Incident Analysis & Digital Forensics in SCADA and Industrial Control Systems

SCADA and industrial control systems have been traditionally isolated in physically protected environments. However, developments such as standardisation of data exchange protocols and increased use of IP, emerging wireless sensor networks and machine-to-machine communication mean that in the near future related threat vectors will require consideration too outside the scope of traditional SCADA security and incident response. In the light of the significance of SCADA for the resilience of critical infrastructures and the related targeted incidents against them (e.g. the development of stuxnet), cyber security and digital forensics emerge as priority areas. In this paper we focus on the latter, exploring the current capability of SCADA operators to analyse security incidents and develop situational awareness based on a robust digital evidence perspective. We look at the logging capabilities of a typical SCADA architecture and the analytical techniques and investigative tools that may help develop forensic readiness to the level of the current threat environment requirements. We also provide recommendations for data capture and retention

A ‘criminal personas’ approach to countering criminal creativity

This paper describes a pilot study of a ‘criminal personas’ approach to countering criminal creativity. The value of the personas approach has been assessed by comparing the identification of criminal opportunity, through ‘traditional’ brainstorming and then through ‘criminal personas’ brainstorming The method involved brainstorm sessions with Computer Forensics Practitioners and with Product Designers, where they were required to generate criminal scenarios, select the most serious criminal opportunities, and propose means of countering them. The findings indicated that there was merit in further research in the development and application of the ‘criminal personas’ approach. The generation of criminal opportunity ideas and proposal of counter criminal solutions were both greater when the brainstorm approach involved the group responding through their given criminal personas

Medical Cyber-Physical Systems Development: A Forensics-Driven Approach

The synthesis of technology and the medical industry has partly contributed to the increasing interest in Medical Cyber-Physical Systems (MCPS). While these systems provide benefits to patients and professionals, they also introduce new attack vectors for malicious actors (e.g. financially-and/or criminally-motivated actors). A successful breach involving a MCPS can impact patient data and system availability. The complexity and operating requirements of a MCPS complicates digital investigations. Coupling this information with the potentially vast amounts of information that a MCPS produces and/or has access to is generating discussions on, not only, how to compromise these systems but, more importantly, how to investigate these systems. The paper proposes the integration of forensics principles and concepts into the design and development of a MCPS to strengthen an organization's investigative posture. The framework sets the foundation for future research in the refinement of specific solutions for MCPS investigations.Comment: This is the pre-print version of a paper presented at the 2nd International Workshop on Security, Privacy, and Trustworthiness in Medical Cyber-Physical Systems (MedSPT 2017

Automating Vendor Fraud Detection in Enterprise Systems

Fraud is a multi-billion dollar industry that continues to grow annually. Many organizations are poorly prepared to prevent and detect fraud. Fraud detection strategies are intended to quickly and efficiently identify fraudulent activities that circumvent preventative measures. In this paper, we adopt a DesignScience methodological framework to develop a model for detection of vendor fraud based on analysis of patterns or signatures identified in enterprise system audit trails. The concept is demonstrated by developing prototype software. Verification of the prototype is achieved by performing a series of experiments. Validation is achieved by independent reviews from auditing practitioners. Key findings of this study are: (a) automating routine data analytics improves auditor productivity and reduces time taken to identify potential fraud; and (b) visualizations assist in promptly identifying potentially fraudulent user activities. The study makes the following contributions: (a) a model for proactive fraud detection; (b) methods for visualizing user activities in transaction data; and (c) a stand-alone Monitoring and Control Layer (MCL) based prototype