Publication

Volatile Memory Extraction-Based Approach for Level 0‐1 CPS Forensics...

by Rima L Asmar Awad, Juan Lopez Jr, Michael D Rogers, Kalyan S Perumalla
Publication Type
Conference Paper
Book Title
2019 IEEE International Symposium on Technologies for Homeland Security (HST)
Publication Date
Page Numbers
1 to 6
Conference Name
2019 IEEE International Symposium on Technologies for Homeland Security (IEEE HST)
Conference Location
Woburn, Massachusetts, United States of America
Conference Sponsor
IEEE-USA
Conference Date
-

Most security analyzers operate on system state that is far removed from the end-point components of cyber-physical systems (CPS), identified as levels 0‐1 in the Purdue Enterprise Reference Architecture (PERA) [1]. For example, many operate on system logs and other data dumped to disk. Tremendous value can be gained in cyber security forensics if low-level details, such as dynamic changes to volatile memory, can be extracted and provided to more sophisticated analysis tools. However, obtaining detailed and dynamic system state at the level of volatile memory is extremely challenging [2]. Here, we attempt to apply IT memory forensic mechanisms to CPS end-point devices and statistically evaluate them. Our focus is to extract volatile and dynamically changing internal information from CPS level 0‐1 devices, and to design preliminary schemes that exploit the extracted information. As a case study for our ongoing research, we apply the proposed methodology to a Modicon PLC using the Modbus protocol. We extract the memory layout and subject the device to read operations at the most critical regions of memory. Similarly, write operations are issued to carefully determined memory locations (for example, the bytes that hold the firmware version number). This capability of generating a sequence of volatile memory snapshots for offline, detailed and sophisticated analysis opens a new class of cyber security schemes for CPS forensic analysis. Also, the ability to dynamically make controlled modifications to specific memory locations opens the potential for new mechanisms such as taint analysis and watermarking.
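The abstract describes two operations: repeatedly reading critical memory regions over Modbus to build a sequence of snapshots, and writing controlled values to chosen locations. The following is an added illustration of that workflow, not code from the paper or from the authors: it builds raw Modbus/TCP frames (function 0x03 read holding registers, function 0x10 write multiple registers), takes several snapshots, diffs them to find the words that change between scans, and then writes one register and re-reads it. The "PLC" is a constructed in-memory simulator so the script runs offline; the register offsets (a firmware word at 0, a cycle counter at 7) and the assumption that the memory of interest is reachable as holding registers are illustrative assumptions, not the memory layout the paper extracts from a Modicon device.

```python
"""
Added example (not from the paper): snapshot, diff and write Modbus registers.
The device below is a constructed simulator; offsets and meanings are assumed.
"""
import struct

READ_HOLDING = 0x03     # Modbus function code: Read Holding Registers
WRITE_MULTIPLE = 0x10   # Modbus function code: Write Multiple Registers


def build_request(tid, unit, fc, addr, count, values=None):
    """Build a Modbus/TCP ADU: MBAP header (tid, proto 0, length, unit id) + PDU."""
    if fc == READ_HOLDING:
        pdu = struct.pack(">BHH", fc, addr, count)
    elif fc == WRITE_MULTIPLE:
        data = b"".join(struct.pack(">H", v) for v in values)
        pdu = struct.pack(">BHHB", fc, addr, len(values), len(data)) + data
    else:
        raise ValueError("unsupported function code")
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


class SimulatedPlc:
    """Constructed stand-in for a PLC exposing 64 holding registers.
    Register 7 is an assumed cycle counter that changes every scan."""

    def __init__(self):
        self.regs = [0] * 64
        self.regs[0] = 0x0201   # assumed: firmware version word (illustrative only)
        self.regs[7] = 0        # assumed: scan-cycle counter, volatile

    def scan(self):
        self.regs[7] = (self.regs[7] + 1) & 0xFFFF

    def handle(self, adu):
        """Answer one request ADU with a response ADU, including Modbus exceptions."""
        tid, _proto, _length, unit = struct.unpack(">HHHB", adu[:7])
        pdu = adu[7:]
        fc = pdu[0]
        if fc == READ_HOLDING:
            addr, count = struct.unpack(">HH", pdu[1:5])
            if addr + count > len(self.regs):        # illegal data address
                rpdu = struct.pack(">BB", fc | 0x80, 0x02)
            else:
                data = b"".join(struct.pack(">H", r) for r in self.regs[addr:addr + count])
                rpdu = struct.pack(">BB", fc, len(data)) + data
        elif fc == WRITE_MULTIPLE:
            addr, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
            vals = struct.unpack(">%dH" % qty, pdu[6:6 + nbytes])
            self.regs[addr:addr + qty] = vals
            rpdu = struct.pack(">BHH", fc, addr, qty)  # echo address and quantity
        else:                                           # illegal function
            rpdu = struct.pack(">BB", fc | 0x80, 0x01)
        return struct.pack(">HHHB", tid, 0, len(rpdu) + 1, unit) + rpdu


def parse_read_response(adu):
    """Return the register list from a read response; raise on a Modbus exception PDU."""
    pdu = adu[7:]
    if pdu[0] & 0x80:
        raise RuntimeError("Modbus exception 0x%02x for fc 0x%02x" % (pdu[1], pdu[0] & 0x7F))
    nbytes = pdu[1]
    return list(struct.unpack(">%dH" % (nbytes // 2), pdu[2:2 + nbytes]))


def snapshot(plc, addr, count, tid=1, unit=1):
    """One read of `count` registers starting at `addr`: a single memory snapshot."""
    return parse_read_response(plc.handle(build_request(tid, unit, READ_HOLDING, addr, count)))


def diff_snapshots(snaps):
    """Map register offset -> its value series, only for words that changed across snapshots."""
    changed = {}
    for off in range(len(snaps[0])):
        series = [s[off] for s in snaps]
        if len(set(series)) > 1:
            changed[off] = series
    return changed


def write_register(plc, addr, value, tid=99, unit=1):
    """Controlled modification of one register; True if the device echoed the write."""
    resp = plc.handle(build_request(tid, unit, WRITE_MULTIPLE, addr, 1, [value]))
    fc, echoed_addr, qty = struct.unpack(">BHH", resp[7:12])
    return fc == WRITE_MULTIPLE and echoed_addr == addr and qty == 1


def demo():
    """Three snapshots of the first 16 words, a diff, then a write to the assumed firmware word."""
    plc = SimulatedPlc()
    snaps = []
    for _ in range(3):
        snaps.append(snapshot(plc, 0, 16))
        plc.scan()                      # device keeps running between snapshots
    volatile = diff_snapshots(snaps)    # expected: only offset 7 changes
    ok = write_register(plc, 0, 0x0203)
    after = snapshot(plc, 0, 16)
    return volatile, ok, after[0]


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this. First, the diff over a snapshot sequence is what separates genuinely volatile words (the counter at offset 7) from static ones (the version word at offset 0), which is the basis for deciding where a later write or watermark would be observable. Second, the same unauthenticated Modbus reads and writes that make this forensic approach possible are available to anyone on the control network, so a write-capable forensic tool must be used only against test hardware or during planned maintenance, and the exception path shown above (illegal address, illegal function) is the only feedback the protocol gives when a read lands outside the exposed region.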