Cyber Forensics Basics

As usual, Joe Weiss writing at Control Global.com provides some thoughtful contributions to the cyber security debate. Earlier this week he had a brief posting about the topic of cyber forensics that is well worth reading. For readers of this blog that are not control system cognoscenti a better understanding of Joe’s comments will require another brief session of Control System 101. Process Forensics Computer based control systems have evolved over time and a large part of that evolution has been driven by the memory available in those computers. As available memory has increased over time, so has the complexity of the instructions, the number of devices controlled and the amount of information retained in the system. With the first computer control system that I worked with we could go back and query the system and obtain information about weights, temperature and pressure at any point in the process for a particular manufacturing batch as long as we did it before the next batch was started; the memory had to be cleared before the next process could begin. This information was an important tool in diagnosing process upsets. The next system that was installed at the facility provided that same information to a data historian, a separate computer program that recorded the information in a data base that could be accessed for a much longer time. This increased the utility of the information, but it was still restricted to measurement data; it provided no data on the inputs to the processing system that affected the system. You could, for example, tell that a batch temperature increased, but you could not tell why. Was it because a steam valve was left open too long? Or, was it because an undesirable side reaction was taking place? The information provided could tell us what went wrong, but not why. The next computer upgrade provided significantly more memory and allowed us to begin to tie operating controls into the system in a new way; we could begin to tie control device status into the data historian. This meant that we could track when valves opened and closed; or it did when we replaced the existing valves with more complex (read expensive) ones that had the capability to communicate their status to the control systems. This was the introduction of smart controls in our facility. The next software upgrade allowed us to track the operator commands used to control the system. We could then track when an operator told the steam valve to close, when it started to respond and when that valve was completely closed. This allowed us to gain finer control over batch quality as the time lag between command and operation affected key parameters of the process. All of the above deal with process forensics, being able to go back and look at what occurred during the manufacturing process that caused the product to turn out the way that it did. Process forensics are a critical tool for the process engineer or process chemist to diagnose process upsets and to make the manufacturing process more efficient. Cyber Forensics Cyber forensics is the next step in the industrial control system development process. As process automation allows for more and more computer decision making in the manufacturing process it becomes important to be able to analyze how that control is executed. Ideally the systems engineer will need to know what inputs the computer received from smart devices, the instructions/commands received from outside of the computer, and what instructions/commands the computer actually executed. Unfortunately, we are still at the equivalent of the “weights, temperature and pressure” stage of cyber forensics. Until systems engineers have tools similar to what are currently available to process engineers, they will have to make semi-educated guesses about root causes for control systems failures. And that makes it very difficult to differentiate between an internal system error, a system-system interaction error, a system-human interaction error, and a cyber attack.