Inadequate Legal , Regulatory and Technical Guidance for the Forensic Analysis of Cyber - Attacks on Safety - Critical Software

National and international organisations including NIST and ENISA have published guidance that is intended to help organisations respond to, and recover from, cyber incidents. They provide detailed information about contingency planning, about the processes needed to gather and analyse evidence, about appropriate ways to disseminate the findings from forensic investigations. Legal frameworks, including the Federal Rules of Evidence, also help companies to identify ways of preserving a chain of evidence with the digital data gathered in the aftermath of a cyber-attack. It is essential that companies apply these guidelines to increase their resilience to future attacks. However, they provide the least support where they are needed the most. Existing guidelines focus on corporate office-based systems; they cannot be applied to support companies dealing with cyber-attacks on safety-critical infrastructures. This is an important omission. It is impossible to immediately disconnect infected systems where they provide life-critical functions. There are conflicts between the need, for instance, to preserve the evidence contained in volatile memory and the requirement to return safety-critical applications to a safe state before any forensic work can begin. The following pages identify the problems that arise when applying legal, regulatory and technical guidance to the cyber security of safety-critical applications. The closing sections focus on techniques that can be used to support the forensic analysis of cyber incidents and promote recovery from attacks without placing lives at risk.