Cyber security forensics tool for industrial control systems

Analysis software helps detect and unearth threats to critical infrastructure systems after and even before cyber incidents.


Guidance Software, Inc. has announced a new partnership with Lofty Perch, Inc., to provide a new cyber forensics solution for industrial control and SCADA systems, designed to help organizations quickly expose, respond to, and recover from security incidents, including advanced persistent threats.

Lofty Perch will use Guidance Software’s EnCase Cybersecurity platform to give companies – such as those in the utilities and energy space – the ability to discover malicious or improper files and expedite restorative activities in industrial automation environments through a forensic-based critical infrastructure security solution.

“There is a clear need for cyber forensics and incident analysis management capabilities for industrial automation,” says Bob Radvanovsky, SCADA security consultant and co-founder of Infracritical, a provider of research and information security awareness programs. “This effort will combine the expertise of Lofty Perch and Guidance Software to deliver a first-of-its-kind capability to address the emerging problem of cyber forensics within the industrial automation domain.”

As Lofty Perch characterizes it, until now, industrial control and SCADA system asset owners and operators have struggled with finding appropriate methods to perform forensics tasks without taking mission-critical systems offline. With EnCase technology, operators can perform forensic analysis while systems are operational with little impact on performance and availability.

“One requirement that is consistent in ongoing research for ICS, DCS, and SCADA system forensics is that we need to look at live systems,” says Mark Fabro, Lofty Perch president and chief scientist. “There are very few cases where we’ve been able to evaluate dead systems, and that’s typically after a total, catastrophic system failure, which has allowed investigators to get in there and grab artifacts. With most of the systems under investigation, asset owners or even law enforcement people are not going to have the luxury of being able to take the system down or off line. Those opportunities aren’t plausible. This solution addresses the need for availability of the system.”

The control systems running many industrial facilities are often more than 10 years old and were not designed to be exposed to external domains. Recent convergence of formerly disparate and isolated systems has opened this older critical infrastructure to security threats and vulnerabilities traditionally only found in IT sectors. The recent Stuxnet worm showcases the growing threat, with the emergence of customized malicious software that exploits zero-day vulnerabilities and specifically targets industrial control and SCADA systems. Due to high availability and performance requirements, combined with legacy technologies, these systems often lack the capability to support forensic analysis after an incident or system failure. Investigators are not allowed to shut down these systems when they want. As a result, administrators are unable to determine if the system experienced a normal failure or a security attack. Lofty Perch will offer cyber security solutions that include EnCase Cybersecurity enterprise software to help determine whether abnormal system behavior or failures are the result of a cyber attack or benign system nuances.

Potential users might wonder how current forensics analysis tools that emerged from the IT sector can be used to analyze software that may have been running, at least in some cases, for decades. Part of that solution is the expertise the Lofty Perch brings to the partnership, but part relates to the nature of control system architecture. “One of the great things about these control systems, at least from our point of view, is that they’re fairly predictable, unchanging systems,” says Anthony Di Bello, Guidance Software product manager. “One of the capabilities that we provide through our cyber security product is one that will allow the exposure of anomalies through regular audits against that known state. Control systems make that possible due to their static and predicable nature.”

Di Bello adds that the need for forensic analysis does not begin only after an incident because malicious activity can be going on before it’s obviously visible. “We’ve seen instances where highly-motivated external hackers research control systems and put code on those systems that doesn’t do anything,” he says. “They’re just waiting to see if the operators or information security team notices that it’s there. They do that before they deliver their payload, which could be stealing intellectual property or bringing down the system. Often they’re in there months before they deliver their payload, and that’s the time to detect the activity.”

Jim Butterworth, senior director of cyber security for Guidance Software says that it is critical to be able to determine what is really happening in a control system. He explains, “Despite the fact that the process control industry, including electric, water, oil, and gas are prime targets of malicious cyber security attacks, many of these organizations don’t have the post-incident cyber analysis tools to distinguish between a normal system failure and malicious activity. Security solutions that can detect and mitigate these events are critical. Our new relationship with Lofty Perch delivers a solution to investigate cyber events in SCADA and control system domains to accurately expose malicious activity and prevent future events from occurring.”

Edited by Peter Welander,
Control Engineering

Visit the Control Engineering Process Control Channel.

No comments
The Top Plant program honors outstanding manufacturing facilities in North America. View the 2013 Top Plant.
The Product of the Year program recognizes products newly released in the manufacturing industries.
The Engineering Leaders Under 40 program identifies and gives recognition to young engineers who...
A cool solution: Collaboration, chemistry leads to foundry coat product development; See the 2015 Product of the Year Finalists
Raising the standard: What's new with NFPA 70E; A global view of manufacturing; Maintenance data; Fit bearings properly
Sister act: Building on their father's legacy, a new generation moves Bales Metal Surface Solutions forward; Meet the 2015 Engineering Leaders Under 40
Cyber security cost-efficient for industrial control systems; Extracting full value from operational data; Managing cyber security risks
Drilling for Big Data: Managing the flow of information; Big data drilldown series: Challenge and opportunity; OT to IT: Creating a circle of improvement; Industry loses best workers, again
Pipeline vulnerabilities? Securing hydrocarbon transit; Predictive analytics hit the mainstream; Dirty pipelines decrease flow, production—pig your line; Ensuring pipeline physical and cyber security
Upgrading secondary control systems; Keeping enclosures conditioned; Diagnostics increase equipment uptime; Mechatronics simplifies machine design
Designing positive-energy buildings; Ensuring power quality; Complying with NFPA 110; Minimizing arc flash hazards
Building high availability into industrial computers; Of key metrics and myth busting; The truth about five common VFD myths

Annual Salary Survey

After almost a decade of uncertainty, the confidence of plant floor managers is soaring. Even with a number of challenges and while implementing new technologies, there is a renewed sense of optimism among plant managers about their business and their future.

The respondents to the 2014 Plant Engineering Salary Survey come from throughout the U.S. and serve a variety of industries, but they are uniform in their optimism about manufacturing. This year’s survey found 79% consider manufacturing a secure career. That’s up from 75% in 2013 and significantly higher than the 63% figure when Plant Engineering first started asking that question a decade ago.

Read more: 2014 Salary Survey: Confidence rises amid the challenges

Maintenance and reliability tips and best practices from the maintenance and reliability coaches at Allied Reliability Group.
The One Voice for Manufacturing blog reports on federal public policy issues impacting the manufacturing sector. One Voice is a joint effort by the National Tooling and Machining...
The Society for Maintenance and Reliability Professionals an organization devoted...
Join this ongoing discussion of machine guarding topics, including solutions assessments, regulatory compliance, gap analysis...
IMS Research, recently acquired by IHS Inc., is a leading independent supplier of market research and consultancy to the global electronics industry.
Maintenance is not optional in manufacturing. It’s a profit center, driving productivity and uptime while reducing overall repair costs.
The Lachance on CMMS blog is about current maintenance topics. Blogger Paul Lachance is president and chief technology officer for Smartware Group.