[SCADASEC] SCADA, control systems and forensics

Bob Radvanovsky rsradvan at unixworks.net
Thu Feb 7 16:04:19 CST 2008


Interesting.  The SCADA Honeynet Project is based off the current Honeynet Project, using the 'honeyd' (http://www.honeyd.org/index.php) development tool.  Wonder what changes they made to simulate PLCs.

Sounds like a grand idea, Ken.  Would you consider offering your honeynet for public testing?

-rad

----- Original Message -----
From: Ken Møller [mailto:KENM at StatoilHydro.com]
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] SCADA, control systems and forensics


> 
> I'm tempted to install a 'standalone' honeypot with a tempting system name to
> have log/audit files probably not tampered with.
> Been thinking of a backdoor zone where snapshots of system logfiles are
> constantly mirrored and kept for a suitable time.
> 
> -ken..(norway)
> 
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
> Radvanovsky
> Sent: 7 February 2008 21:01
> To: scadasec at news.infracritical.com
> Subject: [SCADASEC] SCADA, control systems and forensics
> 
> One of the issues that I have raised within the 'CIP' community has been
> *how* to identify threats (and their attempts) post-facto; meaning, how do I
> perform a forensics analysis on something that is, for sake of better terms,
> 'dumber than a door knob'?  It's one thing to conduct post-facto forensics
> best practices on a server, or within an IT environment, but this isn't
> 'IT'.  Older protocols don't include date and/or time stamps within the
> communications packets, and oftentimes, comm packets are terse (if that).
> So...how do *we*, as SCADA professionals define and establish methods for
> performing post-facto forensics analysis and management of a given control
> system environment?
> 
> I'd like to get some feedback from the list.  The entire premise here is to
> encourage discussion.  OK -- here's your opportunity...  ;)
> 
> -rad
> 
> P.S. This message will self-destruct in 5 seconds...
> 
> _______________________________________________
> To unsubscribe from this mailing list, please visit:
> http://news.infracritical.com/mailman/listinfo/scadasec
> 
> To review our privacy statement, please visit:
> http://www.infracritical.com/privacy.html
> 
> scadasec at news.infracritical.com
> http://news.infracritical.com/mailman/listinfo/scadasec
> 
> 
> -------------------------------------------------------------------
> The information contained in this message may be CONFIDENTIAL and is
> intended for the addressee only. Any unauthorised use, dissemination of the
> information or copying of this message is prohibited. If you are not the
> addressee, please notify the sender immediately by return e-mail and delete
> this message.
> Thank you.
> 
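An added example, not code from the original thread or from either author, of what Ken's "backdoor zone" of constantly mirrored log snapshots could look like. It addresses the two points raised above: the copies live outside the control system so they are unlikely to be tampered with, and, since older protocols carry no timestamps of their own, each snapshot is stamped with its collection time by the collector. Snapshots are hashed and chained so that a modified or removed copy inside the retention window is detected on verification. All paths, timestamps, log lines and the retention period are constructed for the example.

```python
"""Tamper-evident snapshot mirror for a control-system log file (added example)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional

GENESIS = "0" * 64  # chain anchor for the first snapshot (constructed constant)


def read_chain(vault: Path) -> List[Dict]:
    """Return every snapshot record in the vault's append-only chain file."""
    path = vault / "chain.jsonl"
    if not path.exists():
        return []
    return [json.loads(ln) for ln in path.read_text().splitlines() if ln.strip()]


def snapshot(src: Path, vault: Path, taken_at: Optional[float] = None) -> Dict:
    """Copy `src` into `vault`, stamp it with the collection time and link it
    by hash to the previous snapshot so earlier records cannot be silently replaced."""
    taken_at = time.time() if taken_at is None else taken_at
    vault.mkdir(parents=True, exist_ok=True)
    chain = read_chain(vault)
    prev = chain[-1]["entry"] if chain else GENESIS
    data = src.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    # The entry hash commits to the previous entry, the content hash and the timestamp.
    entry = hashlib.sha256(f"{prev}|{digest}|{taken_at:.3f}".encode()).hexdigest()
    name = f"{int(taken_at)}_{entry[:12]}.log"
    (vault / name).write_bytes(data)
    record = {"file": name, "taken_at": taken_at, "sha256": digest, "prev": prev, "entry": entry}
    with (vault / "chain.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def verify(vault: Path, now: Optional[float] = None, keep_seconds: float = 30 * 86400) -> List[str]:
    """Recompute the chain and check each surviving copy; returns a list of problems
    (an empty list means clean). Copies missing outside the retention window are expected."""
    now = time.time() if now is None else now
    problems: List[str] = []
    prev = GENESIS
    for i, rec in enumerate(read_chain(vault)):
        expected = hashlib.sha256(f"{prev}|{rec['sha256']}|{rec['taken_at']:.3f}".encode()).hexdigest()
        if rec["prev"] != prev or rec["entry"] != expected:
            problems.append(f"entry {i} ({rec['file']}): chain link broken")
        path = vault / rec["file"]
        if path.exists():
            if hashlib.sha256(path.read_bytes()).hexdigest() != rec["sha256"]:
                problems.append(f"entry {i} ({rec['file']}): content altered")
        elif now - rec["taken_at"] < keep_seconds:
            problems.append(f"entry {i} ({rec['file']}): copy missing inside retention window")
        prev = rec["entry"]
    return problems


def prune(vault: Path, now: Optional[float] = None, keep_seconds: float = 30 * 86400) -> List[str]:
    """Delete copies older than the retention period. Chain records are kept,
    so the linkage of the remaining entries stays verifiable."""
    now = time.time() if now is None else now
    removed: List[str] = []
    for rec in read_chain(vault):
        path = vault / rec["file"]
        if path.exists() and now - rec["taken_at"] >= keep_seconds:
            path.unlink()
            removed.append(rec["file"])
    return removed


def demo() -> Dict[str, object]:
    """Constructed scenario: three hourly snapshots, one copy later altered in the vault,
    then pruning with a one-day retention. Nothing here touches a real device."""
    work = Path(tempfile.mkdtemp())
    src, vault = work / "gateway.log", work / "vault"
    base = 1202421600.0  # constructed epoch timestamp
    lines = ["poll station A ok", "poll station B ok", "setpoint change acknowledged"]
    recs = [
        snapshot(src, vault, base + h * 3600)
        for h in range(3)
        if src.write_text("\n".join(lines[: h + 1]) + "\n") is not None
    ]
    clean = verify(vault, now=base + 3 * 3600)
    (vault / recs[1]["file"]).write_text("poll station A ok\n")  # simulated alteration of a copy
    tampered = verify(vault, now=base + 3 * 3600)
    later = base + 86400 + 5400  # one day and 90 minutes after the first snapshot
    removed = prune(vault, now=later, keep_seconds=86400)  # first two copies expire
    after_prune = verify(vault, now=later, keep_seconds=86400)
    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered, "removed": removed, "after_prune": after_prune}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain file is the part to protect most carefully: in a real deployment it would be appended from the mirror side only (for example by a collector that pulls from the control network and has no inbound path back into it), and the vault hash of each day's last entry would be recorded somewhere the vault host cannot reach.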