Anomaly Detection and Encrypted Programming Forensics for Automation Controllers
Abstract
Securing the critical infrastructure of the United States is of utmost importance in ensuring the security of the nation. To secure this complex system a structured approach such as the NIST Cybersecurity framework is used, but systems are only as secure as the sum of their parts. Understanding the capabilities of the individual devices, developing tools to help detect misoperations, and providing forensic evidence for incidence response are all essential to mitigating risk. This thesis examines the SEL-3505 RTAC to demonstrate the importance of existing security capabilities as well as creating new processes and tools to support the NIST Framework. The research examines the potential pitfalls of having small-form factor devices in poorly secured and geographically disparate locations. Additionally, the research builds a data-collection framework to provide a proof of concept anomaly detection system for detecting network intrusions by recognizing the change in task time distribution. Statistical tests distinguish between normal and anomalous behavior. The high true positive rates and low false positive rates show the merit of such an anomaly detection system. Finally, the work presents a network forensic process for recreating control logic from encrypted programming traffic.
Document Details
- Document Type
- Technical Report
- Publication Date
- Mar 25, 2021
- Accession Number
- AD1134131
Entities
People
- Robert W. Mellish
Organizations
- Air Force Institute of Technology