Presented by researchers from the Air Force Institute of Technology (AFIT) and Oak Ridge National Laboratory, this session will addresses the forensics of Internet of Things (IoT) devices with specific focus on the unique challenges associated with the Industrial IoT (IIoT) subset.
Work continues on developing a reliable non-intrusive PHY-based security augmentation for SCADA/ICS systems and providing the impetus for expanding activity into the forensics arena. The focus remains on associating anomalous process (hardware) behavior with network anomaly detection. Pre-attack defense and post-attack forensics improvements for Industrial Internet of Thing (IIoT) devices presents unique challenges when compared to traditional IT systems given that:
Many IIoT devices in SCADA/ICS applications cannot be powered off
Sensing and control data is generally more volatile
Incident discovery may not occur for weeks or even months
Identifying attack attributes requires expertise in SCADA/ICS system architectures.
Regardless of whether or not post-event data is collected to support future defensive (vulnerability protection) or ongoing investigative (attribution, prosecution, etc.) measures, the detection of a cyber incident may go unreported given limited confidence in successful prosecution and/or concern over customers becoming informed and seeking new vendors to provide their service. The progress in PHY-based security augmentation includes extending wired Highway Addressable Remote Transducer (HART) demonstrations by adapting the recently demonstrated Constellation Based DNA (CB-DNA) Fingerprinting method to ZigBee-like WirelessHART signals supporting SCADA/ICS applications. The goal is to achieve similar device hardware and/or operating state discrimination performance that includes verification-based anomaly detection exceeding 90% on a pulse-by-pulse (command-by-command) basis, and nearing 100% when considering multiple sequential pulses (commands).
