[SCADASEC] The Difference Between Audits, Assessments, and Analysis

Mark Fabro fabro at loftyperch.com
Sat Feb 16 09:24:44 CST 2008


(Apologize if this has already been sent in some form)

Thanks for the note, Joe. By August, I would assume there will be 3 or 4
forensic items out there from various sources to provide at least a
starting point. Over here we have been doing extensive research on the
forensics issue and have noticed (as would be expected) that the
difficulty in doing an investigation scales with the age of the system.

We have found that mapping proven forensic methods is a decent start and
hope the community feels the same about not re-inventing the wheel too
much (although there will be a need to create system-specific methods
some time soon). These methods become less and less useful the more aged
or unique the system gets. We have found that things get very
interesting when you start addressing issues such as unified timing
sources, hashing, and the wide landscape of volatile memory types in the
control domain (especially end points/field). We have also worked with
using fault tables and other unique vendor-specific 'troubleshooting'
methods, but those do not always prove fruitful (especially if the vendor
no longer exists!!). Mapping fault tables to particular events can be an
issue as well; the interpretation and correlation is tricky, as many FTs
were created to assist in getting things operational or maintaining ops
(rather than after-action investigation).

We have found the lack of available data in the system (analysis target)
and complexity of doing the investigation for forensics scales directly
with the age of the system. Many people assume that the newer the system
is the easier investigation will be, and that (as we have found) is not
always the case. In some instances the vendor has tried to use the
inherent logging and security of the base OS for better 'logging' but
they also add point/instruction authorization and authentication in
there that can often modify how the base logging is done (and thus throw
off your investigative methods). In some cases you can ascertain 'what'
happened but have trouble with cross-correlating the 'who' due to these
unique logging solutions. Please do not interpret that statement as a
sweeping generalization, as many vendors do a great job of aligning base
OS security/logging with their own advanced methods. (The scope of _that_
discussion can get way beyond a single post...) I am just commenting on
some of the things we have seen.

Clearly, the new systems are better, but overall the challenge regarding
forensics in the industrial domain is a really great and interesting
challenge.

We are looking at a lot of solution ideas, some blue sky and some pretty
well grounded. I am interested to hear about thoughts on the selection
of unified timing and disparate timing, as well as ideas about embedded
forensics tools in the system that can provide real-time analysis
(without operations interruption) if required. Just some thoughts.

MF 

-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of Joe Weiss
Sent: Saturday, February 16, 2008 12:33 AM
To: scadasec at news.infracritical.com
Subject: [SCADASEC] The Difference Between Audits, Assessments, and Analysis


I would like to make one other point that is somewhat tangential, but
also relevant. That is the area of control system cyber security logging
for forensics. Many legacy control systems have no logging capability for
cyber security events. Consequently, it is questionable how these legacy
systems will be able to provide appropriate input for forensics.
Tentatively, the FBI will be addressing the issue of control system
forensics at the August Control System Cyber Security Workshop.
Joe 

Joe Weiss PE, CISM
Applied Control Solutions, LLC
Cupertino, CA
(408) 253-7934
(408) 253-7974 Fax
(408) 832-5396 Cell
joe.weiss at realtimeacs.com
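The unified-versus-disparate timing problem raised above (and the hashing point) can be seen concretely by building a single timeline from sources that each stamp events with their own clock. This is an added example, not code from either poster: the records, tag names, fault code and clock offsets are all constructed, and the per-source clock model is a hypothetical convention for this illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample records, not from any real system. Each source stamps
# events with its own clock: the HMI is NTP-synced UTC, the historian logs
# local time (UTC-6), and the PLC has a free-running clock found during the
# investigation to be 37 s slow relative to the reference clock.
RAW_EVENTS = [
    ("hmi",       "2008-02-15T23:58:40Z", "operator login acct=ops1"),
    ("historian", "2008-02-15 17:59:02",  "setpoint write tag=PV101 value=88"),
    ("plc",       "2008-02-15T23:58:30",  "setpoint changed PV101=88"),
    ("plc",       "2008-02-15T23:59:10",  "fault F0412 raised"),
]

# Hypothetical clock model per source: the time zone its timestamps are in and
# the correction needed to map them onto the unified (UTC) timeline.
CLOCK_MODELS = {
    "hmi":       {"tz": timezone.utc,                  "offset": timedelta(0)},
    "historian": {"tz": timezone(timedelta(hours=-6)), "offset": timedelta(0)},
    "plc":       {"tz": timezone.utc,                  "offset": timedelta(seconds=37)},
}

def evidence_hash(events):
    """SHA-256 over the raw records exactly as collected, so the derived
    timeline can later be tied back to unaltered evidence."""
    h = hashlib.sha256()
    for src, ts, msg in events:
        h.update(f"{src}|{ts}|{msg}\n".encode())
    return h.hexdigest()

def to_unified(src, ts):
    """Parse a source-local timestamp and correct it onto the UTC reference."""
    model = CLOCK_MODELS[src]
    naive = datetime.fromisoformat(ts.rstrip("Z"))
    local = naive.replace(tzinfo=model["tz"])
    return local.astimezone(timezone.utc) + model["offset"]

def unified_timeline(events):
    """Events ordered on the corrected clock; raw timestamps are kept alongside
    so the correction applied to each record stays visible."""
    corrected = [(to_unified(s, t), s, t, m) for s, t, m in events]
    return sorted(corrected)

def naive_order(events):
    """Order by raw timestamp text only, ignoring clock differences: this is
    what an investigator gets without a clock model, and it is misleading."""
    return [m for _, _, m in sorted(events, key=lambda e: e[1])]
```

On these records the naive ordering places the setpoint write before the operator login, while the corrected timeline shows login, write command, PLC acceptance, then the fault.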
