Wednesday, 30 November 2011

CNII Forensics

The promotion of IT security must take place at both the national and international levels. This promotion can be built into the Critical National Information Infrastructure (CNII) program, which can combine initiatives at the organizational level with national and international cooperation.

The CNII program is tedious but indispensable. A lot of coordination must be carried out and collaboration among the stakeholders must be improved. The awareness campaign and cyber drill are an admirable kick-off, intended to make more people aware of the complications and the disastrous impact an incident can have.

Jennex [1] wrote on incident response. The author said a guideline must be devised in every organization because incidents are unpredictable: the organization's business has to resume and crisis management has to be effective.

In addition to the above, digital forensics has become more prevalent and must be part of incident response. In fact, Gavin Reid, leader of the Computer Security Incident Response Team at Cisco Systems, has mentioned that digital forensics and malware forensics are two of the critical skills in incident response. Digital forensics is used to investigate the root cause of the incident, and with malware forensics capability, reverse engineering can be conducted in order to determine the hazard. Stuxnet is an example; some of its capabilities are as follows.

• Spreads through the network and removable media
• Infects Windows systems by installing a rootkit
• Uses special processes to avoid detection
• Targets Siemens WinCC SCADA
• Injects commands into the PLC and, most notably, is self-removable, hidden, able to reinfect and capable of communicating with peers

As such, during this semester break I'll be quite busy doing some research on CNII from an Australian perspective and on how we can apply digital forensics in incident response. Most probably there will be 7 parts altogether. I will break it down as follows.

1. The correct CNII description (most people talk about SCADA security, and this nomenclature might be inaccurate), standards, regulations and perspective according to country, i.e. Australia.
2. Study on industrial network incidents, perhaps according to country experience. Malaysia can be included, e.g. the recent Empire shopping complex gas leakage explosion.
3. Study on core networks and protocols, e.g. Modbus, ICCP, DNP3, etc.
4. The control electronics and operational parts, i.e. IED, RTU, PLC, etc.
5. Study on the weaknesses of parts 3 and 4 above: hacking, threats, anomalies, etc.
6. Security strategy, e.g. network design and deployment, segregation, monitoring and cyber drills.
7. Last but not least, CNII forensics (network forensics), including malware forensics, to reveal the outcome of the investigation of an incident.

[1] M. E. Jennex, "A Model for Emergency Response Systems," in Cyber Warfare and Cyber Terrorism, L. J. Janczewski and M. Colarik, Hershey, PA: Information Science Reference, 2008, pp. 383-389.