If I answered some questions about Industrial Control System cybersecurity and cyberattacks during my downtime today, what would you like to know?

Some background - my expertise is in incident response and digital forensic investigation of hacking of infrastructure systems - like power, water, manufacturing, oil and gas, transportation, agriculture, etc. There aren’t a lot of people who specialize in this. My company provides consulting and products to do cybersecurity for weird stuff that powers critical infrastructure like PLCs and SCADA. These networks are quite different than enterprise IT, and doing security in them can be challenging.

My own background is pretty left field as expected, with degrees in Networks, Electronics, and Avionics. I’ve been doing this for a while now. What would you like to know?

#cybersecurity #DFIR #ics #CriticalInfrastructure #ICSCybersecurity #IndustrialControl

@hacks4pancakes What are the two biggest differences between forensics in these networks and ‘traditional’ enterprise networks?

@SecureOwl Yeah, so we have to be a lot more gentle with industrial devices and process networks because the real-life consequences of altering or modifying them can be life, safety, and damage. We don't want to cause worse consequences than the adversaries while doing DFIR. So that means we have to be way more light-touch and passive in our investigations - and often we cannot even install things on machines without risking them or voiding a warranty.

The second thing that's wildly different is the technologies. There's no XDR/EDR or agent-based forensics in most of these networks. It would cause those problems that I talked about. There's a ton of legacy devices, sometimes back to Windows 3.1, that are still doing critical functions. So a lot of gentle, legacy forensics, manually and by hand, system by system. Very different from most modern IR.

Finally, as @MisuseCase points out, we also have to be able to do forensics on niche documented/undocumented legacy network protocols and their process impact, as well as low-level devices (not usually level 0) that don't run Linux or Windows, like PLCs and RTUs.
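The passive, protocol-level work described in this answer, as an added example that is not part of the original thread or its author's tooling: Modbus/TCP is assumed here as a representative PLC protocol (the thread does not name one), and the frames and host addresses are constructed placeholders. The script parses captured frames offline and flags write requests from hosts that are not expected to write, which touches no device at all.

```python
"""Passive triage of captured Modbus/TCP frames.

Added example, not code from the thread or its author. Modbus/TCP is assumed
as a representative PLC protocol; every frame below is constructed sample
data and the host addresses are placeholders.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

# Function codes that change process state versus read-only ones.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
EXCEPTION_CODES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes

    @property
    def is_exception(self) -> bool:
        # Exception responses echo the function code with the high bit set.
        return bool(self.function & 0x80)


def parse_mbap(data: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU; raise ValueError on malformed input."""
    if len(data) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, proto, length, uid = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(data) - 6:
        raise ValueError("length field disagrees with frame size")
    return ModbusFrame(tid, uid, data[7], data[8:])


def describe_request(frame: ModbusFrame) -> str:
    """Human-readable summary of a request PDU (only the codes modelled above)."""
    fc, p = frame.function, frame.payload
    if fc in (5, 6) and len(p) >= 4:
        addr, value = struct.unpack(">HH", p[:4])
        return f"{WRITE_FUNCTIONS[fc]} addr={addr} value=0x{value:04X}"
    if fc in (15, 16) and len(p) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", p[:5])
        return f"{WRITE_FUNCTIONS[fc]} addr={addr} qty={qty} data={p[5:5 + nbytes].hex()}"
    if fc in READ_FUNCTIONS and len(p) >= 4:
        addr, qty = struct.unpack(">HH", p[:4])
        return f"{READ_FUNCTIONS[fc]} addr={addr} qty={qty}"
    return f"function {fc} payload={p.hex()}"


def triage(frames, allowed_writers):
    """Classify (src, dst, dst_port, raw) tuples from a capture; no device is touched.

    allowed_writers: set of (src, dst) pairs expected to issue write requests,
    e.g. the engineering workstation talking to its PLC.
    """
    findings = []
    for src, dst, dport, raw in frames:
        try:
            f = parse_mbap(raw)
        except ValueError as exc:
            findings.append(("warn", src, dst, f"unparseable frame: {exc}"))
            continue
        if f.is_exception:
            code = f.payload[0] if f.payload else None
            name = EXCEPTION_CODES.get(code, f"code {code}")
            findings.append(("warn", src, dst, f"exception response: {name}"))
        elif dport != MODBUS_PORT:
            # Traffic not aimed at the server port is a response; log it only.
            findings.append(("info", src, dst, f"response to function {f.function}"))
        elif f.function in WRITE_FUNCTIONS:
            sev = "notice" if (src, dst) in allowed_writers else "alert"
            findings.append((sev, src, dst, describe_request(f)))
        else:
            findings.append(("info", src, dst, describe_request(f)))
    return findings


# Constructed sample capture: placeholder addresses, hand-built frames.
HMI, PLC, UNKNOWN = "10.0.0.10", "10.0.0.50", "10.0.0.99"
SAMPLE_FRAMES = [
    # HMI polls 10 holding registers starting at address 0.
    (HMI, PLC, MODBUS_PORT, bytes.fromhex("00020000000601030000000a")),
    # PLC answers with exception 0x02 (Illegal Data Address).
    (PLC, HMI, 50123, bytes.fromhex("000200000003018302")),
    # HMI writes two registers at address 16 (expected writer).
    (HMI, PLC, MODBUS_PORT, bytes.fromhex("00030000000b01100010000204006400c8")),
    # Unknown host forces coil 1 ON (not an expected writer).
    (UNKNOWN, PLC, MODBUS_PORT, bytes.fromhex("00010000000601050001ff00")),
    # Frame with a non-zero protocol id: not Modbus, reported as unparseable.
    (UNKNOWN, PLC, MODBUS_PORT, bytes.fromhex("000400010006010300000001")),
]
ALLOWED_WRITERS = {(HMI, PLC)}


def run_sample():
    return triage(SAMPLE_FRAMES, ALLOWED_WRITERS)


if __name__ == "__main__":
    for finding in run_sample():
        print(*finding)
```

The allowlist of writer pairs is the piece a responder builds from the site's own documentation and baseline traffic; everything else is protocol decoding, which is why a parser like this can run against a span-port capture without anyone logging in to a controller.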

@hacks4pancakes How do you secure systems running Windows 3.1 (no security updates for.. 30 years?) *and* without being able to install anything (to avoid voiding the warranty)? I wouldn’t even know where to begin with those restrictions.

@mkfnch You honestly get very creative with architecture, detection, and traffic control.

@hacks4pancakes I’m so glad there are smart people like you focused on these insanely critical edge cases. 😆