Abstract: ICS Forensic Plan RP

Cyber forensics has been in the popular mainstream for some time, and has matured into an information-technology capability that is common among modern information security programs. Although scalable to many information technology domains, especially modern corporate architectures, developing a cyber forensics program can be a challenging task when being applied to nontraditional environments, such as control systems. Modern IT networks, through data exchange mechanisms, data storage devices, and general computing components provide a good foundation for creating a landscape used to support effective cyber forensics. However, modern control systems environments are not easily configurable to accommodate forensics programs. Nonstandard protocols, legacy architectures that can be several decades old, and irregular or extinct proprietary technologies can all combine to make the creation and operation of a cyber forensics program anything but a smooth and easy process.

This document takes the traditional concepts of cyber forensics and provides direction regarding augmentation for control systems operational environments. The goal is to provide guidance to the reader with specifics relating to the complexity of cyber forensics for control systems, guidance to allow organizations to create a self-sustaining cyber forensics program for their control systems environments, and guidance to support the maintenance and evolution of such programs.

This document is organized into three major sections:

  • Section 1, Traditional Forensics and Challenges to Control Systems
  • Section 2, Creating a Cyber Forensics Program for Control Systems Environments
  • Section 3, Activating and Sustaining a Cyber Forensics Program.

The document addresses the issues encountered in developing and maintaining a cyber forensics plan for control systems environments. This recommended practice supports forensic practitioners in creating a control systems forensics plan, and assumes evidentiary data collection and preservation using forensic best practices. The goal of this recommended practice is not to reinvent proven methods, but to leverage them in the best possible way. As such, the material in this recommended practice provides users with the appropriate foundation to allow these best practices to be effective in a control systems domain.
Full Document (PDF)