Guidance Intros Forensics For Live Control Systems

Determines whether system failures are due to cyber attacks or benign problems, without taking mission-critical infrastructure offline.

Mathew Schwartz

August 11, 2010


Guidance Software announced Wednesday that it's created the first-ever approach to conducting computer forensics on live industrial control and supervisory control and data acquisition (SCADA) systems.

The company said that the benefit of its new program would be to help organizations with industrial control systems to better determine -- both in real time, and after the fact -- "whether abnormal system behavior or failures are the result of a cyber attack or benign system nuances," without having to take mission-critical systems offline, and with little impact to performance or availability.

"Despite the fact that the process control industry -- including electric, water, oil, and gas -- is a prime target of malicious cybersecurity attacks, many of these organizations don't have the post-incident cyber analysis tools to distinguish between a normal system failure or malicious activity," said Jim Butterworth, senior director of cybersecurity for Guidance Software, in a statement. "Security solutions that can detect and mitigate these events are critical."

The new security offering combines the company's EnCase Cybersecurity software with the efforts of cybersecurity services firm Lofty Perch, which provides information security assessments, training, and best practices development, and participates in the Department of Homeland Security's control systems security program.

Working with control systems presents numerous security challenges. The first is that such systems often run expensive, complex, and dangerous manufacturing environments, and weren't designed to be easily taken offline. Another challenge is that many of these systems weren't designed to be exposed to the Internet or automatically patched.

While IT may see patching as a vulnerability-mitigation hassle, for control systems engineers, the first, second, and third concern -- as the industry saying goes -- is safety. Accordingly, any and all changes to the PCs that run control system environments must be thoroughly vetted before being put into production to ensure that the software changes don't have unintended control environment consequences.

That's one reason why Siemens cautioned against applying temporary or workaround patches for the Windows Shell vulnerability that left its SCADA software exposed to Stuxnet without first thoroughly testing those changes. Ditto for altering the default passwords that enabled Stuxnet to exploit the Siemens software.

With these types of security issues, testing nuances, and safety concerns, critical infrastructure organizations face unique challenges, and arguably now have to advance the state of their information security and incident response capabilities. In particular, "there is a clear need for cyber forensics and incident analysis management capabilities for industrial automation," said Bob Radvanovsky, co-founder of Infracritical, a critical infrastructure information provider, in a statement.
