Presented at Black Hat USA 2016, Aug. 4, 2016, 9 a.m. (25 minutes).
Digital Forensics and Incident Response (DFIR) for IT systems has been around quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and controllers. When these devices are compromised, or simply misoperate, we will show which files, firmware, memory dumps, physical conditions, and other data can be analyzed on the embedded system to determine the root cause.
This talk will show examples of what forensic data to collect, and how to collect it, from two popular RTUs used in electric substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
Presenters:
- Chris Sistrunk (FireEye)
Chris Sistrunk is a Senior Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for Transmission & Distribution SCADA systems. Chris helped organize the first ICS Village, which debuted at DEF CON 22 and was featured at RSAC and SANS ICS Summit. He is a Senior Member of IEEE, member of the DNP Users Group, President of Mississippi Infragard, and also is a registered PE in Louisiana. He holds a BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference.
- Josh Triplett (FireEye)
Josh Triplett is a Senior Reverse Engineer on the FireEye Labs Advanced Reverse Engineering Team. He joined FLARE after six years in the U.S. Navy. His military experience included malware analysis, Red Team operations, and software development.