How 'Power fingerprint' could improve security for ICS/SCADA systems

23.02.2015
Most people have heard that one way law enforcement can figure out who might be growing marijuana in their basement is to monitor power consumption.

If a small house is sucking up as much electricity as two or three similar houses in the neighborhood, then something "anomalous" is going on.

That -- at a vastly more microscopic level -- is what some security experts say can be done to detect malicious activity in digital systems, ranging from the power plants that form the nation's critical infrastructure, all the way down to tiny embedded devices in the Internet of Things (IoT).

The idea is that since every device has a "power fingerprint," that by detecting anomalies in that baseline fingerprint, it is possible to tell if something bad is happening, or an intrusion has occurred.

That is the premise of PFP Cybersecurity, a company that went public last month after launching with startup funding from the Defense Advanced Research Agency (DARPA), the Defense Department, and the Department of Homeland Security.

As a post in Dark Reading put it, PFP's technology, "establishes the baseline power consumption of ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) equipment such as programmable logic controllers (PLC), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur.

"Such changes could be due to malware, as well as to hardware or system failures," the post said.

According to the company, power fingerprinting could have detected the notorious Stuxnet malware, which damaged the Iranian nuclear program.

Does that make it a security silver bullet for the nation's notoriously insecure critical infrastructure

Not according to a number of experts in the field, although they agree that it will likely improve security for ICS/SCADA systems, at least for a while.

Those experts said that while the technology is not new, they have not seen it used in this kind of commercial application before.

"Commercially it's a new thing," said Dave Pack, director of labs at LogRhythm, "but you can read academic papers on it going back years."

Seventeen years, at least. Ben Jun, a former vice president at Cryptography Research (CR) and now CTO of Chosen Plaintext Partners, said when he was at CR, "we coined the terms Simple Power Analysis (SPA) and Differential Power Analysis (DPA) in 1998. They refer to using power measurements on computers and embedded devices, such as the Siemens Simatic S7-315 that Stuxnet targeted."

The reference to Stuxnet leads to another point -- power analysis has primarily been a technology used to attack, rather than to secure, systems, or to gather information about (spy on) a device -- some of it almost magically specific.

"In 2010, researchers found that the LEDs used in TV monitors consume a significant amount of the overall power," Jun said. "They could identify which scene from which Star Trek movie was playing at a house simply by looking at the house's power meter data."

Another use for it has been to defeat encryption. "The more prominent application is monitoring power fluctuations to recover encryption keys," said Zach Lanier, senior research scientist at Accuvant Labs.

[ How a hacker could cause chaos on city streets ]

Jon Oberheide, cofounder and CTO at Duo Security, agreed. "Traditionally, monitoring power and other side channels has been used to break security, as opposed to increasing security," he said.

"For example, an attacker who is attempting to compromise an embedded system may use side channels such as power consumption to extract secrets from an embedded device."

Carlos Aguayo Gonzalez, CTO at PFP Cybersecurity, agrees with all that. But, he said, the power fingerprinting technology his firm has developed is "drastically different" from those offensive uses.

"There are some elements that PFP has in common with side-channel attacks, such as capturing side-channels," he said. "But after the power or emissions are captured, the analysis is completely different. You cannot use our monitors to break cryptographic devices.

"To the best of our knowledge, we are the first to use side-channel information to assess the integrity of devices and detect malicious intrusions directly at the endpoint and without having to install any software on the target."

That makes sense to Pack, who called it, "a really interesting, side-channel approach that, over time could prove to be valuable," noting that programmable logic controllers (PLC), "don't allow vendors to install some piece of software directly on them to monitor what it's doing.

"So if the goal is to fully instrument your environment, to find out when anything changes, this will be an effective part of a toolkit," he said.

Power analysis has, however, been used for defensive or authentication purposes in the past. IBM researchers presented a paper at an IEEE Symposium in 2007, in which they said, "side-channel information such as power, temperature, and electromagnetic (EM) profiles," could be used to develop "fingerprints" that could authenticate integrated circuits (IC) made overseas, to make sure they did not contain Trojan circuits.

Kevin Fu, chief scientist at Virta Labs and MIT Technology Review's "2009 Innovator of the Year," led a research group at the University of Michigan that developed a system called WattsUpDoc to detect malware in medical devices and SCADA systems based on analyzing anomalies in the devices' power consumption.

Fu said Virta has since created a commercial product that requires, "no software to install, and no modification to the protected devices. It's as simple as a surge protector."

And Cryptography Research has a long-term deal with Samsung, in which, "devices such as smartphones, payment chips, content protection systems, and enterprise applications," come with DPA countermeasures meant to protect those devices from side-channel attacks.

But experts agree that this type of power fingerprinting should improve the security of ICS/SCADA systems.

"It's certainly an ideal approach for ICS, SCADA, and other embedded equipment where any other kind of security instrumentation or measurement is simply infeasible," Oberheide said.

At the same time, however, they say it adds a tool to the security toolkit, but doesn't replace the toolkit.

"I doubt this will be the end-all-be-all of ICS security," Lanier said. "Undoubtedly, adversaries will eventually unearth the details of this technology and refine their tools and techniques to slip past. That isn't to say that it won't at least provide a pretty major security benefit for some period of time, though."

Another possible flaw, Pack said, is that, "an anomaly doesn't necessarily mean something malicious is going on," so there could be a problem with "false positives."

Oberheide agreed. "If you're too sensitive, you flood an operator with false security concerns and costly investigation. If you're not sensitive enough, you open the door to attackers hiding their malicious activity within the baseline operation," he said.

Gonzalez, however, contends that PFP's technology is very difficult to evade. "While it is technically possible to develop an intrusion that matches perfectly the power consumed each clock cycle in the original logic, in practice it is extremely difficult to do so," he said.

"In our demo, we show how PFP is able detect an intrusion in an ICS system even when the intrusion is in a dormant state, waiting for a trigger condition to activate."

And regarding false positives, Gonzalez said the technology is flexible enough to allow users to set a tolerable false-positive rate. "PFP can be very accurate, with a really small false alarm rate if it is able to observe multiple instances of the same execution," he said.

Finally, whether power fingerprinting could be used to secure the billions of devices that make up the IoT is still an open question. But experts have doubts, since each device will not only have a different fingerprint, but also be used in different ways.

"It's not like ICS or a factory floor," Pack said. "As you move out to the IoT, those are being used in all sorts of different ways and times by human schedules. Anomalies will be a bit more difficult to find."

Oberheide said consumer devices, "vary so wildly in functionality that power measurement would not be the most effective approach for detecting malicious behavior."

It would be better, he said, for developers and manufacturers to, "build security into the platform and provide adequate patching mechanisms."

Gonzalez did not dispute that. "Certain systems provide an easier target for PFP monitoring than others," he said. 'For instance, ICS/SCADA systems, with their deterministic and repeatable logic, represent an easier target than a complex cloud server."

But, Hugh Thompson, CTO at Blue Coat, said he thinks the technology could be very useful to authenticate the components of various IoT devices -- many of them made from all over the world.

"You build these things from 30 suppliers," he said, "so I can imagine for the manufacturer and provider, having a method to test and validate the things from other vendors will be useful.

"It would also be good for the end buyer, to be able to routinely go back and make sure they are still OK, with a mechanism to make sure something is in a clean state."

(www.csoonline.com)

Taylor Armerding

Zur Startseite