[SCADASEC] SCADA, control systems and forensics
Ken Møller
KENM at StatoilHydro.com
Thu Feb 7 15:52:15 CST 2008
I'm tempted to install a 'standalone' honeypot with a tempting system name to have log/audit files that probably have not been tampered with.
Been thinking of a backdoor zone keeping snapshots of system logfiles that are constantly mirrored and kept for a suitable time.
-ken..(norway)
-----Original Message-----
From: scadasec-bounces at news.infracritical.com [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob Radvanovsky
Sent: 7 February 2008 21:01
To: scadasec at news.infracritical.com
Subject: [SCADASEC] SCADA, control systems and forensics
One of the issues that I have raised within the 'CIP' community has been *how* to identify threats (and their attempts) post-facto; meaning, how do I perform a forensics analysis on something that is, for sake of better terms, 'dumber than a door knob'? It's one thing to conduct post-facto forensics best practices on a server, or within an IT environment, but this isn't 'IT'. Older protocols don't include date and/or time stamps within the communications packets, and often times, comm packets are terse (if that). So...how do *we*, as SCADA professionals define and establish methods for performing post-facto forensics analysis and management of a given control system environment?
I'd like to get some feedback from the list. The entire premise here is to encourage discussion. OK -- here's your opportunity... ;)
-rad
P.S. This message will self-destruct in 5 seconds...
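Added example, not from either poster: one way to build the mirrored log zone Ken sketches, while also addressing Bob's point that the device or protocol may carry no usable timestamp. The collector (assumed to sit in a separate zone with its own clock) stamps each raw line on arrival, chains records with SHA-256 so later edits or deletions are detectable, and prunes old records by moving a checkpoint hash forward instead of breaking the chain. Device names, log lines and dates are constructed for the walk-through.

```python
# Tamper-evident, receiver-timestamped log mirror (hypothetical example).
# The mirror never trusts the source's clock or its own on-disk files: every
# line is stamped with arrival time and linked to the previous record's hash.
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

GENESIS = "0" * 64  # chain anchor before any record exists


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on dict key ordering.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class LogMirror:
    def __init__(self, retention: timedelta = timedelta(days=90)):
        self.retention = retention
        self.records = []
        self.anchor = GENESIS     # hash the oldest retained record must point to
        self.last_hash = GENESIS  # checkpoint an operator would also keep off-mirror
        self.next_seq = 0

    def append(self, source: str, raw_line: str,
               received_at: Optional[datetime] = None) -> dict:
        """Store one raw line exactly as received, stamped with the mirror's clock."""
        received_at = received_at or datetime.now(timezone.utc)
        record = {
            "seq": self.next_seq,
            "received_at": received_at.isoformat(),
            "source": source,
            "raw": raw_line,           # source timestamp, if any, stays inside raw
            "prev": self.last_hash,
        }
        record["hash"] = _digest(record)
        self.records.append(record)
        self.last_hash = record["hash"]
        self.next_seq += 1
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the chain from the anchor; return (ok, first bad seq or None)."""
        prev = self.anchor
        expected = self.records[0]["seq"] if self.records else self.next_seq
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["seq"] != expected or rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False, expected
            prev = rec["hash"]
            expected += 1
        if prev != self.last_hash:  # tail records were removed
            return False, expected
        return True, None

    def prune(self, now: datetime) -> int:
        """Drop records older than the retention window; advance the anchor."""
        cutoff = now - self.retention
        keep = [r for r in self.records
                if datetime.fromisoformat(r["received_at"]) >= cutoff]
        dropped = len(self.records) - len(keep)
        self.anchor = keep[0]["prev"] if keep else self.last_hash
        self.records = keep
        return dropped


def demo() -> dict:
    """Constructed walk-through: ingest, simulated edit, detection, pruning."""
    base = datetime(2008, 2, 7, 21, 1, tzinfo=timezone.utc)
    m = LogMirror(retention=timedelta(days=2))
    # Constructed sample lines; a real collector would read them off syslog or serial.
    lines = [
        ("rtu-07", "MODE CHANGE local->remote"),
        ("rtu-07", "SETPOINT PUMP2 write ok"),
        ("hmi-01", "login operator console=3"),
    ]
    for i, (src, raw) in enumerate(lines):
        m.append(src, raw, received_at=base + timedelta(days=i))
    ok_before, _ = m.verify()
    m.records[1]["raw"] = "SETPOINT PUMP2 write denied"  # simulated edit on the mirror
    ok_after, bad_seq = m.verify()
    m.records[1]["raw"] = lines[1][1]                     # restore original line
    dropped = m.prune(now=base + timedelta(days=3))
    ok_pruned, _ = m.verify()
    return {"ok_before": ok_before, "ok_after": ok_after, "bad_seq": bad_seq,
            "dropped": dropped, "retained": len(m.records), "ok_pruned": ok_pruned}


if __name__ == "__main__":
    print(demo())
```

The mirror's own `received_at` is the only time source the forensic timeline relies on, which is the practical answer when the control protocol itself is silent about time; the `last_hash` checkpoint should be copied somewhere the mirror host cannot rewrite, since an attacker with full control of the mirror could otherwise rebuild the whole chain.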