Friday, May 1, 2009

Cyber Forensics

There is an interesting, if brief, blog by Joe Weiss over on It takes a look at an intriguing issue: how do we know that there have been ‘attacks’ on the control systems for the electric power industry? He references a CSPAN radio interview with Siobhan Gorman, the writer from the Wall Street Journal who broke the story. Joe notes that she said that “the intelligence agencies installed special detection mechanisms that picked up the evidence, not the power companies”.

Why Cyber Forensics?

Joe goes on to make the comment that the “control system cyber forensics [emphasis added] for power companies, and other industries, are marginal at best”. Just what does the term ‘cyber forensics’ mean? It is basically a combination of software and hardware system components that allows an investigator to go back and determine how and why the control system did what it did.

Many control systems have some cyber forensics capability. In the chemical facility where I worked it was a fairly routine part of incident investigations for all sorts of process upsets. We would go back and look at what commands operators had entered into the control system for the process involved. This was a good way to find some of the operator errors that led to, or complicated, the incidents under investigation.

What Joe is talking about in his blog is a bit more complicated than just looking at keyboard command logging. It potentially includes looking at records of all of the system communication; that is, communications between the various components that make up the control system. This is the basic reason that comprehensive forensics capability is lacking in most software: maintaining a record of all of the communications is memory intensive and does little to help process engineers and chemists do their jobs of process monitoring and process improvement.

Requiring Cyber Forensics Capability

Joe asks a good question at the end of his blog: “If the intelligence agencies do have this capability [to install special detection mechanisms], why isn’t [it] being used throughout critical infrastructure?” There are, of course, many easy answers to that question. The first is that there is no legal basis for requiring that such a capability be installed in any non-governmental cyber system. Additionally, many organizations would be reluctant to give the government that degree of insight into their processes. Finally, there is the question of who will pay for this capability.

Many of these questions could be answered by requiring cyber forensic capability in all critical control systems in whatever cyber security legislation comes out of Congress this year. For high-risk chemical facilities this issue could also be addressed in the upcoming re-authorization legislation for CFATS, but that would require a fundamental restructuring of the risk-based performance standards that form the basis of the current program.

Cyber Forensics will not Prevent an Attack

One important thing to remember, though, is that cyber forensics capability will not prevent an attack. It only allows one to go back and determine, after the fact, that an attack has taken place and how the attack was carried out, and potentially allows investigators to determine (and hopefully prove) who conducted the attack. Even the hardware and software capability is not sufficient to allow these determinations to be made; it still requires a trained investigator to sift through the recorded information. Lacking a trained computer forensics investigator at every critical facility, what is needed is a software expert system that can identify unexpected communications with the system and alert the facility computer security officer (CSO). This will still require that the CSO have at least basic forensic training to evaluate the situation and determine if expert assistance is required. While this still does not stop an attack, it may allow for timely mitigation of the effects of the attack.

CSO Action Required

While Congress needs to look at the cyber forensics issue, the CSO at high-risk chemical facilities can take some actions to enhance facility cyber forensics capability. First, contact your control system vendor and see what forensic capability already exists in your system. Ask the vendor what cyber forensic support or training they offer. Finally, ask what system upgrades are available for your system to enhance the cyber forensics capability. The answers to all of these questions need to be fed back into your site security plan development.
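To make the ‘expert system’ idea concrete, here is an added example (not code from this post, nor from Joe Weiss) of the simplest useful form of it: learn which component-to-component communications are normal during a known-good window, then flag anything outside that baseline for the CSO. The log format, host names and Modbus command names are constructed assumptions.

```python
# Added illustration, not code from the post: a minimal "expert system" that
# learns which control-system communications are normal and flags the rest.
# The record format (timestamp src dst protocol command) is constructed here.

# Constructed learning window: HMI and historian polling two PLCs over Modbus.
BASELINE_LOG = """\
2009-04-30T08:00:01 hmi-1 plc-reactor modbus read_holding_registers
2009-04-30T08:00:02 hmi-1 plc-reactor modbus write_single_register
2009-04-30T08:00:03 historian plc-reactor modbus read_holding_registers
2009-04-30T08:00:04 hmi-1 plc-cooling modbus read_holding_registers
"""

# Constructed live window: one unknown host, one known host doing something new.
LIVE_LOG = """\
2009-05-01T09:15:01 hmi-1 plc-reactor modbus read_holding_registers
2009-05-01T09:15:07 eng-laptop plc-reactor modbus write_single_register
2009-05-01T09:15:09 historian plc-cooling modbus write_single_register
2009-05-01T09:15:11 hmi-1 plc-cooling modbus read_holding_registers
"""


def parse(log):
    """Split each whitespace-separated record into its five named fields."""
    records = []
    for line in log.splitlines():
        ts, src, dst, proto, cmd = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "cmd": cmd})
    return records


def build_baseline(records):
    """Every (src, dst, protocol, command) tuple seen during normal operation."""
    return {(r["src"], r["dst"], r["proto"], r["cmd"]) for r in records}


def find_unexpected(records, baseline):
    """Return live records never seen in the baseline, each tagged with a reason
    so the CSO can triage: a host that has never talked to the control system
    is more urgent than a known host issuing a new command to a new target."""
    known_hosts = {host for key in baseline for host in key[:2]}
    alerts = []
    for r in records:
        if (r["src"], r["dst"], r["proto"], r["cmd"]) in baseline:
            continue
        reason = ("unknown source host" if r["src"] not in known_hosts
                  else "known host, new command/target pairing")
        alerts.append({**r, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_unexpected(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG))):
        print(f"ALERT {a['ts']} {a['src']} -> {a['dst']} {a['cmd']}: {a['reason']}")
```

Against the constructed data this raises two alerts: the engineering laptop writing to the reactor PLC, and the historian (normally read-only) writing to the cooling PLC; a real deployment would need the baseline window to be genuinely clean and would re-learn it after sanctioned changes.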

1 comment:

chemical engineering said...

nice to see another chemical blogger ...
