Cyber security forensics tool for industrial control systems

Analysis software helps detect and unearth threats to critical infrastructure systems after and even before cyber incidents.

August 19, 2010

Guidance Software, Inc. has announced a new partnership with Lofty Perch, Inc., to provide a new cyber forensics solution for industrial control and SCADA systems, designed to help organizations quickly expose, respond to, and recover from security incidents, including advanced persistent threats.

Lofty Perch will use Guidance Software’s EnCase Cybersecurity platform to give companies – such as those in the utilities and energy space – the ability to discover malicious or improper files and expedite restorative activities in industrial automation environments through a forensic-based critical infrastructure security solution.

“There is a clear need for cyber forensics and incident analysis management capabilities for industrial automation,” says Bob Radvanovsky, SCADA security consultant and co-founder of Infracritical, a provider of research and information security awareness programs. “This effort will combine the expertise of Lofty Perch and Guidance Software to deliver a first-of-its-kind capability to address the emerging problem of cyber forensics within the industrial automation domain.”

As Lofty Perch characterizes it, until now, industrial control and SCADA system asset owners and operators have struggled with finding appropriate methods to perform forensics tasks without taking mission-critical systems offline. With EnCase technology, operators can perform forensic analysis while systems are operational with little impact on performance and availability.

“One requirement that is consistent in ongoing research for ICS, DCS, and SCADA system forensics is that we need to look at live systems,” says Mark Fabro, Lofty Perch president and chief scientist. “There are very few cases where we’ve been able to evaluate dead systems, and that’s typically after a total, catastrophic system failure, which has allowed investigators to get in there and grab artifacts. With most of the systems under investigation, asset owners or even law enforcement people are not going to have the luxury of being able to take the system down or off line. Those opportunities aren’t plausible. This solution addresses the need for availability of the system.”

The control systems running many industrial facilities are often more than 10 years old and were not designed to be exposed to external domains. Recent convergence of formerly disparate and isolated systems has opened this older critical infrastructure to security threats and vulnerabilities traditionally only found in IT sectors. The recent Stuxnet worm showcases the growing threat, with the emergence of customized malicious software that exploits zero-day vulnerabilities and specifically targets industrial control and SCADA systems. Due to high availability and performance requirements, combined with legacy technologies, these systems often lack the capability to support forensic analysis after an incident or system failure. Investigators are not allowed to shut down these systems when they want. As a result, administrators are unable to determine if the system experienced a normal failure or a security attack. Lofty Perch will offer cyber security solutions that include EnCase Cybersecurity enterprise software to help determine whether abnormal system behavior or failures are the result of a cyber attack or benign system nuances.

Potential users might wonder how current forensics analysis tools that emerged from the IT sector can be used to analyze software that may have been running, at least in some cases, for decades. Part of that solution is the expertise the Lofty Perch brings to the partnership, but part relates to the nature of control system architecture. “One of the great things about these control systems, at least from our point of view, is that they’re fairly predictable, unchanging systems,” says Anthony Di Bello, Guidance Software product manager. “One of the capabilities that we provide through our cyber security product is one that will allow the exposure of anomalies through regular audits against that known state. Control systems make that possible due to their static and predicable nature.”

Di Bello adds that the need for forensic analysis does not begin only after an incident because malicious activity can be going on before it’s obviously visible. “We’ve seen instances where highly-motivated external hackers research control systems and put code on those systems that doesn’t do anything,” he says. “They’re just waiting to see if the operators or information security team notices that it’s there. They do that before they deliver their payload, which could be stealing intellectual property or bringing down the system. Often they’re in there months before they deliver their payload, and that’s the time to detect the activity.”

Jim Butterworth, senior director of cyber security for Guidance Software says that it is critical to be able to determine what is really happening in a control system. He explains, “Despite the fact that the process control industry, including electric, water, oil, and gas are prime targets of malicious cyber security attacks, many of these organizations don’t have the post-incident cyber analysis tools to distinguish between a normal system failure and malicious activity. Security solutions that can detect and mitigate these events are critical. Our new relationship with Lofty Perch delivers a solution to investigate cyber events in SCADA and control system domains to accurately expose malicious activity and prevent future events from occurring.”

Edited by Peter Welander, pwelander@cfemedia.com
Control Engineering

Visit the Control Engineering Process Control Channel.