Dark Reading is part of the Informa Tech Division of Informa PLC


03:55 PM
New Technology Detects Cyberattacks By Their Power Consumption

Startup's "power fingerprinting" approach catches stealthy malware within milliseconds in DOE test.

A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices, and issues an alert when power consumption or RF radiation deviates from that baseline. Such changes could be due to malware, as well as to hardware or system failures, for instance.

The US Department of Energy's Savannah River National Laboratory (SRNL) recently tested the PFP technology's ability to detect Stuxnet-like attacks. Joe Cordaro, advisory engineer with SRNL, says the PFP system immediately found small changes to the code on the PLC while it was dormant. "The dormant state is a lot tougher to find because there are no outward signs, and little or no impact on the processor," Cordaro says. "We did some subsequent [malware] tests on other PLCs with the same results."

SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid. Those devices were thrust into the limelight during the 2013 Super Bowl in the New Orleans Superdome, when the power went out for several minutes during the third quarter of the game after a protective relay was tripped due to a defect in the device as well as an incorrect setting. "What that showed you was that someone could hack into the protective relays of the US power grid and cause brownouts and blackouts," Cordaro says. "We're working with PFP on a contract … to characterize baselining the protective relays" and running this in a test bed that ultimately will provide R&D information to US utilities, he says.

Cordaro says what makes PFP's continuous monitoring approach attractive to an ICS/SCADA network is that it's not tied to the IT or relay networks, and doesn't disrupt sensitive plant operations. These networks are notoriously sensitive to any invasive or disruptive security tools or software updates, which often results in plants not bothering with security tools at all.

PFP executives say their technology runs in an air-gapped mode, monitoring any fluctuations in electromagnetic frequencies and power usage. Sensors, or probes, sit on devices and systems on the plant floor, and they feed power information to PFP's so-called eMonitor appliance that monitors multiple PLCs. PFP, which presented an overview of its technology last week in Miami at the S4x15 ICS/SCADA conference, also sells P2Scan, a PC-based version of the product for viewing data from eMonitor.

"We give ... very early detection, within milliseconds, that something is going on," says Thurston Brooks, vice president of product marketing for PFP. That could mean a hardware or software failure, or malware, he says. Malware uses power when it checks the system time, for instance.

The ICS/SCADA operator would then investigate the alert with analytics or other forensics tools, he says.

eMonitor compares the frequency and power usage information for each device with the baseline data on those devices. "The monitoring box has a digitizer in it and sends information back to the operations center," for example. PFP ultimately hopes to have these sensors embedded in new PLC or array products from ICS vendors to eliminate the need for separate sensors, he says.

PFP execs say the company plans to integrate their technology with SIEM vendors' products, as well as big data analytics and SaaS vendor offerings.

Reid Wightman, an ICS/SCADA security expert and director of Digital Bond Labs, says PFP's approach is interesting and has merit, but wonders whether any changes in the so-called ladder logic or "recipe" for a plant process would generate a false positive, for instance. And, he says, sophisticated malware could potentially be written to avoid any change in power consumption, such as altering a single instruction in a monitored system. "There are probably ways to evade detection like there is with everything. It depends on how granular they get," he says of PFP's approach.

PFP says an attacker in theory could try to inject code with the same number of bits as the original code, but it would be difficult. Another trick would be for the attacker to operate "under the noise floor," says Steven Chen, founder and executive chairman. "In our research, we have shown that PFP is able to detect changes in one single bit during execution," Chen says. So a logic bomb or other malware that triggers only on a special condition would be detected when it checks for its trigger condition, because that uses power, he says.

If an alarm fired by PFP's technology doesn't persist, then it's most likely benign, says Jeffrey Reed, president of Washington, DC-based PFP Cybersecurity. "If you don't see persistence of an alarm, then it's a good indicator that it's just a noise spike," he says.
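The baseline-then-persistence logic described above can be sketched as follows. This is an added example, not PFP's algorithm or code: it uses the mean power of fixed windows as a simplified stand-in for a power fingerprint, and the window size, thresholds, and synthetic traces are all assumptions constructed for illustration.

```python
import random
import statistics

WINDOW = 50     # samples per analysis window (assumed)
Z_LIMIT = 6.0   # deviation from baseline, in sigmas, that raises an alarm (assumed)
PERSIST = 3     # consecutive alarming windows needed before escalating (assumed)

def window_means(trace, size=WINDOW):
    """Mean power of each full, non-overlapping window of the trace."""
    return [statistics.fmean(trace[i:i + size])
            for i in range(0, len(trace) - size + 1, size)]

def build_baseline(reference_trace):
    """Characterize a known-good device by the mean and spread of its window means."""
    means = window_means(reference_trace)
    return statistics.fmean(means), statistics.stdev(means)

def classify(trace, baseline):
    """Label a trace 'normal', 'transient' (short-lived alarm) or 'persistent'."""
    mu, sigma = baseline
    flags = [abs(m - mu) / sigma > Z_LIMIT for m in window_means(trace)]
    longest = run = 0
    for flagged in flags:
        run = run + 1 if flagged else 0   # length of the current alarm streak
        longest = max(longest, run)
    if longest >= PERSIST:
        return "persistent", flags        # sustained change: investigate
    return ("transient" if longest else "normal"), flags

def synth_trace(n, rng, extra=0.0, start=0, end=0):
    """Constructed trace: 1.0 W nominal draw plus noise, with `extra` W in [start, end)."""
    return [1.0 + rng.gauss(0, 0.02) + (extra if start <= i < end else 0.0)
            for i in range(n)]

def demo():
    rng = random.Random(7)
    baseline = build_baseline(synth_trace(5000, rng))            # known-good run
    traces = {
        "clean": synth_trace(1000, rng),
        "spike": synth_trace(1000, rng, 0.05, 400, 450),         # one-window blip
        "changed": synth_trace(1000, rng, 0.05, 400, 1000),      # lasting shift
    }
    return {name: classify(t, baseline)[0] for name, t in traces.items()}

if __name__ == "__main__":
    print(demo())
```

A legitimate change to the device's program would also shift the trace persistently, so a detector like this needs to be re-baselined after authorized updates.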

Reed and Carlos Aguayo Gonzalez, CTO, initially developed the technology in 2006 while at Virginia Tech. They teamed up with serial entrepreneur Steven Chen in 2010 to take the technology commercial, and PFP thus far has raised some $1 million in funding. The startup has contracts with the National Science Foundation, the US Army, the US Air Force, DARPA and DHS.

PFP's initial eMonitor offering supports two probes -- such as two PLCs -- per appliance, and the next version will support 16 to 32 probes. The company has not yet announced pricing information.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Ninja
1/21/2015 | 12:50:20 PM
Smart approach
Seems like a pretty smart way to approach stealthy malware. I wonder if it might end up a bit like a car alarm though? Going off when something unexpected - though not malware related - happens, to the point where people ignore its warnings? 
User Rank: Apprentice
1/22/2015 | 10:00:58 AM
Re: Smart approach
Ingenious but I agree with Whoopty on this technique having the "Car Alarm" effect down the road. There are many reasons network systems may experience a spike in activity and therefore a spike in energy consumption. I'm sure their software probably builds a "fingerprint" for common spike trends but they are not always predictable. Eventually the admins will develop hyper vigilance stress syndrome from running to all the false alarms. I also see this opening up for crackers to develop malware that does nothing other than just produce false alarms.... I predict this tech goes nowhere, albeit it is ingenious.