the development of a cross disciplinary approach in industrial control system computer forensics n.
Skip this Video
Loading SlideShow in 5 Seconds..
The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics PowerPoint Presentation
Download Presentation
The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics

Loading in 2 Seconds...

play fullscreen
1 / 42

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics - PowerPoint PPT Presentation

  • Uploaded on

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics. A Thesis: b y Theora Rice. Speaker Background. Undergraduate degree – University of Idaho 2013 Computer Science Scholarship for Service recipient Idaho Falls National Laboratory intern

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics' - adora

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
the development of a cross disciplinary approach in industrial control system computer forensics

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics

A Thesis:

by Theora Rice

speaker background
Speaker Background
  • Undergraduate degree – University of Idaho 2013
    • Computer Science
  • Scholarship for Service recipient
  • Idaho Falls National Laboratory intern
    • Craig Rieger – Industrial Control Systems
  • Pacific Northwest National Laboratory
    • Dr. David Manz and Thomas Edgar - determinism



The Problem Space

Those who Use ICS Systems

A New Methodology



introduction objective
Introduction - Objective
  • Forensics in Industrial Control Systems (ICS)
    • Importance
      • Analysis
      • Maintaining future resilience
    • Challenges
    • Cross-disciplinary focus
introduction a lens
Introduction – A Lens
  • Lack of comprehensive technical material
    • Less skill-specific
  • Industrial Control Systems
    • Multiple professions involved
    • Multiple vocabularies
background ics
Background - ICS

“The framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, the smooth functioning of government at all levels, and society as a whole.” [14]

“[Control systems are] and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” [23].

background ics components
Background – ICS: Components
  • Monitoring [17]
    • Master Terminal Unit (MTU)
    • Control server
    • Input/Output (IO) servers
    • Data Historians
    • HMIs
background ics components1
Background – ICS: Components
  • Sensing [17]
    • Remote Terminal Units (RTUs)
    • Programmable Logic Controllers (PLCs)
    • Intelligent Electronic Devices (IEDs)
background ics security concerns
Background – ICS: Security Concerns
  • Legacy [3]
    • 15+ years
    • Proprietary technology, little support
    • Older technologies are more vulnerable
  • Modern [3]
    • 15- years
    • Proprietary and open, fully supported
    • Interconnectivity, also vulnerable
  • Problems [6][2]
    • Maroochy
    • Stuxnet, Duqu
background forensics
Background - Forensics

“The process of applying scientific methods to collect and analyze data and information that can be used as evidence” [4].

background forensics1
Background - Forensics

Evidence to present in a court of law

Verification of system problems

Study of malicious activity

Different from incident response and recovery

background forensics components
Background – Forensics: Components
  • Collection [20]
    • Developing initial plan
    • Choosing resources
  • Analysis [20]
    • Risk review
    • Risk mitigation
    • Data extraction and analysis
  • Reporting [20]
    • Organized account of all findings
the problem space technical problems
The Problem Space – Technical Problems
  • Availability
    • Static vs. Live analysis
  • Large amounts of data [15]
    • Volatile data and inadequate labeling [20]
  • Proprietary and little-known hardware and software [20]
    • Lack of standardization
  • Time and resource effect [12]
    • Ping sweep accident [17]
the problem space man and machine
The Problem Space – Man and Machine
  • Many disciplines needed in ICS development, implementation, and maintenance
  • Natural disaster
    • Engineers – resilient systems
    • Computer scientists – recoverable systems
    • Operators – enact emergency procedures
    • Financiers and human engineers – emergency funding and efficient worker tools
the problem space financial cost
The Problem Space – Financial Cost
  • Salaried computer forensics professional

Salaried computer forensics professional

Data logging – hardware cost

New software/hardware – development and implementation costs

the problem space security vulnerabilities 19
The Problem Space – Security Vulnerabilities [19]
  • Malware
    • Stuxnet, Duqu [6][2]
  • Internal threats
    • Employees
  • External threats
    • Malicious attackers
  • Phishing scams
  • Industrial espionage
  • Extortion
the problem space in the courts
The Problem Space – In the Courts
  • Specific rules in gathering evidence
  • Digital copies [4]
    • Hashing
    • Live analysis
      • Tampering?
      • System may change during data capture
those who use ics systems engineers
Those who Use ICS Systems - Engineers
  • System engineers [1]
    • Designing, developing, implementing
    • Physical resilience
    • Consistent, continuous production
    • Determinism
    • System algorithms
those who use ics systems computer scientists
Those who Use ICS Systems – Computer Scientists

DiFrank Functional Enterprise Computing Model, derived from [11]

those who use ics systems operators
Those who Use ICS Systems – Operators
  • Variables [22]
    • Manipulated
    • Disturbances
    • Controlled
  • Four elements [22]
    • Process
    • Measurement
    • Evaluation
    • Control
those who use ics systems human factors
Those who Use ICS Systems – Human Factors
  • Enhance performance, increase safety, and increase user satisfaction [5]
    • Study human comprehension and develop new methods or tools in system
  • Data overload
    • Prioritize and filter information [9]
  • Emergency situations
    • Minimize distractions and maximize operator training [9]
those who use ics systems cross disciplinary resources
Those who Use ICS Systems – Cross-Disciplinary Resources
  • System engineers
    • There must be logging ability in the system, at many levels [11]
    • Probing accident-resistant systems [21]
  • Computer scientists
    • More specific log data, documentation, and specialized security
  • Operators
    • Must now at least the basic resources required
  • Human factors
    • How forensic considerations can be integrated into incident recovery without undue complication
a new methodology
A New Methodology
  • Operators trained to perform certain pre-investigation forensics tasks
    • Precedents exist in cross-discipline training for Cyber Security and incident response
    • Emergency situation, operators most likely to be available
    • Data collection cannot always come after crisis, but must be collected during
    • Training and automation optimization
a new methodology training
A New Methodology - Training
  • Risk analysis
    • What data is crucial, and when may it be lost?
  • Documentation: Descriptions and Diagrams
    • System communications
    • Infrastructure
    • Critical configurations
    • Process procedures
    • Device logic
    • Incident response actions taken
    • Timestamps
a new methodology training1
A New Methodology - Training
  • Volatile data collection
    • Automation
    • “Flushing” & rebooting [12]
  • Legal briefing
    • Chain of evidence [16]
  • Hands-on experience [10]
a new methodology multi skilling
A New Methodology – Multi-Skilling

“A way of working where the traditional divisions between work areas and separate disciplines are removed, and individuals are given responsibility for a range of different types of task” [7].

a new methodology multi skilling1
A New Methodology – Multi-Skilling
  • Problems - Implementation
    • Attempts to reduce staff members
      • Maintain proper amount of staff members
    • Lack of coordination and error checking
      • Establish clear leadership and training
  • Multi-skilling problems
    • Specialized errors
a new methodology automation
A New Methodology - Automation
  • Storage for data
    • Additional servers and other storage devices
  • Network traffic logs
    • Physical network traffic logging devices
    • Logging software that gathers and labels ICS network traffic packets
  • Individual device images
    • Critical or heavily effected device configurations can be copied for later analysis
  • High data integrity
    • Store traffic in an SIEM system, on secure servers, and even printed on physical media
a new methodology automation1
A New Methodology - Automation
  • Real-time adaptive security software
    • React to cyber security incidents while recording forensics
    • Intrusion Detection System, Intrusion Prevention System, firewalls
  • Honeypots
    • “Value lies in being probed, attacked, or compromised” [18]
    • Lure malicious attacks and record everything that happens
a new methodology human factors and automated design
A New Methodology – Human Factors and Automated Design
  • Signal processing [13]
    • How a human identifies a change in the system
    • Signal for forensics must be recognizable, and solution should be readily apparent
  • Stress reactions [13]
    • Every action becomes related to “one’s perceived state of progress towards or away from one’s goals”
    • Specifically automate software
a new methodology human factors and automated design1
A New Methodology – Human Factors and Automated Design

Diagram of emergent units in a given situation [12]

analysis benefits
Analysis - Benefits
  • Forensics training for system operators
    • Immediate data collection in a volatile environment
  • Continuous data collection during incident
    • Large amount of recorded traffic and memory data
  • Sharing power with the operations employees
    • Stimulates good interactions with forensic staff
  • Development of intuitive forensics tools
    • Invigorates research in operator-interaction based systems in ICS
analysis drawbacks
Analysis - Drawbacks
  • Added operator stress
    • Careful consideration of candidates
    • Good training, and optimizing system automation
  • Insufficient operator specialization
    • Well trained supervisors and hands-on training
  • Funding
    • Building a business case [17]
  • Implementing new hardware and software
    • Cross-disciplinary team work and flexible structures
  • Amount of time needed for development
    • Time and research
  • Tendency towards remote facilities
    • Remote activation software
  • Future Work
    • Training material development
      • Hand outs, text, etc.
    • Test training sessions
    • Hands-on practice in a test SCADA facility
    • Evaluation of produced test material by a forensics professional
    • Human factors research
    • Research and development in hardware and software

[1] A. Miller, "Trends in process control systems security," Security & Privacy, IEEE , Sept.-Oct. 2005, pp.57,60, doi: 10.1109/MSP.2005.136

[2] B. Bencsáth et al., "Duqu: Analysis, Detection, and Lessons Learned," EuroSec '12, Bern, Switzerland, April 2012.

[3] B. Galloway and G.P. Hancke, "Introduction to Industrial Control Networks," Communications Surveys & Tutorials, IEEE, vol.15, no.2, pp.860,880, Second Quarter 2013.

[4] B. Nelson et al., Guide to Computer Forensics and Investigations, 4th ed. Boston, MA: Course Technology, 2010.

[5] C. D. Wickens et al., An Introduction to Human Factors Engineering, 2nd ed. Upper Saddle River, NJ: Prentice Hall, ch. 16,18 pp. 433-434, 474.

[6] C. Nachenberg, "A Forensic Dissection of Stuxnet," Symantec Corporation, 2011.

[7] C.R.J. Horbury and M.S. Wright, "Multi-skilling: research implications on control room operations," Human Interfaces in Control Rooms, Cockpits and Command Centers, 2001. People in Control. The Second International Conference on (IEE Conf. Publ. No. 481), 2001, pp.141,146.

[8] Critical infrastructure sectors, Department of Homeland Security,

[9] D.I. Gertman, "Human factors and data fusion as part of control systems resilience," Human System Interactions, 2009. HSI '09. 2nd Conference on, May 2009, pp.642,647, 21-23.

[10] E. Sitnikova et al., "The Power of Hands-On Exercises in SCADA Cyber Security Education," Information Processing, IFIP International Federation for, 2013, 83-94.

[11] G. DiFrank, "The Power of Automation," IEEE Industry Applications Magazine, Vol 14, No. 2, March-April 2008, pp. 49-57.

[12] I. Ahmed et al., "SCADA Systems: Challenges for Forensic Investigators," Computer, vol.45, no.12, Dec. 2012, pp.44,51.

[13] J. A. Jacko, The Human-Computer Interaction Handbook, 3rd ed. Boca Raton, FL: CRC Press, 2012.

[14] J. Motef and P. Parfomak, "Critical Infrastructure and Key Assets: Definition and Identification," Congressional Research Service, 2004

[15] J. Slay and E. Sitnikova, “The Development of a Generic Framework for the Forensic Analysis of SCADA and Process Control Systems,” Forensics in Telecommunications, Information, and Multimedia, M. Sorrell, ed., Springer, 2009, pp. 77-82.

[16] K. Kent et al., Guide fo Integrating Forensic Techniques into Incident Response, 1st ed., National Institute of Standards and Technology, 2006.

[17] K. Stouffer et al., Guide fo Industrial Control Systems (ICS) Security, 1st ed., National Institute of Standards and Technology, 2011.

[18] L. Spitzner, "The String: My Fascination with Honeypots," Honeypots: Tracking Hackers, Boston, MA: Pearson Education, 2003, ch. 1., pp. 23.

[19] M. E. Luallen, "SANS SCADA and Process Control Security Survey," SANS Analyst Program, SANS Institute, 2013, pp. 1-18.

[20] M. Fabro and E. Cornelius, “Recommended practice: Creating computer forensics plans for control systems,” Idaho National Laboratory (INL), Aug. 2008.

[21] S. Bennett, "A brief history of automatic control," Control Systems, IEEE , vol.16, no.3, pp.17,25, Jun 1996 doi: 10.1109/37.506394

[22] T. Hughes, Measurement and Control Basics, 3rd Ed., ISA Press, 2002.

[23] United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, P.L. 107-56 (2001)