Pratum Blog

Digital Forensics: Solving Puzzles with Missing Pieces

To understand what makes a successful digital forensics investigation, imagine assembling a jigsaw puzzle—without the box to show you the image you’re trying to create. Pratum Founder and CEO Dave Nelson compares an investigator’s first steps to dumping all the pieces of a mystery puzzle onto a table.

“Sometimes you don’t know what picture you’re trying to assemble,” Dave says. “Sometimes you get a few pieces together and realize that the pieces aren’t even from the same puzzle. The more we know about what the puzzle should look like, the easier it gets to know we have the right pieces.”

To a top-notch investigator, the pieces on the table start revealing a picture based largely on what isn’t in a data log. And they can quickly zero in on what’s missing if a company followed digital forensics best practices before the breach. In a typical case, our clients call us with an idea of what happened and ask us to confirm whether it really occurred. But a good digital forensics investigator knows to look in the gaps.

“It would be great if we could do an investigation and see when it started, who was involved and what was impacted,” Dave says. “But that never happens. There’s always something missing. We have to ask why. Was the data never created in the first place? Or did someone delete it?”

Reading missing tea leaves becomes especially critical in legal proceedings stemming from a data breach. In a civil court case, you could be held liable for something that probably happened, even if no one can prove that it definitely happened.* As you write your company’s security policy, consider the following tips from digital forensics investigators to get your data house in order before your next breach happens.

“There’s a reason why digital forensics in a poorly prepared organization can get so expensive,” Dave says. “It’s like pulling a string on a sweater.” If your data policies leave an investigator blindly searching for clues, the hours quickly pile up. But, Dave warns, “You don’t want to look like you stopped too soon. That’s worse than going deep and finding something worse.”

Why Missing Data Worries Digital Forensics Investigators

Good investigators see red flags when steps go missing in an expected chain of actions. “Sometimes we never see the user log in, but we see them log out,” Dave says. “That makes us question what happened. Was there a malfunction? Has the user been logged in for a very long time, meaning the attack may have happened outside of the short window we’re looking at?”

Clues like missing logins/logouts lead to more questions: Did the hacker wipe out other critical information? Are normal day-to-day activities missing? To an alert investigator, that feels like a jungle where the birds have gone silent, meaning a panther could be skulking around somewhere down there.

The lack of data can be more concerning than when you see a specific act.

Dave Nelson CEO- Pratum

Potential Legal Problems

Along with costing you operational time, breaches can trigger potential fines and lawsuits. In breach situations, the key legal concept is “burden of proof.” Most people know the phrase “beyond a reasonable doubt” from courtroom dramas, but that’s a criminal case standard. Data breaches are typically civil cases, where the burden of proof is much lower: a “preponderance of evidence.”

“All someone has to prove is that there’s more than a 50/50 chance that something happened,” Dave says. “If you have no logs to prove it didn’t happen, there can be problems.”

Let’s say you’re certain that a hacker got into your system, but there’s no sign that they exfiltrated data. Time to relax, right? Not quite. Can you prove that they didn’t steal information? If your data logs have big gaps, a plaintiff may convince a jury that something could have happened in that fog.

Your defense could get even more difficult if a regulatory agency gets involved. “In those situations,” Dave says, “you could face the very subjective opinion of the regulator deciding whether they think you did what you should to protect the data.”

Even without a smoking gun, you need enough evidence to show that it’s more likely that nothing was stolen than that something was stolen.

Due Diligence Matters

Your actions before and after the breach also can help your civil case involving a breach. Your defense gets stronger if you can demonstrate that you showed due diligence both in preparing for breaches and in dealing with those that actually happen.

Before a breach occurs, you need written information security policies and proof that you actually enforce them throughout your organization. Make sure you’re following your industry’s best practices for information security.

Once a breach occurs, make every reasonable effort to fully investigate what happened. Acting quickly is a great way to show that you’re taking it seriously. So is following up on suspicious activity. Maybe your forensics investigator looks at a compromised server and finds no evidence that data was tampered with. Don’t stop there. Did the hacker jump to another server? Did they exfiltrate data to other files, workstations, etc.?

How to Prepare in Advance

Talk with a digital forensics team like Pratum’s in advance about the kind of data and audit logs they would want to see in an investigation. (You can connect with our incident response team here.) Windows and Linux enable many useful tracking settings by default, but that still won’t capture the whole story. On the flip side, tracking everything on your network would create an unusable flood of data (and a big data storage bill). So it’s critical to make smart choices about what to track.

By building a profile in advance, you know what should show up in an audit log. If elements are missing, you know that either your system failed or that someone intentionally tampered with the log to hide their actions.

For help with creating your overall information security policy and deciding how to create accurate data logs, contact Pratum.

* Pratum’s consultants are not attorneys, and the information in this article should not be construed as legal advice. Consult your attorney for specific legal guidance.

Attacks on our electrical grid aren’t just the stuff of doomsday movies and war games. Hackers dreaming of taking down our economy and national security know that few offensives could be more devastating than pulling our collective plug. And the grid’s risk factor just keeps climbing as the number of Internet of Things (IoT) devices in the grid keeps growing, presenting an ever-expanding selection of potential doorways.

To protect this centerpiece of national security, the power industry and the government are creating new teams and regulations to step up security. In December 2020, the Department of Energy announced the creation of a new subcommittee focused on grid security.

The North American Electric Reliability Corporation (NERC) implemented new standards on July 1, 2020, establishing revised guidelines for companies throughout the electrical system’s supply chain. NERC, in case you don’t recognize the acronym, is a non-profit regulatory authority that issues reliability standards to protect the bulk power system in the United States, Canada and part of Mexico. While you may not think of your company as part of the power supply industry, NERC’s guidelines may impact you more than you think. If your company provides parts, materials, or services anywhere in an energy company’s supply chain, NERC guidelines and other standards probably apply to you. Two recent developments may affect how you do business—and provide resources you need to improve security:

  • The updated NERC CIP-013 standard deserves a careful review for how it impacts your business. Most companies in this industry already have basic CIP plans but will require significant improvement to meet CIP-013.
  • The recently expanded CRISP (Cybersecurity Risk Information-sharing Program) provides companies with the latest threat information through a partnership of NERC and Department of Energy.

How CIP-013 Affects You

In 2020, President Trump issued an executive order for the bulk power system (BPS), which applies to any company or equipment that generates or distributes major power within the United States. That order restricted the use of foreign components in order to reduce the risk of “built-in” entry points. Think of it as an “offensive” order. On the “defensive” side, NERC CIP-013 standard focuses on the supply chain risk within the BPS' electric components (known as the BES). The goal is to reduce overall risk in the supply chain. (This document describes how CIP-013-1 should be implemented.)

The NERC update defines affected companies (“responsible entities”) as those with medium to high risk, according to the CIP-002-5 categorization process. The key takeaway is that NERC guidelines affect companies well beyond those that actually supply energy. If you have contracts anywhere within the energy supply chain, renewing them may depend on your compliance with CIP-013. Energy companies will be enforcing the standards on all of their suppliers because NERC slaps a “high risk” label on any energy company with 10-15% of their BES assets failing to meet the requirements.

  • Requirement 1 (R1) focuses on proactively analyzing, monitoring and disclosing the risks involved with your products, services and system. This includes knowing the risks your own vendors might pose. NERC will require responsible entities to create a plan that addresses these issues and highlights the steps taken to reduce threats.
  • R2 is the implementation of the plan you came up with in R1. It requires that you follow through with your “supply chain cybersecurity risk management plan.” Failing to meet the standards could produce a fine up to $1 million.
  • R3 requires a designated CIP senior manager in your company to approve the plan, and it should be reevaluated every 15 months. These evaluations guarantee that your program is working and keeping the threats to your system at a minimum.

What CRISP Expansion Means for You

In late 2020, NERC also announced the expansion of CRISP, which is dedicated to sharing data on system traffic and cyber threats among energy sector stakeholders. CRISP, which started in 2014, is a voluntary program managed by a division of NERC: The Electricity Information Sharing and Analysis Center (E-ISAC). This expansion is a massive step in the cybersecurity/energy intersection as CRISP is now partnering with the U.S. Department of Energy to grow awareness of grid safety in the coming years.

CRISP’s partnership with DOE aims to use operational technology to identify potential threats to the grid. Two newly announced pilot steps will use sensor systems already installed across the United States to recognize any risks. DOE will use operational and information technology data to identify patterns and understand the grid state and then share that with CRISP participants.

The CRISP expansion closes the information-sharing gap between private companies and federal US intelligence. Participating companies will use information gained from the program to better defend the grid against hackers. Membership is free, and members receive insightful resources, like reports of cyberattacks or guidance on the latest CIP updates.

Although the core concept behind NERC has a strong bipartisan history, a new presidential administration could obviously create changes. Some observers believe that while the Trump administration focused on targeting foreign countries with aggressive orders, such as limiting foreign components for the BPS, Biden’s team may issue more system regulations like CIP-013, especially in the private sector.

For help understanding exactly how the current regulatory environment affects your business and how you can comply efficiently, contact a Pratum advisor.

What IoT Means for the Smart Power Grid

Internet of Things (IoT) devices get a lot of press, as you’d expect from a category planning to put about 41 billion devices in play within the next few years. For most of us, the face of IoT is consumer devices such as Internet-enabled smartwatches, security systems, doorbells, fridges, etc. But the smart power grid may present IoT’s most game-changing application—and industry regulators are scrambling to keep up.

What IoT Means for the Grid

As our blog post on “The Security Challenges of IoT” describes, the things that make IoT devices effective (they’re highly connected, inexpensive and pervasive) frequently make them a security problem. To recap, IoT includes anything that collects, processes, and shares data via the Internet. Innovations such as RFID tags, expanded broadband access and cheap, low-power processors have all led to a mindset that “anything that can be connected will be connected.” The wide rollout of 5G will only accelerate the trend.

America’s electrical system has raced into this space. Utilities companies are the world’s largest users of IoT devices, thanks largely to smart electrical meters attached to homes. That’s bad news for the world’s remaining meter readers, but a boon for companies and consumers wanting constant, instant information about power usage. Gartner estimates that utility companies have 1.37 billion IoT devices in service right now, well ahead of the second-place physical security industry’s total of 1.09 billion devices.

Further up the electrical supply chain, IoT is proving just as valuable. With data constantly flowing in from every corner of the industry generating and transmitting electricity, a smart grid will:

  • Reduce power outages
  • Restore service faster
  • Integrate renewable energy
  • Increase transmission efficiency/reduce energy loss
  • Reduce overall costs
  • Provide consumer access to data and usage

For one example of IoT’s potential, consider how a smart grid can mitigate the impact of a power outage. IoT devices can detect the source of the outage, isolate the problem and reroute power to places with the greatest need, such as hospitals or telephone lines. Massive amounts of real-time data will also carry advantages such as making it easier to store and transport renewable energy, decreasing our carbon footprint and reliance on fossil fuels.

The Risky Side of More Connections

Of course, the good guys aren’t the only ones who can take advantage of an electrical grid connected to everything. In the pre-IoT world, compromising the grid required physical access. To hack anything, you would need to physically access a power plant, substation or transformer to plug into the controlling systems. If you simply wanted to wreak some old-school havoc, you just needed to get close enough to destroy a transformer or other equipment. From an information security standpoint, most of the grid was effectively air-gapped and isolated from the next component in the process.

Billions of new IoT devices, however, create a seemingly infinite attack surface. Any IoT device can become an entry point a hacker uses to pivot into a larger system. And with most IoT devices carrying notoriously weak, outdated security measures, that’s a legitimate everyday threat.

The smart grid creates issues in the following areas:

1. Access Points – IoT devices create millions of doorways that hackers could use to, at least in theory, access the entire U.S. grid.

2. Trust – The companies and products used throughout the grid will need to prove their dependability and certify that they are as secure as they say.

3. Communication – Internet communications within the grid must be protected from interception.

4. Privacy – Regulations must control how companies and the government use the vast amounts of information collected through IoT devices.

How to Secure Your Connections to the Grid

With an industry moving as fast as IoT, the industry and government are forever playing catch-up with regulations that keep America’s grid secure. In part 2 of this blog series, you can read about the latest regulatory guidelines issued to protect the grid.

The new regulations are significant enough that some of Pratum’s clients are restructuring their operations specifically to better manage new compliance factors. For example, one electrical company that manufactures electrical relay products decided to spin off the relay operations into a standalone company so that the larger company wouldn’t have to manage extensive new rules affecting that category.

The best way to understand your exposure and legal obligations in this space is to bring in a security consultant to evaluate your specific situation. Pratum’s risk assessment, penetration testing and vulnerability scanning services identify exactly what openings may exist in your systems. Our consultants also specialize in helping companies understand how government standards apply to them and prepare their compliance strategy. Many of our clients have learned that taking a leadership position in cybersecurity gives them a competitive advantage.

Large customers (including the government itself) increasingly award contracts to companies who can prove their cybersecurity strategy is up to date right now. Contact Pratum for help in understanding the rapidly evolving world of electrical IoT and planning your next steps.

Get our blog posts delivered to your inbox:

The information we track while users are on our websites helps us analyze site traffic, optimize site performance, improve our services, and identify new products and services of interest to our users. To learn more please see our Privacy Policy.