Cyber security forensics tool for industrial control systems

Analysis software helps detect and unearth threats to critical infrastructure systems after and even before cyber incidents.

08/19/2010


Guidance Software, Inc. has announced a new partnership with Lofty Perch, Inc., to provide a new cyber forensics solution for industrial control and SCADA systems, designed to help organizations quickly expose, respond to, and recover from security incidents, including advanced persistent threats.

Lofty Perch will use Guidance Software’s EnCase Cybersecurity platform to give companies – such as those in the utilities and energy space – the ability to discover malicious or improper files and expedite restorative activities in industrial automation environments through a forensic-based critical infrastructure security solution.

“There is a clear need for cyber forensics and incident analysis management capabilities for industrial automation,” says Bob Radvanovsky, SCADA security consultant and co-founder of Infracritical, a provider of research and information security awareness programs. “This effort will combine the expertise of Lofty Perch and Guidance Software to deliver a first-of-its-kind capability to address the emerging problem of cyber forensics within the industrial automation domain.”

As Lofty Perch characterizes it, until now, industrial control and SCADA system asset owners and operators have struggled with finding appropriate methods to perform forensics tasks without taking mission-critical systems offline. With EnCase technology, operators can perform forensic analysis while systems are operational with little impact on performance and availability.

“One requirement that is consistent in ongoing research for ICS, DCS, and SCADA system forensics is that we need to look at live systems,” says Mark Fabro, Lofty Perch president and chief scientist. “There are very few cases where we’ve been able to evaluate dead systems, and that’s typically after a total, catastrophic system failure, which has allowed investigators to get in there and grab artifacts. With most of the systems under investigation, asset owners or even law enforcement people are not going to have the luxury of being able to take the system down or off line. Those opportunities aren’t plausible. This solution addresses the need for availability of the system.”

The control systems running many industrial facilities are often more than 10 years old and were not designed to be exposed to external domains. Recent convergence of formerly disparate and isolated systems has opened this older critical infrastructure to security threats and vulnerabilities traditionally only found in IT sectors. The recent Stuxnet worm showcases the growing threat, with the emergence of customized malicious software that exploits zero-day vulnerabilities and specifically targets industrial control and SCADA systems. Due to high availability and performance requirements, combined with legacy technologies, these systems often lack the capability to support forensic analysis after an incident or system failure. Investigators are not allowed to shut down these systems when they want. As a result, administrators are unable to determine if the system experienced a normal failure or a security attack. Lofty Perch will offer cyber security solutions that include EnCase Cybersecurity enterprise software to help determine whether abnormal system behavior or failures are the result of a cyber attack or benign system nuances.

Potential users might wonder how current forensics analysis tools that emerged from the IT sector can be used to analyze software that may have been running, at least in some cases, for decades. Part of that solution is the expertise the Lofty Perch brings to the partnership, but part relates to the nature of control system architecture. “One of the great things about these control systems, at least from our point of view, is that they’re fairly predictable, unchanging systems,” says Anthony Di Bello, Guidance Software product manager. “One of the capabilities that we provide through our cyber security product is one that will allow the exposure of anomalies through regular audits against that known state. Control systems make that possible due to their static and predicable nature.”

Di Bello adds that the need for forensic analysis does not begin only after an incident because malicious activity can be going on before it’s obviously visible. “We’ve seen instances where highly-motivated external hackers research control systems and put code on those systems that doesn’t do anything,” he says. “They’re just waiting to see if the operators or information security team notices that it’s there. They do that before they deliver their payload, which could be stealing intellectual property or bringing down the system. Often they’re in there months before they deliver their payload, and that’s the time to detect the activity.”

Jim Butterworth, senior director of cyber security for Guidance Software says that it is critical to be able to determine what is really happening in a control system. He explains, “Despite the fact that the process control industry, including electric, water, oil, and gas are prime targets of malicious cyber security attacks, many of these organizations don’t have the post-incident cyber analysis tools to distinguish between a normal system failure and malicious activity. Security solutions that can detect and mitigate these events are critical. Our new relationship with Lofty Perch delivers a solution to investigate cyber events in SCADA and control system domains to accurately expose malicious activity and prevent future events from occurring.”

Edited by Peter Welander, pwelander(at)cfemedia.com
Control Engineering

Visit the Control Engineering Process Control Channel.



No comments
The Engineers' Choice Awards highlight some of the best new control, instrumentation and automation products as chosen by...
Each year, a panel of Control Engineering editors and industry expert judges select the System Integrator of the Year Award winners.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
Learn how to increase device reliability in harsh environments and decrease unplanned system downtime.
This eGuide contains a series of articles and videos that considers theoretical and practical; immediate needs and a look into the future.
Learn how to create value with re-use; gain productivity with lean automation and connectivity, and optimize panel design and construction.
Go deep: Automation tackles offshore oil challenges; Ethernet advice; Wireless robotics; Product exclusives; Digital edition exclusives
Lost in the gray scale? How to get effective HMIs; Best practices: Integrate old and new wireless systems; Smart software, networks; Service provider certifications
Fixing PID: Part 2: Tweaking controller strategy; Machine safety networks; Salary survey and career advice; Smart I/O architecture; Product exclusives
The Ask Control Engineering blog covers all aspects of automation, including motors, drives, sensors, motion control, machine control, and embedded systems.
Look at the basics of industrial wireless technologies, wireless concepts, wireless standards, and wireless best practices with Daniel E. Capano of Diversified Technical Services Inc.
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
This is a blog from the trenches – written by engineers who are implementing and upgrading control systems every day across every industry.
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.

Find and connect with the most suitable service provider for your unique application. Start searching the Global System Integrator Database Now!

Case Study Database

Case Study Database

Get more exposure for your case study by uploading it to the Control Engineering case study database, where end-users can identify relevant solutions and explore what the experts are doing to effectively implement a variety of technology and productivity related projects.

These case studies provide examples of how knowledgeable solution providers have used technology, processes and people to create effective and successful implementations in real-world situations. Case studies can be completed by filling out a simple online form where you can outline the project title, abstract, and full story in 1500 words or less; upload photos, videos and a logo.

Click here to visit the Case Study Database and upload your case study.