Conference Paper

Security Controls and Forensic Readiness in the Nuclear Context: Analysis Results of an Operational I&C Server System

Authors:
To read the full-text of this research, you can request a copy directly from the authors.

Abstract

Due to the fact that both forensic investigation and incident response are highly knowledge based, useful/effective ways to document and visualize this knowledge are needed. One example includes application security controls (ASCs), a semi-formalized and standardized format introduced by the ISO/IEC in the 27034 series of standards. We analyze the data format on forensic applicability, present extensions to the model, which are required within the nuclear context, and look at other related and already existing solutions and data formats that may be incorporated into the structure of ASCs. Additionally, we present the analysis results of an operational I&C server system, and develop, implement, and explain model-based examples. Examples will also incorporate information on associated assets and requirements. The result will be a set of ASCs that can detect and (optionally) prevent attacks on the considered system. Security content will be taken from existing hardening and best-practices guides that can be gradually adopted and improved to eventually cover all life-cycle phases of a critical product.

No full-text available

Request Full-text Paper PDF

To read the full-text of this research,
you can request a copy directly from the authors.

Thesis
With Industrial Control Systems being increasingly networked, the need for sound forensic capabilities for such systems increases, including reliable log file analysis as a vital part of such investigations. However, manipulating log files is one of the steps a knowledgeable attacker can take to prevent visibility on system events and hiding traces of attacker actions in those systems. Therefore, secure logging is advisable for an effective preparation of digital forensics investigations. In addition, implementing digital forensics readiness in nuclear power plants allows efficient digital forensics investigations and proper gathering of digital forensics evidence while minimizing investigation costs. These capabilities are necessary to adequately prevent and quickly detect any security incident and perform further digital forensics investigations with complete evidence. If an attacker is able to modify log entries or blocks of log entries, critical digital evidence is lost. Within this thesis, we first evaluate the presence of digital forensics readiness in critical infrastructures, including nuclear power plants and briefly discuss existing digital forensics readiness approaches. As systems in critical infrastructures are sophisticated, such as ones in nuclear power plants, adequate preparedness is essential in order to respond to cybersecurity incidents before they happen. Due to the importance of safety in these systems, manual approaches are more favored compared to automated techniques. All required tasks and activities and expected results must be also properly documented. Application Security Controls can be one of the approaches to properly document forensic controls. However, Application Security Controls must be evaluated further to ensure forensic applicability as considerable alternatives also exist. In order to demonstrate the value of such forensic Application Security Controls, we analyze a server system of an Operational Instrumentation & Control system in terms of digital evidence. Based on the analysis results, we derive recommendations to improve the overall digital forensic readiness and the security hardening of Linux server systems in the Operational Instrumentation & Control system. Then, we introduce our formal system model and type of attackers that can access and manipulate logs and logging device. Here, we also give a brief overview of some existing secure logging approaches and compare them between each other. The goal is to standardize requirements of secure logging approaches and analyze which unified security guarantees are realized by these existing approaches under strong attacker models. Later, we extend our secure logging model by using blockchain as secure logging protocol, apply the new model to industrial settings, and build a simple prototype as proof of concept. In an evaluation of the new model and the corresponding prototype, we show the potential, but also the challenges, of this approach. Further, we take a deeper look into existing algorithms for secure logging and integrate them into a single parameterized algorithm. This log authentication and verification algorithm contains a combination of security guarantees and their parametrization returns the set of previous algorithms. Even with different file formats and common purpose, log files generally have similar structures. To this end, we evaluated three common log file types (syslog, windows event log and SQLite browser histories). Based on this evaluation, we developed a simple unified representation of log files and perform analysis independently of their format. As visualization of log files is helpful to find proper evidence, we have developed a simple log file visualization tool. This tool helps to identify evidence of system time manipulation.
ResearchGate has not been able to resolve any references for this publication.