Companies that have had their industrial networks attacked from the outside usually don’t realize it at all, or if they do, that knowledge probably comes a year or more after the initial incident. Why? Companies don’t understand their own networks well enough to know when something is happening that shouldn’t be happening. There is no practical way to apply concepts of digital forensic investigation if you don’t understand your own networks. Robert M. Lee and Matthew E. Luallen will discuss how you can analyze and document your systems well enough to perform incident response and learn from those attacks. Your ability to know every detail about your systems is the biggest advantage you have when trying to secure your systems. Put that knowledge to work.

1. Were we Just Hacked? Applying
Digital Forensic Techniques for your
Industrial Control Systems

2. • Matt Luallen , Co-Founder,
Dragos Security LLC
• Robert M. Lee, Co-Founder,
Dragos Security LLC
• Peter Welander, Content
Manager, Control Engineering,
CFE Media
Speakers:

3. Were we Just Hacked? Applying
Digital Forensic Techniques for your
Industrial Control Systems
Matt E. Luallen and Robert M. Lee

4. 1. Identifying a Compromise
• How to determine you’ve been hacked
– What are simple things you can do NOW to
detect
– Capabilities of hackers and general attack
scenario
• Be cautious in performing an active response
immediately!
– Keep in mind that the indication may be an
outcome of months of backdoors or possibly just
a false indicator

5. Hacked – assumptions
• At this time you must assume two things
– Your communications and capabilities are being
eavesdropped upon
– Your assets can be denied service or misused
• Does the hack immediately appear as if it can
impact the entire operation? Could there be
loss of life? Are you authorized to perform
any changes such as the extreme situation of
taking the operations offline? Do you have
an out of band communication capability?

6. 2. What’s Next?
• After you’ve been compromised:
– Tools available to identify and analyze
intrusions
– Handling “too much” data
– Contact the right people
• Internal
• Trusted Peers
• Vendors
• Government

7. Trustworthiness Validation
• Interview personnel for history of odd behavior
– (e.g. strange emails, system behavior, phone calls, control operations)
• Physical facility inspections
– Any devices and attributes that are abnormal
• Review and compare system baselines to active host settings
– Host images (Windows, *nix, Applications)
– Processed logic
– Device firmware
– Network communications
• Review operational logs for indicators
– Historian, OPC, HMI, IT system logging and any other log-enabled device
• Do you have mechanisms to compare active systems to known good images and
communication profiles?
• What if you do not have the capabilities in house?
– Do you have an outsourcing agreement in place to manage incidents?

8. 3. How Do We Prepare?
• Preparing before or after the compromise
– Tools for monitoring traffic
– Creating chokepoints and understanding
– Questions to ask to determine your readiness
• Future Efforts and Research Needed
– PLC/PAC/Embedded Device specific tools
– Validation, customization, and testing of
known methodologies/tools

9. Follow on discussions at:
www.DragosSecurity.com

10. • Matt Luallen , Co-Founder,
Dragos Security LLC
• Robert M. Lee, Co-Founder,
Dragos Security LLC
• Peter Welander, Content
Manager, Control Engineering,
CFE Media
Speakers:

11. Were we Just Hacked? Applying
Digital Forensic Techniques for your
Industrial Control Systems