Assessment and Forensics for Large-Scale Smart Grid Networks
The infrastructure that supports the power grid is vulnerable to attack by intruders who could potentially take control of certain points and cause great damage to systems. The SCADA systems and other components in the smart grid are complex, and many systems rely on information from other sources. An embedded system, such as a breaker, could be compromised and set to report false information. As a result of such a compromise, analyses from monitoring systems and logging would be incorrect, as they would be based on falsified data. Stuxnet and Flame have shown that entities exist that are willing and able to create extremely sophisticated attacks. The Flame malware showed that even an immensely large and complex attack can run undetected for years. The sophisticated rootkits employed by Stuxnet and Flame showed that the current standard of detection software is easily defeated. Sophisticated, targeted attacks such as Stuxnet are inevitable, and both detection of such attacks and development of a deep understanding of what happened are critically important. If machines such as those in SCADA are compromised, we want to know as much about the attacks as possible, and understand what the effects will be on the power grid. The objective of this activity was to integrate forensics techniques in the monitoring process to ensure the integrity of the applications involved and the information acquired. We created the Forenscope framework, a memory forensics platform that can perform memory analysis, capture, and sanitization on critical systems outside of the execution context of malware; the platform can be extended to perform any number of forensic tasks. We also created Cafegrind, a memory analysis tool that analyzes applications to determine what information is available in memory for forensic investigation. It monitors every instance of every data structure created by an application and monitors all accesses, when the instance is freed, and when the memory in which it was stored was overwritten. Finally, in order to better understand the structure of an application’s memory, we created visualization tools to provide insight into how we might model memory. Ultimately, we see forensics facilities as an addition to an overall SCADA monitoring framework that enhances and informs security within cyberinfrastructure.