The Need for Control System Cyber Forensics

There is a perception that control systems, including field devices, have cyber forensic capabilities similar to those of IT systems. That perception is wrong. A control system generally has a Microsoft front-end human-machine interface (HMI) that should have adequate cyber forensics. The critical part of control systems are the field devices that automatically measure and control the processes, for example, the controllers that Stuxnet attacked. They generally do not have cyber forensics. A difference between IT and control systems is that when an IT system is hacked, it is often known, but the impact may not be known. With a control system, when there is an impact, such as loss of power or a plant shutting down, it is obvious. However, it is generally not possible to know if a cyber attack is involved. From a cyber perspective, control systems are engineering systems with electronic communications that should act in a certain manner. When they don’t, there should be clues as to why, but the clues often deal with how the control systems are responding.  This means those analyzing the attack have to have an understanding of the appropriate domain (control systems).I have a control system cyber incident database with more than 200 incidents identified to date. Very few of the incidents were identified as cyber.  Moreover, many of the incidents, particularly the most significant ones in terms of impact, did not violate IT security policies or were logged as cyber intrusions. Consequently, they would not be identified by IT monitoring systems. At the 2009 ACS conference, two control system engineers from two different utilities spoke about their new plant distributed control system implementations, each from a different control system vendor. Each control system vendor assured the utilities their systems were secure and had adequate cyber forensics.  However, each plant suffered multiple control system cyber incidents, one shutting down a coal-fired power plant. Neither utility had indications of when and where the cyber impacts occurred. At this year’s ACS Conference, I had a system integrator discuss case histories from two different steel mills and associated power plants with malware on their control system networks. The logging in each facility was not able to identify the time or location of the infections. The lack of control system cyber forensics can have significant implications for operations, safety, compliance and even national security. Without adequate control system forensics, it may not be possible to meet the compliance requirements of the NERC CIPs and NRC. The military is depending on attribution for response to a cyber attack. This may not be currently possible. There are numerous software tools including SEIM (security information and event management), ARCSite, etc. that are available. Unfortunately, they depend on the input which doesn’t exist. There is a need for a coordinated effort between control system domain experts and cyber forensic experts to develop appropriate control system cyber forensics based on actual and expected control system cyber incidents.