Digital Forensics and Incident Response (DFIR) for IT systems has been around for quite a while, but what about Industrial Control Systems (ICS)? This talk will explore the basics of DFIR for embedded devices used in critical infrastructure, such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and other controllers. If one of these devices is compromised, or simply misoperates, we will show which files, firmware, memory dumps, physical conditions, and other data can be collected from the embedded system and analyzed to determine the root cause.
This talk will show examples of what forensic data to collect, and how to collect it, from two popular RTUs used in electric substations: the General Electric D20MX and the Schweitzer Engineering Labs SEL-3530 RTAC.
This talk will not cover Windows- or *nix-based devices such as Human Machine Interfaces (HMIs) or gateways.
Chris Sistrunk is a Senior Consultant at Mandiant, focusing on cyber security for industrial control systems (ICS) and critical infrastructure. Prior to joining Mandiant, Chris was a Senior Engineer at Entergy (over 11 years) where he was the Subject Matter Expert (SME) for Transmission & Distribution SCADA systems. Chris helped organize the first ICS Village, which debuted at DEF CON 22 and was featured at RSAC and SANS ICS Summit. He is a Senior Member of IEEE, member of the DNP Users Group, President of Mississippi Infragard, and also is a registered PE in Louisiana. He holds a BS in Electrical Engineering and MS in Engineering and Technology Management from Louisiana Tech University. Chris also founded and organizes BSidesJackson, Mississippi's only cyber security conference.
Josh Triplett is a Senior Reverse Engineer on the FireEye Labs Advanced Reverse Engineering Team. He joined FLARE after six years in the U.S. Navy. His military experience included malware analysis, Red Team operations, and software development.