Cyber Forensic Tool Kit for Machinery Control
Navy STTR 2016.A - Topic N16A-T013
NAVSEA - Mr. Dean Putnam - dean.r.putnam@navy.mil
Opens: January 11, 2016 - Closes: February 17, 2016

N16A-T013 TITLE: Cyber Forensic Tool Kit for Machinery Control

TECHNOLOGY AREA(S): Information Systems

ACQUISITION PROGRAM: PEO Ships AM, Acquisition Management

OBJECTIVE: Develop live digital forensics that, at run time, provide a cyber-protection strategy and aid in identification of malfunctions due to malicious and non-malicious events, while ensuring minimal impact on overall system performance.

DESCRIPTION: Shipboard machinery control systems utilize SCADA to monitor and control these systems. Common components of the SCADA systems include human-machine interfaces (HMI), remote terminal units (RTU), input/output devices (I/O), programmable logic controllers (PLC), and communication networks. Digital forensics, consisting of activities associated with the collection and analysis of digital data from various sources, is an essential part of an overall cyber defense strategy both prior to and after a breach of security. For SCADA systems, forensics is not only a vital part of the protection strategy but also can aid in the troubleshooting and identification of non-malicious events that cause the system to malfunction.

A number of unique challenges exist for the forensic analysis of SCADA based systems. Components of a SCADA system are often resource constrained. The opportunity to run forensic resources on devices in the SCADA system depends on the availability of processor, memory, I/O, and other system resources. Many systems running in the field have legacy hardware and lack the computing capabilities of modern hardware systems. The collection of log data in SCADA systems is often inadequate. In particular, immediately following an incident, the collection of log data is critical to being able to re-create the sequence of events leading up to the incident. There are currently no effective methods for capturing the volatile data that exists in the control system registers, cache, memory, routing tables, and temporary file systems. Much of the data that exists in SCADA systems is at the lower layers of the architecture making it more difficult to access. At those layers, sometimes there is such a large amount of data that analysis becomes challenging due to scale and dimensionality.

The solution sought should incorporate data acquisition tools used to support forensics analysis that has minimal impact on the overall operation of the control system. The application must be able to operate as a plug in to an open source forensic tool kit such as Autopsy and have an open system architecture. The application should enable reconstruction and replay of the state of the SCADA system to support incident response. The government will be responsible for scheduling testing and certification of the application in a land based SCADA test facility prior to transition. It is essential that the proposed solution performs live forensics at run time with minimal impact on overall system performance.

PHASE I: The company will investigate and develop an architectural design of a forensic tool set for SCADA including identification of an Application Program Interface (API), for the plug in interface, and functional requirements. The company will define and develop a concept for forensic tools for SCADA that can meet the performance constraints listed in the description. They will perform modeling and simulation to provide initial assessment of concept performance and feasibility. Phase I Option, if awarded, would include the initial layout and capabilities description to build the system in Phase II.

PHASE II: Based on the results of Phase I and the Phase II Statement of Work (SOW), the company will develop and demonstrate a prototype forensic tool kit for SCADA based on the interface and functional requirements developed in Phase I. Testing will be conducted in a land based SCADA test facility. The prototype should be delivered at the end of Phase II, ready to be integrated by the government. The Phase II effort will likely require secure access.

PHASE III DUAL USE APPLICATIONS: The company will assist the Navy in transitioning the forensic tool set for SCADA specified in Phase I and prototyped in Phase II to a Navy lab for operational analysis. After Navy laboratory assessment, the company will assist with the integration of the forensic tool kit and demonstrate the complete system shipboard. The company will transition the technology to SCADA. The Cyber forensic tool kit will be applicable to control systems cyber analysis across the government. The cybersecurity tool will also be applicable to all manufacturing, energy production, and oil and mineral processing facility machinery and engine control systems.

REFERENCES:

1. Taveras, Perdo N., Pontificia Universidad Católica Madre y Maestra, Dominican Republic, "SCADA Live Forensics: Real Time Data Acquisition Process To Detect, Prevent Or Evaluate Critical Situations" Proceedings of 1st Annual International Interdisciplinary Conference, AIIC 2013, 24-26 April, Azores, http://eujournal.org/index.php/esj/article/download/1457/1466Portugal,

2. Kirkpatrick, T., Gonzalez, J., Chandia, R., Papa, M and Shenoi, S (2008) 'Forensic analysis of SCADA systems and networks', Int. J. security and Networks, Vol. 3, No. 2, pp. 95-102, http://www.inderscienceonline.com/doi/abs/10.1504/IJSN.2008.017222?journalCode=ijsn

3. Irfan Ahmed, Sebastian Obermeier, Martin Naedele, Golden G. Richard III, 'SCADA Systems: Challenges for Forensic Investigators', Computer Cover Feature December 2012, Published by the IEEE Computer Society 0018-9162/12/$31.00 © 2012 IEEE, http://cs.uno.edu/~irfan/Publications/ieee_computer_2012.pdf

KEYWORDS: Cybersecurity; forensics of cyber-attacks; SCADA; forensic tool set; WeaselBoard; PLC

TPOC-1: Frank Ferrese

Phone: 215-897-8716

Email: frank.ferrese@navy.mil

TPOC-2: Rocco Arizzi

Phone: 215-897-1479

Email: rocco.arizzi@navy.mil

Questions may also be submitted through DoD SBIR/STTR SITIS website.

** TOPIC AUTHOR (TPOC) **
DoD Notice:  
Between December 11, 2015 and January 10, 2016 you may talk directly with the Topic Authors (TPOC) to ask technical questions about the topics. Their contact information is listed above. For reasons of competitive fairness, direct communication between proposers and topic authors is
not allowed starting January 11, 2016 , when DoD begins accepting proposals for this solicitation.
However, proposers may still submit written questions about solicitation topics through the DoD's SBIR/STTR Interactive Topic Information System (SITIS), in which the questioner and respondent remain anonymous and all questions and answers are posted electronically for general viewing until the solicitation closes. All proposers are advised to monitor SITIS (16.1 Q&A) during the solicitation period for questions and answers, and other significant information, relevant to the SBIR 16.1 topic under which they are proposing.

If you have general questions about DoD SBIR program, please contact the DoD SBIR Help Desk at 800-348-0787 or sbirhelp@bytecubed.com