[SCADASEC] SCADA, control systems and forensic

Matthew Franz mdfranz at gmail.com
Thu Feb 7 19:11:02 CST 2008


Actually my colleague at Cisco Venkat Pothamsetty did most of the grunt
work on http://scadahoneynet.sourceforge.net/

And Dale and Landon were intimately involved in
http://www.scadahoneynet.com/ which was a 2nd pass at the concept...

Of course the whole problem with SCADA honeynets on public networks
(at least on the data I saw) is that there were no interesting
attacks.




On Feb 7, 2008 4:12 PM, Mark Fabro <fabro at loftyperch.com> wrote:
> We tried all the kung fu that was out there to do this. And, once again, Matt needs to chime in as this was his baby.
>
> MATT!!!!!
>
> -----Original Message-----
> From: scadasec-bounces at news.infracritical.com [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob Radvanovsky
>
> Sent: Thursday, February 07, 2008 5:04 PM
> To: scadasec at news.infracritical.com
> Subject: Re: [SCADASEC] SCADA, control systems and forensic
>
> Interesting.  The SCADA Honeynet Project is based off the current Honeynet Project, using the 'honeyd' (http://www.honeyd.org/index.php) development tool.  Wonder what changes they made to simulate PLCs.
>
> Sounds like a grand idea, Ken.  Would you consider offering your honeynet for public testing?
>
> -rad
>
> ----- Original Message -----
> From: Ken Møller [mailto:KENM at StatoilHydro.com]
> To: scadasec at news.infracritical.com
> Subject: Re: [SCADASEC] SCADA, control systems and forensics
>
>
> >
> > I'm tempted to install a 'standalone' honeypot with a tempting systemname to
> > have log/audit files probably not tampered with.
> > Been thinking of a backdoor zone where snapshots of system logfiles
> > are constantly mirrored and kept for a suitable time.
> >
> > -ken..(norway)
> >
> > -----Original Message-----
> > From: scadasec-bounces at news.infracritical.com
> > [mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Bob
> > Radvanovsky
> > Sent: 7. februar 2008 21:01
> > To: scadasec at news.infracritical.com
> > Subject: [SCADASEC] SCADA, control systems and forensics
> >
> > One of the issues that I have raised within the 'CIP' community has been
> > *how* to identify threats (and their attempts) post-facto; meaning, how do I
> > perform a forensics analysis on something that is, for sake of better terms,
> > 'dumber than a door knob'?  It's one thing to conduct post-facto forensics
> > best practices on a server, or within an IT environment, but this isn't
> > 'IT'.  Older protocols don't include date and/or time stamps within the
> > communications packets, and often times, comm packets are terse (if that).
> > So...how do *we*, as SCADA professionals define and establish methods for
> > performing post-facto forensics analysis and management of a given control
> > system environment?
> >
> > I'd like to get some feedback from the list.  The entire premise here is to
> > encourage discussion.  OK -- here's your opportunity...  ;)
> >
> > -rad
> >
> > P.S. This message will self-destruct in 5 seconds...
> >
> > _______________________________________________
> > To unsubscribe from this mailing list, please visit:
> > http://news.infracritical.com/mailman/listinfo/scadasec
> >
> > To review our privacy statement, please visit:
> > http://www.infracritical.com/privacy.html
> >
> > scadasec at news.infracritical.com
> > http://news.infracritical.com/mailman/listinfo/scadasec
> >
> >
> > -------------------------------------------------------------------
> > The information contained in this message may be CONFIDENTIAL and is
> > intended for the addressee only. Any unauthorised use, dissemination of the
> > information or copying of this message is prohibited. If you are not the
> > addressee, please notify the sender immediately by return e-mail and delete
> > this message.
> > Thank you.
> >
>



-- 
Matthew Franz
http://www.threatmind.net/
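The thread asks two practical questions: what a honeyd-style honeypot has to do to "simulate a PLC", and how to get forensically useful records out of protocols that carry no date or time stamps. The block below is an added example, not code from the SCADA Honeynet project or from anyone on this list. It emulates the smallest useful slice of a Modbus/TCP slave (MBAP header parsing, function 3 "Read Holding Registers" served from a fake register table, Modbus exception responses for everything else) and, for every frame, produces an audit record that carries the receive timestamp and peer address the protocol itself lacks. The sample frames, register values and peer address are constructed for the example; the same handler could sit behind a plain TCP listener on port 502 or behind a honeyd service script.

```python
import json
import struct
from datetime import datetime, timezone

# Constructed sample frames (hand-built for this example, not captured traffic):
# Modbus/TCP "Read Holding Registers": transaction 1, unit 1, start 0, quantity 2.
SAMPLE_READ_HOLDING = bytes.fromhex("0001" "0000" "0006" "01" "03" "0000" "0002")
# Same framing but function 0x10 (Write Multiple Registers), which we do not emulate.
SAMPLE_UNSUPPORTED = bytes.fromhex("0002" "0000" "0006" "01" "10" "0000" "0001")

# Fake register table of the emulated PLC (assumed values, not a real device).
REGISTERS = [0x0000, 0x00FA, 0x0103, 0x0000]

ILLEGAL_FUNCTION = 0x01      # Modbus exception code 1
ILLEGAL_DATA_ADDRESS = 0x02  # Modbus exception code 2


def parse_request(frame):
    """Split a Modbus/TCP frame into its 7-byte MBAP header and the PDU.

    MBAP = transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU, i.e. len(frame) - 6.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("not Modbus (protocol id %d)" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field %d does not match frame" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def build_response(req):
    """Answer function 3 from REGISTERS; anything else gets an exception PDU."""
    fc = req["function"]
    if fc == 3 and len(req["data"]) == 4:
        start, count = struct.unpack(">HH", req["data"])
        if 1 <= count <= 125 and start + count <= len(REGISTERS):
            values = REGISTERS[start:start + count]
            pdu = bytes([fc, 2 * count]) + struct.pack(">%dH" % count, *values)
        else:
            pdu = bytes([fc | 0x80, ILLEGAL_DATA_ADDRESS])
    else:
        pdu = bytes([fc | 0x80, ILLEGAL_FUNCTION])
    mbap = struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["unit"])
    return mbap + pdu


def handle(frame, peer, now=None):
    """Process one frame; return (response bytes or None, audit record dict).

    The audit record is where the forensic value lives: the wire protocol has no
    timestamp, so the honeypot stamps each frame on receipt (UTC) and keeps the
    raw bytes so the record can be re-parsed later if the decoder was wrong.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    try:
        req = parse_request(frame)
    except ValueError as e:
        # Malformed input is worth recording too: scanners and fuzzers look like this.
        return None, {"ts": ts, "peer": peer, "error": str(e), "raw": frame.hex()}
    resp = build_response(req)
    record = {
        "ts": ts, "peer": peer, "unit": req["unit"], "function": req["function"],
        "data": req["data"].hex(), "exception": bool(resp[7] & 0x80), "raw": frame.hex(),
    }
    return resp, record


if __name__ == "__main__":
    # Run the two constructed frames through the emulator and print one JSON
    # audit line per frame, the form you would ship off-box to a log mirror.
    for frame in (SAMPLE_READ_HOLDING, SAMPLE_UNSUPPORTED):
        resp, rec = handle(frame, "10.0.0.5")  # peer address is made up
        print(json.dumps(rec), "->", resp.hex() if resp else None)
```

Two design points worth noting. The emulator answers only one function code and returns a standard exception for the rest, which is enough to look like a device to a scanner while keeping the attack surface of the honeypot itself tiny. And the audit record is written per frame rather than per session, so the records stay meaningful even when the log is mirrored off the host a line at a time, as Ken suggests.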


