The Need for Control System Cyber Forensics
I have a control system cyber incident database with more than 200 incidents identified to date. Very few of the incidents were identified as cyber. Moreover, many of the incidents, particularly the most significant ones in terms of impact, neither violated IT security policies nor were logged as cyber intrusions. Consequently, they would not be identified by IT monitoring systems. At the 2009 ACS conference, two control system engineers from two different utilities spoke about their new plant distributed control system implementations, each from a different control system vendor. Each control system vendor assured the utilities their systems were secure and had adequate cyber forensics. However, each plant suffered multiple control system cyber incidents, one shutting down a coal-fired power plant. Neither utility had any indication of when or where the cyber impacts occurred. At this year’s ACS Conference, I had a system integrator discuss case histories from two different steel mills and their associated power plants with malware on their control system networks. The logging in each facility was not able to identify the time or location of the infections.
The lack of control system cyber forensics can have significant implications for operations, safety, compliance and even national security. Without adequate control system forensics, it may not be possible to meet the compliance requirements of the NERC CIPs and NRC. The military is depending on attribution for response to a cyber attack. This may not be currently possible.
There are numerous software tools available, including SIEM (security information and event management) products such as ArcSight. Unfortunately, they depend on input from the control systems that, in the cases above, does not exist. There is a need for a coordinated effort between control system domain experts and cyber forensic experts to develop appropriate control system cyber forensics based on actual and expected control system cyber incidents.
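The "input that does not exist" problem is concrete enough to check for before an incident happens. The following script is an added example, not code from the original post or from any vendor: it takes event records as exported from a DCS historian or syslog collector, measures whether each record carries the minimum a SIEM needs to place it in time and space (an unambiguous timestamp, a source device, an event type), and then tries to build a timeline for an incident window, listing the records that cannot be placed at all. The records, field names and device names are constructed sample data and assumptions, not logs from any real plant.

```python
"""
Forensic-readiness check for control system event logs.

Added example (not from the original post): given event records exported
from a DCS/PLC historian or syslog collector, report which records carry the
fields a SIEM needs to place an event in time and space (timestamp, source
device, event type), and which incident-window events cannot be placed.
The records below are constructed sample data, not logs from any real plant.
"""
from datetime import datetime, timezone

# Fields a forensic timeline needs at minimum. Assumed names, not a standard.
REQUIRED_FIELDS = ("timestamp", "device", "event")

# Constructed sample export: a mix of well-formed records and records that
# resemble what control system logging often actually produces.
SAMPLE_RECORDS = [
    {"timestamp": "2009-08-12T03:14:07Z", "device": "PLC-07", "event": "logic_download"},
    {"timestamp": "2009-08-12T03:15:22Z", "device": "HMI-02", "event": "operator_login"},
    {"device": "DCS-CTRL-1", "event": "controller_restart"},                 # no time at all
    {"timestamp": "2009-08-12T03:16:40Z", "event": "config_change"},          # no source device
    {"timestamp": "12/08/09 03:17", "device": "ENG-WS", "event": "usb_insert"},  # ambiguous local time
    {"timestamp": "2009-08-12T03:18:05Z", "device": "PLC-07", "event": "unit_trip"},
]


def parse_timestamp(value):
    """Accept only unambiguous ISO-8601 UTC timestamps; anything else
    (missing, local time without zone, day/month ambiguity) is treated as
    unplaceable in time rather than guessed."""
    if not isinstance(value, str) or not value.endswith("Z"):
        return None
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def readiness_report(records):
    """Return per-field counts of missing/unusable values and the fraction of
    records that are fully placeable (time + device + event all usable)."""
    missing = {f: 0 for f in REQUIRED_FIELDS}
    placeable = 0
    for rec in records:
        ok = True
        for f in REQUIRED_FIELDS:
            val = rec.get(f)
            usable = parse_timestamp(val) is not None if f == "timestamp" else bool(val)
            if not usable:
                missing[f] += 1
                ok = False
        placeable += ok
    return {
        "total": len(records),
        "missing": missing,
        "placeable_fraction": placeable / len(records) if records else 0.0,
    }


def incident_timeline(records, start, end):
    """Split records into those that can be placed in the incident window
    [start, end] and those that cannot be placed at all (no usable time or
    no source device). Returns (timeline sorted by time, unplaceable)."""
    timeline, unplaceable = [], []
    for rec in records:
        ts = parse_timestamp(rec.get("timestamp"))
        if ts is None or not rec.get("device"):
            unplaceable.append(rec)
        elif start <= ts <= end:
            timeline.append((ts, rec["device"], rec["event"]))
    timeline.sort()
    return timeline, unplaceable


if __name__ == "__main__":
    rep = readiness_report(SAMPLE_RECORDS)
    print(f"{rep['placeable_fraction']:.0%} of {rep['total']} records are forensically placeable")
    for field, n in rep["missing"].items():
        print(f"  missing/unusable {field}: {n}")
    # Constructed incident window around the sample unit trip.
    window = (parse_timestamp("2009-08-12T03:00:00Z"), parse_timestamp("2009-08-12T04:00:00Z"))
    tl, unp = incident_timeline(SAMPLE_RECORDS, *window)
    print("placeable timeline:")
    for ts, dev, ev in tl:
        print(f"  {ts.isoformat()} {dev} {ev}")
    print(f"{len(unp)} record(s) cannot be placed in time or location")
```

Run it against a real export by replacing `SAMPLE_RECORDS` with the parsed records from the historian or collector. The design choice that matters is in `parse_timestamp`: a local timestamp with no zone or a day/month-ambiguous string is refused rather than guessed, because a timeline built on guessed times is exactly the kind of evidence that will not survive a compliance audit or an attribution argument. A low placeable fraction is the quantitative version of the observation in the text that the logging could not identify the time or location of the infections.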