ICS Forensic Workshop

Presented at BruCON 0x0A (2018), Oct. 5, 2018, 10:30 a.m. (120 minutes)

You are an incident responder working for a nuclear waste management system. An incident has taken place in the industrial environment where a number of valves for the main waste storage tank are sporadically opening and closing. The valves are controlled by a PLC, and the local security operations centre (SOC) suspects that it may be due to an attack against the PLC. You are provided with a network pcap file and a dump of the data-blocks from the PLC for analysis. You are expected to analyse the data to attempt to determine what occurred and how the behaviour of the valve has been modified.


Presenters:

  • Joe Stirland
    Joe Stirland is a senior scientist and technical lead for the Airbus DTO – ZSCA Cyber Forensics lab and is responsible for state-of-the-art research within the cyber forensics field in support of Airbus (Airbus, Airbus Helicopters, Airbus Defence & Space, and Airbus HQ). He holds a BSc in Computer Forensics from the University of South Wales, obtained in 2009, and is currently working towards a PhD in industrial control systems/SCADA forensics and incident response. He worked in an operational role for a number of years before joining Airbus Group in April 2014, helping to transfer his experience into the research sector. He has a number of additional qualifications within the cyber/forensics area, including EnCase, GCFA, and a number of SANS accreditations. Joe's current research activities include malware analysis techniques using big data platforms, development of forensic architectures, testing and evaluation of forensic tools, support for Airbus cyber forensics operations (when required) and cyber operations in ICS/SCADA systems and Critical National Infrastructure (CNI). Joe has presented at a number of conferences, including conducting a workshop at DEF CON 2017 and presenting an ICS/SCADA CTF at RSA 2018. He published a white paper in November 2014 titled "Developing Cyber Forensics for SCADA Industrial Control Systems". This paper received significant attention from CNI companies and UK government, and continues to be a prominent ongoing research topic within Airbus. Joe is also a visiting lecturer at De Montfort University, where he teaches an MSc Introduction to Digital Forensics module.
