Security Basics: Control System Forensics

(This article was originally published on the Findings From the Field blog.)

Most network administrators recognize the term computer forensics as the discipline of collecting evidence from computers for use in court. What may not be apparent is that computer forensics practices and technologies are also useful tools for general troubleshooting. Forensic records must be detailed enough to establish the cause of an intrusion or of any other incident that may end up in litigation. As a result, these records are almost always detailed enough to identify the causes of other kinds of problems as well, from performance anomalies to operator and administrator errors and omissions. But what kinds of real-time forensics are appropriate to deploy on industrial control systems?


CIP-002-4 Is Coming

NERC announced earlier this month that long-debated changes to the NERC CIP-002 standard have passed ballot and are being submitted to the NERC board for approval. The changes introduce a "bright line rule" defining Critical Assets and Critical Cyber Assets. The rule eliminates the discretion NERC entities had in versions 1-3 to define their own risk-based assessment methodologies for identifying Critical Assets. The changes should result in a much larger pool of assets being identified as critical and so becoming subject to the CIP standards. It remains to be seen, though, whether utilities will take this opportunity to strengthen their security programs in light of recent advanced threats to control systems.


Review: Tofinosecurity.com’s Stuxnet Central

The Byres Security Tofinosecurity.com site has a useful page called Stuxnet Central. Some of the materials on the page require that you become a member of the site to access them, but once you have a password, you have access to everything. On Stuxnet Central, Tofinosecurity.com has links to all of their own Stuxnet materials, including a handy list of links to all of the Stuxnet-related Practical SCADA Security blog entries. There are also links to a nice cross-section of external resources, everything from Microsoft's vulnerability reports, to representative articles from the popular press, to detailed technical discussions of the worm. If you are coming up to speed on Stuxnet, or if you have been following along and want to be sure there is nothing you missed, I can recommend Tofino's Stuxnet Central. If you've never looked through the page in detail, there are a couple of interesting surprises...


Industrial Defender Updates Stuxnet Whitepaper

Industrial Defender has released its updated Stuxnet whitepaper, The Stuxnet Worm and Defenses for Advanced Threats. You do need to register to access the paper, but once registered you will have access to all of Industrial Defender's archived papers and webinars. The updated whitepaper assumes you understand control systems, and provides control systems engineers with the information needed to evaluate their security programs in light of advanced threats. The whitepaper uses the Stuxnet example to illustrate how products from the Industrial Defender security suite react to advanced threats. The paper concludes that, given the apparent success of recent attacks, it is only reasonable to expect new advanced attacks in the months ahead.