One of the limitations of IoT devices is that they lack the power and
processor resources for malware detection. This is true with
supervisory control and data acquisition or SCADA systems as well. What
if there was a way to passively monitor these systems for any
unauthorized changes? One vendor at next month’s Black Hat Briefings in
Las Vegas believes it has the solution.
“The market is crying for somebody to raise a red flag in machine
time, in millisecond, say with 99 percent confidence that you have been
hacked,” said Steven Chen, founder, CEO and chairman of PFP Cybersecurity.
PFP, which stands for Power Fingerprint, performs active side channel
analysis by observing discrete power fluctuations in microprocessors.
The company was recently named a Gartner “Cool Vendor” for 2015.
“Because we are a separate system,” said Thurston Brooks, VP of
Product Marketing at PFP Cybersecurity, “we don’t borrow cycles from
your system. That’s why PLC [software used in a SCADA system] doesn’t
have security today because there’s not enough processing horsepower to
load on virus checkers and malware checkers and everything else. But we
sit beside it and grab the side channel data and analyze it in a
separate system so we don’t steal any resources from the system at all,”
he said.
The technology is versatile enough to work on most any device – even mobile phones.
“We monitor the actual power fluctuations that occur inside the Android
phone’s microprocessor. We’re not looking at the direct usage, we’re not
looking at the code, and we’re not trying to understand the signature
of the code or anything, we’re only looking at the power fluctuation of
the processor in real time at real clock speeds. By doing that we create
a normal baseline, so when your phone is working normally, we create
this signature of a baseline and if you deviate from that we know that
something has happened and we raise the flag.”
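The baseline-and-deviation idea Brooks describes can be shown with a small detector. The following is an added example, not PFP’s code or algorithm: it simulates processor power traces as a periodic signal plus noise (constructed data, since real measurements need a probe on the supply rail), builds a per-sample envelope from known-good traces, and flags a trace whose samples fall outside that envelope too often. The trace shape, the 3-sigma band and the 5 percent threshold are all assumptions chosen for illustration.

```python
import math
import random

# Constructed example: each "power trace" is a fixed-length window of
# synthetic supply-current samples. Real power fingerprinting samples the
# processor's power rail at clock-rate resolution; here the data is simulated.
N_SAMPLES = 256


def synth_trace(seed, tampered=False):
    """Simulate one window: a periodic instruction loop plus measurement noise.

    With tampered=True, an extra code path runs from the midpoint on, which
    adds a DC shift and a new higher-frequency component to the trace.
    """
    rng = random.Random(seed)
    samples = []
    for i in range(N_SAMPLES):
        value = 1.0 + 0.3 * math.sin(2 * math.pi * i / 32) + rng.gauss(0, 0.02)
        if tampered and i >= N_SAMPLES // 2:
            value += 0.2 + 0.1 * math.sin(2 * math.pi * i / 7)
        samples.append(value)
    return samples


def build_baseline(traces):
    """Per-sample mean and standard deviation across known-good traces."""
    k = len(traces)
    mu = [sum(t[i] for t in traces) / k for i in range(N_SAMPLES)]
    sigma = []
    for i in range(N_SAMPLES):
        var = sum((t[i] - mu[i]) ** 2 for t in traces) / (k - 1)
        # Floor the width so a quiet sample cannot produce a zero-width band.
        sigma.append(max(math.sqrt(var), 0.005))
    return mu, sigma


def deviation_score(trace, mu, sigma, band=3.0):
    """Fraction of samples outside the baseline envelope of +/- band * sigma."""
    outside = sum(
        1 for x, m, s in zip(trace, mu, sigma) if abs(x - m) > band * s
    )
    return outside / len(trace)


def is_anomalous(trace, mu, sigma, threshold=0.05):
    """Raise the flag when more than `threshold` of the window is out of band."""
    return deviation_score(trace, mu, sigma) > threshold


if __name__ == "__main__":
    # Learn "normal" from twenty clean windows, then score two fresh ones.
    baseline = [synth_trace(seed) for seed in range(1, 21)]
    mu, sigma = build_baseline(baseline)
    for label, trace in (
        ("normal", synth_trace(99)),
        ("tampered", synth_trace(99, tampered=True)),
    ):
        score = deviation_score(trace, mu, sigma)
        print(f"{label:9s} score={score:.3f} flagged={is_anomalous(trace, mu, sigma)}")
```

The per-sample envelope is the simplest possible signature; a production system would compare spectral or correlation features and align traces to the code’s execution phase. Note that any change to the code that alters the power profile, including a legitimate firmware update, moves the trace out of the envelope, so the baseline has to be rebuilt after every authorized change.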
With SCADA systems PFP can install a unit to monitor the PLC system. For mobile phones, it’s different.
The first option, Brooks said, is a special power charging cradle, an
aftermarket choice for phones that are already built. “You would come
home at night and stick your Android phone in the cradle and we can
analyze it and tell you whether you’ve been hacked during the day.” He
said that it would not be immediate, but it would nonetheless flag the
phone as having something changed.
The second, and best, option is to work directly with the carriers and
handset makers. This would require a small, independent chip to be
placed on the circuit board to perform the side channel analysis. CEO
Chen said they are in talks with the major players right now, and argued
that it would be practically costless for OEMs to do this at time of
manufacture. Having the chip in the phone would immediately notify the
user, and the carrier, in real time when something has changed. It would
also help the carrier and the handset maker against counterfeiting: only
legit phones would have the PFP chip.
Monitoring for changes in power fluctuations will also catch legitimate
software and firmware updates. Would that be a problem for clients?
Brooks said commercial clients want to know when the software has
been changed. Some companies send people out in the field, and sometimes
those people are not authorized to update that POS or update that
computer. If the field workers are making unauthorized updates, the
companies want to know about it. They might okay it once they know about
it, he said, but they want to know about it first.
Currently PFP Cybersecurity is focusing on supply chain assurance
(anti-counterfeiting) and critical infrastructure (SCADA systems).
They’ve also demonstrated their technology against attacks on routers,
mobiles, BIOS and OSs such as Windows. Brooks said they’re primed for
IoT as well.
Although the product is still in development, Chen and Brooks did share one case study.
The Savannah River National Laboratory provides nuclear material for the US Defense Department. Across the US
the National Labs have split up the process and Savannah makes the
material that is actually used in making bombs. Brooks explained, “They
build up control systems in these labs and test them out. When they are
convinced they work right, the control system moves into production and
is never seen again. There is no way to hook up and there’s no way to go
in and do things to it.”
Brooks said the guys at Savannah loved PFP because if the control
system is already safety certified they can’t put in antivirus
protection later. They can’t add anything. “But PFP just watches the
system; it’s isolated, the equivalent of an air gap,” he said. “So if
you go in and change that code, even with an upgrade, that’s a violation
of the safety policy. And if you go in and change it with a Trojan, that’s
without a doubt a violation.”