SCADA and Other Dangerous Things Professor Andrew Blyth, PhD. - - PowerPoint PPT Presentation



SLIDE 1

SCADA and Other Dangerous Things

Professor Andrew Blyth, PhD. University of South Wales, UK. E-Mail: andrew.blyth@southwales.ac.uk

SLIDE 2

SCADA and Ukraine

SLIDE 3

SCADA Hacking

SLIDE 4

Typical SCADA Critical Infrastructure Architecture

SLIDE 5

SCADA and IPC Forensic Challenges

➢ Why do challenges exist?
  ➢ IPC/SCADA systems designed to automate, monitor and control Critical Infrastructure were originally designed for isolated, air gapped networks
  ➢ Now interconnected with many networks and communicating via Internet
  ➢ Span huge geographical areas
  ➢ Include many proprietary and legacy devices and protocols
  ➢ Lack of security mechanisms in SCADA protocols
  ➢ No real guidance or methodologies for data acquisition at the control level

SLIDE 6

SCADA Forensic Challenges

➢ Data Sources
  ➢ Variety of data sources, amount of data sources
➢ Live Acquisition
➢ Verification
➢ Response Time
➢ Logging and Storage
➢ Absence of Dedicated Forensic Tools

SLIDE 7

SCADA Forensic Challenges

➢ Data Sources
➢ Live Acquisition
  ➢ Latency, interference and OOV (Order of Volatility)
➢ Verification
➢ Response Time
➢ Logging and Storage
➢ Absence of Dedicated Forensic Tools

SLIDE 8

SCADA Forensic Challenges

➢ Data Sources
➢ Live Acquisition
➢ Verification
  ➢ Calculating hash values
➢ Response Time
➢ Logging and Storage
➢ Absence of Dedicated Forensic Tools

SLIDE 9

SCADA Forensic Challenges

➢ Data Sources
➢ Live Acquisition
➢ Verification
➢ Response Time
  ➢ Span huge geographical areas, many field sites
➢ Logging and Storage
➢ Absence of Dedicated Forensic Tools

SLIDE 10

SCADA Forensic Challenges

➢ Data Sources
➢ Live Acquisition
➢ Verification
➢ Response Time
➢ Logging and Storage
  ➢ Audit/logging functions disabled, minimal storage
➢ Absence of Dedicated Forensic Tools

SLIDE 11

SCADA Forensic Challenges

➢ Data Sources
➢ Live Acquisition
➢ Verification
➢ Response Time
➢ Logging and Storage
➢ Absence of Dedicated Forensic Tools
  ➢ No real methodologies for data acquisition from PLCs

SLIDE 12

IPC/SCADA Forensic Incident Response Model

SLIDE 13

SCADA Forensic Incident Response Model

➢ Stage 1: Prepare
  ➢ Understand system architecture
  ➢ Understand system requirements
  ➢ Understand potential attacks

SLIDE 14

SCADA Forensic Incident Response Model

➢ Stage 2: Detect
  ➢ Determine type of attack
  ➢ Determine infected areas
➢ Stage 3: Isolation
  ➢ Containment of infected areas in relation to business operations

SLIDE 15

SCADA Forensic Incident Response Model

➢ Stage 4: Triage
  ➢ Identify data sources
  ➢ Prioritize data sources
➢ Stage 5: Respond
  ➢ Perform data acquisition
  ➢ Perform data analysis

SLIDE 16

SCADA Forensic Incident Response Model

➢ Stage 6: Report
  ➢ Review findings
  ➢ Create report
  ➢ Update system architecture
  ➢ Update system requirements
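As an added example (not part of Professor Blyth's slides), the following Python sketch puts the Triage, Respond and Report stages of the model together with two of the challenge points from earlier slides: the order of volatility (OOV) from the Live Acquisition slide and the calculation of hash values from the Verification slide. Data sources are ranked by volatility, acquired in that order, hashed at acquisition time, and later checked against the recorded hash so that a modified evidence copy is detected. The source names, sample contents and the volatility ranking are all constructed for the example; nothing here reads from real equipment.

```python
"""Added example, not from the slides: Triage -> Respond -> Report with
order-of-volatility prioritisation and SHA-256 verification of each image.
All data sources and contents below are constructed for illustration."""
import hashlib
import time
from dataclasses import dataclass


@dataclass
class DataSource:
    name: str          # constructed label, e.g. "PLC-7 process image"
    volatility: int    # lower number = more volatile = acquire first (OOV)
    content: bytes     # stand-in for the bytes an acquisition would return


@dataclass
class AcquisitionRecord:
    source: str
    order: int         # position in the acquisition sequence
    sha256: str        # hash taken at acquisition time (Verification)
    size: int
    acquired_at: float


def triage(sources):
    """Stage 4: prioritise identified data sources by order of volatility.
    Ties are broken by name so the sequence is reproducible in the report."""
    return sorted(sources, key=lambda s: (s.volatility, s.name))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def respond(sources):
    """Stage 5: acquire in triage order, hashing each image as it is taken
    so that analysis results can later be tied to the original bytes."""
    records = []
    for order, src in enumerate(triage(sources), start=1):
        records.append(AcquisitionRecord(
            source=src.name,
            order=order,
            sha256=sha256_hex(src.content),
            size=len(src.content),
            acquired_at=time.time(),
        ))
    return records


def verify(record: AcquisitionRecord, data: bytes) -> bool:
    """Verification challenge: recompute the hash of the evidence copy and
    compare it with the value recorded at acquisition. Any change to the
    copy (even one byte) makes this return False."""
    return len(data) == record.size and sha256_hex(data) == record.sha256


def report(records):
    """Stage 6: summarise the acquisition sequence for the written report."""
    lines = ["order,source,size,sha256"]
    for r in records:
        lines.append(f"{r.order},{r.source},{r.size},{r.sha256}")
    return "\n".join(lines)


# Constructed sample sources, deliberately listed out of volatility order.
SAMPLE_SOURCES = [
    DataSource("historian database export", 4, b"tag,value\nPT-101,3.2\n"),
    DataSource("PLC-7 process image (I/O table)", 1, b"\x00\x01\x00\x00\xff"),
    DataSource("engineering workstation disk image", 5, b"MBR..."),
    DataSource("switch ARP/MAC tables", 2, b"10.0.5.20 00:11:22:33:44:55\n"),
    DataSource("HMI application log", 3, b"alarm acknowledged\n"),
]

if __name__ == "__main__":
    recs = respond(SAMPLE_SOURCES)
    print(report(recs))
    # A tampered copy of the most volatile image fails verification.
    print(verify(recs[0], b"\x00\x01\x00\x00\xfe"))
```

The volatility numbers are the analyst's own ranking for the site, which is exactly the "prioritize data sources" decision the Triage stage asks for; the hash recorded in `respond` is what makes the later "perform data analysis" step verifiable against the original acquisition.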

SLIDE 17

Questions