The objective of STTR Topic N16A-T013, Cyber Forensic Tool Kit for Machinery Control, is to develop live digital forensics that, at run time, provide a cyber-protection strategy and aid in identifying malfunctions due to malicious and non-malicious events, while ensuring minimal impact on overall system performance. A proposal has been prepared by TDI Technologies, Inc., a small business based in King of Prussia, PA, which includes the following tasks. Phase I Base: Task 1 - Define applicable policies for the target SCADA system; Task 2 - Obtain and analyze data samples for system and protocol operations; Task 3 - Model the system using graph-based FSMs and identify live forensic requirements; Task 4 - Perform a feasibility analysis for implementing the live forensic requirements as LKMs; Task 5 - Perform a feasibility analysis for extending existing open-source forensic frameworks; Task 6 - Design and lay out CyFT; Task 7 - Testing and validation for the feasibility demonstration; Task 8 - Prepare a final report. Phase I Option: Task 9 - Define and develop security and cyber-forensic ontologies; Task 10 - Define a comprehensive and portable framework for vulnerability assessment; Task 11 - Develop an open system architecture framework for CyFT; Task 12 - Prepare a final report.
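Tasks 2 and 3 describe learning the normal operation of a machinery control system from sample data and modelling it as a graph-based FSM so that live traces can be checked against it. The following is an added illustration of that idea, written for this page and not taken from TDI's CyFT: a first-order transition graph is learned from known-good operation traces and a live trace is walked against it, with every operation the model has never seen in the current state reported with enough context for an analyst to decide whether it was malicious or a benign fault. The pump-controller protocol, its operation names and the traces are constructed for the example; the per-event cost is a single set lookup, which is the kind of footprint a live hook has to keep.

```python
"""Graph-based FSM model of normal controller behaviour, learned from sample
traces and then used to flag deviating event sequences.

Added illustration for this page; not TDI's CyFT code. The protocol, its
operation names and the sample traces below are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# A trace is an ordered list of (timestamp, operation) pairs, as a live forensic
# hook (e.g. a kernel module tapping the fieldbus driver) might record them.
Trace = List[Tuple[float, str]]

# Transition graph: state -> set of operations allowed from that state. The state
# is simply the last operation observed (a first-order model); START is the
# initial state before anything has been seen.
FSM = Dict[str, Set[str]]

START = "START"


def learn_fsm(good_traces: List[Trace]) -> FSM:
    """Build the allowed-transition graph from known-good sample traces."""
    fsm: FSM = defaultdict(set)
    for trace in good_traces:
        prev = START
        for _, op in trace:
            fsm[prev].add(op)
            prev = op
    return dict(fsm)


def check_trace(fsm: FSM, trace: Trace) -> List[dict]:
    """Walk a live trace against the model and return each deviation with context.

    A deviation is an operation that never followed the current state in any
    good trace. Each record says whether the operation is known to the model at
    all (a known operation out of sequence looks like a lost message or a fault;
    an operation the model has never seen looks like an injected command).
    """
    known_ops = set(fsm).union(*fsm.values())
    deviations = []
    state = START
    for idx, (ts, op) in enumerate(trace):
        allowed = fsm.get(state, set())
        if op not in allowed:
            deviations.append({
                "index": idx,
                "time": ts,
                "state": state,
                "op": op,
                "known_op": op in known_ops,
                "expected": sorted(allowed),
            })
        # Re-synchronise on the observed operation when the model knows it, so a
        # single anomaly does not turn every later event into a deviation.
        if op in fsm:
            state = op
    return deviations


# Constructed sample traces: a pump controller whose normal cycle is
# read status -> write setpoint -> ack, with occasional repeated status reads.
GOOD_TRACES: List[Trace] = [
    [(0.0, "READ_STATUS"), (0.1, "WRITE_SETPOINT"), (0.15, "ACK"),
     (1.0, "READ_STATUS"), (1.1, "WRITE_SETPOINT"), (1.15, "ACK")],
    [(0.0, "READ_STATUS"), (1.0, "READ_STATUS"),
     (1.1, "WRITE_SETPOINT"), (1.15, "ACK")],
]

# Constructed live trace: a firmware upload appears where only a status read
# ever follows an ACK, and later an ACK arrives without a preceding write.
LIVE_TRACE: Trace = [
    (10.0, "READ_STATUS"),
    (10.1, "WRITE_SETPOINT"),
    (10.15, "ACK"),
    (11.0, "FIRMWARE_UPLOAD"),
    (11.5, "READ_STATUS"),
    (11.6, "ACK"),
]


def demo() -> List[dict]:
    """Learn the model from the good traces and check the live trace."""
    return check_trace(learn_fsm(GOOD_TRACES), LIVE_TRACE)


if __name__ == "__main__":
    for d in demo():
        print(f"t={d['time']:.2f} state={d['state']} saw={d['op']} "
              f"known={d['known_op']} expected={d['expected']}")
```

Running it reports two deviations: the FIRMWARE_UPLOAD at t=11.00 (an operation the model has never seen, following ACK) and the ACK at t=11.60 (a known operation arriving after READ_STATUS with no WRITE_SETPOINT in between). A first-order graph is the simplest choice; a richer model would key the state on more history or on operand values such as the register being written, at a higher memory cost per tracked connection.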
Benefit: ANTICIPATED BENEFITS The R&D conducted in Phase I will lay the foundation for the work to be done in Phase II. Phase I will essentially evaluate the proposed solution framework's approach and demonstrate a proof-of-concept simulation and/or analytical model for testing and validation. Based on the needs assessment at the end of Phase I, the solution will be optimized and the necessary modifications will be incorporated into all relevant aspects of the solution framework, including but not limited to policy, algorithms, techniques, and implementation. The framework will be tested and validated rigorously on a more realistic test bed in order to fine-tune the various components integrated into the CyFT framework and make all necessary calibration adjustments. The completion of Phase I will also provide the opportunity to conduct an actual vulnerability assessment on the prototype solution, which will give critical feedback on any security vulnerabilities that exist. In addition, proof-of-concept testing and validation will show whether the software, when working in conjunction with the MCS, introduces any new vulnerabilities, expands the attack surface, or offers new attack vectors. All of this information will be used during Phase II, and the solution framework will be modified, with recalibration of the various subsystems and components, to meet the expected requirements for a lightweight, portable cyber-forensics toolkit for conducting effective live forensic analysis on a SCADA system. POTENTIAL COMMERCIAL APPLICATIONS According to a recent market report published by Transparency Market Research, Supervisory Control and Data Acquisition (SCADA) Market - Global Industry Analysis, Size, Share, Growth, Trends and Forecast, 2014-2020, the SCADA market was valued at USD 23.20 billion in 2013 and is expected to reach USD 32.70 billion by 2020, growing at a compound annual growth rate of 5.0% from 2014 to 2020.
While this STTR topic and the subsequent project are specifically issued by the US Navy ONR, TDI believes this technology is well suited to, and would benefit, several industry verticals, including the Department of Defense, energy, automotive, and pharmaceuticals. For defense-related land- or sea-based C4ISR systems, the implementation of a portable, lightweight cyber forensic toolkit such as CyFT could be very beneficial. Modern military aircraft and complex military communication systems could also benefit from the proposed CyFT. In the commercial world, energy providers would be able to determine whether there were malicious acts on their equipment, whether from a typical consumer trying to beat their bill or from a foreign attack on one of their power generating stations, including nuclear, electric and gas. The automotive industry would be another good candidate, as the new generation of cars has onboard event recorders (black boxes), some with very large storage. Similarly, as competition among drug manufacturers increases and the rush to build solutions for HIV, cancer and Ebola intensifies, the pharmaceutical sector will become increasingly vulnerable to cyber attacks; CyFT would give the sector a means of detecting and investigating such attacks. TDI plans to pursue these commercialization opportunities by leveraging our contacts in the SCADA community and through various other marketing efforts, including conferences and trade shows.
Keywords: Supervisory Control And Data Acquisition (SCADA), cyber-attacks, cyber-forensics, forensic tool set, Machinery Control System (MCS), cyber-security, Finite State Machines (FSM), Loadable Kernel Modules (LKM)