
    Incident Analysis & Digital Forensics in SCADA and Industrial Control Systems

    SCADA and industrial control systems have traditionally been isolated in physically protected environments. However, developments such as the standardisation of data exchange protocols and increased use of IP, emerging wireless sensor networks and machine-to-machine communication mean that in the near future related threat vectors will require consideration that falls outside the scope of traditional SCADA security and incident response. In the light of the significance of SCADA for the resilience of critical infrastructures and the related targeted incidents against them (e.g. the development of Stuxnet), cyber security and digital forensics emerge as priority areas. In this paper we focus on the latter, exploring the current capability of SCADA operators to analyse security incidents and develop situational awareness based on a robust digital evidence perspective. We look at the logging capabilities of a typical SCADA architecture and the analytical techniques and investigative tools that may help develop forensic readiness to the level required by the current threat environment. We also provide recommendations for data capture and retention.

    Digital forensics for Investigating Control-logic Attacks in Industrial Control Systems

    Programmable logic controllers (PLCs) are required to handle physical processes and are thus crucial in critical infrastructures like power grids, nuclear facilities, and gas pipelines. Attacks on PLCs can have disastrous consequences, as attacks like Stuxnet and TRISIS show. Those attacks are examples of exploits where the attacker aims to inject malicious control logic into a target PLC, which the engineering software compiles as reliable code. When investigating a security incident, acquiring memory can provide valuable insight such as runtime system activities and memory-based artifacts which may contain the attacker's footprints. The existing memory acquisition tools for PLCs require a hardware-level debugging port or rely on network protocol-based approaches, which are either not practical in the real world or provide only partial acquisition of memory. This research work provides an overview of different attacks on PLCs and presents three different approaches. These novel approaches leave PLCs vulnerable to attacks that can unleash mayhem in the physical world. The first approach describes denial of engineering operations (DEO) attacks in industrial control systems, referred to as a denial of decompilation (DoD) attack. The DoD attack involves obfuscating and installing (malicious) control logic into a programmable logic controller (PLC) so as to fail the decompilation function in the engineering software required to maintain control logic in PLCs. The existing seminal work on DEO attacks exploits an improper input validation vulnerability in engineering software. On the other hand, the DoD attack targets a fundamental design principle in compiling and decompiling control logic in engineering software, thereby affecting the engineering software of multiple vendors. We evaluate the DoD attack on PLCs from two major manufacturers, i.e., the Schneider Electric Modicon M221 and the Siemens S7-300. We show that simple obfuscation techniques on control logic are sufficient to compromise the decompilation function in their engineering software, i.e., SoMachine Basic and TIA Portal, respectively. The second approach proposes two control-logic attacks and a new memory acquisition framework for PLCs. The first attack modifies in-memory firmware such that the attacker takes control of a PLC's built-in functions. The second attack involves obfuscating and installing malicious control logic into a target PLC to fail the decompilation process in engineering software. The proposed memory acquisition framework remotely acquires a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject harmless code that essentially copies the protected memory fragments to protocol-mapped memory space, which is acquirable over the network. Since the proposed memory acquisition allows access to the entire memory, we can also show evidence of the attacks. The third approach proposes an attack which does not involve alteration or injection of the PLC's control logic. Return Oriented Programming (ROP) is an exploitation technique which can perform sophisticated attacks by utilizing the existing code in the memory of the PLC. This attack does not involve injecting code, which makes the technique unique and hard to discover. This work is the first attempt to introduce the ROP attack technique successfully on a PLC without disrupting the control logic cycle. We evaluate the proposed methods on a gas pipeline testbed to demonstrate the attacks and how a forensic investigator can identify the attacks and other critical forensic artifacts using the proposed memory acquisition method.

    Digital forensics challenges to big data in the cloud

    As a new research area, Digital Forensics is a subject in a rapidly developing society. Cyber security for Big Data in the Cloud is getting more attention than ever. A computing breach requires digital forensics to seize the digital evidence, to locate who did it and what has been done maliciously, and to assess the possible risk and damage the loss could lead to. In particular, for Big Data attack cases, Digital Forensics faces even more challenges than in original digital breach investigations. Nowadays, Big Data, due to its characteristics of the three “V”s (Volume, Velocity, and Variety), is either synchronised with the Cloud (such as from smart phones) or stored on the Cloud in order to solve storage capacity and similar problems, which makes Digital Forensics investigation even more difficult. The Big Data-Digital Forensics issue for the Cloud is difficult due to several issues. One of them is physically identifying the specific wanted device. Data are distributed in the cloud, so the customer or the digital forensics practitioner cannot have full access control as in a traditional investigation. The Smart City technique makes use of ICT (information and communications technology) to collect, detect, analyse and integrate the key information data of the core systems running the cities. Meanwhile, the control makes intelligent responses to different requirements that include daily livelihood, PII (Personally identifiable information) security, environmental protection, public safety, industrial and commercial activities and city services. The Smart City data are Big Data, collected and gathered by the IoT (Internet of Things). This paper summarises our review of the trends of Digital Forensics serving Big Data. The evidence acquisition challenge is discussed. A case study of a Smart City project with IoT-collected services Big Data stored in the cloud computing environment is presented. The techniques can be generalised to other Big Data in the Cloud environments.

    Anomaly diagnosis in industrial control systems for digital forensics

    Over several decades, Industrial Control Systems (ICS) have become more interconnected and highly programmable. An increasing number of sophisticated cyber-attacks have targeted ICS with a view to causing tangible damage. Despite the stringent functional safety requirements mandated within ICS environments, critical national infrastructure (CNI) sectors and ICS vendors have been slow to address the growing cyber threat. In contrast with the design of information technology (IT) systems, the security of control systems has not typically been an intrinsic design principle for ICS components, such as Programmable Logic Controllers (PLCs). These factors have motivated substantial research addressing anomaly detection in the context of ICS. However, detecting incidents alone does not assist with the response and recovery activities that are necessary for ICS operators to resume normal service. Understanding the provenance of anomalies has the potential to enable the proactive implementation of security controls, and to reduce the risk of future attacks. Digital forensics provides solutions by dissecting and reconstructing evidence from an incident. However, this has typically been positioned from a post-incident perspective, which inhibits rapid triaging and effective response and recovery, an essential requirement in critical ICS. This thesis focuses on anomaly diagnosis, which involves the analysis of and discrimination between different types of anomalous event, positioned at the intersection between anomaly detection and digital forensics. An anomaly diagnosis framework is proposed that includes mechanisms to aid ICS operators in the context of anomaly triaging and incident response. PLCs have a fundamental focus within this thesis due to their critical role and ubiquitous application in ICS. An examination of generalisable PLC data artefacts produced a taxonomy of artefact data types that focus on the device data generated and stored in PLC memory. Using the artefacts defined in this first stage, an anomaly contextualisation model is presented that differentiates between cyber-attack and system fault anomalies. Subsequently, an attack fingerprinting approach (PLCPrint) generates near real-time compositions of memory fingerprints within 200ms, by correlating the static and dynamic behaviour of PLC registers. This establishes attack type and technique provenance, and maintains the chain of evidence for digital forensic investigations. To evaluate the efficacy of the framework, a physical ICS testbed modelled on a water treatment system is implemented. Multiple PLC models are evaluated to demonstrate the vendor neutrality of the framework. Furthermore, several generalised attack scenarios are conducted based on techniques identified from real PLC malware. The results indicate that PLC device artefacts are particularly powerful at detecting and contextualising an anomaly. In general, we achieve high F1 scores of at least 0.98 and 0.97 for anomaly detection and contextualisation, respectively, which are highly competitive with the existing state-of-the-art literature. The performance of PLCPrint emphasises how PLC memory snapshots can precisely and rapidly provide provenance by classifying cyber-attacks with an accuracy of 0.97 in less than 400ms. The proposed framework offers a much needed novel approach through which ICS components can be rapidly triaged for effective response.

    Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems

    Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation, where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related products. In this case bugs in an ICS/SCADA system could introduce flaws in the production of components that remain undetected before being incorporated into safety-related applications. Industrial Control Systems typically use devices and networks that are very different from conventional IP-based infrastructures. These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the architectures, file formats and process structures are very different. This paper supports the forensic analysis of industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is used to identify weaknesses in devices so that we can both protect components and determine the information that must be analyzed during the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used to justify both immediate and longer-term countermeasures.

    Security and computer forensics in web engineering education

    The integration of security and forensics into Web Engineering curricula is imperative! Poor security in web-based applications is continuing to cost organizations millions, and the losses are still increasing annually. Security is frequently taught as a stand-alone course, assuming that security can be 'bolted on' to a web application at some point. Security issues must be integrated into Web Engineering processes right from the beginning to create secure solutions, and therefore security should be an integral part of a Web Engineering curriculum. One aspect of Computer forensics investigates failures in security. Hence, students should be aware of the issues in forensics and how to respond when security failures occur; collecting evidence is particularly difficult for Web-based applications.