[SCADASEC] SCADA, control systems and forensics
Mark Fabro
fabro at loftyperch.com
Thu Feb 7 15:41:49 CST 2008
Ahhh...forensics for SCADA/PCS. A subject near and dear to my heart.
These are good ideas Bob, as performing the analysis is non-trivial due
to so many issues like reading fault tables properly, timing sources, and
the ever-present problem with volatile memory that eats all your
artifacts in a millisecond. A lot of the successful investigations would
have to have vendor interaction.
The ideas floating around right now are all about developing categories
for system types and ages, thus allowing for standard practices to be
augmented according to categorization. Sounds complicated, but it is
the trend right now, and it seems to scale fairly well, especially in
the newer (5 to 10 years old) systems.
But, of course, there are so many factors to consider including inherent
authentication for operator access to systems as well as point
authorization for actual commands. All of these provide specific nuances
to the investigation as it is based on vendor applications that leverage
the core OS security features.
Mark
-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
Radvanovsky
Sent: Thursday, February 07, 2008 3:01 PM
To: scadasec at news.infracritical.com
Subject: [SCADASEC] SCADA, control systems and forensics
One of the issues that I have raised within the 'CIP' community has been
*how* to identify threats (and their attempts) post-facto; meaning, how
do I perform a forensics analysis on something that is, for sake of
better terms, 'dumber than a door knob'? It's one thing to conduct
post-facto forensics best practices on a server, or within an IT
environment, but this isn't 'IT'. Older protocols don't include date
and/or time stamps within the communications packets, and oftentimes
comm packets are terse (if that). So...how do *we*, as SCADA
professionals define and establish methods for performing post-facto
forensics analysis and management of a given control system environment?
I'd like to get some feedback from the list. The entire premise here is
to encourage discussion. OK -- here's your opportunity... ;)
-rad
P.S. This message will self-destruct in 5 seconds...
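The point Bob raises about protocols that carry no date or time stamp can be worked around at the capture point: the collector supplies the timestamp and a sequence number, and chains a hash over each record so the post-facto log is tamper-evident. The following is an added example written for this page, not code from the list or from any vendor; it assumes Modbus/TCP framing (MBAP header plus function code, per the public Modbus spec) and uses constructed sample frames and capture times.

```python
"""Capture-side timestamping and hash-chaining of raw Modbus/TCP frames.

Added example, not from the scadasec thread. Modbus/TCP has no timestamp
field, so the collector records when each frame was seen and chains a
SHA-256 over the previous record so later edits or reordering are detectable.
"""
import hashlib
import struct

# Function codes from the public Modbus spec (the page names none of them).
FUNC_NAMES = {3: "read_holding_regs", 6: "write_single_reg", 16: "write_multiple_regs"}
GENESIS = "0" * 64  # previous-hash value for the first record

# Constructed sample capture: (ISO-8601 capture time, raw Modbus/TCP frame).
SAMPLE_CAPTURE = [
    ("2008-02-07T21:01:00+00:00", bytes.fromhex("000100000006010300000002")),  # FC3 read 2 regs
    ("2008-02-07T21:01:02+00:00", bytes.fromhex("00020000000601060010" "00ff")),  # FC6 write reg 0x10
]


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP header fields plus function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:  # length counts unit id onward
        raise ValueError("malformed MBAP header")
    func = frame[7]
    return {"tid": tid, "unit": unit, "func": func,
            "name": FUNC_NAMES.get(func, "other"), "data": frame[8:].hex()}


def _digest(seq: int, ts: str, frame_hex: str, prev: str) -> str:
    return hashlib.sha256(f"{seq}|{ts}|{frame_hex}|{prev}".encode()).hexdigest()


def build_log(stamped_frames) -> list:
    """Attach capture time, sequence number and chained hash to each frame."""
    prev, log = GENESIS, []
    for seq, (ts, frame) in enumerate(stamped_frames):
        rec = {"seq": seq, "ts": ts, "frame": frame.hex(), **parse_mbap(frame),
               "prev": prev, "hash": _digest(seq, ts, frame.hex(), prev)}
        log.append(rec)
        prev = rec["hash"]
    return log


def verify_log(log) -> bool:
    """Recompute the chain; any edited time, frame or order breaks it."""
    prev = GENESIS
    for seq, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(seq, rec["ts"], rec["frame"], prev):
            return False
        prev = rec["hash"]
    return True
```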