1/20/2015 03:55 PM

New Technology Detects Cyberattacks By Their Power Consumption

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

PFP Cybersecurity, which officially launches on Monday and whose research was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, establishes a baseline of the power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, and other devices, and issues an alert when a device's power consumption or RF emissions deviate from that baseline. Such deviations could be caused by malware, but also by hardware or system failures.

The US Department of Energy's Savannah River National Laboratory (SRNL) recently tested the PFP technology's ability to detect Stuxnet-like attacks. Joe Cordaro, advisory engineer with SRNL, says the PFP system immediately found small changes to the code on the PLC while the malware was dormant. "The dormant state is a lot tougher to find because there are no outward signs, and little or no impact on the processor," Cordaro says. "We did some subsequent [malware] tests on other PLCs with the same results."

SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid. Those devices were thrust into the limelight during the 2013 Super Bowl at the New Orleans Superdome, when the power went out for several minutes during the third quarter of the game after a protective relay tripped because of a defect in the device combined with an incorrect setting. "What that showed you was that someone could hack into the protective relays of the US power grid and cause brownouts and blackouts," Cordaro says. "We're working with PFP on a contract … to characterize baselining the protective relays" and running this in a test bed that ultimately will provide R&D information to US utilities, he says.

Cordaro says what makes PFP's continuous monitoring approach attractive to an ICS/SCADA network is that it's not tied to the IT or relay networks, and doesn't disrupt sensitive plant operations. These networks are notoriously sensitive to any invasive or disruptive security tools or software updates, which often results in plants not bothering with security tools at all.

PFP executives say their technology runs in an air-gapped mode, monitoring fluctuations in electromagnetic emissions and power usage. Sensors, or probes, attach to devices and systems on the plant floor and feed power measurements to PFP's eMonitor appliance, which monitors multiple PLCs. PFP, which presented an overview of its technology last week in Miami at the S4x15 ICS/SCADA conference, also sells P2Scan, a PC-based product for viewing data from eMonitor.

"We give ... very early detection, within milliseconds, that something is going on," says Thurston Brooks, vice president of product marketing for PFP. That could mean a hardware or software failure, or malware, he says. Malware generates power when it checks the system time, for instance.

The ICS/SCADA operator would then investigate the alert with analytics or other forensics tools, he says.

eMonitor compares each device's frequency and power-usage data against the baseline recorded for that device. "The monitoring box has a digitizer in it and sends information back to the operations center," Brooks says. PFP ultimately hopes to have the sensors embedded in new PLC or array products from ICS vendors, eliminating the need for separate probes.

PFP execs say the company plans to integrate their technology with SIEM vendors' products, as well as big data analytics and SaaS vendor offerings.


Reid Wightman, an ICS/SCADA security expert and director of Digital Bond Labs, says PFP's approach is interesting and has merit, but wonders whether any changes in the so-called ladder logic or "recipe" for a plant process would generate a false positive, for instance. And, he says, sophisticated malware could potentially be written to avoid any change in power consumption, such as altering a single instruction in a monitored system. "There are probably ways to evade detection like there is with everything. It depends on how granular they get," he says of PFP's approach.

PFP says an attacker could in theory try to inject code with the same number of bits as the original, but that doing so would be difficult. Another trick would be to operate "under the noise floor," says Steven Chen, founder and executive chairman. "In our research, we have shown that PFP is able to detect changes in one single bit during execution," Chen says. So a logic bomb or other malware that triggers only on a special condition would be detected when it checks for its trigger condition, because that check consumes power, he says.

If an alarm fired by PFP's technology doesn't persist, then it's most likely benign, says Jeffrey Reed, president of Washington, DC-based PFP Cybersecurity. "If you don't see persistence of an alarm, then it's a good indicator that it's just a noise spike," he says.
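To make the two mechanisms described above concrete, the block below is an added, illustrative example written for this page. It is not PFP's code and does not describe how eMonitor actually measures or classifies a trace. It builds a per-device baseline from windows of a known-good power trace (two cheap features, RMS and zero-crossing rate, stand in for the spectral analysis a real digitizer would do; the window size, threshold and persistence count are assumptions), scores new windows as z-scores against that baseline, and applies Reed's persistence rule so that a single noise spike is scored but not alarmed, while a sustained change caused by altered PLC code is. All traces are synthetic and constructed inside the block.

```python
"""Toy power-fingerprinting anomaly detector (added example, not PFP's code).

Baseline = per-feature mean/std over windows of a known-good trace.
Score    = largest |z-score| of a window's features against that baseline.
Alarm    = score above threshold for PERSIST consecutive windows.
"""
import math
import random
from statistics import mean, pstdev

WINDOW = 64        # samples per analysis window (assumption)
THRESHOLD = 5.0    # z-score above which a window is off-baseline (assumption)
PERSIST = 3        # consecutive off-baseline windows before alarming (assumption)
_SD_FLOOR = {"rms": 1e-3, "zcr": 1e-2}  # keep z-scores finite for near-constant features


def window_features(samples):
    """RMS power and zero-crossing rate about the window mean (a crude
    proxy for spectral content) for one window of power samples."""
    n = len(samples)
    rms = math.sqrt(sum(s * s for s in samples) / n)
    m = sum(samples) / n
    crossings = sum(1 for a, b in zip(samples, samples[1:]) if (a - m) * (b - m) < 0)
    return {"rms": rms, "zcr": crossings / (n - 1)}


def windows(trace):
    return [trace[i:i + WINDOW] for i in range(0, len(trace) - WINDOW + 1, WINDOW)]


def build_baseline(trace):
    """Per-feature (mean, std) learned while the device runs known-good code."""
    feats = [window_features(w) for w in windows(trace)]
    baseline = {}
    for name in ("rms", "zcr"):
        vals = [f[name] for f in feats]
        baseline[name] = (mean(vals), max(pstdev(vals), _SD_FLOOR[name]))
    return baseline


def score(trace, baseline):
    """Largest absolute z-score across features, one value per window."""
    out = []
    for w in windows(trace):
        f = window_features(w)
        out.append(max(abs(f[k] - mu) / sd for k, (mu, sd) in baseline.items()))
    return out


def alarms(scores, threshold=THRESHOLD, persist=PERSIST):
    """Persistence rule: return the window indices at which an alarm becomes
    active, i.e. the score has exceeded threshold for `persist` windows in a row."""
    active, run = [], 0
    for i, z in enumerate(scores):
        run = run + 1 if z > threshold else 0
        if run == persist:
            active.append(i)
    return active


def synth_trace(n_windows, seed, spike_at=None, modified_from=None):
    """Constructed trace: a PLC scan loop modelled as a 16-sample sine on a DC
    level plus Gaussian noise. `spike_at` injects a one-window noise burst;
    `modified_from` adds a faster component from that window onward, standing
    in for altered PLC code that now executes every scan."""
    rng = random.Random(seed)
    trace = []
    for i in range(n_windows * WINDOW):
        w = i // WINDOW
        s = 1.0 + 0.3 * math.sin(2 * math.pi * i / 16) + rng.gauss(0, 0.02)
        if spike_at is not None and w == spike_at and i % WINDOW < 4:
            s += 3.0                                  # transient noise spike
        if modified_from is not None and w >= modified_from:
            s += 0.4 * math.sin(2 * math.pi * i / 4)  # persistent code change
        trace.append(s)
    return trace


def demo():
    base = build_baseline(synth_trace(32, seed=1))
    clean = alarms(score(synth_trace(40, seed=2), base))
    spike_scores = score(synth_trace(40, seed=3, spike_at=10), base)
    spike = alarms(spike_scores)
    tampered = alarms(score(synth_trace(40, seed=4, modified_from=20), base))
    return {"clean": clean, "spike_peak": spike_scores[10],
            "spike": spike, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In `demo()` the clean trace raises nothing, the spike window scores far above threshold but is suppressed because the next window is back on baseline, and the tampered trace alarms at window 22, the third consecutive off-baseline window after the change at window 20. Wightman's false-positive concern maps onto the same mechanism: an authorised ladder-logic change looks exactly like the tampered trace here, so in practice the baseline has to be re-learned after every approved recipe change, and the attacker's evasion goal is to keep every window's deviation under the threshold.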

Reed and Carlos Aguayo Gonzalez, CTO, initially developed the technology in 2006 while at Virginia Tech. They teamed up with serial entrepreneur Stephen Chen in 2010 to take the technology commercial, and PFP thus far has raised some $1 million in funding. The startup has contracts with the National Science Foundation, the US Army, the US Air Force, DARPA and DHS.

PFP's initial eMonitor offering supports two probes -- such as two PLCs -- per appliance, and the next version will support 16 to 32 probes. The company has not yet announced pricing information.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
MichaelE546, User Rank: Apprentice
1/22/2015 | 10:00:58 AM
Re: Smart approach
Ingenious, but I agree with Whoopty on this technique having the "car alarm" effect down the road. There are many reasons network systems may experience a spike in activity and therefore a spike in energy consumption. I'm sure their software probably builds a "fingerprint" for common spike trends, but they are not always predictable. Eventually the admins will develop hyper-vigilance stress syndrome from running to all the false alarms. I also see this opening up for crackers to develop malware that does nothing other than just produce false alarms... I predict this tech goes nowhere, albeit it is ingenious.
Whoopty, User Rank: Ninja
1/21/2015 | 12:50:20 PM
Smart approach
Seems like a pretty smart way to approach stealthy malware. I wonder if it might end up a bit like a car alarm, though? Going off when something unexpected - though not malware-related - happens, to the point where people ignore its warnings?