VCU's Security and Forensics Engineering Lab: Combating Digital Crime
Category Computer Science Saturday - April 29 2023, 04:54 UTC - 10 months ago VCU's Security and Forensics Engineering Lab, under the direction of Irfan Ahmed, focuses on protecting and investigating industrial control systems from malicious cyberattacks. Ahmed's team creates tools and simulations to investigate, detect, and secure an ever-evolving type of cybercrime. Their newly invented solutions are applied in the industrial sector and to assist law enforcement in preventing and responding to both digital and non-digital crimes.
Saturday - April 29 2023, 04:54 UTC - 10 months ago
VCU's Security and Forensics Engineering Lab, under the direction of Irfan Ahmed, focuses on protecting and investigating industrial control systems from malicious cyberattacks. Ahmed's team creates tools and simulations to investigate, detect, and secure an ever-evolving type of cybercrime. Their newly invented solutions are applied in the industrial sector and to assist law enforcement in preventing and responding to both digital and non-digital crimes.
In the never-ending cybersecurity war, Irfan Ahmed, Ph.D., provides the good guys with digital forensic tools—and the knowledge to use them.Ahmed is an associate professor of computer science and director of the Security and Forensics Engineering Lab within VCU Engineering's Department of Computer Science. In the SAFE Lab, he leads a pair of projects aimed at keeping industrial systems safe from the bad guys, and showing how the same tools crafted for investigating cyberattacks can be used to probe other crimes.
Cyberattacks on physical infrastructure may be initiated to cause chaos by disrupting systems and/or to hold systems for ransom. Ahmed's SAFE Lab focuses on protecting industrial control systems used in the operation of nuclear plants, dams, electricity delivery systems and a wide range of other critical infrastructure in the U.S. The problem isn't new: In 2010, the Stuxnet computer worm targeted centrifuges at Iranian nuclear facilities before getting loose and infecting "innocent" computers around the world.
Cyberattacks often target a portion of software architecture known as the control logic, which receives instructions from the user and hands them off to be executed by a programmable logic controller. For instance, the control logic monitoring a natural gas pipeline might be programmed to open a valve if the system detects pressure getting too high. Programmers can modify the control logic—but so can attackers.
One of Ahmed's projects, called "Digital Forensic Tools and Techniques for Investigating Control Logic Attacks in Industrial Control Systems," allows him to craft devices and techniques that cyberdetectives can use in their investigations. He noted that investigation capabilities are an under-researched area, as most emphasis has been on prevention and detection of cyberattacks.
"The best scenario is to prevent the attacks on industrial systems," Ahmed said. "But if an attack does happen, then what? This is where we try to fill the gap at VCU. And the knowledge that we gain in a cyberattack investigation can further help us to detect or even prevent similar attacks." .
In the cat-and-mouse world of cybersecurity, the way criminals work is in constant evolution, and Ahmed's SAFE Lab pays close attention to the latest developments by malefactors. For instance, an attacker may go for a more subtle approach than modifying the original control logic. An attack method called return-oriented programming sees the malefactor using the existing control logic code but artfully switching its execution sequence. Other attackers might insert malware into another area of the controller, programmed to run undetected until it can replace the function of the original control logic.
Attackers are always coming up with new methods, but each attack leaves a trail of evidence. The SAFE Lab examines attack scenarios through simulations. Scale models of physical systems, including an elevator and a belt conveyor system, are housed at the lab to facilitate the work. The elevator is a four-floor model with inside and outside buttons feeding into a programmable logic controller. The conveyor belt is more advanced, equipped with inductive, capacitive and photoelectric sensors and able to sort objects.
The tools and methods applied in fighting cybercrime can be usefultools in other areas of investigation, including fighting terrorism and financial fraud. Ahmed hopes to arm investigators, both in the industrial sector and in law enforcement, with the tools they need to combat crimes both digital and non-digital.