

  • How frequently

  • How to

ISO/IEC 27035:2023 Information security IR management (ref. 28)

  1. Preparation: Develop a strategy to prepare for IRM. No hardware or software specified.

  • Encompassing policies

  • Describe organizational structure

  • Technical assistance, awareness, skills training

  2. Detection: Detect the attack. No hardware or software specified.

  • Detect attack

  • Report to IR team

  • Identify vulnerabilities responsible for the incident

  3. Contain, Eradicate and Recover: Take action for IR by triggering suitable measures to prevent, mitigate, and restore. No hardware or software specified.

  • Contain, eradicate, mitigate

  • Recover from attack

  4. Report: Prepare a document on the completed IR. No hardware or software specified.

  5. Lessons Learnt: Learn from incidents, enforce and validate precautionary measures.

  • Update the preparation phase

NIST DFIR Management Framework for OT (ref. 24)

  1. Routine: Includes asset identification and remote data collection, process monitoring, and event logging throughout regular operations.

  • Stakeholders (i.e. operators, local support teams, control systems engineers, incident response teams, management)

  • Safety toolkit

  • IR workstations: data collection and analysis

  • Network and forensics analysis tools

  • High volume storage

  • Auxiliaries (connectors, cables, camera)

  • Virtual machine

  2. Initial Identification and Reporting: Detect the incident and confirm it.

  • Assessment of situation

  • Incident suspicion

  • Activate IRM

  3. Cyber Incident Analysis and Response: Activate the IR team.

  • Data acquisition

  • Forensics investigation and IR

  • Continuous situation assessment

  • IR end?

  4. End of IR: Incident recovery and lessons learnt.

  • End of incident

  • Assessment of recovery, lessons learnt

  • Closing the ticket, completion of final report

  5. Post Incident: Update the existing system based on the recommendations and provide training and awareness.

  • Awareness, update based on recommendations

  • Advanced level forensics

  • Supervised routine

The urgency of recovering IoT networks after attacks necessitates the development of suitable DFIR models tailored to constrained environments. This reduces the potential loss and risk in sensitive applications such as smart agriculture. The scarce literature and resources on Ag-IoT forensics and incident response demand the attention of researchers to propose new methodologies tailored to smart agriculture technology.

Ag-IoT encompasses a wide spectrum of applications, including precision agriculture, livestock monitoring, supply chain management, and environmental sensing, all of which are based on interconnected sensors, actuators, and control systems. Attacking the agriculture sector is cheap, but protecting it is very expensive, according to the Internet Security Alliance (ISA)25. Many industries have their own specific DFIRMM because of their distinct system implementations and the wide variety of equipment used. Operational technology systems follow a specific DFIRMM24,26. A specialized DFIRMM is crucial for Ag-IoT. Ag-IoT integrates IoT technology into agriculture, using devices such as sensors, drones, and automated machinery to improve farming. Ag-IoT includes numerous devices, such as soil sensors, climate monitors, and drones, each with its own data formats and protocols. Ag-IoT functions in real time, demanding rapid incident handling. Ag-IoT collects critical data on crop health and soil conditions, so the model must address data breaches and unauthorized access. Ag-IoT ranges from small farms to extensive operations, and the DFIRMM should be adjusted to these different scales. Incident handling in Ag-IoT requires knowledge of both agriculture and IoT, so the model involves experts equipped with the necessary expertise. As Ag-IoT evolves, so do threats; the DFIR model is updated to address new challenges, maintaining effective response practices. A comparison between the existing models and the proposed model is given in Table 2.

Table 2.

Summary of DFIR models comparison. Columns are grouped as Pre-Incident (Technical, Management), Incident (Detection, Notify), Post-Incident (1. Collection, 2. Preservation, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons Learnt) and Digital forensics phase-II (7. Examination, 8. Analysis, 9. Presentation).

| DFIR model | Technical | Management | Detection | Notify | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NIST SP 800-61 r2 (19) | No | Yes | Yes | Yes | No | No | Yes | Yes | Yes | Yes | No | No | No |
| SANS IRM (20) | No | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
| ENISA 2010 IR (22) | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | No | No | No | No |
| ISO 27035:2023 IRM (28) | No | Yes | Yes | No | No | No | Yes | Yes | Yes | Yes | No | No | No |
| NIST DFIR for OT (24) | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Holistic IoT DFIR (29) | No | No | Yes | No | Yes | Yes | No | No | No | No | Yes | Yes | Yes |
| Proposed DFIR for Ag-IoT | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

1. Collection, 2. Preservation, 3. Containment, 4. Eradication, 5. Recovery, 6. Lessons Learnt, 7. Examination, 8. Analysis, 9. Presentation

DFIRMM for Ag-IoT

We propose a DFIRMM for Ag-IoT as an extended version of our previous study27; its architecture is represented in Fig. 1. This model guides incident response and forensic investigation teams in making decisions to identify evidence, eradicate, recover, and investigate incidents encountered in smart agriculture. The DFIRMM merges conventional incident response tasks, such as planning and practice, documenting IT setups, and creating action plans, with specialized digital forensic methods. The proposed DFIRMM consists of four main phases. The first phase is pre-incident, which defines the preparation before any incident occurs; the second phase is incident, in which a cyber security incident takes place; the third phase is post-incident, in which the incident response is performed. The fourth and last phase is investigation, in which the examination and analysis of preserved evidence is performed.

Fig. 1. Digital forensics and incident response management model for Ag-IoT.

The methodology of the proposed DFIRMM is described in Algorithm 1.

Algorithm 1. Digital Forensics and Incident Response Management Model for Ag-IoT Systems.

Pre-incident

The Pre-Incident phase defines the proactive preparedness for any security incident in Ag-IoT. It includes designing both technical and management policies and developing a comprehensive, proactive strategy to reduce the likelihood of security breaches. The pre-incident phase is divided into two parts, technical and management, as presented below.

Technical

The technical part contains all technical details about the Ag-IoT system and its functionality, the list of probable incidents, the data sources or assets at risk, and the security policy framework. The list of possible incidents, data sources, and security policies helps the DFIR team design cost-effective and time-effective strategies for containment, eradication, and investigation.

Incidents list: The list of incidents covers incidents that could occur due to cyberattacks and anomalies that can potentially affect the security goals of smart agricultural data and activities. These incidents range from external adversaries acting maliciously to internal problems such as human error, system malfunction, and sabotage. The list of various attacks is discussed in6 and30. The most relevant incidents pertaining to the different layers of the Ag-IoT application stack are listed in Table 4.

Data Sources: The data sources in Ag-IoT reside in memory, storage media, flash memory, and computing resources. These sources are prone to threats and can become target points for attackers, while being very significant for investigation purposes. Data sources at risk should be identified first, so that they can be protected from corruption and data loss. The list of these sources is also useful for identification and preservation during an incident. The different data sources in Ag-IoT31–33 are categorized in Table 5.

Table 4.

List of Security Incidents in Ag-IoT6.

| Layer 1 | Device/technology 2 | Description 3 | Application 4 | Possible attacks 5 |
|---|---|---|---|---|
| Device layer | Soil Moisture Sensors | Measure the moisture content in the soil | Irrigation decisions to optimize water usage | Physical tampering, Sensor spoofing |
| Device layer | Drones with Camera | Aerial devices equipped with camera for capturing high-resolution images | Monitor crop health, estimate yields, and detect pests or diseases | Hijacking, Unauthorised access |
| Device layer | Climate Sensors | Measure environmental parameters such as temperature, humidity, and CO2 levels | Environmental monitoring to adjust farming practices accordingly | Data manipulation, Eavesdropping |
| Edge layer | Edge Gateways | Intermediate devices that collect sensor data before it is sent to the cloud | Pre-process data for local real-time analysis and decision-making | Man-in-the-middle attacks, Data tampering |
| Edge layer | Smart Agriculture Cameras | Cameras with built-in processing to analyse images on-site | Immediate pest detection and health monitoring without the need for cloud processing | Privacy breaches, Unauthorised data access |
| Network layer | LPWAN Gateways | Low Power Wide Area Network gateways provide connectivity for sensors and devices over long distances | Transmit sensor data over large agricultural fields to central systems for analysis | Eavesdropping, Spoofing attacks |
| Network layer | Cellular Routers | Use cellular networks to connect devices and sensors to the Internet | Provide internet access in remote areas, enabling data transmission to cloud or fog layers | Denial of Service (DoS), Unauthorised access |
| Fog layer | Fog Computing Nodes | Intermediate servers that provide significant computing resources closer to the edge, but not in the cloud | Aggregate data from multiple sources for localized processing and analytics | Data integrity attacks, Resource exhaustion |
| Fog layer | Data Aggregation Systems | Systems designed to compile and aggregate data from various edge devices | Analyse and process data from multiple sensors/devices before sending to the cloud | Man-in-the-middle, Data falsification |
| Cloud layer | Cloud Storage Services | Platforms that offer scalable data storage solutions | Store vast amounts of data collected from the Ag-IoT ecosystem for long-term analysis | Data breaches, Cloud malware injection |
| Cloud layer | Machine Learning Platforms | Cloud-based platforms that provide AI and machine learning capabilities | Analyse historical and real-time data to predict crop yields, optimize resource use, and identify disease patterns | Model poisoning, Data privacy breaches |

1 Layers of the Ag-IoT architecture. 2 Devices/technology used in the layer. 3 Description of the device/technology. 4 Applications of the device/technology. 5 Layer-wise possible attacks.

Table 5.

Ag-IoT assets and data sources. The entries in each column are independent lists and are not aligned into rows.

Sensors in agriculture: Soil Moisture Sensor; Temperature & Humidity Sensor; pH Sensor; Electrical Conductivity Sensor; NDVI Sensor (Drone Mounted); Weather Station; Flow Meter; Leaf Wetness Sensor; Radiation Sensor; Wind Speed & Direction Sensor; Infrared Temperature Sensor; Plant Canopy Analyzer; Optical Rain Gauge; CO2 Sensor

Boards used: Arduino; Raspberry Pi; ESP8266; Waspmote; MICAZ; IRIS; Telosb; EasyPIC v7; Particle Electron; Moteino RFM95; IPex12; LoPy4; Intel Galileo Gen2; Intel Edison; Beagle Bone Black; Electric Imp 003; ARM mbed NXP LPC1768; STM32L431; S3C6410 ARM11; nRF24L01; HELTEC WiFi LoRa

Communication technologies: Wi-Fi; LoRa; IEEE 802.15.4/LR-WPAN (ZigBee); Ethernet; 2.4 GHz/415 MHz; 4G/ADSL; Underground WSN; NB-IoT; LoRa/Wi-Fi; GSM/IEEE 802.15.4; WiMAX; LoRa/TVWS; RFID; GPS

Cloud services: Thingspeak; Microsoft Azure; Xively; Plotly; Carriots; Exosite; GroveStream; ThingWorx; Nimbits; Huawei Cloud Platform; Ubidots; SEnviro; SensorDB; Generic Cloud; SCADA; Custom Build; Amazon Web Services; CloudSense; Firebase; Connecterra; Axeda; Yaler; AMEE; Aekessa; Paraimpu; Pyhytech

Power supply and storage: Solar/LiPo/Hydro; LiFePO4; Solar; Alkaline Batteries; Main Supply; NiMH Batteries / 12V Lead-acid Battery; LiPo

Actuators and functions: Water Pump (moves water for irrigation); Valve (controls the flow of fluids); Lighting (provides illumination); Ventilation (manages air flow); Fertiger (applies fertilisers); Air Condition (regulates temperature); Alert (sends notifications or warnings); Repeller Device (deters pests or animals); Humidification (controls moisture levels); Stepper Motor (moves in precise increments); Pesticide Sprinkler (applies pesticides)
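The data sources paragraph above calls for identifying the assets at risk and preserving them so that they remain usable for investigation. The following is an added example, not code from the paper, of a minimal evidence register for Ag-IoT artifacts: each collected item is tagged with one of the asset categories from Table 5, hashed with SHA-256 at collection time, and tracked through a chain-of-custody list, so that a later copy can be checked for tampering. The category names, the sample artifacts, and the custodian names are assumptions constructed for illustration.

```python
"""Evidence identification and preservation register for Ag-IoT data sources.

Added example (not from the paper). Asset categories follow the column
headings of Table 5; everything else (IDs, custodians, sample bytes) is
constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Asset categories, one per Table 5 column (assumption: fixed vocabulary).
CATEGORIES = {"sensor", "board", "communication", "cloud",
              "power_storage", "actuator"}


@dataclass
class EvidenceItem:
    item_id: str
    category: str
    description: str
    sha256: str            # digest taken at collection time
    collected_at: str      # ISO-8601 UTC timestamp
    custody: list = field(default_factory=list)  # chain-of-custody entries


class EvidenceRegister:
    """Register artifacts, record custody transfers and verify integrity."""

    def __init__(self):
        self.items = {}

    def add(self, item_id, category, description, data: bytes, collector):
        if category not in CATEGORIES:
            raise ValueError(f"unknown asset category {category!r}")
        if item_id in self.items:
            raise ValueError(f"duplicate evidence id {item_id!r}")
        digest = hashlib.sha256(data).hexdigest()
        now = datetime.now(timezone.utc).isoformat()
        self.items[item_id] = EvidenceItem(
            item_id, category, description, digest, now,
            [{"action": "collected", "by": collector, "at": now}])
        return digest

    def transfer(self, item_id, from_person, to_person):
        """Append a custody hand-over; the digest is never changed."""
        item = self.items[item_id]
        last_holder = item.custody[-1]["by"]
        if last_holder != from_person:
            raise ValueError(f"{from_person} does not hold {item_id}")
        item.custody.append({"action": "transferred", "by": to_person,
                             "from": from_person,
                             "at": datetime.now(timezone.utc).isoformat()})
        return len(item.custody)

    def verify(self, item_id, data: bytes) -> bool:
        """True only if the presented bytes still match the recorded digest."""
        return hashlib.sha256(data).hexdigest() == self.items[item_id].sha256

    def export(self) -> str:
        """JSON snapshot of the register, suitable for the incident record."""
        return json.dumps({k: asdict(v) for k, v in self.items.items()},
                          indent=2, sort_keys=True)


# Constructed sample artifacts standing in for real collected data.
GATEWAY_LOG = b"2025-01-01T06:00:00Z gw-01 forwarded 12 readings from zoneA\n"
SENSOR_FLASH = bytes(range(64))  # stand-in for a dumped sensor flash image


def demo():
    """Collect two artifacts, hand one over, then check an altered copy."""
    reg = EvidenceRegister()
    reg.add("EV-001", "communication", "edge gateway log (constructed)",
            GATEWAY_LOG, collector="field technician")
    reg.add("EV-002", "sensor", "soil sensor flash dump (constructed)",
            SENSOR_FLASH, collector="field technician")
    custody_len = reg.transfer("EV-001", "field technician", "investigator")
    tampered = GATEWAY_LOG.replace(b"12 readings", b"13 readings")
    return {
        "intact": reg.verify("EV-001", GATEWAY_LOG),
        "tampered_detected": not reg.verify("EV-001", tampered),
        "custody_len": custody_len,
        "record": json.loads(reg.export()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The register deliberately refuses a transfer from anyone who is not the current holder, which is the property a chain of custody must preserve; integrity is tied to the digest recorded at collection time, not to the file as it is found later.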

Security Policies: Security policies establish a systematic approach to safeguarding confidential information, ensuring reliability, identifying and mitigating possible weaknesses, and reacting efficiently to security breaches in Ag-IoT. They include policies on access control, data protection and privacy, network security, physical security, device security, third-party security, backup and recovery, software and application security, compliance and legal matters, and others. The security policies with their aims and methods are discussed in Table 3.

Table 3.

Security policies.

| Security policy | Aim and method |
|---|---|
| Access Control Policy | To regulate access to data and system assets for legitimate users such as farmers, farm administrators, or any authorized technical personnel |
| Data protection and privacy policy | To protect the data from unauthorized access and implement prevailing privacy laws governing the agriculture sector |
| Network Security Policy | To secure the network infrastructure by using firewalls, IDS/IPS, secure VPNs for remote access, and consistent monitoring to identify and address threats promptly |
| Physical Security Policy | To deter unauthorized physical entry that can jeopardize the Ag-IoT system by implementing robust physical security to protect IoT devices and servers from tampering, theft, or harm |
| Device Security Policy | The implementation of secure practices for managing devices, such as frequent firmware updates, secure configuration, and the use of secure boot procedures, due to the remote and open locations of the Ag-IoT system |
| Third-Party Security Policy | To set detailed criteria for evaluating the security status of third-party suppliers to the Ag-IoT system, setting up secure communication channels, and verifying that third-party services adhere to the organization’s security protocols |

Management

In the management part, it is necessary to define the procedures and policies within the Ag-IoT environment, the incident response strategy, the communication channels, the IR team specification, the jump bag specification, training of the IR team, and awareness for the stakeholders34.

Procedure: Procedures should incorporate clearly outlined communication and notification protocols, as well as documentation and reporting requirements. These elements are essential to ensure the smooth flow of information during an incident, ensure that stakeholders receive proper updates, and maintain a record of all activities for legal, regulatory, and enhancement objectives. Different factors should be followed as a part of preparedness, as shown in Fig. 2.

Fig. 2. Procedure during the preparation phase in DFIR.

The response strategy should define the priority of incidents based on their impact on the Ag-IoT environment, depending on the frequency of containment, the impact ratio, and the area of agricultural operations disrupted. Predetermined communication channels that are reliable and secure should be established. It is important to clearly identify both internal and external stakeholders who need to be informed in case of an incident. Notification templates should be created for communicating with the different parties, so that the required information is exchanged quickly and effectively. An Incident Command System (ICS) must be deployed to consolidate communication and decision-making, define roles and duties, and guarantee that all communication is well coordinated and uniform. A structured document must be defined to hold all information about an incident. It may include the time, date, current status of the machine, the last operation instructed to the system, the number of people present during the incident, who observed the incident, and changes in the operation of the Ag-IoT functionality.

Roles and Responsibilities: It is vital that all individuals understand their responsibilities in maintaining the efficiency and security of these systems. In Ag-IoT, the DFIRMM requires a multidisciplinary approach because of the complex nature of Ag-IoT systems. Ag-IoT combines cyber and physical components in different agricultural environments, and each member of the team contributes different skills and points of view that are crucial to handling incidents effectively and reducing their impact. The different roles and responsibilities are categorized in Table 6.

Table 6.

Roles and responsibilities.

| Role | Responsibility |
|---|---|
| Human Resources (HR) Representatives | To communicate with affected personnel, implement disciplinary measures when needed, and ensure that response procedures adhere to labor regulations and company policies |
| Incident Manager (IM)/Coordinator | Supervising the incident response procedure, making crucial judgments, and ensuring efficient communication within the team and with external parties |
| Technical Specialists/IT Staff | Recognizing the technical specifics of an event, mitigating risks, and returning impacted systems to their regular functionality |
| Legal Advisors | To ensure that incident response procedures comply with relevant laws and to safeguard evidence for potential legal proceedings |
| Digital Investigation Team | Handling the evidence in a forensically sound way to support both the incident investigation and any potential legal actions |
| Agricultural Specialists | Evaluate the effects of events on agricultural procedures and provide valuable information on the restoration procedure to reduce interruptions in agricultural operations |
| Cyber Security Experts | To evaluate the wider consequences of an event on the organization’s security stance and to update security structures and protocols |

Incident

An incident is an event that has been intentionally initiated in the digital world to cause harmful outcomes for a specific entity35,36. In the context of Ag-IoT, an interruption in the usual functioning of Ag-IoT operations, or a malfunction, is an incident when it is caused by a cyberattack on its devices, data, memory, or any computing resources. The incident phase contains two steps: detection and notification of the stakeholders.

Detection: The farm's security team notices abnormal network activity and dubious behavior within the IoT device management system. The IDS, IPS, and antivirus help to prevent attacks from affecting the functioning of the system. However, the Ag-IoT system may still fail under high-impact security attacks. The IR team should determine the actual cause behind the non-functioning of the Ag-IoT system, as it may fail for reasons other than cyber attacks, such as failure of the power supply, disconnection of the machines, or a climate disaster. The Ag-IoT administrator must detect the incident and confirm it. The transition from normal operation to an incident state involves a few critical steps: verifying that the observed indicators constitute a security or operational incident that requires a response; assessing the scope, impact, and severity of the incident; and mobilizing the incident response team (IRT) and activating incident response plans customized to the nature of the incident.

Notify Stakeholder: Once the Incident is detected, it should be notified to the stakeholder. The stakeholders can be farmers, agribusiness companies, Ag-IoT Device manufacturers, or software and platform providers.

Post-incident

The post-incident phase begins once the incident response team is activated to settle the incident. This phase consists of two parts: Digital Forensics Phase I (DF-I) and Incident Response. The proposed DFIRMM carries out digital forensics in parallel with the incident response. For this reason, DF-I plays a crucial role in evidence collection and preservation during incident response. DF-I is very significant because the effectiveness of subsequent forensic investigations is directly affected if any data is overlooked. DF-I comprises two stages: collection and preservation.

Collection

At first, the process involves recognizing possible sources of digital evidence that can help in the investigation. The identification process must be performed meticulously by a technical expert specializing in IoT devices, microcontrollers, networks, cloud computing, a programmer, or computers. Failure to uncover crucial evidence during the identification phase can make it challenging to trace the perpetrator and discern their intentions. For Ag-IoT, this might include information from sensors, gadgets, networking tools, and even cloud platforms that retain or handle agricultural data. Possible data sources in Ag-IoT are discussed in Table 5 that could be used to identify evidence.

The collection phase ensures that digital evidence is clearly identified and collected accurately and thoroughly, in a way that maintains its integrity and allows efficient analysis at a later stage of the incident response procedure. The collection process includes recognizing, tagging, documenting, and obtaining data from various possible sources of pertinent information. This encompasses digital gadgets, storage devices, and network data, while adhering to protocols for collecting data from both volatile and non-volatile sources. The Request for Comments (RFC) 322737 document presents a sample order of volatility for standard systems. Collection in Ag-IoT includes the following mandatory tasks.

Volatility Order: There are specific protocols for the collection of volatile evidence, with an emphasis on following the order-of-volatility principle, where the most volatile evidence is prioritized for collection before less volatile evidence. The volatility of digital evidence in Ag-IoT is discussed in Table 6. Evidence that is higher in volatility must be targeted to identify, collect, and preserve first.

Actions to Refrain from: A few actions are prohibited during the collection phase because they can alter the evidence or compromise its integrity. These include powering off the system before the collection of evidence is finished, relying on the software installed on the system, and executing programs that alter the access time of all files within the system.

Collection Procedure: The collection procedure must be comprehensive and thorough. Some significant questions must be considered during the collection procedure: which systems were involved in the event, and from which sources will evidence be collected; what is probable to be pertinent and acceptable; for each system, what is the appropriate level of volatility, so that evidence is collected in volatility order; and what other types of evidence could be identified as the collection procedure progresses? Remember to consider the individuals involved in the incident.

Chain of Custody: Documentation for evidence handling should include details on the location, date, and individual responsible for the discovery and collection of evidence. It should also specify the place, date, and person involved in handling or examining the evidence. Furthermore, it should describe the custodian of the evidence, the duration of custody, and the storage method used. Additionally, it should describe the process and date of transfer of custody, including any relevant information, such as shipping numbers.

The Archive: During the collection process, a large amount of external storage should be kept available, since the storage medium may be required to store the image of the collected evidence.

Required Tools: The tools used for collection should be authentic and reliable. The tools are listed in Table 7.

Table 7.

List of evidence sources in Ag-IoT for forensic investigation.

| Device/component | Purpose/use | Potential evidence | Collection tools/methods |
|---|---|---|---|
| Sensors | Collect environmental, soil, and crop data | Time-stamped measurements, configuration settings | FTK Imager, Guymager for imaging; specialized scripts for proprietary formats |
| Actuator | Control devices based on sensor data or remote commands | Logs of actuation commands, response times, and errors | Physical examination, logic analyzers for signal tracing |
| Flash Memory | Store configuration data, program code, and/or operational data | Device firmware, user data, error logs | Write blockers, FTK Imager, and Guymager for creating bit-for-bit copies |
| Microcontroller | Central processing unit for many IoT devices that execute the control logic | Program logic, execution history, debugging information | JTAG, SWD interfaces for memory dumping; forensic microcontroller readers |
| Network | Connect devices for data exchange, including Internet access | Logs of data transmission, access records, IP addresses | Network sniffers (Wireshark), log extractors, and Nmap for network mapping |
| Cloud | Host services and storage for data processing and analysis | Stored data, access logs, user interactions, and configuration changes | Cloud data extraction tools (Oxygen Forensics), API-based data collection |
| Applications | Interface for user interaction, data presentation, and remote device management | User actions, configuration changes, and logs of device interactions | Forensic browsers, mobile device extraction tools (Cellebrite UFED) |

Data Acquisition: After collecting potential evidence devices, the next stage involves obtaining data from these sources. This process can involve physically accessing devices to retrieve data, collecting data remotely from network devices, or requesting data logs from cloud service providers.

The data source defines data in three forms in the Ag-IoT system: Data at Rest (ROM), Data in Use (Sensor, Flash Memory, Microcontroller, Cloud, Router), and Data in Transit (Network, Cloud). These categories of data in Ag-IoT are classified in Table 8.

Table 8.

Data at Rest/ Use/ Transit: Sources, Types, and Extracted data.

| Data category | Data source/media | Type of data stored | Primary use case | Type of data extracted |
|---|---|---|---|---|
| Data at rest | On-device Storage | Sensor data, operational records | Stores data directly on IoT devices like soil moisture sensors or drones for later access | Sensor Data, Imagery and Video Data |
| | Data Loggers | Sensor data over time | Collect and retain data from various sensors for periods, used for subsequent analysis | Sensor Data |
| | On-premise Servers | Aggregated IoT device data | Aggregates and stores data from various IoT devices across the farm for processing and analysis | Sensor Data, Operational Data, Machine Data |
| | Cloud Storage Services | Diverse IoT device data | Provides scalable and convenient data storage in the cloud, staying idle until required | Sensor Data, Imagery and Video Data, Operational Data, Machine Data, Financial Data, Environmental and Climate Data, Research and Experimental Data |
| | Database Systems (On-site and Cloud) | Structured agricultural data (crop yields, sensor data, operational records) | Acts as centralized storage for extensive agricultural data, facilitating organized access and querying | Sensor Data, Operational Data, Machine Data, Financial Data, Research and Experimental Data |
| | External Hard Drives and USB Drives | Temporary or transportable agricultural data | Used for temporary storage or transportation of agricultural data, suitable for smaller operations or specific data collection tasks | Sensor Data, Imagery and Video Data, Operational Data, Financial Data |
| | SSDs and HDDs in Farm Servers | Large volumes of IoT device data (soil moisture levels, weather data, crop health images, etc.) | Provides rapid data retrieval and ample storage space for large amounts of data gathered from IoT devices | Sensor Data, Imagery and Video Data, Machine Data, Environmental and Climate Data |
| | Cloud Storage Solutions | Extensive IoT device data (sensor data, drone images, machinery operational info) | Utilises cloud scalability and accessibility for storing large volumes of data from IoT devices, offering adaptability | Sensor Data, Imagery and Video Data, Operational Data, Machine Data, Financial Data, Environmental and Climate Data, Research and Experimental Data |
| | Flash Memory and SD Cards in IoT Devices | Directly collected device data (sensor and camera data) | Allows direct data collection and retention on IoT devices until transferred to a more permanent storage system | Sensor Data, Imagery and Video Data |
| | Database Systems | Historical records, operational data, analytical findings | Organises and stores structured data from various sources, providing a systematic way to access static data | Operational Data, Machine Data, Financial Data, Research and Experimental Data |
| | Network-attached storage (NAS) | Static data for centralized access within a local network | Serves as centralized storage within a local network, allowing convenient access to static data | Sensor Data, Operational Data, Machine Data, Financial Data |
| Data in use | Device Logs | Logs of activities, malfunctions, system notifications | Maintain records of device activities, system health, and communication | Timestamps, device actions, communication details, system status updates |
| | Sensor Data | Physical attributes measurements | Measure and log environmental and physical conditions through IoT sensors | Temperature, movement, humidity, light, sound |
| | Communication Data | Command and control messages | Facilitate interaction between IoT devices and servers/applications, tracking operational capabilities | Device interactions, operational capabilities |
| | Geolocation Data | Location information | Provide precise tracking of device location over time, useful in various scenarios including legal | Device locations, movement history |
| | Device Configuration and State Information | Configuration details, firmware versions, installed apps, device condition | Offer insights into device performance and security status at specific times | Device setup, firmware versions, app installations, current condition |
| | Audio and Video Data | Audio and visual recordings | Capture and store audio and visual information for surveillance or evidence in investigations | Audio recordings, video footage |
| Data in transit | Sensor Data | Environmental and health measurements | Monitor environmental conditions and health statuses using agricultural sensors | Soil moisture, temperature, humidity, pH levels, crop health, livestock health |
| | Equipment Data | Machinery operational details | Track the functioning and status of agricultural machinery and equipment | GPS coordinates, operational status, maintenance logs, instructions to machinery |
| | Communication Protocols | Data transfer methods | Understand and secure the methods of data transfer between devices and systems | Protocols used (MQTT, CoAP, HTTPS, LoRaWAN, Zigbee), potential weaknesses, interception techniques |
| | Timestamps and Sequencing Information | Timing and order of data packets | Create timelines, identify data loss or insertion, understand sequences of actions | Timing, sequence of data packets, event timelines, data integrity issues |
| | Network Infrastructure and Topology | Network components and data flow | Identify potential vulnerabilities in the network where data could be compromised | Network components (routers, gateways, servers), data flow, weak spots in network |
| | Authentication and Encryption Mechanisms | Security measures for data in transit | Protect data during transit, identify vulnerabilities for unauthorized access or data modification | Encryption types, authentication methods, identified vulnerabilities |
| | Anomaly Detection Logs | Unusual network or data activities | Detect and investigate potential security breaches or data integrity issues | Unusual traffic patterns, irregularities in data transmission, device IDs, IP addresses, user accounts |
| | Error Logs and System Messages | System health and error reports | Signal data transmission issues, security breaches, or system malfunctions | Error descriptions, system messages, indicators of transmission issues or security vulnerabilities |

Imaging: Once acquisition is done, a bit-by-bit copy of the data must be created; this is called imaging. It preserves the original data intact, and all subsequent operations are performed on the image rather than on the original.

Preservation

It is essential not to manipulate the original data to ensure the preservation of the evidence. Once digital evidence has been identified, collected, and imaged, the integrity of data should be maintained using different methods. This preservation process requires the use of encrypted storage methods and the enforcement of stringent access controls to restrict access only to authorized forensic examiners. Furthermore, the secure storage facility must protect the evidence from environmental risks such as extreme temperatures, moisture, and electromagnetic interference, which have the potential to compromise the digital evidence38. Hashing or blockchain based digital evidence preservation tools can be utilized during this phase39,40.
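The following is an added example, not code from the paper, that walks through the collection and preservation steps above: it orders sources by the RFC 3227 volatility classes, takes a hashed bit-for-bit image of a constructed flash-memory dump, and keeps a hash-chained chain-of-custody record so that any later change to the image or to the custody log is detectable. The evidence id, custodian names, locations and the mapping of Ag-IoT sources onto volatility classes are this example's assumptions.

```python
"""Collection order, imaging hash and hash-chained chain-of-custody record.

Added example (not the paper's code). Volatility ranking follows RFC 3227;
evidence ids, custodians and locations are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64

# RFC 3227 order of volatility, most volatile first. Which Ag-IoT source falls into
# which class (e.g. microcontroller SRAM under "memory") is this example's mapping.
VOLATILITY_RANK = {
    "registers-cache": 0,
    "memory-process-table-arp": 1,
    "temporary-filesystem": 2,
    "disk-flash": 3,
    "remote-logging": 4,
    "physical-config-topology": 5,
    "archival-media": 6,
}


def plan_collection(sources):
    """Order (name, volatility_class) pairs so the most volatile source is collected first."""
    return [name for name, cls in sorted(sources, key=lambda s: VOLATILITY_RANK[s[1]])]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes):
    """Bit-for-bit copy of the source plus its acquisition hash. In the field the copy is
    read through a write blocker or a JTAG/SWD dump; here the source is constructed."""
    image = bytes(source)
    return image, sha256_hex(image)


def verify_image(image: bytes, acquisition_hash: str) -> bool:
    """Preservation check: the working copy still matches the hash recorded at collection."""
    return sha256_hex(image) == acquisition_hash


class CustodyLog:
    """Append-only chain-of-custody record. Every entry carries the hash of the previous
    entry and its own hash, so editing, inserting or dropping an entry fails verify()."""

    def __init__(self, evidence_id, acquisition_hash, collector, location):
        self.entries = []
        self._append({"event": "collected", "evidence_id": evidence_id,
                      "acquisition_hash": acquisition_hash, "by": collector,
                      "location": location})

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def _append(self, fields):
        entry = dict(fields)
        entry["time"] = datetime.now(timezone.utc).isoformat()
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    def transfer(self, from_custodian, to_custodian, method, reference, storage):
        """Record a custody transfer: who handed over, who received, how, and where stored."""
        return self._append({"event": "transfer", "from": from_custodian, "to": to_custodian,
                             "method": method, "reference": reference, "storage": storage})

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev or self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    # constructed stand-in for a pump-controller flash dump (not a real device image)
    flash_dump = b"FIRMWARE-v1.2\x00pump.threshold=35\x00broker=192.0.2.10\x00" * 64
    image, digest = acquire_image(flash_dump)
    log = CustodyLog("AGIOT-EV-0001", digest, "field technician (placeholder)", "pump house")
    log.transfer("field technician (placeholder)", "forensic lab (placeholder)",
                 "sealed courier bag", "tracking-no-placeholder", "encrypted evidence vault")
    print("image intact:", verify_image(image, digest), "custody chain valid:", log.verify())
```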

The main and significant part of the post-incident response is the incident response, which consists of the following phases.

Incident response

This critical phase aims to limit the spread of an incident, remove the threat, and restore normal operations. It includes implementing containment strategies to isolate affected systems, identifying the source of the attack, and taking actions to eradicate the threat and recover affected systems.

Containment

The fundamental aim of containment in the Ag-IoT incident response process is to minimise the impact and prevent additional damage from spreading across smart systems. This critical phase consists of several key steps, each indispensable for effectively mitigating the incident, preventing further damage, and protecting evidence for potential legal proceedings or analysis during the review phase41. The containment can be done in two forms based on duration. The short-term containment focuses on rapidly curtailing the extent of damage within the Ag-IoT infrastructure. Actions can range from isolating affected network segments of compromised IoT devices to shutting down breached servers and redirecting data flow to secure backup systems. This step is designed as a provisional measure to control the situation and prevent it from escalating. The long-term containment strategy involves ensuring that compromised systems are temporarily secure. The main objective is to remove any unauthorized access or backdoors created by attackers, implement essential security patches, and implement additional measures to prevent the incident from worsening. These actions allow regular agricultural activities to continue while preparations are made for a complete system reconstruction20. Containment within Ag-IoT involves physically disconnecting impacted systems. This could mean detaching network cables from compromised IoT devices or powering down specific network devices to segment off compromised parts of the network. Such actions help to localize the problem, preventing the spread of malware across the agricultural network and reducing the risk of additional systems being compromised, thus ensuring the integrity of the agricultural production process.

Eradication

The main goal of this step is to eliminate the root cause of the incident and to remove the threat completely from the system so that the incident does not recur. It involves comprehensive analysis to determine how the security breach or incident occurred. Some indicative approaches are collecting the firmware and analyzing it for malware, tracing back the exploited vulnerabilities from the nature of the attack, or any suitable technique that uncovers the methods used by the attackers. This includes cleansing infected IoT devices or gateways, removing malicious code from firmware and software, and patching the vulnerabilities. During eradication, the IR team must ensure that agricultural operations are not disrupted for a long period of time and that the forensic artifacts are preserved for further investigation.

Recovery

The recovery stage is crucial to guarantee the secure and effective restoration of systems to their regular operations after an incident. It involves carefully reinstating the impacted systems into the operational environment to avoid repeated incidents. The scheduling of recovery operations includes establishing a precise time and date to initiate the restoration of compromised systems. This is especially critical in Ag-IoT due to the time-critical aspect of agricultural activities. Delay in the recovery process can result in missed opportunities for planting or harvesting, affecting both yield and financial results. Therefore, planning recovery operations requires thoughtful consideration of agricultural schedules to ensure that systems are reinstated at a moment that reduces interference with farming tasks.

After the Ag-IoT system has been recovered and the breached components fixed or rebuilt, it is crucial to perform comprehensive testing to confirm its full functionality. This process includes validating the proper operation of all elements, such as sensors, actuators, communication networks, and data processing units. Functional testing should simulate real agricultural situations to ensure that the systems can operate effectively under normal conditions. Furthermore, security assessments must be performed to verify that vulnerabilities have been resolved and that systems are no longer prone to the same attacks that caused the initial compromise.

Lesson learnt

This phase plays a critical role in improving the resilience and security of the agricultural technology ecosystem. It focuses on extracting insight and actionable information from incidents to improve future responses and system robustness. A comprehensive assessment is required to pinpoint the strengths and weaknesses of the existing incident response (IR) strategy. This evaluation should result in a clear set of lessons to take away, such as recognizing the vulnerabilities that were exploited, assessing the efficacy of containment measures, and assessing timeliness and teamwork within the IR team. The knowledge gained should then be used to review and improve the security protocols, software, and hardware components of the Ag-IoT system42.

Feedback

To finalize the documentation that was not completed during the incident, along with any additional documentation that could be useful for future incidents, a meeting should be called after the incident is recovered to learn from the IR, review the strategy for updating the system, and collect feedback using a common form or template.

Digital forensics phase-II

Digital Forensics Phase-II (DF-II) follows DF-I during the post-incident phase of the proposed DFIRMM. DF-II is focused on the examination, analysis, and documentation of evidence. Ag-IoT is a sophisticated technology that encompasses other technologies to facilitate connectivity, communication, data storage, multimedia, and cloud services. The use of diverse technologies extends the problem of IoT forensics into other dimensions, as shown in Fig. 3. All these dimensions are used in holistic IoT29,43,44 and, with respect to Ag-IoT, are discussed in the thesis45. The classified sources and the corresponding forensic tools are discussed in Table 7. DF-II requires additional personnel in the form of forensic experts and an intensive effort to identify the applicable case law. For this reason, the DF-II phase in the proposed DFIRMM is optional. This phase can be activated if the incident is very dangerous and causes a large business loss or otherwise jeopardizes the business.

Fig. 3. Dimensions of Ag-IoT forensics.

DF-II contains the core steps to confirm the perpetrator based on data examination, evidence analysis, and reports prepared to prove it in a court of law. These phases are further discussed in Fig. 1.

Examination

In the examination phase, a forensic analyst scrutinizes the evidence collected to understand the details of the cyber incident. Given the diverse and interconnected nature of Ag-IoT systems, which can include everything from soil moisture sensors to autonomous tractors and cloud-based data analytics platforms, the examination process must be both thorough and adaptable. Forensic tools can be utilized to analyze data stored on Ag-IoT devices, including logs, sensor data, configuration files, and communication records with other devices and servers. Network traffic logs and patterns should be examined to identify suspicious activities, such as unauthorized access or data exfiltration attempts.

Analysis

Ag-IoT encompasses a wide array of devices, including sensors, drones, automated irrigation systems, and cloud-based data analytics platforms, making the analysis both crucial and complex. A secure and isolated analysis environment should be established to prevent any potential contamination of evidence or the introduction of biases in the data. The appropriate digital forensic tools should be utilized to handle the specific types of data generated by Ag-IoT devices; this may include specialized software for network analysis, data carving, and log analysis. Timelines of events should be constructed from logs and metadata to understand the sequence of actions leading up to and following the incident, and fragmented data pieces should be reconstructed into meaningful information. Data transmissions between Ag-IoT devices and external networks should be examined to identify any unauthorized access or data exfiltration attempts. Different applications, such as machine learning or statistical analysis tools, can be utilized to identify anomalies in data patterns that could indicate malicious activity or system malfunctions. The correlated data from different sources (e.g., devices, logs, network traffic) can then be arranged chronologically to construct a comprehensive view of the incident, and the resulting patterns or events analyzed to establish the method and timeline of the attack or breach.

Presentation

The presentation stage involves documenting the procedures followed throughout the investigation, the results obtained from the examination and analysis stages, and any inferences made. The results, proofs, and inferences are consolidated into a detailed, customized report for the target audience, which could consist of technical personnel, legal representatives, law enforcement officials, and senior executives. The report must effectively convey the details of the case, supported by evidence, and might also propose measures to avert potential events.

Experimental evaluation and results

To evaluate the proposed incident response model, we conducted a case study based analysis on MQTT enabled smart Agriculture network. We assume that all the managerial operations mentioned in the model are followed. Detailed information on the experimental setup, the data set, analysis, and suggested incident response is given below.

Smart agriculture setup

The adoption of advanced technologies such as the Internet of Things (IoT) has greatly transformed agricultural methods. Farmers use IoT devices, including soil moisture sensors, water level sensors, temperature and humidity sensors, light sensors, CO2 gas sensors, motion sensors, and actuators such as motor pumps to improve crop production and efficiently use resources. In addition, alarm systems are established to alert farmers about potential dangers such as fires, animal intrusions, or unauthorized entry into farm areas.

In our analysis, we consider a smart irrigation and monitoring setup that incorporates various sensors and actuators, as depicted in Fig. 4. These sensors deliver instantaneous soil condition data, facilitating targeted irrigation management tailored to the specific requirements of different agricultural zones. Communication between sensors and actuators is conducted using the MQTT protocol. Installed in irrigation reservoirs or tanks, water level sensors keep track of water quantities to guarantee a sufficient irrigation supply. They issue warnings when water levels drop, necessitating refilling or water saving actions. Temperature and humidity sensors monitor vital environmental parameters such as temperature and humidity, which are essential to evaluate crop vitality and vulnerability to diseases. The immediate feedback from these sensors enables farmers to modify irrigation timings and apply cultivation methods suited to specific climates. Light sensors assess the intensity of ambient light, offering information on sunlight exposure in the farm. These data are crucial for optimal crop arrangement and the tailoring of irrigation plans for light-dependent plants, improving even growth, and maximising agricultural output. CO2 gas sensors assess carbon dioxide concentrations in the atmosphere, reflecting photosynthetic activity and the general health of plants. By evaluating CO2 levels together with other environmental factors, farmers can detect unintended fires in their crops. Motion sensors identify movements on the farm, acting as a preventive measure against intruders or animals. These sensors activate alarms or send notifications to inform farm staff immediately about possible security violations. Actuators, such as motor pumps, control water distribution based on sensor readings and irrigation plans, streamlining the irrigation process to provide exact water quantities to plants, thus reducing water and energy use. A security system equipped with sensors for detecting fires, animal entries, or unauthorized access monitors the farm's safety. It notifies farmers or security personnel about potential dangers, allowing prompt actions to reduce risks. The benefits of this system include water conservation, improved crop yield and quality, cost savings, and improved security.

Fig. 4. Smart irrigation and monitoring using Ag-IoT.

Attack scenarios and datasets

Given the critical nature of the Ag-IoT setup, attacks are possible through the inherent vulnerabilities of networks and communication protocols. In this study, we considered DoS and DDoS attacks on the smart agriculture system that disrupt its operations. These attacks are launched using different open-source tools such as MQTT-malaria, IoT-Flock, and MQTTSA46.

We used the MQTTset46 dataset, which was collected from an MQTT based network environment that resembles the smart agriculture setup described above. In addition, we also analysed a similar dataset, DoS/DDoS-MQTT-IoT47. The details of both datasets are given in Table 9.

Table 9.

Datasets and attack categories.

| Dataset | Attack category | Attack |
|---|---|---|
| DoS/DDoS-MQTT-IoT | DoS/DDoS | Basic Connect Flooding |
| | | WILL Payload Flooding |
| | | Delayed Connect Flooding |
| | | Invalid Subscription Flooding |
| | | SYN TCP Flooding |
| MQTTset | Benign | Normal Traffic |
| | DoS | Bruteforce |
| | | Flood |
| | | Malaria |
| | | Malformed |
| | | Slowite |
| | Benign | Normal Traffic |

Pre-incident phase

In this phase, we prepare the Ag-IoT system technically to identify a list of incidents, data sources, and security policies as shown in Table 10. As stated earlier, we assume that all managerial steps are followed as described in section “Pre-incident”.

Table 10.

Technical preparation.

| S.No | Incident | Pattern | Data source | Security policy |
|---|---|---|---|---|
| 1 | Physical Intrusion | Presence of people in the farm during unexpected timings | Motion Sensor Data | Match the time of motion sensor data with a predefined time |
| 2 | Fire Accident | High level of temperature and CO2, presence of unexpected people | CO2 and Temperature Data, Motion Sensor Data | Check the sensor data for abnormal values and presence of unwanted people |
| 3 | Farm Control Hijack | Brute-force authentication with multiple unsuccessful CONNECT requests | Network Traffic | Threshold on number of successive attempts to login by a client |
| 4 | Denial of Service | Bruteforce authentication, flooding with CONNECT, PUBLISH and WILL payload messages, TCP flooding, SYN flooding | Network Traffic | Threshold on number of successive requests by a client |
| 5 | Distributed Denial of Service | Similar to DoS, but multiple attacker/compromised nodes are involved | Network Traffic | Threshold on the number of successive requests by client(s) |
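As an added example (not the authors' code), the security policies for incidents 3, 4 and 5 in Table 10 are applied as per-client sliding-window thresholds over a constructed broker-side connection log. The log line format, the thresholds and the window length are this example's assumptions; the client addresses reuse those the paper reports in Table 12.

```python
"""Threshold-based detection of MQTT brute-force, DoS and DDoS incidents.

Added example (not the paper's code). Log format, thresholds and window are
assumptions; the sample log is constructed, not taken from MQTTset or
DoS/DDoS-MQTT-IoT.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed log lines: '<ISO-8601 time> <client ip> <MQTT packet> <result>'."""
    t0 = datetime(2025, 1, 10, 2, 15, 0, tzinfo=timezone.utc)
    lines = []
    # benign sensor node publishing a soil-moisture reading once per second
    for i in range(30):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 192.168.1.50 PUBLISH ok")
    # brute-force authentication: 8 refused CONNECTs within 3.5 s (incident 3)
    for i in range(8):
        ts = t0 + timedelta(seconds=10, milliseconds=500 * i)
        lines.append(f"{ts.isoformat()} 192.168.1.90 CONNECT refused-not-authorized")
    # connect flooding from two nodes, 40 CONNECTs each within 4 s (incidents 4 and 5)
    for ip in ("192.168.90.100", "192.168.90.101"):
        for i in range(40):
            ts = t0 + timedelta(seconds=20, milliseconds=100 * i)
            lines.append(f"{ts.isoformat()} {ip} CONNECT ok")
    lines.sort(key=lambda line: datetime.fromisoformat(line.split()[0]))
    return lines


def _trim(queue, now, window):
    """Drop timestamps that have fallen out of the sliding window."""
    while queue and now - queue[0] > window:
        queue.popleft()


def detect_incidents(lines, window=timedelta(seconds=10),
                     failed_connect_limit=5, request_limit=30, ddos_min_clients=2):
    """Return one record per (incident, client) the first time its threshold is crossed,
    plus a single DDoS record when several clients trip the DoS policy."""
    failed_connects = defaultdict(deque)   # incident 3: refused CONNECTs per client
    requests = defaultdict(deque)          # incident 4: any MQTT request per client
    flagged = set()
    incidents = []
    for line in lines:
        ts_text, client, packet, result = line.split(maxsplit=3)
        ts = datetime.fromisoformat(ts_text)
        req_q = requests[client]
        req_q.append(ts)
        _trim(req_q, ts, window)
        if packet == "CONNECT" and result != "ok":
            fail_q = failed_connects[client]
            fail_q.append(ts)
            _trim(fail_q, ts, window)
            key = ("Farm Control Hijack", client)
            if len(fail_q) > failed_connect_limit and key not in flagged:
                flagged.add(key)
                incidents.append({"incident": key[0], "client": client,
                                  "time": ts.isoformat(), "count": len(fail_q)})
        key = ("Denial of Service", client)
        if len(req_q) > request_limit and key not in flagged:
            flagged.add(key)
            incidents.append({"incident": key[0], "client": client,
                              "time": ts.isoformat(), "count": len(req_q)})
    # incident 5: the DoS policy tripped by several distinct clients
    dos_clients = sorted(c for kind, c in flagged if kind == "Denial of Service")
    if len(dos_clients) >= ddos_min_clients:
        incidents.append({"incident": "Distributed Denial of Service", "clients": dos_clients})
    return incidents


if __name__ == "__main__":
    for record in detect_incidents(build_sample_log()):
        print(record)
```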

Incident phase

We used four machine learning techniques to classify MQTT network traffic for the attacks listed in Table 9. Based on the security policies identified for different incidents, we statistically analyzed network traffic from the MQTT datasets to detect the incidents (3,4,5) listed in Table 10. The average results are given in Figs. 5, 6 and Table 11. The results show that among the four algorithms used, KNN performed better with both datasets. Once an incident is detected, it is reported to the system stakeholders for necessary action.

Fig. 5. Classification performance of MQTTSet dataset.

Fig. 6. Classification performance of DoS/DDoS-MQTT-IoT dataset.

Table 11.

Attack classification results for two datasets using different ML algorithms.

Dataset | Algorithm | Accuracy (%) | Precision (%) | Recall (%) | Specificity (%) | F1-Score (%)
MQTTset46 | DT | 91.55 | 92.83 | 91.75 | 91.30 | 92.29
MQTTset | RF | 93.63 | 92.37 | 91.25 | 95.16 | 91.81
MQTTset | SVM | 95.43 | 96.47 | 95.15 | 95.77 | 95.81
MQTTset | KNN | 97.33 | 98.37 | 96.08 | 98.50 | 97.21
DoS/DDoS-MQTT-IoT47 | DT | 97.27 | 98.13 | 98.65 | 89.73 | 98.39
DoS/DDoS-MQTT-IoT | RF | 97.63 | 96.97 | 97.34 | 97.84 | 97.15
DoS/DDoS-MQTT-IoT | SVM | 96.72 | 97.37 | 98.12 | 93.05 | 97.74
DoS/DDoS-MQTT-IoT | KNN | 99.73 | 99.57 | 99.55 | 99.81 | 99.56
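The five columns of Table 11 are all derived from one confusion matrix, and specificity is the one that is easy to overlook: it is the share of normal traffic that the classifier leaves alone, which is what a farm operator feels as false alarms. The example below computes the same five metrics from a constructed set of labels; it is added here and is not the evaluation code used in the paper, and the labelled sample is invented for the illustration with "attack" as the positive class.

```python
"""The metrics of Table 11 computed from a confusion matrix.

Added example, not the paper's evaluation code. The labelled sample is
constructed; 'attack' is treated as the positive class.
"""


def confusion_counts(y_true, y_pred, positive="attack"):
    """Return (TP, FP, FN, TN) for the given positive class."""
    tp = fp = fn = tn = 0
    for truth, guess in zip(y_true, y_pred):
        if guess == positive:
            if truth == positive:
                tp += 1
            else:
                fp += 1
        elif truth == positive:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def classification_metrics(y_true, y_pred, positive="attack"):
    """Accuracy, precision, recall, specificity and F1 in percent, rounded to two decimals."""
    tp, fp, fn, tn = confusion_counts(y_true, y_pred, positive)
    precision = tp / (tp + fp) if tp + fp else 0.0      # flagged traffic that really was an attack
    recall = tp / (tp + fn) if tp + fn else 0.0         # attacks that were caught
    specificity = tn / (tn + fp) if tn + fp else 0.0    # normal traffic that was left alone
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    accuracy = (tp + tn) / (tp + tn + fp + fn)

    def pct(x):
        return round(100 * x, 2)

    return {
        "accuracy": pct(accuracy),
        "precision": pct(precision),
        "recall": pct(recall),
        "specificity": pct(specificity),
        "f1_score": pct(f1),
    }


# Constructed ground truth: 8 attack flows and 12 normal flows.
Y_TRUE = ["attack"] * 8 + ["normal"] * 12
# Constructed classifier output: 6 attacks caught, 2 missed, 1 normal flow wrongly flagged.
Y_PRED = ["attack"] * 6 + ["normal"] * 2 + ["attack"] + ["normal"] * 11

if __name__ == "__main__":
    for name, value in classification_metrics(Y_TRUE, Y_PRED).items():
        print(f"{name:>12}: {value:.2f}%")
```

Read against Table 11, the DT row for the DoS/DDoS-MQTT-IoT dataset shows the point of reporting specificity separately: recall is 98.65% while specificity is 89.73%, so that model catches nearly every attack but also mislabels about a tenth of the normal traffic.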

Post-incident phase

As presented in the proposed model, this phase focuses on two activities, namely digital forensics and incident response. The digital forensic investigation is conducted in two phases; the first phase also serves as preparation for incident response. Based on the incidents detected, the relevant data sources are collected and preserved for post-incident analysis.

Digital forensics phase-I

Based on the information collected during incident detection, we identified relevant artifacts from network traffic and preserved them for analysis. The list of identified artifacts is given in Table 12.

Table 12.

List of Artifacts for different Attacks.

Dataset | Attack | Artifact type | Attack details
DoS/DDoS-MQTT-IoT | Basic Connect Flooding | Network traffic | Network traffic originated from nodes with IP addresses 192.168.90.100, 192.168.90.101, and 192.168.90.102
DoS/DDoS-MQTT-IoT | WILL Payload Flooding | Network traffic | (as above)
DoS/DDoS-MQTT-IoT | Delayed Connect Flooding | Network traffic | (as above)
DoS/DDoS-MQTT-IoT | Invalid Subscription Flooding | Network traffic | (as above)
DoS/DDoS-MQTT-IoT | SYN TCP Flooding | Network traffic | (as above)
MQTTset | Bruteforce | Network traffic | Traffic from nodes with IP addresses 192.168.1.90 and 192.168.1.91
MQTTset | Flood | Network traffic | Traffic from nodes with IP addresses 10.16.100.73 and 192.168.1.100
MQTTset | Malaria | Network traffic | Traffic from nodes with IP addresses 192.168.1.90 and 192.168.1.91
MQTTset | Malformed | Network traffic | Network traffic originated from nodes with IP addresses 192.168.1.90 and 192.168.1.91
MQTTset | Slowite | Network traffic | Network traffic originated from nodes with IP addresses 10.16.120.44 and 10.16.120.72

Incident response

We propose a Quality of Service (QoS) based incident response to address different priorities of the target system. MQTT offers three levels (0,1,2) of QoS with varying impacts on the network48. The QoS recommendations for different categories of attacks are given in Table 13. Pre-QoS and Post-QoS represent the QoS levels in the network before and after attack detection, respectively.

Table 13.

Quality of Service (QoS) based incident response recommendations.

S.No | Incident | Pre-QoS | Post-QoS | Justification | Containment / eradication
1 | Control Hijack | 0 | 0 | To prevent further impact | Enforce advanced authentication mechanisms such as salt and hash based authentication
1 | Control Hijack | 1 | 0 | To prevent further impact | (as above)
1 | Control Hijack | 2 | 0/1 | To reduce further impact | (as above)
2 | DoS | 0 | 0 | To prevent further impact | Filter/restrict suspicious traffic through firewall or throttling (setting a limit on the number of messages a client can send in a given time period)
2 | DoS | 1 | 0 | To prevent further impact | (as above)
2 | DoS | 2 | 0 | To prevent further impact | (as above)
3 | DDoS | 0 | 0 | To prevent further impact | Enforce client level traffic monitoring and throttling
3 | DDoS | 1 | 0 | To prevent further impact | (as above)
3 | DDoS | 2 | 0 | To prevent further impact | (as above)

Containment

Considering the DoS/DDoS attacks in place, one of the important measures to limit the spread or impact of the attacks is to regulate the network traffic. To achieve this, for each incoming request, the IP address of the client is monitored on the MQTT broker to identify the number and frequency of its requests. Requests originating from suspicious clients are blocked when necessary. For example, MQTT uses TCP, so any UDP traffic from random clients can be safely blocked to avoid flooding attacks. Similarly, any traffic directed towards unauthorized ports may be blocked. Traffic throttling is another way to limit traffic from suspicious clients. In addition, the QoS level can be adapted, as recommended in Table 13, to limit the number of message exchanges between clients and the broker.
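The containment steps above (per-client request accounting at the broker, dropping non-TCP traffic and traffic to unserved ports, and throttling before blocking) fit into one decision function in front of the broker. The following is an added example and not the paper's code or any MQTT broker's implementation; the listener ports, bucket size, refill rate, escalation threshold and the request timeline are all assumed values chosen for the illustration.

```python
"""Containment at the MQTT broker: per-client request accounting with throttling and blocking.

Added example, not code from the paper or from any broker. Port list, bucket
size, refill rate, escalation threshold and the request timeline are assumptions.
"""

ALLOWED_PORTS = {1883, 8883}   # assumed: the only listeners the broker exposes (plain, TLS)
BUCKET_CAPACITY = 5            # assumed: burst of requests a client may send at once
REFILL_PER_SECOND = 2          # assumed: sustained request rate a client may keep up
BLOCK_AFTER_DROPS = 3          # assumed: throttled requests in a row before the client is blocked
MILLI = 1000                   # tokens are kept in thousandths so the bucket never needs floats


class ClientState:
    def __init__(self, now_ms):
        self.tokens = BUCKET_CAPACITY * MILLI
        self.last_ms = now_ms
        self.drops = 0
        self.blocked = False


class BrokerGuard:
    def __init__(self):
        self.clients = {}
        self.block_events = []   # (time_ms, ip): kept as evidence for the post-incident phase

    def decide(self, now_ms, src_ip, proto, dst_port):
        """Return 'allow', 'throttle' or 'block' for one incoming request."""
        # MQTT runs over TCP; anything else, or any port the broker does not serve, is dropped.
        if proto != "TCP" or dst_port not in ALLOWED_PORTS:
            return "block"
        st = self.clients.get(src_ip)
        if st is None:
            st = self.clients[src_ip] = ClientState(now_ms)
        if st.blocked:
            return "block"
        # Token bucket: refill REFILL_PER_SECOND tokens/s (= that many millitokens per ms),
        # capped at the burst size, then spend one token per request.
        st.tokens = min(BUCKET_CAPACITY * MILLI,
                        st.tokens + (now_ms - st.last_ms) * REFILL_PER_SECOND)
        st.last_ms = now_ms
        if st.tokens >= MILLI:
            st.tokens -= MILLI
            st.drops = 0
            return "allow"
        # Out of budget: throttle first, and escalate to a block on repeated abuse.
        st.drops += 1
        if st.drops >= BLOCK_AFTER_DROPS:
            st.blocked = True
            self.block_events.append((now_ms, src_ip))
            return "block"
        return "throttle"


def simulate():
    """Constructed timeline: a sensor at 1 Hz, a flooder at 10 Hz, and two stray packets."""
    guard = BrokerGuard()
    sensor = [guard.decide(t * 1000, "192.168.1.50", "TCP", 1883) for t in range(5)]
    flooder = [guard.decide(t * 100, "192.168.90.100", "TCP", 1883) for t in range(10)]
    stray = [guard.decide(0, "10.0.0.7", "UDP", 1883),   # UDP: MQTT never uses it
             guard.decide(0, "10.0.0.7", "TCP", 23)]     # unserved port
    return {"sensor": sensor, "flooder": flooder, "stray": stray,
            "blocked": guard.block_events}


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The sensor that publishes once a second never exhausts its bucket, while the flooder is allowed its burst, throttled twice and then blocked, with the block time and address retained for the forensic phase. The QoS downgrade of Table 13 is a complementary lever: it reduces the acknowledgement traffic per message, whereas this guard reduces the number of messages.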

Eradication

Once security experts identify the root cause of the vulnerabilities that open the door to attacks, the next step is to eradicate them. Sometimes immediate security patches are not readily available; in that case it is recommended to change the security configuration to safeguard the system from further exploitation. For example, a strong authentication mechanism can be enforced in the target system using client certificates or OAuth. To address attacks targeting the network bandwidth, the message size can be limited by enforcing a policy on the MQTT broker.
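Two of the configuration-level measures just mentioned, the "salt and hash based authentication" of Table 13 and the message-size policy, can be shown side by side with the weak form they replace. This is an added example, not the paper's code or any broker's authentication plugin; the PBKDF2 iteration count, salt length and payload limit are assumed values.

```python
"""Configuration-level eradication: salted, iterated password hashing for client
authentication, beside the unsalted form it replaces, and a per-message payload limit.

Added example, not the paper's or any broker's code. Iteration count, salt
length and the payload limit are assumed values.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 300_000   # assumed work factor; tune to the broker's hardware
SALT_BYTES = 16
MAX_PAYLOAD_BYTES = 1024      # assumed broker policy: larger PUBLISH payloads are rejected


def unsalted_digest(password):
    """The weak form: equal passwords give equal digests, so one cracked hash exposes every
    client that shares the password, and precomputed tables work against the whole store."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_credential(password, salt=None):
    """Return (salt, digest). A random per-credential salt makes equal passwords differ at rest."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_credential(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class CredentialStore:
    """Broker-side store consulted when a CONNECT packet carries a username and password."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password):
        self.users[username] = make_credential(password)

    def authenticate_connect(self, username, password):
        # Unknown users are checked against a dummy credential so that the response time does
        # not reveal whether the username exists; the dummy digest can never match.
        salt, digest = self.users.get(username, (b"\0" * SALT_BYTES, b"\0" * 32))
        return verify_credential(password, salt, digest)


def accept_publish(payload: bytes) -> bool:
    """Message-size policy against bandwidth-exhaustion attacks."""
    return len(payload) <= MAX_PAYLOAD_BYTES


if __name__ == "__main__":
    store = CredentialStore()
    store.add_user("soil-sensor-01", "constructed-example-password")
    print(store.authenticate_connect("soil-sensor-01", "constructed-example-password"))
    print(accept_publish(b"x" * (MAX_PAYLOAD_BYTES + 1)))
```

The two credentials built from the same password differ because their salts differ, while the unsalted digests are identical; that difference is the whole reason the table recommends salt and hash based authentication rather than a bare hash.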

Recovery

Once the recommended steps are taken, the system can be restarted to perform its functions. Although the system may have recovered from the major impacts, any unaddressed vulnerabilities can still cause recurring incidents. In this phase, close monitoring of the system is recommended.

Lessons learned

A detailed analysis of the attack patterns and eradication mechanisms gives us useful insight to improve the overall security of the system. It also helps to educate farmers to follow best security practices. The lessons learned from the statistical analysis and the case study are listed below.

  • A series of DoS and DDoS attacks was launched on the MQTT network.

  • The major attacks exploited vulnerabilities in the weak authentication policy of the MQTT network.

  • Flooding DoS contributes the highest volume of attack traffic.

  • Policies concerning authentication and traffic filtering will address the root problem in the MQTT network.

Feedback

Finally, the insights of the incident response case study are used to improve overall security as well as to prepare for the next iteration of the incidents with more sophisticated approaches.

Digital Forensics Phase-II

We analyzed the artifacts collected during the earlier digital forensics phase and detected the malicious communication patterns between the attacker and victim nodes in the network. As described in Table 12, attacks were launched from different IP addresses targeting other IoT devices and MQTT brokers in the network.
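The two forensic phases above amount to preserving the captured traffic in a verifiable form (phase I) and then reducing it to the attacker-to-victim communication pattern (phase II). The following added example does both over a constructed set of flow records; it is not the paper's analysis code, and while the suspect addresses are the MQTTset attacker nodes listed in Table 12, the flow records, the victim addresses and the record format are invented for the illustration.

```python
"""Forensics phase I (preserve the network-traffic artifact verifiably) and phase II (extract
the communication pattern between suspect and victim nodes) over constructed flow records.

Added example, not the paper's analysis code. Suspect addresses are those of Table 12
for the MQTTset attacks; the flow records and victim addresses are constructed.
"""
import hashlib
import hmac
import json
from collections import Counter

SUSPECT_NODES = {"192.168.1.90", "192.168.1.91"}   # attacker nodes per Table 12 (MQTTset)

# Constructed flow records: (seconds, src_ip, dst_ip, dst_port, mqtt_packet_type)
SAMPLE_FLOWS = [
    (0.0, "192.168.1.50", "192.168.1.10", 1883, "PUBLISH"),
    (0.4, "192.168.1.90", "192.168.1.10", 1883, "CONNECT"),
    (0.5, "192.168.1.90", "192.168.1.10", 1883, "CONNECT"),
    (0.6, "192.168.1.91", "192.168.1.10", 1883, "CONNECT"),
    (0.9, "192.168.1.91", "192.168.1.20", 1883, "PUBLISH"),
    (1.2, "192.168.1.60", "192.168.1.10", 1883, "SUBSCRIBE"),
]


def preserve(flows):
    """Phase I: canonical serialisation plus SHA-256, so the preserved artifact can be
    re-verified later regardless of the order in which records were captured."""
    blob = json.dumps(sorted(flows), separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify_preserved(flows, recorded_digest):
    """Check an artifact against the digest recorded at preservation time."""
    return hmac.compare_digest(preserve(flows), recorded_digest)


def communication_patterns(flows, suspects):
    """Phase II: who talked to whom, restricted to flows that touch a suspect node."""
    pairs = Counter()
    packet_types = Counter()
    for _, src, dst, _, ptype in flows:
        if src in suspects or dst in suspects:
            pairs[(src, dst)] += 1
            packet_types[ptype] += 1
    victims = sorted({dst for (src, dst) in pairs if src in suspects})
    return {"pairs": dict(pairs), "packet_types": dict(packet_types), "victims": victims}


if __name__ == "__main__":
    digest = preserve(SAMPLE_FLOWS)
    print("artifact sha256:", digest)
    for (src, dst), n in communication_patterns(SAMPLE_FLOWS, SUSPECT_NODES)["pairs"].items():
        print(f"{src} -> {dst}: {n} packets")
```

Sorting before hashing is what makes the digest a property of the evidence rather than of the capture order; any change to a single record, including dropping one, changes the digest and fails verification.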

Conclusion

The integration of IoT into agriculture has transformed monitoring and control practices and has also raised concerns about potential cyber attacks. A DFIRMM establishes a solid foundation for safeguarding and strengthening Ag-IoT systems against emerging cyber attacks, ensuring resilience in the future agriculture industry. This article proposed a DFIR management model for Ag-IoT to address the unique challenges of the Ag-IoT sector by prioritizing prompt incident detection, analysis, and recovery while preserving evidence for future use in digital forensics. The case study presented in this article demonstrates the practical relevance of the proposed model in a real-time Ag-IoT setup. We believe that the proposed DFIRMM empowers stakeholders in the agricultural sector to protect their IoT ecosystems and ensure the integrity, confidentiality, and availability of critical agricultural data and services.

Author contributions

S.R: Conceptualization, Methodology, & Writing - original draft, Writing - review and editing. P.R: Supervision, Resources, Validation, Writing - review & editing. L.S: Investigation, Resources, Writing - review & editing.

Data availability

The datasets analysed during the current study are available in the Kaggle repository: MQTTset and DoS/DDoS-MQTT-IoT.

Competing interests

The author(s) declare no competing interests.

Footnotes

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

References

  • 1. Tzounis, A., Katsoulas, N., Bartzanas, T. & Kittas, C. Internet of things in agriculture, recent advances and future challenges. Biosys. Eng. 164, 31–48 (2017).
  • 2. Das, M. et al. Synergy of 6G technology and IoT networks for transformative applications. Int. J. Commun. Syst. 37, e5869 (2024).
  • 3. Alreshidi, E. Smart sustainable agriculture (SSA) solution underpinned by internet of things (IoT) and artificial intelligence (AI). Int. J. Adv. Comput. Sci. Appl. 10(5), 93–102 (2019). https://doi.org/10.14569/IJACSA.2019.0100513
  • 4. Chamara, N., Islam, M. D., Bai, G. F., Shi, Y. & Ge, Y. Ag-IoT for crop and environment monitoring: past, present, and future. Agric. Syst. 203, 103497 (2022). https://doi.org/10.1016/j.agsy.2022.103497
  • 5. Uddin, M. A., Mansour, A., Le Jeune, D. & Aggoune, E. H. M. Agriculture internet of things: Ag-IoT. In 2017 27th International Telecommunication Networks and Applications Conference (ITNAC) 1–6 (IEEE, 2017). https://doi.org/10.1109/ATNAC.2017.8215399
  • 6. Rudrakar, S. & Rughani, P. IoT based agriculture (Ag-IoT): a detailed study on architecture, security and forensics. Inf. Process. Agric. (2023). https://doi.org/10.1016/j.inpa.2023.09.002
  • 7. Rudrakar, S., Rughani, P. & Rami, J. UART port bane or boon: vulnerabilities vs significance for digital investigation in Ag-IoT. In 2023 16th International Conference on Security of Information and Networks (SIN) 1–6 (IEEE, 2023).
  • 8. Yang, X. et al. A survey on smart agriculture: development modes, technologies, and security and privacy challenges. IEEE/CAA J. Autom. Sin. 8, 273–302 (2021). https://doi.org/10.1109/JAS.2020.1003536
  • 9. de Araujo Zanella, A. R., da Silva, E. & Albini, L. C. P. Security challenges to smart agriculture: current state, key issues, and future directions. Array 8, 100048 (2020). https://doi.org/10.1016/j.array.2020.100048
  • 10. Kulkarni, A. et al. A review of cybersecurity incidents in the food and agriculture sector (2024).
  • 11. Martínez, J. & Durán, J. M. Software supply chain attacks, a threat to global cybersecurity: SolarWinds’ case study. Int. J. Saf. Secur. Eng. 11, 537–545 (2021). https://doi.org/10.18280/ijsse.110505
  • 12. Starks, T. Livestock feeding and an Iowa farming cooperation.
  • 13. Crozier, R. Australian wool sales stopped by ransomware attack (2020).
  • 14. Bolfe, E., Barbedo, J. G. A., Massruhá, S. M. F. S., de Souza, K. X. S. & Assad, E. D. Challenges, trends and opportunities in digital agriculture in Brazil (2023).
  • 15. Shahbandeh, M. Smart agriculture—statistics & facts. https://www.statista.com/topics/4134/smart-agriculture (2024).
  • 16. Braley, J. Food and agriculture sector eyes cybersecurity threats. https://www.govtech.com/security/food-and-agriculture-sector-eyes-cybersecurity-threats (2024, accessed 5 Nov 2024).
  • 17. IBM. What is incident response. https://www.ibm.com/topics/incident-response (2024).
  • 18. Congress, U. Federal Information Security Modernization Act of 2014. Public Law 113–283 (2014).
  • 19. Cichonski, P., Millar, T., Grance, T. & Scarfone, K. Computer security incident handling guide. NIST Spec. Publ. 800, 1–147 (2012). https://dx.doi.org/10/6028/NIST.SP.80061r2
  • 20. Kral, P. The incident handlers handbook. SANS Institute (2011).
  • 21. ISO/IEC. Information technology—information security incident management. https://www.iso.org/obp/ui/en/#iso:std:iso-iec:27035:-1:ed-2:v1:en (2023, accessed 07/01/2024).
  • 22. ENISA. Good practice guide for incident management. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management (2010, accessed 7 Aug 2023).
  • 23. ENISA. ENISA CSIRT maturity framework—updated and improved. https://www.enisa.europa.eu/publications/enisa-csirt-maturity-framework (2022, accessed 07/08/2023).
  • 24. Salfati, E., Salfati, E. & Pease, M. Digital forensics and incident response (DFIR) framework for operational technology (OT) (2022). https://doi.org/10.6028/NIST.IR.8428
  • 25. ISA. Cybersecurity in the food and agriculture sector (2024, accessed 27 Feb 2024).
  • 26. Cook, A., Maglaras, L., Smith, R. & Janicke, H. Managing incident response in the industrial internet of things. Int. J. Internet Technol. Secur. Trans. 8, 251–276 (2018). https://doi.org/10.1504/IJITST.2018.093336
  • 27. Rudrakar, S., Rughani, P. H. & Sadineni, L. Incident response in smart agriculture: an MQTT case study. In 2024 15th International Conference on Computing Communication and Networking Technologies (ICCCNT) 1–7 (IEEE, 2024).
  • 28. ISO/IEC. ISO/IEC 27035-2:2023 - Information technology - Information security incident management - Part 2: Guidelines to plan and prepare for incident response. https://www.iso.org/standard/78974.html (2024, accessed 2 Feb 2024).
  • 29. Sadineni, L., Pilli, E. & Battula, R. B. A holistic forensic model for the internet of things. In Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers 15, 3–18 (Springer, 2019). https://doi.org/10.1007/978-3-030-28752-8_1
  • 30. Demestichas, K., Peppes, N. & Alexakis, T. Survey on security threats in agricultural IoT and smart farming. Sensors 20, 6458 (2020).
  • 31. Chamara, N., Islam, M. D., Bai, G. F., Shi, Y. & Ge, Y. Ag-IoT for crop and environment monitoring: past, present, and future. Agric. Syst. 203, 103497 (2022). https://doi.org/10.1016/j.agsy.2022.103497
  • 32. Ray, P. P. Internet of things for smart agriculture: technologies, practices and future direction. J. Ambient Intell. Smart Environ. 9, 395–420 (2017). https://doi.org/10.3233/ais-170440
  • 33. Tao, W., Zhao, L., Wang, G. & Liang, R. Review of the internet of things communication technologies in smart agriculture and challenges. Comput. Electron. Agric. 189, 106352 (2021). https://doi.org/10.1016/j.compag.2021.106352
  • 34. Shinde, N. & Kulkarni, P. Cyber incident response and planning: a flexible approach. Comput. Fraud Secur. 2021, 14–19 (2021).
  • 35. Hassanzadeh, A. et al. A review of cybersecurity incidents in the water sector. J. Environ. Eng. 146, 03120003 (2020).
  • 36. Shirey, R. Internet security glossary. https://datatracker.ietf.org/doc/html/rfc2828 (2022).
  • 37. Brezinski, D. Guidelines for evidence collection and archiving. https://datatracker.ietf.org/doc/html/rfc3227.
  • 38. Jones, J. & Etzkorn, L. Analysis of digital forensics live system acquisition methods to achieve optimal evidence preservation. In SoutheastCon 2016 1–6 (IEEE, 2016).
  • 39. Brotsis, S. et al. Blockchain solutions for forensic evidence preservation in IoT environments. In 2019 IEEE Conference on Network Softwarization (NetSoft) 110–114 (2019). https://doi.org/10.1109/NETSOFT.2019.8806675
  • 40. Ruiz-Villafranca, S., Gómez, J. M. C. & Roldán-Gómez, J. A forensic tool for the identification, acquisition and analysis of sources of evidence in IoT investigations. Internet Things 27, 101308 (2024).
  • 41. Thompson, E. C. & Thompson, E. C. Containment. In Cybersecurity Incident Response: How to Contain, Eradicate, and Recover from Incidents 99–116 (2018).
  • 42. Shedden, P., Ahmad, A. & Ruighaver, A. Organisational learning and incident response: promoting effective learning through the incident response process (2010).
  • 43. Mahmood, H., Arshad, M., Ahmed, I., Fatima, S. & ur Rehman, H. Comparative study of IoT forensic frameworks. Forens. Sci. Int. Digital Investig. 49, 301748 (2024). https://doi.org/10.1016/j.fsidi.2024.301748
  • 44. Pilli, E. S., Joshi, R. C. & Niyogi, R. Network forensic frameworks: survey and research challenges. Digital Investig. 7, 14–27 (2010). https://doi.org/10.1016/j.diin.2010.02.003
  • 45. Wu, T. Digital forensic investigation of IoT devices: tools and methods. Ph.D. thesis, University of Oxford (2020).
  • 46. Vaccari, I., Chiola, G., Aiello, M., Mongelli, M. & Cambiaso, E. MQTTset, a new dataset for machine learning techniques on MQTT. Sensors 20, 6578 (2020). https://doi.org/10.3390/s20226578
  • 47. Alatram, A., Sikos, L. F., Johnstone, M., Szewczyk, P. & Kang, J. J. DoS/DDoS-MQTT-IoT: a dataset for evaluating intrusions in IoT networks using the MQTT protocol. Comput. Netw. 231, 109809 (2023). https://doi.org/10.1016/j.comnet.2023.109809
  • 48. MQTT QoS: understanding quality of service. https://assetwolf.com/learn/mqtt-qos-understanding-quality-of-service (2024, accessed 15 May 2024).
