Making digital forensics a critical part of your cyber security defenses

Do you know your ICSs well enough to recognize when something is happening that shouldn’t be? That knowledge is critical to your defensive strategy, and represents the biggest advantage you have over attackers. See step-by-step cyber security table with tools, tactics, and tips.

By Robert M. Lee, Matthew E. Luallen January 15, 2014

Using digital forensic techniques with your industrial control systems (ICSs) and their networks is a hugely powerful defensive tool, yet it is one of the least understood concepts in cyber security. When people hear the term “digital forensics,” they often think of TV shows like CSI and assume it is a practice used solely for criminal investigations in a reactive mode. Nothing could be further from the truth. Digital forensics is a key component of defense, no different from mechanical, electrical, and chemical studies. When your people understand how the concepts work, that understanding leads to a higher level of reliability.

Digital forensics is a branch of forensic science that focuses on the digital domain. It includes fields such as computer forensics, network forensics, and mobile forensics. It is a fairly new field in relation to other sciences and engineering; thus it is important to break it down and attempt to understand the topic more fully.

Forensic science is a method of gathering and examining information. It’s all about formulating a question and searching for an answer. When that thought process is applied to digital forensics, the focus is not simply on malicious activity and network break-ins but also on understanding general system and network activity and why certain events happen. The process and science of digital forensics leads to a better understanding of the operating environment and what constitutes normal.

Imagine a simple example: Say the data historian did not collect commands sent from the SCADA (supervisory control and data acquisition) server to the RTU (remote terminal unit). Why not? Is there malicious activity going on within a network? Are there network abnormalities, failures, or misconfigurations that could lead to costly mistakes? These are questions well suited for digital forensic investigations.

With the increasingly interconnected nature of ICS environments, there are bound to be network and device configuration issues. There are also going to be malicious actors who break into networks to cause havoc or steal sensitive data. Verizon’s 2013 Data Breach Investigations Report showed that of the 47,000+ network intrusions observed in the past year, 20% involved manufacturing, transportation, and utilities. Of those intrusions, 66% took months or years to discover. Attackers, especially those who do not fully understand the unique nature of control systems, can cause significant damage with months of access to sensitive networks. In reality, though, there has been and will continue to be a lot of hype around cyber threats. Determining how much security is enough is an ongoing decision that can take time and money away from core business operations. The costs associated with defending against threats are high while yielding limited returns. At the same time, one of the benefits of digital forensics is that the same steps needed to enable it are those that asset owners must take to ensure the reliability of operations. In this way digital forensics can be a force multiplier, a mechanism that contributes to revenue instead of being just a cost to the business.

To realize these benefits, it is crucial to have processes and procedures in place to identify the appropriate personnel in your organization or to know who to call outside your organization. The Verizon report mentioned above also cited that 69% of breaches were spotted by an external party with only 9% being identified by internal resources.

First key step

Using digital forensics effectively requires that you understand your own networks. Once that is firmly in hand, it is easier to spot intrusions, and the need for outside teams is reduced. Additionally, if outside digital forensic investigators are needed, a solid understanding of your network and of where your critical data resides will drastically reduce the time, and thus the cost, associated with an investigation.

Understanding your network is the one aspect of digital defense a defender has that an attacker should never have. The fact that only the people within your company know the details of your networks and your attacker doesn’t is the single most important aspect of defense. The full knowledge of your network, what is on it, and how it operates is the foundation for all network security including digital forensics. When forensic teams attempt to identify and track down issues in the network, malicious or not, their hardest and most time-consuming job is often identifying how the network looks and what devices exist.

In the conventional IT world, usually an investigator only needs to have knowledge of MS Windows- and Linux-based systems, as well as a variety of web applications and servers. Although this can be a challenge, there are plenty of tools and well-rehearsed methodologies in place for acquiring evidence and mapping out the network.

For ICS-related investigations, it can be an incredibly daunting task to identify and understand all the different RTUs, historians, PLCs, embedded devices, HMI workstations, and other assets that are not considered traditional IT equipment. Additionally, viable forensic tools are not as common for ICS devices and networks. As automated as many plants are, identification of all those ICS assets often exists only in spreadsheets, blueprints, and paper logs. This information is usually maintained more for logistics and compliance reasons than for understanding the network. If a team of analysts wants to see how these devices are connected, they usually have to follow the wires and fiber connecting the devices. As wireless communication paths proliferate, that job is even harder. This is not the position you want to be in when an incident occurs and time is of the essence.

When asset owners and ICS team members invest the time to understand their network environment, it benefits operations in numerous ways. As previously mentioned, mapping out the networks and identifying devices that operate on them is a huge help to digital forensic teams. In addition, it enables operators and engineers to take part in the digital forensic process. With a better view into the network, the people who run operations can quickly identify things that are out of place. Users of the network can begin thinking like investigators and ask questions when they see odd things happening:

  • Why are there new devices on the network that are not documented?
  • Should that internal device be communicating and sending data offsite to a foreign location?
  • The latency and connectivity loss of that device is higher than expected. Is it about to fail?

Individuals who know what is supposed to be happening can identify when things aren’t living up to their expected behavior. Every user on the network becomes a sensor monitoring network health. But this doesn’t happen without the right understanding and knowledge. Getting your people trained is a major step toward a proactive approach to security and reliability.
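
The three questions above are, in effect, comparisons of observed behavior against a documented baseline, and the same comparison is what a readily retrievable baseline makes possible during a suspected incident. The following Python script is an added example, not code from the original article or from the authors. It compares constructed flow records against a hypothetical asset inventory (addresses, roles, latency envelopes, and flows are all made up for illustration) and flags the three deviations the questions describe: an undocumented device on the control network, an internal device sending data off-site, and a device responding more slowly than its documented envelope.

```python
import ipaddress
from collections import Counter

# Constructed asset inventory: what the plant's documentation says exists,
# with the worst response latency engineering still considers normal.
# Hypothetical addresses and roles, not taken from any real site.
INVENTORY = {
    "10.20.1.10": {"role": "SCADA server", "max_latency_ms": 20},
    "10.20.1.20": {"role": "Historian", "max_latency_ms": 20},
    "10.20.2.11": {"role": "RTU-1", "max_latency_ms": 80},
    "10.20.2.12": {"role": "RTU-2", "max_latency_ms": 80},
}

# Address space the documentation declares as inside the control network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed flow records as (source, destination, observed latency in ms),
# the kind of summary a flow collector or span-port capture would produce.
OBSERVED_FLOWS = [
    ("10.20.1.10", "10.20.2.11", 35),      # SCADA polls RTU-1: normal
    ("10.20.1.10", "10.20.2.12", 240),     # RTU-2 answering far slower than usual
    ("10.20.2.11", "10.20.1.20", 12),      # RTU-1 reporting to the historian: normal
    ("10.20.7.77", "10.20.1.10", 10),      # host nobody documented, talking to SCADA
    ("10.20.1.20", "198.51.100.23", 90),   # historian sending data off-site
]


def is_internal(addr, internal_nets=INTERNAL_NETS):
    """True if the address falls inside the documented control network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in internal_nets)


def check_flows(flows, inventory=INVENTORY, internal_nets=INTERNAL_NETS):
    """Compare observed flows against the baseline and return findings as
    (category, device, detail) tuples, one per deviation, in flow order."""
    findings = []
    for src, dst, latency_ms in flows:
        # Question 1: is there a device on our network that is not documented?
        for host in (src, dst):
            if is_internal(host, internal_nets) and host not in inventory:
                findings.append(("undocumented_device", host,
                                 f"seen in {src} -> {dst}"))
        # Question 2: is an internal device sending data off-site?
        if is_internal(src, internal_nets) and not is_internal(dst, internal_nets):
            role = inventory.get(src, {}).get("role", "unknown")
            findings.append(("offsite_communication", src, f"{role} -> {dst}"))
        # Question 3: is the responding device slower than its documented envelope?
        limit = inventory.get(dst, {}).get("max_latency_ms")
        if limit is not None and latency_ms > limit:
            findings.append(("latency_exceeded", dst,
                             f"{latency_ms} ms observed, {limit} ms expected"))
    return findings


def summarize(findings):
    """Count findings per category so an operator sees the shape at a glance."""
    return dict(Counter(category for category, _, _ in findings))


if __name__ == "__main__":
    results = check_flows(OBSERVED_FLOWS)
    for category, device, detail in results:
        print(f"{category:24} {device:16} {detail}")
    print(summarize(results))
```

The checks are only as good as the inventory behind them: a host that engineering installed but never documented shows up as an "undocumented device" finding, which is not a false positive so much as a documentation gap the baseline exercise was meant to expose. Latency envelopes are attributed to the responding device, since that is the asset whose health question 3 is asking about.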

What steps should you take to protect your environment better, enable greater system reliability, and prepare for digital forensics? The most critical step is to inventory the cyber security skill sets of the individuals involved within the daily operations, emergency management, engineering, IT, and management of the control environment and business office. This skill analysis is a tactical step to understand where there are sufficient skills and gaps that need to be filled.

The U.S. DHS report, Homeland Security Advisory Council: Cyber Skills Task Force Report, pertaining to skills assessment performed at a national level, may help you understand how to perform this internally. Working with your own HR department, regardless of its size, is a good start as you try to understand who can do what. This list of resources will be necessary in forming your cyber incident response capability, whether in-house or outsourced. The second critical step is to identify what mechanism is being used to protect your sensitive information. If there is no mechanism, create one. As you learn about digital assets and document their interactions, you will develop a baseline of information that will need to be protected. Consider how you will protect it when it is stored, how you will determine who you share it with, how it will be communicated to others, and how those recipients will handle it.

Once you have achieved the first two requirements, the next task is to identify what is needed to establish a detection and response capability at your site. It is important to recognize that each of the steps that we will outline includes its own challenges. To keep this article focused, we are only giving you the overview. A few of the necessary steps are in the table below.

Digital forensics in an ICS environment is an emerging field. There is much research to be done into tools, processes, and methodologies that can better enable the ICS community to face modern-day challenges. However, it is not necessary to wait for advancements to take advantage of the already established benefits. Documenting a firm baseline of your ICS environment, one that is readily retrievable and can be used as a reference during a suspected incident, is required to assure timely recovery. Cyber and information technology operate your ICS environment. They cannot be decoupled from the larger business environment, as they currently define a large part of the success of a modern competitive enterprise. Forensics and incident response mean planning for the worst and hoping for the best. They mean creating methodologies and understanding that are critical to protecting your critical assets. The digital battlefield is growing, and the expertise to zero in on industrial targets is expanding. The need to assure that you have the knowledge necessary to respond appropriately in the midst of a cyber attack has never been greater, and the knowledge to help you do it is expanding rapidly.

Robert M. Lee is a co-founder of Dragos Security LLC, a cyber security company that develops tools and research to enable the industrial control system community. He is also an active-duty U.S. Air Force cyberspace operations officer.

Matthew E. Luallen is a cyber security columnist for Control Engineering. He is also a co-founder of Dragos Security LLC, and Cybati.


Key concepts:

  • Determining how attackers are breaking into your industrial networks is difficult without an intimate knowledge of your network architecture.
  • The ability to recognize when something is wrong depends on understanding what normal is.
  • The knowledge you have of your own systems is key to maintaining your defenses.