Paper (14 May 2015)
A prototype forensic toolkit for industrial-control-systems incident response
Nickolas B. Carr, Neil C. Rowe
Abstract
Industrial control systems (ICSs) are an important part of critical infrastructure in cyberspace. They are especially vulnerable to cyber-attacks because of their legacy hardware and software and the difficulty of changing it. We first survey the history of intrusions into ICSs, the more serious of which involved a continuing adversary presence on an ICS network. We discuss some common vulnerabilities and the categories of possible attacks, noting the frequent use of software written a long time ago. We propose a framework for designing ICS incident response under the constraints that no new software must be required and that interventions cannot impede the continuous processing that is the norm for such systems. We then discuss a prototype toolkit we built using the Windows Management Instrumentation Command-Line tool for host-based analysis and the Bro intrusion-detection software for network-based analysis. Particularly useful techniques we used were learning the historical range of parameters of numeric quantities so as to recognize anomalies, learning the usual addresses of connections to a node, observing Internet addresses (usually rare), observing anomalous network protocols such as unencrypted data transfers, observing unusual scheduled tasks, and comparing key files through registry entries and hash values to find malicious modifications. We tested our methods on actual data from ICSs including publicly-available data, voluntarily-submitted data, and researcher-provided “advanced persistent threat” data. We found instances of interesting behavior in our experiments. Intrusions were generally easy to see because of the repetitive nature of most processing on ICSs, but operators need to be motivated to look.
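Two of the techniques the abstract names, learning the historical range of numeric quantities and learning the usual peer addresses of a node, can be illustrated with a small baseline-and-check routine. The following is an added example, not code from the paper or its toolkit; host names, metric names and all history records are constructed sample data.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample history (not real ICS data): numeric observations as
# (host, metric, value) and connection observations as (host, peer address).
HISTORY_METRICS = [
    ("plc-01", "setpoint_psi", 40.0), ("plc-01", "setpoint_psi", 42.5),
    ("plc-01", "setpoint_psi", 41.0), ("hmi-01", "cpu_pct", 12.0),
    ("hmi-01", "cpu_pct", 18.0), ("hmi-01", "cpu_pct", 15.0),
]
HISTORY_PEERS = [
    ("plc-01", "10.0.5.20"), ("plc-01", "10.0.5.21"),
    ("hmi-01", "10.0.5.10"), ("hmi-01", "10.0.5.20"),
]

def learn_ranges(records):
    """Per (host, metric), remember the historical minimum and maximum."""
    ranges = {}
    for host, metric, value in records:
        lo, hi = ranges.get((host, metric), (value, value))
        ranges[(host, metric)] = (min(lo, value), max(hi, value))
    return ranges

def learn_peers(records):
    """Per host, remember the set of addresses it has previously talked to."""
    peers = defaultdict(set)
    for host, addr in records:
        peers[host].add(addr)
    return peers

def check_metric(ranges, host, metric, value, slack=0.1):
    """Return a finding if value lies outside the learned range, widened by a
    relative slack so normal drift at the edges is not reported; None if ok."""
    if (host, metric) not in ranges:
        return f"{host}: no baseline for {metric}"
    lo, hi = ranges[(host, metric)]
    margin = (hi - lo) * slack
    if value < lo - margin or value > hi + margin:
        return f"{host}: {metric}={value} outside [{lo}, {hi}]"
    return None

def check_peer(peers, host, addr):
    """Return a finding for a peer never seen before; a globally routable
    address is labelled as an Internet peer, which the paper notes is rare."""
    if addr in peers.get(host, set()):
        return None
    kind = "Internet" if ip_address(addr).is_global else "new internal"
    return f"{host}: {kind} peer {addr}"
```

Repetitive ICS traffic makes such baselines tight, so a handful of history records already separates routine values from outliers; in practice the history would come from WMIC host output and Bro connection logs as the abstract describes.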
© (2015) COPYRIGHT Society of Photo-Optical Instrumentation Engineers (SPIE). Downloading of the abstract is permitted for personal use only.
Nickolas B. Carr and Neil C. Rowe "A prototype forensic toolkit for industrial-control-systems incident response", Proc. SPIE 9458, Cyber Sensing 2015, 945804 (14 May 2015); https://doi.org/10.1117/12.2179796
CITATIONS
Cited by 2 scholarly publications.
KEYWORDS
Network security
Control systems
Forensic science
Operating systems
Computer security
Computing systems
Process control