Analytics //

Security Monitoring

1/20/2015
03:55 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

New Technology Detects Cyberattacks By Their Power Consumption

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

The US Department of Energy's Savannah River National Laboratory (SRNL) recently tested the PFP technology's ability to detect Stuxnet-like attacks. Joe Cordaro, advisory engineer with SRNL, says the PFP system right away found  small changes to the code on the PLC while it was dormant. "The dormant state is a lot tougher to find because there are no outward signs, and little or no impact on the processor," Cordaro says. "We did some subsequent [malware] tests on other PLCs with the same results."

SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid. Those devices were thrust into the limelight during the 2013 Superbowl in the New Orleans Superdome, when the power went out for several minutes during the third quarter of the game after a protective relay was tripped due to a defect in the device as well as an incorrect setting. "What that showed you was that someone could hack into the protective relays of the US power grid and cause brownouts and blackouts," Cordaro says. "We're working with PFP on a contract … to characterize baselining the protective relays" and running this in a test bed that ultimately will provide R&D information to US utilities, he says.

Cordaro says what makes PFP's continuous monitoring approach attractive to an ICS/SCADA network is that it's not tied to the IT or relay networks, and doesn't disrupt sensitive plant operations. These networks are notoriously sensitive to any invasive or disruptive security tools or software updates, which often results in plants not bothering with security tools at all.

PFP executives say their technology runs in an air-gapped mode, monitoring any fluctuations in electromagnetic frequencies and power usage. Sensors, or probes, sit on devices and systems on the plant floor, and they feed power information to PFP's so-called eMonitor appliance that monitors multiple PLCs. PFP, which presented an overview of its technology last week in Miami at the S4x15 ICS/SCADA conference, also sells P2Scan, a PC-based version of the product for viewing data from eMonitor.

"We give ... very early detection, within milliseconds, that something is going on," says Thurston Brooks, vice president of product marketing for PFP. That could mean a hardware or software failure, or malware, he says. Malware generates power when it checks the system time, for instance.

The ICS/SCADA operator would then investigate the alert with analytics or other forensics tools, he says.

eMonitor compares the frequency and power usage information for each device with the baseline data on those devices. "The monitoring box has a digitizer in it and sends information back to the operations center," for example. PFP ultimately hopes to have these sensors embedded in new PLC or array products from ICS vendors to eliminate the need for separate sensors, he says.

PFP execs say the company plans to integrate their technology with SIEM vendors' products, as well as big data analytics and SaaS vendor offerings.

[Inflicting major or physical harm in ICS/SCADA environments takes more than malware. Read Anatomy Of A 'Cyber-Physical' Attack.]

Reid Wightman, an ICS/SCADA security expert and director of Digital Bond Labs, says PFP's approach is interesting and has merit, but wonders whether any changes in the so-called ladder logic or "recipe" for a plant process would generate a false positive, for instance. And, he says, sophisticated malware could potentially be written to avoid any change in power consumption, such as altering a single instruction in a monitored system. "There are probably ways to evade detection like there is with everything. It depends on how granular they get," he says of PFP's approach.

PFP says an attacker in theory could try to inject code with the same number of bits as the original code, but it would be difficult. Another trick would be for him to operate "under the noise floor," says Steven Chen, founder and executive chairman. "In our research, we have shown that PFP is able to detect changes in one single bit during execution," Chen says. So a logic bomb or other malware that only triggers by a special condition would be detected when it checks for its trigger condition: because that uses power, he says.

If an alarm fired by PFP's technology doesn't persist, then it's most likely benign, says Jeffrey Reed, president of Washington, DC-based PFP Cybersecurity. "If you don't see persistence of an alarm, then it's a good indicator that it's just a noise spike," he says.

Reed and Carlos Aguayo Gonzalez, CTO, initially developed the technology in 2006 while at Virginia Tech. They teamed up with serial entrepreneur Stephen Chen in 2010 to take the technology commercial, and PFP thus far has raised some $1 million in funding. The startup has contracts with the National Science Foundation, the US Army, the US Air Force, DARPA and DHS.

PFP's initial eMonitor offering supports two probes -- such as two PLCs -- per appliance, and the next version will support 16 to 32 probes. The company has not yet announced pricing information.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelE546
100%
0%
MichaelE546,
User Rank: Apprentice
1/22/2015 | 10:00:58 AM
Re: Smart approach
Ingenious but I agree with Whoopty on this technique having the "Car Alarm" effect down the road. There are many reasons networks systems may experience a spike in activity and therefore a spike in energy consumption. I'm sure their software probably builds a "finger print" for common spikes trends but they are not alwasy predictable. Eventually the Admin's will develop hyper vigelence stress syndrome from running to all the false alarms. I also see this opening up for crackers to develop malware that does nothing otehr than just produce false alarms.... I predict this tech goes no where, albeit it is ingenious.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
1/21/2015 | 12:50:20 PM
Smart approach
Seems like a pretty smart way to approach stealthy malware. I wonder if it might end up a bit like a car alarm though? Going off when something unexpected - though not malware related - happens, to the point where people ignore its warnings? 
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.