[SCADASEC] SCADA, control systems and forensic
Mark Fabro
fabro at loftyperch.com
Thu Feb 7 16:12:37 CST 2008
We tried all the kung fu that was out there to do this. And, once again, Matt needs to chime in as this was his baby.
MATT!!!!!
-----Original Message-----
From: scadasec-bounces at news.infracritical.com [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob Radvanovsky
Sent: Thursday, February 07, 2008 5:04 PM
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] SCADA, control systems and forensic
Interesting. The SCADA Honeynet Project is based off the current Honeynet Project, using the 'honeyd' (http://www.honeyd.org/index.php) development tool. Wonder what changes they made to simulate PLCs.
Sounds like a grand idea, Ken. Would you consider offering your honeynet for public testing?
-rad
----- Original Message -----
From: Ken Møller [mailto:KENM at StatoilHydro.com]
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] SCADA, control systems and forensics
>
> I'm tempted to install a 'standalone' honeypot with a tempting system name to
> have log/audit files probably not tampered with.
> Been thinking of a backdoor zone where snapshots of system logfiles are
> constantly mirrored and kept for a suitable time.
>
> -ken..(norway)
>
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com
> [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
> Radvanovsky
> Sent: 7. februar 2008 21:01
> To: scadasec at news.infracritical.com
> Subject: [SCADASEC] SCADA, control systems and forensics
>
> One of the issues that I have raised within the 'CIP' community has been
> *how* to identify threats (and their attempts) post-facto; meaning, how do I
> perform a forensics analysis on something that is, for sake of better terms,
> 'dumber than a door knob'? It's one thing to conduct post-facto forensics
> best practices on a server, or within an IT environment, but this isn't
> 'IT'. Older protocols don't include date and/or time stamps within the
> communications packets, and oftentimes, comm packets are terse (if that).
> So...how do *we*, as SCADA professionals, define and establish methods for
> performing post-facto forensics analysis and management of a given control
> system environment?
>
> I'd like to get some feedback from the list. The entire premise here is to
> encourage discussion. OK -- here's your opportunity... ;)
>
> -rad
>
> P.S. This message will self-destruct in 5 seconds...
>
> _______________________________________________
> To unsubscribe from this mailing list, please visit:
> http://news.infracritical.com/mailman/listinfo/scadasec
>
> To review our privacy statement, please visit:
> http://www.infracritical.com/privacy.html
>
> scadasec at news.infracritical.com
> http://news.infracritical.com/mailman/listinfo/scadasec
>
>
>
>
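Ken's mirrored-snapshot idea and Bob's point that older control protocols carry no timestamps, as an added example that is not part of this thread: the capture host stamps each Modbus/TCP frame on receipt and appends it to a hash-chained mirror log, so a later edit to the mirrored copy (a rewritten function code, a back-dated entry) is detectable. The Modbus/TCP framing, the sample frames, addresses and timestamps are all constructed assumptions, not anything from the list.

```python
import hashlib
import json
import struct
# Constructed Modbus/TCP frames (MBAP header + PDU), not captured traffic:
# tid=1 read holding registers (fc 3, addr 0, qty 10); tid=2 write single register (fc 6).
SAMPLE_FRAMES = [
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\xff",
]
GENESIS = "0" * 64  # chain anchor for the first log entry

def parse_mbap(frame: bytes) -> dict:
    """Decode the 7-byte MBAP header and function code; the frame carries no timestamp."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": uid, "fc": frame[7], "pdu": frame[8:].hex()}

class ChainedLog:
    """Append-only mirror log: each entry commits to the SHA-256 of the previous one."""
    def __init__(self):
        self.entries, self.prev = [], GENESIS

    def record(self, frame, src, dst, ts):
        # ts is the capture host's clock, supplied externally because the protocol has none
        entry = {"ts": ts, "src": src, "dst": dst, "prev": self.prev, **parse_mbap(frame)}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.entries.append(entry)
        self.prev = entry["hash"]
        return entry

def first_tampered(entries):
    """Index of the first entry whose hash or chain link fails, or -1 if the log is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or digest != e.get("hash"):
            return i
        prev = e["hash"]
    return -1

def build_sample_log():
    """Mirror the constructed frames with fixed capture-host timestamps (constructed addresses)."""
    log = ChainedLog()
    for i, frame in enumerate(SAMPLE_FRAMES):
        log.record(frame, "10.0.0.5", "10.0.0.20", ts=1202421600 + i)
    return log
```

The chain only proves the mirrored copy was not altered after capture; the capture host itself still needs to sit somewhere the controlled devices cannot write to, which is the point of Ken's separate zone.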