{"id":55943,"date":"2024-04-25T16:00:00","date_gmt":"2024-04-25T16:00:00","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/investigating-industrial-control-systems-using-microsofts-icspector-open-source-framework\/"},"modified":"2024-04-25T16:00:00","modified_gmt":"2024-04-25T16:00:00","slug":"investigating-industrial-control-systems-using-microsofts-icspector-open-source-framework","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/investigating-industrial-control-systems-using-microsofts-icspector-open-source-framework\/","title":{"rendered":"\u200b\u200bInvestigating industrial control systems using Microsoft\u2019s ICSpector open-source framework"},"content":{"rendered":"

Industrial Control Systems (ICS) security has been a subject of research for many years, spurred, in part, by recent <\/span>state-sponsored ICS-targeting malware<\/span><\/a> and supply-chain attacks like the <\/span>ZPMC cranes spying concerns<\/span><\/a> that threaten critical infrastructure. Given the potential harm to thousands of people if water treatment facilities, power plants and nuclear reactors or other systems are breached, the stakes are high. Unfortunately, forensics for ICS devices is not as advanced as in IT environments like Windows and Linux. This can stall forensics investigation when incidents occur.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

To overcome this challenge, Microsoft released <\/span>ICSpector<\/span><\/a>, <\/span>an open-source framework that facilitates the examination of the information and configurations of industrial programmable logic controllers (PLCs). This framework simplifies the process of locating PLCs and detecting any anomalous indicators that are compromised or manipulated. This can assist you in safeguarding the PLCs from adversaries who intend to harm or disrupt their operations.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Many operational technology (OT) security tools based on network layer monitoring, such as<\/span> Microsoft Defender for IoT<\/span><\/a>, <\/span>provide network protection for OT\/IoT environments, allowing analysts to discover their devices and respond to alerts on vulnerabilities and anomalous behavior. However, o<\/span>ne of the biggest challenges is<\/span> retrieving the code<\/span> running on the <\/span>PLC and scanning it as part of an incident response<\/span> <\/span>to understand if it was tampered <\/span><\/span><\/span>with<\/span><\/span>. <\/span><\/span><\/span>T<\/span><\/span><\/span>his<\/span><\/span><\/span> act<\/span><\/span><\/span> requires <\/span>caution, because<\/span> <\/span>the PLCs are actively <\/span>operating<\/span><\/span><\/span> vital industrial <\/span>process<\/span>. <\/span>This is where <\/span>I<\/span>CSpector<\/span> can help individuals or facilities perform this task with best practices.<\/span><\/span><\/span><\/p>\n

 <\/span><\/p>\n

Industrial control systems in brief<\/span><\/strong> <\/span><\/span><\/p>\n

Industrial Control Systems (ICS) and Operational Technology (OT) are critical to modern society, powering everything from power grids and water treatment plants to manufacturing facilities and transportation systems. These systems typically rely on a combination of hardware and software components to perform their functions. Programmable logic controllers (PLCs) are used to manage and control the various processes within an industrial environment. As these systems become increasingly digitized and interconnected, they are also becoming more vulnerable to cyberattacks. <\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Due to their critical role in ensuring the smooth operation of industrial processes, and the physical danger or extreme financial losses that could result if attacked, ICS devices are prime targets of cyberattacks, making ICS security an increasingly critical issue in today’s digital landscape.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

\"FigureFigure 1: Known ICS-targeted cyberattacks that occurred between 2010 and 2022. (Image from Cyber Signals: Risks to critical infrastructure on the rise)<\/span><\/span><\/p>\n

With ICS cyberattacks on the rise, facilities require a holistic solution to address the unique nature of critical infrastructure environments. A common threat involves ICS malware attempting to modify the controller program logic to disrupt operations and cause physical harm.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Extracting data from a controller can be challenging, as it requires specialized expertise in communicating with the device and understanding the specific, and at many times proprietary, protocols used to transmit and store data. This expertise is critical for conducting forensic operations because investigators must be able to extract specific data from a controller to identify security risks and determine the root cause of issues. The challenges around securing OT and the potentially large impact from even one controller being infected in a critical environment, highlight the need for effective security measures and forensic tools to investigate and remediate incidents.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Challenges in ICS forensics<\/span><\/strong> <\/span><\/span><\/p>\n

ICS forensics differs from standard IT forensics, because ICS environments possess distinctive features that distinguish them. <\/span> <\/span><\/p>\n


<\/span>Cybersecurity forensics in IT environments involves the collection, analysis, and preservation of digital evidence to identify the cause and extent of a security breach or cyberattack. This includes analyzing network traffic, logs, and system data to identify the source of the attack and to patch vulnerabilities. In contrast, forensics in OT environments involves analyzing ICS data, including data from sensors and controllers used in manufacturing and industrial settings.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

While OT communication protocols and execution methods are based on general principles, each vendor can implement its own protocol for data exchange and management. As a result, there is no universal protocol that applies to all controllers, and researchers must investigate each device separately, from its communication patterns to its internal data structure.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Another challenge has to do with talent and tools. Because OT and IT environments were historically isolated and had distinct security operations center teams with different tools, most incident response specialists lack the expertise to analyze OT. And while the IT domain has a variety of forensics tools, such as Autopsy, The Sleuth Kit and FTK, the OT forensics domain is still emerging, lacks a common methodology, and requires OT experts to develop their own solutions.<\/span> <\/span><\/p>\n

 <\/span><\/p>\n

Specialized tools and techniques have started to emerge to address the unique challenges of conducting investigations in ICS environments. These include the<\/span> Top 20 Secure PLC Coding Practices<\/span><\/a>, specific OT protocols implementations available on GitHub, and paid tools for an overview of controller programs for a specific set of protocols. Notably missing from these options has been an open-source solution that provides a comprehensive implementation of OT protocols and gives forensics investigators the ability to analyze extracted data and drill down into informative and suspicious areas within the controller loaded project. <\/span> <\/span><\/p>\n

 <\/span><\/p>\n

ICSpector for industrial engineers and cybersecurity analysts<\/span><\/strong> 
<\/span><\/span>Microsoft aspired to fill the gap in the market by creating the ICSpector framework. Written in Python and available on GitHub, ICSpector is a framework with tools that enable investigators to:<\/span> <\/span><\/p>\n