Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems


Transcript of Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Page 1: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Page 2: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Speakers:

• Matt Luallen, Co-Founder, Dragos Security LLC

• Robert M. Lee, Co-Founder, Dragos Security LLC

• Peter Welander, Content Manager, Control Engineering, CFE Media

Page 3: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Matt E. Luallen and Robert M. Lee

Page 4: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

1. Identifying a Compromise

• How to determine you’ve been hacked

– What are simple things you can do NOW to detect

– Capabilities of hackers and general attack scenario

• Be cautious in performing an active response immediately!

– Keep in mind that the indication may be an outcome of months of backdoors or possibly just a false indicator

Page 5: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Hacked – assumptions

• At this time you must assume two things

– Your communications and capabilities are being eavesdropped upon

– Your assets can be denied service or misused

• Does the hack immediately appear as if it can impact the entire operation? Could there be loss of life? Are you authorized to perform any changes, such as the extreme situation of taking the operations offline? Do you have an out-of-band communication capability?

Page 6: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

2. What’s Next?

• After you’ve been compromised:

– Tools available to identify and analyze intrusions

– Handling “too much” data

– Contact the right people

• Internal

• Trusted Peers

• Vendors

• Government

Page 7: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Trustworthiness Validation

• Interview personnel for history of odd behavior

– (e.g. strange emails, system behavior, phone calls, control operations)

• Physical facility inspections

– Any devices and attributes that are abnormal

• Review and compare system baselines to active host settings

– Host images (Windows, *nix, Applications)

– Processed logic

– Device firmware

– Network communications

• Review operational logs for indicators

– Historian, OPC, HMI, IT system logging and any other log-enabled device

• Do you have mechanisms to compare active systems to known good images and communication profiles?

• What if you do not have the capabilities in house?

– Do you have an outsourcing agreement in place to manage incidents?
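The baseline comparison this slide asks for, as an added example that is not part of the deck or of Dragos Security's tooling: it diffs a constructed known-good baseline (host image hashes, PLC firmware versions, logic checksums, observed conversations) against a constructed active snapshot and reports every deviation, including conversations the baseline never saw. All host names, hashes, firmware strings and flows are assumptions made up for the example.

```python
"""Compare a known-good ICS baseline against an active snapshot.
Added example, not code from the webinar or Dragos Security; every host,
hash, firmware string, logic CRC and flow record below is constructed."""
from collections import namedtuple

# One observed conversation: source, destination, destination port, protocol.
Flow = namedtuple("Flow", "src dst dport proto")

# Constructed baseline captured while the plant was known to be clean.
BASELINE = {
    "host_images": {"hmi-01": "sha256:aaa111", "eng-ws-01": "sha256:bbb222"},
    "firmware": {"plc-01": "v20.11", "plc-02": "v20.11"},
    "logic_crc": {"plc-01": "0x1A2B", "plc-02": "0x3C4D"},
    "comms": {
        Flow("hmi-01", "plc-01", 44818, "tcp"),
        Flow("hmi-01", "plc-02", 44818, "tcp"),
        Flow("eng-ws-01", "plc-01", 44818, "tcp"),
    },
}

# Constructed snapshot taken from the live systems during an investigation.
ACTIVE = {
    "host_images": {"hmi-01": "sha256:aaa111", "eng-ws-01": "sha256:ffe999"},
    "firmware": {"plc-01": "v20.11", "plc-02": "v20.11"},
    "logic_crc": {"plc-01": "0x1A2B", "plc-02": "0x9F9F"},
    "comms": BASELINE["comms"] | {
        Flow("eng-ws-01", "plc-02", 44818, "tcp"),  # engineering session not in baseline
        Flow("plc-01", "10.0.5.77", 443, "tcp"),    # PLC talking to an unknown peer
    },
}

def compare_baseline(baseline, active):
    """Return (category, asset, expected, observed) for every deviation.
    An asset missing from the snapshot is reported with observed=None; any
    conversation the baseline never saw is reported under 'comms'."""
    findings = []
    for category in ("host_images", "firmware", "logic_crc"):
        for asset, expected in baseline[category].items():
            observed = active[category].get(asset)
            if observed != expected:
                findings.append((category, asset, expected, observed))
    for flow in sorted(active["comms"] - baseline["comms"]):
        findings.append(("comms", f"{flow.src}->{flow.dst}", None,
                         f"{flow.dport}/{flow.proto}"))
    return findings

if __name__ == "__main__":
    for finding in compare_baseline(BASELINE, ACTIVE):
        print(finding)
```

Running it lists the changed workstation image, the altered PLC logic checksum and the two conversations absent from the baseline; in practice the baseline would be collected during commissioning and the snapshot pulled from the live hosts and a network capture.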

Page 8: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

3. How Do We Prepare?

• Preparing before or after the compromise

– Tools for monitoring traffic

– Creating chokepoints and understanding

– Questions to ask to determine your readiness

• Future Efforts and Research Needed

– PLC/PAC/Embedded Device specific tools

– Validation, customization, and testing of known methodologies/tools

Page 9: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Follow on discussions at: www.DragosSecurity.com

Page 10: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Speakers:

• Matt Luallen, Co-Founder, Dragos Security LLC

• Robert M. Lee, Co-Founder, Dragos Security LLC

• Peter Welander, Content Manager, Control Engineering, CFE Media

Page 11: Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems

Were we Just Hacked? Applying Digital Forensic Techniques for your Industrial Control Systems