[SCADASEC] IBM is offering 'SCADA security best practices'...

Jake Brodsky ab3a at comcast.net
Mon Feb 11 16:41:14 CST 2008


The kernel has to be simple to make hashing work.  It might be a very 
good way to handle Virtualization, though.

With decent virtualization, one can then maintain a main and a 
diagnostic image ready for context switch.  Should an attack be 
detected, one has only to make a context switch, and dump the image of 
the attacked software to disk. Hand the disk to a forensics team, load a 
new image from a known safe backup, and then keep on running.

Another thing: I envision SAN type disk array storage to be more 
applicable here.  It makes it easy to hand the raw history over to 
authorities whenever requested, without missing a beat.

Is this the sort of thing you're looking for, Mark?

Jake Brodsky

Mark Fabro wrote:
> The area of forensics in control domains is becoming a hot discussion 
> topic. Just to put it out there, what are the thoughts on kernel hashing 
> to help uncover activity? Many agree that forensics must be done in real 
> time, so what are the mechanisms that people can use to embed a 
> capability prior to an event? Also, how are people suggesting to handle 
> the issue of disparate clocking/timing channels? There has been some 
> chatter, figured I would pick it up again.
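The "kernel hashing" idea raised in the quoted message amounts to an integrity baseline: record digests of the kernel and other trusted binaries before an event, then compare on demand (or on a schedule) so that tampering surfaces with a timestamp you can line up against other logs. The script below is an added illustration written for this thread, not code from either poster or from IBM's material; the tracked file names and their contents are constructed samples written into a temporary directory so it runs offline, and the UTC timestamps are a deliberate choice so records from hosts with disparate clocks can be correlated.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algo="sha256", chunk_size=1 << 20):
    """Stream a file through the chosen digest so large images do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, tracked_paths):
    """Record digest and size for each tracked file; this is the 'known good' state captured before any event."""
    baseline = {}
    for rel in tracked_paths:
        full = os.path.join(root, rel)
        baseline[rel] = {"sha256": hash_file(full), "size": os.stat(full).st_size}
    return baseline


def verify(root, baseline):
    """Compare the live files to the baseline and return a list of findings, each stamped in UTC."""
    findings = []
    for rel, expected in baseline.items():
        full = os.path.join(root, rel)
        now = datetime.now(timezone.utc).isoformat()
        if not os.path.exists(full):
            findings.append({"path": rel, "status": "missing", "time_utc": now})
            continue
        actual = hash_file(full)
        if actual != expected["sha256"]:
            findings.append({
                "path": rel,
                "status": "modified",
                "expected": expected["sha256"],
                "actual": actual,
                "time_utc": now,
            })
    return findings


def demo():
    """Build a baseline over constructed sample files, then show a clean check and a check after changes."""
    # Hypothetical file set; names and bytes are constructed for the example, not real kernel content.
    tracked = ["boot/vmlinuz-sample", "lib/modules/sample.ko"]
    with tempfile.TemporaryDirectory() as root:
        for rel in tracked:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(b"\x7fELF constructed sample bytes for " + rel.encode())

        baseline = build_baseline(root, tracked)
        clean_findings = verify(root, baseline)      # expected: nothing to report

        # Simulate what a later check should catch: one file altered, one removed.
        with open(os.path.join(root, tracked[0]), "ab") as f:
            f.write(b"\x00")
        os.remove(os.path.join(root, tracked[1]))
        later_findings = verify(root, baseline)

        return len(clean_findings), [f["status"] for f in later_findings]


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as where it is kept: store it (and the verifier itself) on read-only media or on a separate host rather than on the machine being checked, since a compromised host can rewrite a baseline it can reach. The UTC timestamps on each finding are what let an analyst correlate a modification with records from a historian, a SAN, or a controller that keep their own clocks.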
