“Mind the gap” is an advisory message used in the London Underground subway. It reminds passengers to pay attention to the distance between the train and the platform. This same message – “mind the gap” – can also help IT and OT teams better understand the distance between IT and OT cyber forensic analysis and safe restart in a converging IT/OT world.
Cyber forensics – collecting, analyzing, and archiving data – is a mature capability in modern IT security programs. However, the unique characteristics of industrial control systems (ICS) often prohibit the smooth translation of modern IT forensics analysis into OT. Nonstandard protocols, decades-old legacy architectures, irregular proprietary technologies, and inaccurate or missing control system configuration data make creating and operating an OT cyber forensics program challenging.
Control system configuration and change data collection and retention is crucial to OT forensic analysis. As we saw with Triton/Trisis, increasingly savvy OT threat actors are learning how to pivot through and manipulate control system environments. Without good OT system configuration data and change management, changes to process set points go unnoticed. Unauthorized process control configuration changes lead to damage or disruption. Incident root-cause analysis can be nearly impossible. Safe restarts after incidents can take weeks or months, with millions of dollars of revenue lost.
Today, most digital forensic investigation techniques only cover conventional IT system forensics and network investigations. However, OT security professionals need forensic tools and techniques that work in OT environments as well.
In this session, we will: