Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

03:55 PM
Connect Directly

New Technology Detects Cyberattacks By Their Power Consumption

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

The US Department of Energy's Savannah River National Laboratory (SRNL) recently tested the PFP technology's ability to detect Stuxnet-like attacks. Joe Cordaro, advisory engineer with SRNL, says the PFP system right away found  small changes to the code on the PLC while it was dormant. "The dormant state is a lot tougher to find because there are no outward signs, and little or no impact on the processor," Cordaro says. "We did some subsequent [malware] tests on other PLCs with the same results."

SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid. Those devices were thrust into the limelight during the 2013 Superbowl in the New Orleans Superdome, when the power went out for several minutes during the third quarter of the game after a protective relay was tripped due to a defect in the device as well as an incorrect setting. "What that showed you was that someone could hack into the protective relays of the US power grid and cause brownouts and blackouts," Cordaro says. "We're working with PFP on a contract … to characterize baselining the protective relays" and running this in a test bed that ultimately will provide R&D information to US utilities, he says.

Cordaro says what makes PFP's continuous monitoring approach attractive to an ICS/SCADA network is that it's not tied to the IT or relay networks, and doesn't disrupt sensitive plant operations. These networks are notoriously sensitive to any invasive or disruptive security tools or software updates, which often results in plants not bothering with security tools at all.

PFP executives say their technology runs in an air-gapped mode, monitoring any fluctuations in electromagnetic frequencies and power usage. Sensors, or probes, sit on devices and systems on the plant floor, and they feed power information to PFP's so-called eMonitor appliance that monitors multiple PLCs. PFP, which presented an overview of its technology last week in Miami at the S4x15 ICS/SCADA conference, also sells P2Scan, a PC-based version of the product for viewing data from eMonitor.

"We give ... very early detection, within milliseconds, that something is going on," says Thurston Brooks, vice president of product marketing for PFP. That could mean a hardware or software failure, or malware, he says. Malware generates power when it checks the system time, for instance.

The ICS/SCADA operator would then investigate the alert with analytics or other forensics tools, he says.

eMonitor compares the frequency and power usage information for each device with the baseline data on those devices. "The monitoring box has a digitizer in it and sends information back to the operations center," for example. PFP ultimately hopes to have these sensors embedded in new PLC or array products from ICS vendors to eliminate the need for separate sensors, he says.

PFP execs say the company plans to integrate their technology with SIEM vendors' products, as well as big data analytics and SaaS vendor offerings.

[Inflicting major or physical harm in ICS/SCADA environments takes more than malware. Read Anatomy Of A 'Cyber-Physical' Attack.]

Reid Wightman, an ICS/SCADA security expert and director of Digital Bond Labs, says PFP's approach is interesting and has merit, but wonders whether any changes in the so-called ladder logic or "recipe" for a plant process would generate a false positive, for instance. And, he says, sophisticated malware could potentially be written to avoid any change in power consumption, such as altering a single instruction in a monitored system. "There are probably ways to evade detection like there is with everything. It depends on how granular they get," he says of PFP's approach.

PFP says an attacker in theory could try to inject code with the same number of bits as the original code, but it would be difficult. Another trick would be for him to operate "under the noise floor," says Steven Chen, founder and executive chairman. "In our research, we have shown that PFP is able to detect changes in one single bit during execution," Chen says. So a logic bomb or other malware that only triggers by a special condition would be detected when it checks for its trigger condition: because that uses power, he says.

If an alarm fired by PFP's technology doesn't persist, then it's most likely benign, says Jeffrey Reed, president of Washington, DC-based PFP Cybersecurity. "If you don't see persistence of an alarm, then it's a good indicator that it's just a noise spike," he says.

Reed and Carlos Aguayo Gonzalez, CTO, initially developed the technology in 2006 while at Virginia Tech. They teamed up with serial entrepreneur Stephen Chen in 2010 to take the technology commercial, and PFP thus far has raised some $1 million in funding. The startup has contracts with the National Science Foundation, the US Army, the US Air Force, DARPA and DHS.

PFP's initial eMonitor offering supports two probes -- such as two PLCs -- per appliance, and the next version will support 16 to 32 probes. The company has not yet announced pricing information.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/22/2015 | 10:00:58 AM
Re: Smart approach
Ingenious but I agree with Whoopty on this technique having the "Car Alarm" effect down the road. There are many reasons networks systems may experience a spike in activity and therefore a spike in energy consumption. I'm sure their software probably builds a "finger print" for common spikes trends but they are not alwasy predictable. Eventually the Admin's will develop hyper vigelence stress syndrome from running to all the false alarms. I also see this opening up for crackers to develop malware that does nothing otehr than just produce false alarms.... I predict this tech goes no where, albeit it is ingenious.
User Rank: Ninja
1/21/2015 | 12:50:20 PM
Smart approach
Seems like a pretty smart way to approach stealthy malware. I wonder if it might end up a bit like a car alarm though? Going off when something unexpected - though not malware related - happens, to the point where people ignore its warnings? 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-10
A function in Combodo iTop contains a vulnerability of Broken Access Control, which allows unauthorized attacker to inject command and disclose system information.
PUBLISHED: 2020-08-10
Combodo iTop does not validate inputted parameters, attackers can inject malicious commands and launch XSS attack.
PUBLISHED: 2020-08-10
Combodo iTop contains a stored Cross-site Scripting vulnerability, which can be attacked by uploading file with malicious script.
PUBLISHED: 2020-08-10
A security misconfiguration exists in Combodo iTop, which can expose sensitive information.
PUBLISHED: 2020-08-10
Combodo iTop contains a cross-site request forgery (CSRF) vulnerability, attackers can execute specific commands via malicious site request forgery.