cyber security writing question and need the explanation and answer to help me learn.
Based on the Ransomware attack scenario, you will conduct a forensic investigation to identify, collect and preserve forensic data, extract incident evidence, and analyze forensic evidence in such a way that it preserves the integrity of the evidence collected for effective use in a legal case.
The FBI and DHS have been actively engaged, providing guidance on IoCs to monitor. The team has identified some additional IoCs based on related activity discovered inside the ARC network. The team has discovered that the traffic the FBI identified is not only sourced from the initially identified Platform systems, but also from additional systems that proxy traffic through the Gas systems, that appear to be the source. This infiltration is much larger than first expected.Several of the systems have files that were hidden by assigning them “legitimate” but rarely or never used program names. They appear to be part of the malware used to infect the systems. Additional files appear to be tools used by the attackers. IoCs did not directly help identify the files as it appears the tools had been compiled specifically for this attack. The hidden files were identified as lacking proper hashes and therefore not part of the standard image or system generated files.Now that the team has the files as additional IoCs, they need to determine the full scope of the attack in terms of infected systems. They use a management system to identify which systems contain these hidden files and catalog them, but still have not taken action as the FBI and DHS are keeping the team in a mode of discovery to fully assess the attackers and see if they can figure out attribution to a known or new threat actor group. The hidden files are extracted from a system, copied bit-by-bit as to preserve the evidence for reverse engineering. A copy has been made for the team to learn more about the attack with the assistance of the FBI.The team has been monitoring the exfiltration of data to observe what files were of interest to the attackers. A full packet capture was installed at the ARC as it was not a current capability prior to the FBI and DHS engagement. Although this has been useful to see packet header information and some signalling data, the proxy information captured has been limited to captures of encrypted streams to the data hosting providers. The hosting providers have recently upgraded to TLSv1.3, eliminating the possibility of passive interception with decryption. This means for packet content they can only read headers or deduce fingerprints of encrypted traffic. Otherwise they need to be able to access points of origination and receipt. To obtain the data in cleartext, the systems that are used as proxies have been the most valuable source of information as the files are briefly stored on those systems prior to being sent to the external storage providers. In a few cases, the team was able to copy off the files from backup systems without the attackers noticing their activity.The team has a big problem, since the systems that were the source of the compromise are connected to NG customer locations, the usage, billing and customer identification codes have all been found in the files exfiltrated. The bill rate varies by usage and by contract, but has never been disclosed beyond each individual customer.
Customer Identifier Usage Bill Rate
CSR237645 6789 1.45
CSR431728 7801 1.25
CSR782028 2789 1.75
Table 1. Natural Gas (NG) Customer Usage and Bill Rate
The team also needs to figure out how this information is being used. To date, they have not found files that have been exfiltrated that contain the mapping of the actual customer to the identifier. Although skimming and redirecting funds may be possible from the other information gathered, the analysis currently shows that the information may be solely for the purpose of understanding usage patterns. The team suspects the purpose is likely to conduct outages throughout the Ackme product networks at times that will impact customers, including the airport, when it would be the most detrimental to the highest number of people.The FBI and DHS recommend that the team solidify recovery and remediation plans now that the information gathering has been successful and the malware has been examined for additional information on the threat actors.
Assignment:
Write a Forensic Investigation Report that summarizes the substantive evidence in the Ransomware attack for use in legal proceedings.
The report should be of the following length: between 1250 and 2500 words.
Include ALL of the following components in the Forensic Investigation Report:
Forensic Investigation procedures
Incident forensic data gathering procedures
Incident forensic data protection
Incident forensic analysis procedures
Incident forensic evidence protection
Incident forensic evidence investigation results
Incident forensic investigation conclusion
Requirements: 1200 word | .doc file
H. Ackme Oil & Gas Background Material
A – Current Platform Control Systems Technology
B – Platform Control Systems IO & Communications Protocols
C – Acronyms & References
Introduction
Ackme is a vertically integrated company that extracts natural gas (NG) and Crude Oil from Ocean wells, processes it and then wholesales it to a relatively small number of customers. The wells contain largely NG on a 70% to 30% ratio. Figure 1 below provides a visualization of the enterprise in its operational area.
Figure 1 – H. Ackme Operations & Major Customers
All of Ackme’s field operations use Automated Control Systems (ACS) for monitoring & controlling (M&C) the product processing & flow. There are separate systems for the platforms, refining processes, and distribution. ACSs are the brains and nervous system of Ackme’s operations.
Customers
Ackme supplies natural gas over a large geographical customer base including 2 major metropolitan areas, one an old banking center and the other hosting a number of HQs for large commercial enterprises. Thirty-nine percent of the NG product flowing locally is used for electrical generation, 30% by heavy industry, 13% goes to retail and office buildings, and the remaining 18% to homes. In times when demand is weak Ackme contracts with Liquefied Natural Gas (LNG) operators to ship their gas overseas. Ackme also has a smaller refining operation where its crude oil is processed. It’s primary outputs are jet fuel, delivered to the nearby major airports via pipeline, and diesel fuel, used to power generators on its own platforms with excess sold on the spot market. In times of particularly low demand Ackme will sell their excess crude production to larger refiners.
Gross Revenue from Product
Natural Gas Production from each platform averages 185,000 thousand (185 million) cubic feet per week. With NG prices ranging from $6.50 to $10.00 per thousand cubic feet the platform gross revenue per platform is valued at $72 million annually. Additionally Crude Oil withdrawal averages 13,000 barrels per week. At $60 per barrel platform Oil gross revenue per day is valued at $111, 500 daily or $41 million annually. So a platform produces gross revenue in the neighborhood of $113 million per year, or for all 10 platforms $1.13 billion. A single well produces for 6 years. A platform lifespan is in the neighborhood of 20-40 years.
Figure 2. Average Gas Platform Production per day
Stakeholders
Ackme (ticker AKC) is a publicly traded company on the NASDAQ exchange. Due to the significant increase in natural gas supply from new wells in the Marcellus Shale regions in the Northeast US, the price of NG has fallen. But due to it’s vertical nature in its region, Ackme has a strong hold on local supply and has kept prices higher than elsewhere in the country. Business and political leaders in the Bi-City area have started serious discussions with alternate NG providers, located further inland, about financing new pipeline construction to take advantage of the favorable pricing. Ackme is a big employer in the region with over slightly over 3,000 employees.
Natural Gas Processing & Distribution
After extracted from the well, separated from oil & water on the platform, and transported to shore, the NG is routed to a refining facility. There it is further processed to remove contaminants and become pure methane before being routed directly to customers, or to underground storage. The storage provides the capability to balance flows when production is slow or usage high. The gas is stored in depleted land based subterranean caverns. Total available storage is approximately 3 days high usage for the entire service area. See Figure 3 below for details on the purification process to refine the raw gas to methane.
Figure 3 – Ackme Natural Gas Refining Facility Process
Ackme delivers its NG product via pipeline from its processing facility in large volumes to over 100 major customers in the Old Borough (OB) and New City (NC) Metropolitan Areas. Both OB and NC have metro populations in excess of a million. Ackme’s NG customers include;
large electrical utilities that use it as their primary fuel source for power generation, (39%
large gas distribution utilities that deliver it for heating and cooking to office buildings, commercial areas & homes(31%), and
major industrial sites with a variety of customers where it is used as fuel for heating production materials and for running large generators. (30%)
The Natural Gas Distribution Control System
NG distribution pipelines require constant monitoring and control over pipeline pressure, volume flow/usage, temperature and valve opening/closing. To accomplish this Ackme employs a regional Automatic Metering Infrastructure (AMI). See Figure 4, below. Its components include an extensive network of programmable logic controllers (PLCs), communications equipment, sensors, and actuators. These devices sit along the pipelines at crucial junctions and at points of connection (POCs) also known as “gates” with some customers.
Figure 4 – H. Ackme Natural Gas Automatic Metering Infrastructure (AMI)
More detail on the gates follows in the next section. While Ackme has a little over 100 customers, they only maintain 12 gate stations. Beyond the gate stations, advanced meters are used primarily to track flow, temperature, and pressure. The pressure in the pipeline after the gate station is substantially reduced to from 1,000 to 200psi and then at the meters there is further reduction, depending on demand level requested by the customer. At connection points there is a sophisticated process happening because the gas has to be heated (moving from high to lower pressure produces cooling – the gas can “freeze” – become a solid ). Also an agent is injected at connection points so that the gas has a smell. Methane is normally odorless.
Figure 5. Gate and Meter Connections
All metering connections include safety systems that can open and close valves automatically in emergency situations. The meter usage data is recorded with electro-mechanical sensors and sent through the control system to the Ackme Regional Center (ARC) and then to corporate HQ for billing.
Ackme’s NG technology is considered 3rd Generation, with the most recent technology being 4th generation. The 4th generation has more security by default and also has the capability to place security devices in-line. Generations in control systems technology tend to be quite long compared to end user computer devices.The processing equipment for oil & gas processing is very expensive and once in place it is not unusual for it to be employed for 20 to 40 years along with the same control system hardware and software. But due to radical technology changes and critical infrastructure becoming a cyber target, that cycle is shortening. At Ackme the Automatic Meter Infrastructure (AMI) distribution & control system is all Modbus TCP/IP enabled with a combination of wired ethernet & wireless. It was state of the art 7 years ago. Gate stations are multi-million dollar investments, and advanced meters, tens of thousands with installation.
Gate Station & Meters Technical Detail
Ackme Gas distribution utilizes the Badger Model 2 line of controllers across their entire infrastructure. The controllers are manufactured by the Critical Infrastructure Hardware Corporation (CIHC) with their headquarters in the U.K. Ackme utilizes Badgers in the Gate Station and the Advanced Meter products.
The Badger Gate Station technology monitors & controls all the processes including ball valve opening/closing, pressure regulation, odorant insertion, gas heating, emergency shutdown, leakage monitor, relief valves, and all telecommunication. They require a 120v AC 100 amp power source. See Figure 6 below. The Badger Gate Station Controller Systems were purchased due to their unique technology employing parallel Siemens S-7 200 controllers running the Modbus protocol, a crossover power supply, and the Wind River VxWorks operating system. All gate stations operate using an IP enabled wired ethernet. The OS is configured and the Human Machine Interface (HMI) custom programmed (Python and C++), by Badger software engineers. The controller system has a 12 hour battery backup UPS.
The Badger Advanced Meters use Modbus for reporting, and are remotely programmable to use different protocols, react to changes in line pressure, and modify reporting formats. Routine power to the device is 24v x 30 amp and supplied through an electro mechanical pressure conversion device. The Badger system also contains a 12 hour battery backup.
Figure 6 – Badger Gate Station Technology & Advanced Meter
In both the gate station and advanced meter, if the battery fails after 12 hours, the valves will close, shutting off the gas supply to the customer. They may only be manually turned back on with a special master key, kept by Ackme operators.
Both the Gate station and Advanced Meter controllers have communications modules that can connect via TELCO modems, reserved radio bandwidth, internet service providers, or via satellite. The specific choice of medium is dependent on topography, availability of comm infrastructure at the point of connection, and cost. The communications channels are all directed into the regional center. Some intermittent issues with communications on the AMI network, primarily in the reserved spectrum radio, were experienced in previous months but those issues have ceased.
Ocean Platform Operations
Ackme contracts with drillers to sink wells on the ocean floor and to connect those wells to platforms. The platforms are movable, but are set in one place for years in large oil/gas fields that have been surveyed and contain years of supply. On average ten wells are fed into one platform. New wells are drilled in the same locale when an old well becomes depleted, and a new pipeline is installed to the platform for extraction. Due to its depth 2 miles underground the oil/gas mixture comes to the surface at a pressure of 2,000 pounds per square inch (psi). When the product, an oil, gas, & water mixture, comes to the surface it undergoes a separation process into its components aboard the ocean platforms. From there the oil and compressed NG flow in separate batches through a pipeline to an onshore facility where they are routed for further processing to the NG purification facility or to an oil refinery, respectively. Most of the platforms also have the capability to load the products directly onto transport ships, but scheduling for this must be done months in advance.
Due to the significant cost of laying seafloor pipeline from the platform to the shore, the separated NG and oil must utilize the same pipe from each platform. And where possible the pipelines from two or more platforms are connected on the seafloor. After the crude is run through the separator only either gas or oil can be sent directly to shore. The other product must be stored temporarily, until the required batch in the pipe is completed. Then the pipe is quickly cleaned and the opposite material flow starts. Controlling movement from 100 wells to 10 platforms to connecting links to a shore facility to meet current demand is a complex process.
Once ashore the crude oil is refined into either Diesel or Jet Fuel. The diesel fuel is used primarily to power its own ocean platform generators with excess production sold in bulk to specialty wholesalers. Jet fuel is the primary output at the refinery. Due to its proximity Ackme can offer the fuel at a very attractive price to airlines at both OB and NC airports. As a result, Acme has an 80% market share at those locations.
Ocean Platform Automated Control Systems (ACS)
Figure 6 below provides a view into the automated operations of extracting, processing and transporting their products from the platforms.
In the bottom “control system” layer of the diagram the physical machinery for processing the oil & gas product is shown. See Appendices A & B for specifics regarding each subsystem. Proceeding left to right in the diagram:,
Diesel Power Generators are maintained aboard the platform to supply power to all phases of the operation. The diesel’s piston engine turns a shaft connected to a coil where the electricity is created.
Wells are drilled on the ocean floor and then long flexible piping from each well brings the oil/gas/water product to the platform on the surface.
At the surface, the product is separated into Oil, Natural Gas, and Water. The water is cleaned of contaminants and returned to the Ocean.
The oil or natural gas product flows into storage containers or right into a pipeline for transport to shore, primarily through pipes on the seafloor. Tanker ships docked just off the platform can also be used to transport the product.
As can be seen in the diagram, ACSs include sensors for measurement of flows, temperatures, pressures & actuators that regulate valves, start/stop motors, cameras. Programmable Logic Controllers do the monitoring & regulating using specialized protocols. See Appendix A for details on the subsystems and Appendix B for sensor, actuator, and protocol details. Ackme has tried to maintain a base of Siemens hardware and software where possible. The sensor and activator activity is reported to a local workstation where it is repackaged and sent forward to the Master Control Room(MCR), and then stored in the Server & Data Historian room and sent in small batches to the ARC. While the MCR Workstations are primarily to monitor, they also have the ability to reach down and make adjustments on the subsystem workstations when necessary. There are operators on duty at all times when processing is in progress.
Figure 7 – H. Ackme Ocean Platform Control Systems & SCADA
Ackme Field operations and ACS Personnel
As a billion dollar company Ackme maintains a large staff of skilled labor in engineering and technical control. Generally the personnel tracks are divided into operators, engineers, and support personnel. The diagram below portrays the division of labor by product group. ACS personnel maintain unique skills in high demand.
Figure 8 – Field Operations organization
Ackme ACS operational personnel (operators & engineers) are employed in all phases of Ackme’s operations to oversee, monitor, & control production. At the local and regional centers the control, computer, and communication systems are monitored 24/365. Operators work around-the-clock shifts. Responding to alarms and alerts are a routine part of a typical ACS operator’s day. In some cases the alarms must be handled immediately by field personnel. The ACSs typically have a safety system that allows them to “fail safe.” Nonetheless not having Monitoring & Control (M&C) personnel on duty and/or the inability of operators to access the ACSs, irrespective of location, can present a very dangerous situation. Approximately 100 personnel are continuously stationed at each ocean platform. Of those 100, 35-40 are control systems operators and engineers working rotating shifts at the processing substations, in the Master Control Room, or troubleshooting the equipment. Platform operators & engineers live on the platform for 2 week periods working 80-100 hours per week but are then off for 3 weeks. The pay is lucrative but the time away from home is challenging for families. Being relieved mid-period is only available for exceptional circumstances.
Figure 9 – Platform Operators
image sources: Creative commons
Ackme has a cadre of control systems engineers who work closely with the operators and equipment vendor engineers. Those engineers are stationed largely at the ARC and work a routine 8-5 workday but are also on-call 24/365. They work on updating or new designs and help solve complex M&C challenges. Occasionally they are in the field fine-tuning & replacing ACS equipment or updating & reprogramming the ACS software.
Supervision of the operations personnel fall under the various divisions The ACS engineering staff also falls under the Chief of Field Operations, not Information Technology, and is divided into 5 subgroups as follows with number of personnel in parentheses.
Control & Communications Engineering Groups 1-4 Work out of the ARC near New City. Refining and NG Distribution ACS engineers are on site. There is frequent travel to the remote substations for alert mitigation and fine tuning of the control systems. The ACS groups work closely with the field operators. Due to the large quantity of Siemens equipment, a Siemens engineer is co-located with Acme at the ARC site.
Cyber Incident Response Procedures
Platform workers routinely practice incident response related to the well, separation, & transport procedures. So they know how to shut down and report operational anomalies but they are not necessarily educated or trained in IT. There is an automatic real time digital redundancy on the sub-systems and the processes are designed to fail-safe. However none of the operators are equipped to handle an entire failure of the process computer system (including VOIP phones and the serial controllers) except to just to report it via the hand held radio network. The capability to restore all software is contained on one of the servers in the server room. But personnel for doing the reimaging are not aboard, and it may be 24 hours before they can be brought aboard, primarily due to limited air transportation vehicles and routine scheduling. So telecommunication back to the ARC is vital for the operators in unusual circumstances.
Ackme Regional Center (ARC)
All Ackme operations can be viewed in a centralized command center on the Ackme HQ Campus located near the Airport about 5 miles west of OB and about 30 miles south of New City. A significant number of communications mechanisms are used to receive, forward, collect data and control field operations. The center utilizes Dell, Microsoft Server & workstation, and CISCO technology. Physical Access to the ARC and all Ackme facilities is controlled by the Central Security Service, not Field Operations. The CSS also oversees cameras, physical intrusion detection, and special locked rooms. Ackme has a centralized RFID card access system from Gallagher Corp. New, reassigned and expanded duty employees are given access to areas based upon their position and location. Regretfully the procedures for removing personnel from the system have been lax and during audits this issue has been raised multiple times.
Figure 10. Monitoring & Control Center
ARC Sub-Groups
In the ARC the operators are arranged by groups: Supervisory, Platform & Oil Refining, Gas Refining & Distribution, and Storage and Transportation.
As the “clearinghouse for all Ackme operations the ARC maintains a status reading of all the system components. From there continuous calculations are being made to maximize the efficiency of Ackme operations, matching orders to production while maintaining optimal product levels to meet demand.
Most of the central operation is concerned solely with harvesting summary data from the platforms and refining operations. This would include data such hourly production and storage tank volumes. Detailed data such as temperatures, pressures, etc on the platforms are collected but only stored locally, kept for 90 days and then purged. In the large single large master control room the sub-groups from the NG, Platform, fuels and storage groups can coordinate their operations and make adjustments for perturbations in their chain.
Relationship with IT
Field Ops has its own testing lab for testing potential changes to their infrastructure. They rely upon a small group of embedded device code programmers in the IT department who assist the ACS Group with scripting and occasional code rewrites of HMI browsers, Online Linking & Embedding for Process Control (OPC), or other code when Operating Systems (OS) or other updates are installed. Other than that the Control Engineers handle all MCR, workstation, etc computing issues. Occasionally they work with a contractor, CSC Solutions, to swap aging equipment or perform some maintenance tasks on hardware & software when operations are stressed.
A centralized Information Security Control Board works for all of Ackme. Its members, headed by the IT dept head of IT security are:
Information Technology
Finance & Accounting
Communications Group
Control Systems
Operator Representative
All changes to policy with respect to control systems cybersecurity must go through this board.
Appendix A – Current Platform Control Systems Technology
Platform Networks
Subsystem communication to Master Control Room using SNMP, ProfiNet
Ethernet using CISCO Systems Hardware, IOS and Static IP addressing
Sub-system Switches
Main Router
Server Room
MS-Windows 2008 & 2012 Servers, DNS, SNMP, Active Directory
OSI PI Data Historian
Master Control Room – Monitor & Control of all Platform systems
Operators Desktop: Windows 7 32 bit Professional OS, SP2
Applications: MS-Office 2013, Outlook/Exchange Server; Wonderware
Engineering Workstation:
Platform Subsystems:
Wellheads, Separation, and Platform Storage & Transportation all have similar configurations as follows:
Local HMIs: (Windows XP SP 2 HMI using Wonderware with extended C coding and .net; local and central data storage using OSI Pi cvf
Controllers: Siemens PCS-7 using Profibus RS-485 full Duplex Multipoint Serial Platform to HMI
HMI to Platform Control Center Comm: OPC and .Net Framework 3.0 SP2
Physical Security
CISCO Security Camera & DVR System
Gallagher Corporate Level Physical Access Control System
Operators Desktops: Windows 7 32 bit Professional OS, SP2
Analog Handheld Radio, digital phone system
Physical Plant Engineering Room
Oversight of Johnson Controls HVAC
New Platform
All Fiber optic IP network: sensors/actuators, controllers, local HMIs, switches & routers, platform center, backup wireless capability; Digital IP radio for voice
Appendix B – Platform Control Systems IO & Communications Protocols
*Indicates a secure version is available
Appendix C – Acronyms
ACS – Automated Control System
AMI – Automatic Meter Infrastructure
AMR – Automatic Meter Reading
ARC – Ackme Regional Center
CRAC – Computer Room Air Conditioning
FO – Field Operations
HMI – Human Machine Interface
HVAC – Heating Ventilation & Air Conditioning
ICS – Industrial Control System
IP – Internet Protocol
M&C – Monitoring & Control
NC – New City
NG – Natural Gas
OB – Old Borough
OPC – Online Linking & Embedding for Process Control
PCS – Process Control System
PLC – Programmable Logic Controller
POC – Point of Connection
RTU – Remote Terminal Unit
Appendix D. References
Roach, E. A Primer on Offshore Drilling. May 8, 2014.
Oil: Crude and Petroleum Products Explained.
CISCO, AVEVA & Schneider Electric. Oil and Gas Pipeline Industrial Security Reference Design. January2019.
