A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.
PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices, and issues an alert when power consumption or RF radiation deviates from that baseline. Such changes could be due to malware, as well as to hardware or system failures, for instance.
The US Department of Energy's Savannah River National Laboratory (SRNL) recently tested the PFP technology's ability to detect Stuxnet-like attacks. Joe Cordaro, advisory engineer with SRNL, says the PFP system immediately found small changes to the code on the PLC while it was dormant. "The dormant state is a lot tougher to find because there are no outward signs, and little or no impact on the processor," Cordaro says. "We did some subsequent [malware] tests on other PLCs with the same results."
SRNL also plans to test the technology on protective relay devices, which form the backbone of the power grid. Those devices were thrust into the limelight during the 2013 Super Bowl in the New Orleans Superdome, when the power went out for several minutes during the third quarter of the game after a protective relay was tripped due to a defect in the device as well as an incorrect setting. "What that showed you was that someone could hack into the protective relays of the US power grid and cause brownouts and blackouts," Cordaro says. "We're working with PFP on a contract … to characterize baselining the protective relays" and running this in a test bed that ultimately will provide R&D information to US utilities, he says.
Cordaro says what makes PFP's continuous monitoring approach attractive to an ICS/SCADA network is that it's not tied to the IT or relay networks, and doesn't disrupt sensitive plant operations. These networks are notoriously sensitive to any invasive or disruptive security tools or software updates, which often results in plants not bothering with security tools at all.
PFP executives say their technology runs in an air-gapped mode, monitoring any fluctuations in electromagnetic frequencies and power usage. Sensors, or probes, sit on devices and systems on the plant floor, and they feed power information to PFP's so-called eMonitor appliance that monitors multiple PLCs. PFP, which presented an overview of its technology last week in Miami at the S4x15 ICS/SCADA conference, also sells P2Scan, a PC-based version of the product for viewing data from eMonitor.
"We give ... very early detection, within milliseconds, that something is going on," says Thurston Brooks, vice president of product marketing for PFP. That could mean a hardware or software failure, or malware, he says. Malware consumes power when it checks the system time, for instance.
The ICS/SCADA operator would then investigate the alert with analytics or other forensics tools, he says.
eMonitor compares the frequency and power usage information for each device with the baseline data on those devices. "The monitoring box has a digitizer in it and sends information back to the operations center," for example. PFP ultimately hopes to have these sensors embedded in new PLC or array products from ICS vendors to eliminate the need for separate sensors, he says.
PFP execs say the company plans to integrate their technology with SIEM vendors' products, as well as big data analytics and SaaS vendor offerings.
Reid Wightman, an ICS/SCADA security expert and director of Digital Bond Labs, says PFP's approach is interesting and has merit, but wonders whether any changes in the so-called ladder logic or "recipe" for a plant process would generate a false positive, for instance. And, he says, sophisticated malware could potentially be written to avoid any change in power consumption, such as altering a single instruction in a monitored system. "There are probably ways to evade detection like there is with everything. It depends on how granular they get," he says of PFP's approach.
PFP says an attacker in theory could try to inject code with the same number of bits as the original code, but it would be difficult. Another trick would be for the attacker to operate "under the noise floor," says Steven Chen, founder and executive chairman. "In our research, we have shown that PFP is able to detect changes in one single bit during execution," Chen says. So a logic bomb or other malware that triggers only on a special condition would be detected when it checks for its trigger condition, because that check uses power, he says.
If an alarm fired by PFP's technology doesn't persist, then it's most likely benign, says Jeffrey Reed, president of Washington, DC-based PFP Cybersecurity. "If you don't see persistence of an alarm, then it's a good indicator that it's just a noise spike," he says.
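The baseline-and-persistence idea described above can be sketched in a few lines. This is an added illustration, not PFP's algorithm or code: the window RMS feature, the k-sigma threshold, the persistence count and all sample values are assumptions chosen for the example.

```python
import math
import statistics

def window_rms(trace, size):
    """RMS power of each consecutive, non-overlapping window of `size` samples."""
    return [math.sqrt(sum(x * x for x in trace[i:i + size]) / size)
            for i in range(0, len(trace) - size + 1, size)]

def build_baseline(clean_trace, size):
    """Characterize a known-good device as (mean, std) of its window RMS."""
    rms = window_rms(clean_trace, size)
    return statistics.mean(rms), statistics.pstdev(rms)

def classify(trace, baseline, size, k=4.0, persist=3, min_sigma=1e-6):
    """Flag windows more than k sigma from baseline, then split runs of
    flagged windows into persistent alarms and short-lived noise spikes."""
    mean, sigma = baseline
    limit = k * max(sigma, min_sigma)   # floor avoids a zero-width band
    flagged = [abs(r - mean) > limit for r in window_rms(trace, size)]
    alarms, spikes, start = [], [], None
    for i, hit in enumerate(flagged + [False]):   # sentinel closes last run
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            run = (start, i - 1)
            (alarms if i - start >= persist else spikes).append(run)
            start = None
    return alarms, spikes

# Constructed sample data (arbitrary units), not measurements from a real PLC.
A = [1.00, 1.20, 0.90, 1.10]        # one scan cycle of normal logic
B = [1.02, 1.18, 0.92, 1.08]        # same logic, slight natural variation
SPIKE = [1.00, 1.60, 0.90, 1.10]    # single transient
TAMPERED = [[x + 0.05 for x in w] for w in (A, B, A, B)]  # extra work each cycle

def demo():
    baseline = build_baseline((A + B) * 10, size=4)
    trace = A + B + SPIKE + A + B + sum(TAMPERED, [])
    return classify(trace, baseline, size=4)

if __name__ == "__main__":
    alarms, spikes = demo()
    print("persistent alarms (window ranges):", alarms)
    print("transient spikes  (window ranges):", spikes)
```

The single transient in window 2 is reported as a spike, while the sustained shift across windows 5 to 8 is reported as an alarm for the operator to investigate.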
Reed and Carlos Aguayo Gonzalez, CTO, initially developed the technology in 2006 while at Virginia Tech. They teamed up with serial entrepreneur Steven Chen in 2010 to take the technology commercial, and PFP thus far has raised some $1 million in funding. The startup has contracts with the National Science Foundation, the US Army, the US Air Force, DARPA and DHS.
PFP's initial eMonitor offering supports two probes -- such as two PLCs -- per appliance, and the next version will support 16 to 32 probes. The company has not yet announced pricing information.