1 / 42

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics. A Thesis: b y Theora Rice. Speaker Background. Undergraduate degree – University of Idaho 2013 Computer Science Scholarship for Service recipient Idaho Falls National Laboratory intern

adora
Download Presentation

The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Development of a Cross-Disciplinary Approach in Industrial Control System Computer Forensics A Thesis: by Theora Rice

  2. Speaker Background • Undergraduate degree – University of Idaho 2013 • Computer Science • Scholarship for Service recipient • Idaho Falls National Laboratory intern • Craig Rieger – Industrial Control Systems • Pacific Northwest National Laboratory • Dr. David Manz and Thomas Edgar - determinism

  3. Outline Introduction Background The Problem Space Those who Use ICS Systems A New Methodology Analysis Conclusion

  4. Introduction - Objective • Forensics in Industrial Control Systems (ICS) • Importance • Analysis • Maintaining future resilience • Challenges • Cross-disciplinary focus

  5. Introduction – A Lens • Lack of comprehensive technical material • Less skill-specific • Industrial Control Systems • Multiple professions involved • Multiple vocabularies

  6. Background - ICS “The framework of interdependent networks and systems comprising identifiable industries, institutions (including people and procedures), and distribution capabilities that provide a reliable flow of products and services essential to the defense and economic security of the United States, the smooth functioning of government at all levels, and society as a whole.” [14] “[Control systems are]...systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters” [23].

  7. Infrastructure sectors [8]

  8. Background – ICS: SCADA

  9. Background – ICS: DCS

  10. Background – ICS: Components • Monitoring [17] • Master Terminal Unit (MTU) • Control server • Input/Output (IO) servers • Data Historians • HMIs

  11. Background – ICS: Components • Sensing [17] • Remote Terminal Units (RTUs) • Programmable Logic Controllers (PLCs) • Intelligent Electronic Devices (IEDs)

  12. Background – ICS: Security Concerns • Legacy [3] • 15+ years • Proprietary technology, little support • Older technologies are more vulnerable • Modern [3] • 15- years • Proprietary and open, fully supported • Interconnectivity, also vulnerable • Problems [6][2] • Maroochy • Stuxnet, Duqu

  13. Background - Forensics “The process of applying scientific methods to collect and analyze data and information that can be used as evidence” [4].

  14. Background - Forensics Evidence to present in a court of law Verification of system problems Study of malicious activity Different from incident response and recovery

  15. Background – Forensics: Components • Collection [20] • Developing initial plan • Choosing resources • Analysis [20] • Risk review • Risk mitigation • Data extraction and analysis • Reporting [20] • Organized account of all findings

  16. The Problem Space – Technical Problems • Availability • Static vs. Live analysis • Large amounts of data [15] • Volatile data and inadequate labeling [20] • Proprietary and little-known hardware and software [20] • Lack of standardization • Time and resource effect [12] • Ping sweep accident [17]

  17. The Problem Space – Technical Problems

  18. The Problem Space – Man and Machine • Many disciplines needed in ICS development, implementation, and maintenance • Natural disaster • Engineers – resilient systems • Computer scientists – recoverable systems • Operators – enact emergency procedures • Financiers and human engineers – emergency funding and efficient worker tools

  19. The Problem Space – Financial Cost • Salaried computer forensics professional Salaried computer forensics professional Data logging – hardware cost New software/hardware – development and implementation costs

  20. The Problem Space – Security Vulnerabilities [19] • Malware • Stuxnet, Duqu [6][2] • Internal threats • Employees • External threats • Malicious attackers • Phishing scams • Industrial espionage • Extortion

  21. The Problem Space – In the Courts • Specific rules in gathering evidence • Digital copies [4] • Hashing • Live analysis • Tampering? • System may change during data capture

  22. Those who Use ICS Systems - Engineers • System engineers [1] • Designing, developing, implementing • Physical resilience • Consistent, continuous production • Determinism • System algorithms

  23. Those who Use ICS Systems – Computer Scientists DiFrank Functional Enterprise Computing Model, derived from [11]

  24. Those who Use ICS Systems – Operators • Variables [22] • Manipulated • Disturbances • Controlled • Four elements [22] • Process • Measurement • Evaluation • Control

  25. Those who Use ICS Systems – Human Factors • Enhance performance, increase safety, and increase user satisfaction [5] • Study human comprehension and develop new methods or tools in system • Data overload • Prioritize and filter information [9] • Emergency situations • Minimize distractions and maximize operator training [9]

  26. Those who Use ICS Systems – Cross-Disciplinary Resources • System engineers • There must be logging ability in the system, at many levels [11] • Probing accident-resistant systems [21] • Computer scientists • More specific log data, documentation, and specialized security • Operators • Must now at least the basic resources required • Human factors • How forensic considerations can be integrated into incident recovery without undue complication

  27. A New Methodology • Operators trained to perform certain pre-investigation forensics tasks • Precedents exist in cross-discipline training for Cyber Security and incident response • Emergency situation, operators most likely to be available • Data collection cannot always come after crisis, but must be collected during • Training and automation optimization

  28. A New Methodology - Training • Risk analysis • What data is crucial, and when may it be lost? • Documentation: Descriptions and Diagrams • System communications • Infrastructure • Critical configurations • Process procedures • Device logic • Incident response actions taken • Timestamps

  29. A New Methodology - Training • Volatile data collection • Automation • “Flushing” & rebooting [12] • Legal briefing • Chain of evidence [16] • Hands-on experience [10]

  30. A New Methodology – Multi-Skilling “A way of working where the traditional divisions between work areas and separate disciplines are removed, and individuals are given responsibility for a range of different types of task” [7].

  31. A New Methodology – Multi-Skilling • Problems - Implementation • Attempts to reduce staff members • Maintain proper amount of staff members • Lack of coordination and error checking • Establish clear leadership and training • Multi-skilling problems • Specialized errors

  32. A New Methodology - Automation • Storage for data • Additional servers and other storage devices • Network traffic logs • Physical network traffic logging devices • Logging software that gathers and labels ICS network traffic packets • Individual device images • Critical or heavily effected device configurations can be copied for later analysis • High data integrity • Store traffic in an SIEM system, on secure servers, and even printed on physical media

  33. A New Methodology - Automation • Real-time adaptive security software • React to cyber security incidents while recording forensics • Intrusion Detection System, Intrusion Prevention System, firewalls • Honeypots • “Value lies in being probed, attacked, or compromised” [18] • Lure malicious attacks and record everything that happens

  34. A New Methodology – Human Factors and Automated Design • Signal processing [13] • How a human identifies a change in the system • Signal for forensics must be recognizable, and solution should be readily apparent • Stress reactions [13] • Every action becomes related to “one’s perceived state of progress towards or away from one’s goals” • Specifically automate software

  35. A New Methodology – Human Factors and Automated Design Diagram of emergent units in a given situation [12]

  36. A New Methodology

  37. A New Methodology

  38. A New Methodology

  39. Analysis - Benefits • Forensics training for system operators • Immediate data collection in a volatile environment • Continuous data collection during incident • Large amount of recorded traffic and memory data • Sharing power with the operations employees • Stimulates good interactions with forensic staff • Development of intuitive forensics tools • Invigorates research in operator-interaction based systems in ICS

  40. Analysis - Drawbacks • Added operator stress • Careful consideration of candidates • Good training, and optimizing system automation • Insufficient operator specialization • Well trained supervisors and hands-on training • Funding • Building a business case [17] • Implementing new hardware and software • Cross-disciplinary team work and flexible structures • Amount of time needed for development • Time and research • Tendency towards remote facilities • Remote activation software

  41. Conclusion • Future Work • Training material development • Hand outs, text, etc. • Test training sessions • Hands-on practice in a test SCADA facility • Evaluation of produced test material by a forensics professional • Human factors research • Research and development in hardware and software

  42. References [1] A. Miller, "Trends in process control systems security," Security & Privacy, IEEE , Sept.-Oct. 2005, pp.57,60, doi: 10.1109/MSP.2005.136 [2] B. Bencsáth et al., "Duqu: Analysis, Detection, and Lessons Learned," EuroSec '12, Bern, Switzerland, April 2012. [3] B. Galloway and G.P. Hancke, "Introduction to Industrial Control Networks," Communications Surveys & Tutorials, IEEE, vol.15, no.2, pp.860,880, Second Quarter 2013. [4] B. Nelson et al., Guide to Computer Forensics and Investigations, 4th ed. Boston, MA: Course Technology, 2010. [5] C. D. Wickens et al., An Introduction to Human Factors Engineering, 2nd ed. Upper Saddle River, NJ: Prentice Hall, ch. 16,18 pp. 433-434, 474. [6] C. Nachenberg, "A Forensic Dissection of Stuxnet," Symantec Corporation, 2011. [7] C.R.J. Horbury and M.S. Wright, "Multi-skilling: research implications on control room operations," Human Interfaces in Control Rooms, Cockpits and Command Centers, 2001. People in Control. The Second International Conference on (IEE Conf. Publ. No. 481), 2001, pp.141,146. [8] Critical infrastructure sectors, Department of Homeland Security, http://www.dhs.gov/critical-infrastructure-sectors [9] D.I. Gertman, "Human factors and data fusion as part of control systems resilience," Human System Interactions, 2009. HSI '09. 2nd Conference on, May 2009, pp.642,647, 21-23. [10] E. Sitnikova et al., "The Power of Hands-On Exercises in SCADA Cyber Security Education," Information Processing, IFIP International Federation for, 2013, 83-94. [11] G. DiFrank, "The Power of Automation," IEEE Industry Applications Magazine, Vol 14, No. 2, March-April 2008, pp. 49-57. [12] I. Ahmed et al., "SCADA Systems: Challenges for Forensic Investigators," Computer, vol.45, no.12, Dec. 2012, pp.44,51. [13] J. A. Jacko, The Human-Computer Interaction Handbook, 3rd ed. Boca Raton, FL: CRC Press, 2012. [14] J. Motef and P. Parfomak, "Critical Infrastructure and Key Assets: Definition and Identification," Congressional Research Service, 2004 [15] J. Slay and E. Sitnikova, “The Development of a Generic Framework for the Forensic Analysis of SCADA and Process Control Systems,” Forensics in Telecommunications, Information, and Multimedia, M. Sorrell, ed., Springer, 2009, pp. 77-82. [16] K. Kent et al., Guide fo Integrating Forensic Techniques into Incident Response, 1st ed., National Institute of Standards and Technology, 2006. [17] K. Stouffer et al., Guide fo Industrial Control Systems (ICS) Security, 1st ed., National Institute of Standards and Technology, 2011. [18] L. Spitzner, "The String: My Fascination with Honeypots," Honeypots: Tracking Hackers, Boston, MA: Pearson Education, 2003, ch. 1., pp. 23. [19] M. E. Luallen, "SANS SCADA and Process Control Security Survey," SANS Analyst Program, SANS Institute, 2013, pp. 1-18. [20] M. Fabro and E. Cornelius, “Recommended practice: Creating computer forensics plans for control systems,” Idaho National Laboratory (INL), Aug. 2008. [21] S. Bennett, "A brief history of automatic control," Control Systems, IEEE , vol.16, no.3, pp.17,25, Jun 1996 doi: 10.1109/37.506394 [22] T. Hughes, Measurement and Control Basics, 3rd Ed., ISA Press, 2002. [23] United and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001, P.L. 107-56 (2001)

More Related