
Forensic Analysis of Industrial Control Systems

Forensic Analysis of Industrial Control Systems (PDF, 11.51MB)
Published: 25 Sep, 2015
Created by: Lewis Folkerth

Industrial Control Systems (ICS) contribute to our safety and convenience every day, yet remain unseen and unnoticed. From oil refineries to traffic lights, from the elevators we ride to the electric power plants that keep our lights on, they provide the control and monitoring for our essential services. ICS have served reliably for decades, but a changing technological environment is exposing them to risks they were not designed to handle. Internet connectivity, vulnerability assessment tools, and attacks by criminal and nation-state organizations are part of this changing picture. Along with this higher-risk environment comes the certainty that some of our ICS will be compromised. In order to prevent recurring attacks, security professionals must be able to discover where the compromise originated, how it was carried out, and, if possible, who was responsible. Many types of ICS run on proprietary hardware, so commonly accepted forensic techniques must be adapted for use in an ICS environment. In order to detect a compromise, baseline configurations should be documented. Networks should be monitored for unauthorized access and activity. In addition, a response plan should be in place to maintain service and streamline recovery. Techniques for forensic analysis were adapted and tested on live ICS, resulting in recommendations for successful detection and recovery after an incident. With adequate preparation and the appropriate response planning and execution, it is possible to successfully perform a forensic analysis for an ICS compromise.