A prototype forensic toolkit for industrial-control-systems incident response (14 May 2015)
Industrial control systems (ICSs) are an important part of critical infrastructure in cyberspace. They are especially vulnerable to cyber-attacks because of their legacy hardware and software and the difficulty of changing them. We first survey the history of intrusions into ICSs, the more serious of which involved a continuing adversary presence on an ICS network. We discuss some common vulnerabilities and the categories of possible attacks, noting the frequent use of software written long ago. We propose a framework for designing ICS incident response under two constraints: no new software may be required, and interventions cannot impede the continuous processing that is the norm for such systems. We then discuss a prototype toolkit we built using the Windows Management Instrumentation Command-Line tool (WMIC) for host-based analysis and the Bro intrusion-detection software for network-based analysis. Particularly useful techniques were learning the historical range of numeric parameters so as to recognize anomalies, learning the usual addresses of connections to a node, observing Internet addresses (usually rare), observing anomalous network protocols such as unencrypted data transfers, observing unusual scheduled tasks, and comparing key files through registry entries and hash values to find malicious modifications. We tested our methods on actual data from ICSs, including publicly available data, voluntarily submitted data, and researcher-provided "advanced persistent threat" data. We found instances of interesting behavior in our experiments. Intrusions were generally easy to see because of the repetitive nature of most processing on ICSs, but operators need to be motivated to look.
© (2015) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Nickolas B. Carr and Neil C. Rowe, "A prototype forensic toolkit for industrial-control-systems incident response", Proc. SPIE 9458, Cyber Sensing 2015, 945804 (14 May 2015); doi: 10.1117/12.2179796; https://doi.org/10.1117/12.2179796
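The network-side techniques the abstract lists (learning a node's usual connection peers, flagging Internet addresses and unencrypted transfers, and learning the historical range of a numeric parameter) can be illustrated with a small baseline-and-compare check. This is an added example, not the paper's toolkit; the conn.log-style rows, the plant address space `PLANT_NETWORKS` and the `CLEARTEXT_SERVICES` set are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed Bro conn.log-style rows (tab-separated): ts, orig_h, resp_h, resp_p, service.
BASELINE_LOG = """\
1.0\t10.0.0.5\t10.0.0.10\t502\tmodbus
2.0\t10.0.0.5\t10.0.0.11\t502\tmodbus
3.0\t10.0.0.6\t10.0.0.10\t502\tmodbus
"""
NEW_LOG = """\
4.0\t10.0.0.5\t10.0.0.10\t502\tmodbus
5.0\t10.0.0.5\t10.0.0.20\t21\tftp
6.0\t10.0.0.6\t203.0.113.7\t443\tssl
"""
PLANT_NETWORKS = [ip_network("10.0.0.0/24")]           # assumed site address space
CLEARTEXT_SERVICES = {"ftp", "telnet", "http", "smtp"}  # unencrypted data transfers

def parse_conn(text):
    """Parse conn.log-style rows into dicts, skipping '#' header lines."""
    rows = []
    for line in text.strip().splitlines():
        if line.startswith("#"):
            continue
        _ts, orig, resp, _port, service = line.split("\t")
        rows.append({"orig": orig, "resp": resp, "service": service})
    return rows

def learn_peers(rows):
    """Baseline: the usual responder addresses seen for each originating host."""
    peers = defaultdict(set)
    for r in rows:
        peers[r["orig"]].add(r["resp"])
    return peers

def flag_connections(rows, peers):
    """Flag off-plant (Internet) addresses, never-seen peers and cleartext services."""
    findings = []
    for r in rows:
        if not any(ip_address(r["resp"]) in net for net in PLANT_NETWORKS):
            findings.append(("internet-address", r["orig"], r["resp"]))
        elif r["resp"] not in peers.get(r["orig"], set()):
            findings.append(("new-peer", r["orig"], r["resp"]))
        if r["service"] in CLEARTEXT_SERVICES:
            findings.append(("cleartext-transfer", r["orig"], r["resp"]))
    return findings

def learn_range(samples):
    """Baseline for a numeric process value: its historical minimum and maximum."""
    return min(samples), max(samples)

def out_of_range(value, bounds):
    """True when a new reading falls outside the learned historical range."""
    return value < bounds[0] or value > bounds[1]
```

Run `flag_connections(parse_conn(NEW_LOG), learn_peers(parse_conn(BASELINE_LOG)))` to see the new peer, the FTP transfer and the off-plant address each reported once.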