This document provides a new Digital Forensics and Incident Response (DFIR) framework dedicated to Operational Technology. This framework expands the traditional technical steps of IT Incident Response by adding an Incident Response procedure based on event escalation and by providing techniques for OT Digital Forensics. The document begins with an overview of OT DFIR, discussing DFIR terms in general and explaining the unique properties of DFIR in OT. It then describes the preparations needed for OT DFIR, such as establishing an Incident Response Team (IRT) and equipping a Digital Forensics lab. Finally, the document presents the suggested OT DFIR framework with a detailed explanation of its phases and steps.
Digital Forensics and Incident Response (DFIR) are two common terms in cybersecurity, initially developed for Information Technology (IT) systems, based on technical steps including preparation, detection, containment, eradication, recovery, and post-incident activity [1]. Each step can be broken down into many technical actions that require advanced skills to perform.
Operational Technology (OT) describes a family of systems used to manage, monitor, and control industrial operations, focusing on the physical devices and processes involved (e.g., electricity, water, pharmaceutical production). Implementing DFIR methods for these systems requires a series of dedicated extensions to procedures and techniques because of several unique aspects of OT.
1.1.1. Main Incident Response challenge in OT
Traditional Incident Response steps mainly focus on the technical aspects of the process rather than on the procedure that governs it. This is not a problem when dealing with an event in IT environments because, in most cases, the IT system is under the full responsibility and control of a single department, the IT department. However, this is not the case in OT [2]. A primary factor affecting incident handling in OT is the number of stakeholders (e.g., operators, maintenance teams, engineers, cyber analysts) who each perform some level of analysis on the system. As a result, a lack of clear procedures, a lack of coordination, and a lack of clearly defined responsibility and authority can lead to failures when managing a real-time cyber incident.
Moreover, although OT systems are considered reliable, non-cyber incidents such as technical malfunctions or process anomalies are not rare. Therefore, there is always a challenge in balancing two extreme approaches: on one hand, treating every technical issue as a standard technical event and providing technical support that can take a long time, while accepting the risk of missing actual cyber events; on the other hand, treating every technical issue as a potential cyber incident, while accepting the risk of many false positives that will wear down the Incident Response Team.
1.1.2. Main Digital Forensic challenge in OT
At its most fundamental level, Digital Forensics is about analyzing data with tools and techniques to answer questions such as what happened in the system, how it occurred, and what the impact was. The levels of analysis differ in the types of data and tools involved, the level of skill required, and the time invested.
Unique devices and data types in OT require unique knowledge and skills to carry out Digital Forensics. In addition, OT is a type of system with a strong connection to the physical world, so it is critically important to understand the possible implications for safety and operations of any forensic-related action performed on the system. Therefore, there must be a strong connection between technical OT personnel and Digital Forensics analysts.
1.2. Purpose and Scope
The purpose of this document is to provide an OT Digital Forensics and Incident Response (DFIR) framework. This framework expands the traditional technical steps by adding an Incident Response procedure based on event escalation and by providing additional techniques for OT Digital Forensics.
The scope of this document includes an overview of DFIR and its implementation within OT environments. Its goal is to provide the whole picture as a starting point for organizations to establish their own OT DFIR capabilities.
This document does not dive deeply into the bits and bytes, nor does it describe specific protocols, logs, or tool instructions. That level of technical detail depends on each organization's particular equipment, vendors, and systems. Each organization should use the methods proposed in this document to build its own dedicated technical procedures.
1.3. Audience
This document's audience includes OT Incident Handlers, who should be familiar with three main fields: Cybersecurity, OT/Industrial Control System (ICS) engineering, and Digital Forensics. In practice, engineers with all three skill sets rarely exist in organizations. That is why OT Incident Handlers must work as part of a team, which may include: Cyber OT Engineers (engineers familiar with both OT/ICS systems and OT cybersecurity), Industrial Control Engineers, IT professionals, researchers, analysts, Process Engineers, Safety Engineers, and managers responsible for OT.