Computer forensics Masters student James Moos reports on the development of cyber security and forensics for industrial control systems in a post Stuxnet era.

Industrial control systems (ICS) comprise a number of technologies that have allowed automation in industries such as manufacturing and utility. Human involvement with production chains in these industries has become one of oversight and occasional interaction, empowering organisations to improve speed and efficiency.

With ICS being present in everything from manufacturing products right through to critical national infrastructure (CNI), the security of these systems was always set to become a hot topic sooner or later. The events produced by Stuxnet1 and other malware such as Flame2 raised the profile of this issue with cyber professionals across the world.

With extensive media coverage, Stuxnet displayed how a cyber attack could result in physical effects. Key manufacturing components in Iran’s nuclear production lines were destroyed through highly targeted code that made use of four zero-day exploits. This was a huge setback for Iran as it resulted in a large amount of time and money lost.

Control systems are incredibly robust, with many legacy and proprietary systems still in operation today. This, combined with modern systems that encompass newer technologies, provides an enormous challenge for cyber security professionals looking to secure their systems. Matters are only further complicated when you consider the variety of devices in use within these systems.

Be it supervisory control and data acquisition (SCADA), programmable logic controllers (PLC) or distributed control systems (DCS), which are all variants of ICS, traditional computing devices and bespoke equipment both reside on such systems. Each system is likely to be configured individually to the needs of the process it is running, meaning that no two systems are the same.

So how is the application of cyber security and forensics tools progressing when focusing solely on ICS? A number of developments have come about in recent years relating to the application of cyber security for industrial control systems.

Good practice

The initial attempts to make progress in this field came in the form of ‘good practice guides’ and similar publications dedicated to ICS. These were produced by a range of bodies including the US National Institute of Standards and Technology (NIST)3 and researchers from within academia.

The materials provided a level of understanding and robust guidance that was, perhaps, previously lacking. Technical approaches to securing an ICS could be found alongside policies and physical security measures, which should not be overlooked.

There have been a number of developments with regards to cyber security tools for ICS in recent years.

Tofino Security4 provides a tool named MODBUS TCP Enforcer LSM. This allows inspection of ICS-specific protocol (MODBUS) packets. By pre-defining rule sets, this tool can prevent and report any anomalous behaviour.

Snort is an open source network intrusion detection system (NIDS) with which security professionals are already familiar. This tool can be configured to include handling for ICS-specific protocols, providing an inexpensive and highly capable solution.

Just as with many other types of network, honey pots can now be employed as part of an ICS. Tools that can imitate PLCs or SCADA systems are available and provide a wealth of data that aid in the defence of these systems. By collecting and collating attack data, we can understand how to defend these systems better.

Nessus, a powerful network-scanning tool, now includes the ability to detect an ICS presence on a network and produces associated known vulnerabilities. Tenable, the creators of Nessus, have also produced the passive vulnerability scanner (PVS), which supports the passive monitoring of ICS technologies.

AlienVault offer a dedicated variant of their tool for ICS security information and event management (SIEM). This offers a complete solution from vulnerability identification through to intrusion detection and management.

The aforementioned developments summarise the main tools that open source reports indicate can be used when securing industrial control systems, however many smaller, more specific tools are also available.

Post-incident response

While the cyber security of ICS is undoubtedly important, many professionals will say that 100 per cent security simply cannot exist. As a result, post-incident response is just as crucial for dealing with control systems when they have been compromised.

Digital forensics allows the differentiation between technical faults or malicious events. In the latter case, digital forensics can provide the information necessary to identify the ‘what, why, where, who and how’. Once understood, this can assist in adapting security policies and equipment to prevent a similar event occurring and so can be incorporated into the continuous cycle of information security and risk management.

The US has developed a dedicated computer emergency response team, or CERT, dedicated to ICS incidents. As these systems are so complex and different from traditional computing systems, this undoubtedly ensures the specialist skillset of the team.

Traditional digital forensics toolkits such as FTK and EnCase can still be applied during an ICS investigation, although they may have a more limited capability in this environment. Similarly, raw data analysis tools such as hex viewers can be put to use with some of the devices within an ICS. Cyber security tools can also play a part in an investigation. They may provide data, such as network and security logs, which are often important artefacts when investigating any system.

While work has been done to establish what existing digital forensics tools can be used for ICS investigations, there seems to be little, if any, development of dedicated tools, such as seen within the traditional areas of cyber security. As the importance of protecting ICS increases, it will likely pave the way for such tools to be developed.

In terms of techniques, the use of timeline analysis is reportedly still prevalent just as it is with any digital investigation. Furthermore, due to the number of devices that can exist as part of an ICS, using a timeline can help identify which devices should be investigated as a priority. Obtaining a map of the network is key, as it provides an inventory of all devices and can assist in artefact identification and prioritisation.

Assessment of the volatility of different artefacts is also important, as many sources of data within an ICS are volatile in nature. Controllers within an ICS issue so many controls at any given moment that some forms of data may only reside on the system for a matter of seconds. A volatility assessment can be performed following timeline analysis to ensure that the acquisition of potential evidence is performed in an appropriate order.

In summary, the application of cyber security and digital forensics for industrial control systems is still in its infancy, but it is likely to expand in years to come. There is still much to be done with the development of dedicated tools and techniques to adequately protect these systems.

It is understandable that there is a relatively small amount of open source information available at this stage, but with time this should increase as this specialised area expands. As nations increase their cyber offensive capabilities, the next Stuxnet-like event could occur at any moment.

James is a student at the University of South Wales (formerly Glamorgan) reading an integrated master’s degree in computer forensics.


Further reading