Photographer: Konstantin Grishin/Getty Images

New Technology Detects Hacks in Milliseconds

The past year in cybersecurity has seemed like the Year the Bad Guys Won. Power fingerprinting could change that.

What if you knew you were being hacked the second interlopers started hacking you? 

The millisecond they started hacking you?

The past year in cybersecurity has seemed like the Year the Bad Guys Won. Think Sony, Target, JPMorgan Chase, and now Anthem, the health insurer that announced a huge hack this morning. So companies are paying more attention than ever to the threat.

But they're usually clueless for weeks—even months—as the hackers rifle through their valuables. It takes an average of more than 200 days to discover a breach, according to Mandiant, a cyber-forensics company.

A novel technology from PFP Cybersecurity, of Vienna, Va., promises to help close that detection gap by identifying malware attacks based on changes in the power that devices use. It essentially takes their energy fingerprints and alerts users when those fingerprints change.

Here's how it works.

First you establish a baseline pattern for a system as it operates normally. PFP sees a particular opportunity in poorly protected infrastructure systems, so take a protective relay for example. That's a device used to sense and cut off voltage surges on power lines.

Once the power signature for the device is recorded, PFP's monitor can detect even the smallest change in that pattern. Maybe the relay has stopped functioning properly—or perhaps a hacker has implanted a piece of malicious code in it. Either way, the technology can alert a human technician to the anomaly within milliseconds.
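The baseline-then-compare idea described above, as an added example that is not PFP's code or algorithm (the article does not describe it): the per-sample z-score statistic, the sliding window, the threshold margin and the synthetic traces are all assumptions constructed for illustration.

```python
import math
import random
import statistics

def make_trace(rng, implant=False, n=200):
    """Constructed power trace (arbitrary units) for one firmware cycle."""
    trace = []
    for i in range(n):
        level = 1.0 + 0.3 * math.sin(2 * math.pi * i / 50)  # normal duty cycle
        if implant and 120 <= i < 150:
            level += 0.08  # assumed extra draw from code absent in the baseline
        trace.append(level + rng.gauss(0, 0.02))  # sensor noise
    return trace

def build_baseline(traces):
    """Per-sample mean and standard deviation over known-good traces."""
    columns = list(zip(*traces))
    return ([statistics.fmean(c) for c in columns],
            [statistics.stdev(c) for c in columns])

def score(trace, baseline, window=20):
    """Largest |mean z-score| over any sliding window: a sustained shift
    stands out while single-sample noise averages away."""
    mean, std = baseline
    z = [(x - m) / s for x, m, s in zip(trace, mean, std)]
    return max(abs(statistics.fmean(z[i:i + window]))
               for i in range(len(z) - window + 1))

def calibrate(baseline, held_out, margin=2.0):
    """Alert threshold: worst score on held-out good traces, times a margin."""
    return margin * max(score(t, baseline) for t in held_out)

def demo(seed=7):
    """Train on good traces, then count false alarms and test one implant."""
    rng = random.Random(seed)
    baseline = build_baseline([make_trace(rng) for _ in range(40)])
    threshold = calibrate(baseline, [make_trace(rng) for _ in range(20)])
    false_alarms = sum(score(make_trace(rng), baseline) > threshold
                       for _ in range(50))
    implant_score = score(make_trace(rng, implant=True), baseline)
    return false_alarms, implant_score > threshold

if __name__ == "__main__":
    print(demo())
```

The detector never inspects code on the monitored device; it only needs known-good traces, which is why a device fault and an implant both surface as the same kind of alert.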

The technology, made up of sensors and software that analyzes what the sensors pick up, was developed in 2006 at Virginia Tech by Jeffrey Reed, a professor of electrical and computer engineering, and Carlos Aguayo Gonzalez, one of his Ph.D. students at the time. The research was inspired by the side-channel attack, a way of breaking into an encrypted system by analyzing physical signals such as heat and power consumption, says Reed, PFP's president.

Reed and Aguayo Gonzalez, chief technology officer, set up PFP in 2010 with Steven Chen, who had founded and sold 3e Technologies International, a supplier of secure wireless technology, to the U.S. Navy. PFP has gotten contracts from the Army, Air Force, Department of Homeland Security, and Darpa, which develops advanced technologies for the Defense Department. PFP has raised about $1 million in venture funding, according to Chen.

The company has been testing its technology together with the Department of Energy's Savannah River National Laboratory (SRNL) in South Carolina, focusing on such microprocessor chips as programmable logic controllers, which run a lot of automated processes in industrial settings. In one test, they showed that the technology was capable of detecting the Stuxnet virus, the program that attacked industrial control systems in Iran's nuclear industry, even before it became active.

The ability to catch a Stuxnet-like attack, which exploited several previously unidentified "zero-day" flaws, is what got Joe Cordaro, an engineer at SRNL, interested. A lot of cyber-defense now rests on detecting and blocking what you know is bad, but a zero-day attack is, by definition, unknown. Potential attacks of that kind on the electrical grid constitute one of DOE's biggest areas of concern, Cordaro says. 

It's not a theoretical worry, either. Researchers at Symantec reported in June on a hacking group that targeted pipeline operators and other energy companies and successfully infected industrial control systems.

PFP's technology can identify a zero day because it's based on changes in physical signals and power consumption, not on the ability to recognize malicious code, which may be in use for the first time or cleverly disguised as legitimate software. 

Grid systems are difficult to patch and scan for problems because they're constantly operating, Cordaro said. The PFP technology works because it is "air-gapped" from the device it's fingerprinting—the sensors used for fingerprinting aren't connected, and you don't have to load any software onto the system to take the measurement—so it doesn't interfere with normal daily operations. That way, it can't be detected or interfered with by a hacker nosing around in the system. 

"It's very innovative. I think it's a very significant development," says Cordaro, who got to know Chen and Reed a few years ago, when he was working on developing ultra-secure wireless systems so DOE could transfer classified nuclear weapons data within its facilities wirelessly. "And it's not being done in place of any of the other cyber-security arrangements. It's another layer."

PFP also envisions its power fingerprinting as a solution to such supply-chain management problems as counterfeit components for electronics. Let's say a company gets a shipment of chips that were made in China. Those fabricated to the right specifications should have a particular energy pattern that's identical. A fake or substandard chip—or worse, one with malware inserted during manufacturing—wouldn't match the correct energy fingerprint. 

PFP's Reed says it's practically impossible for malware to evade his technology. That's a big claim for a cybersecurity company. Let's hope he's right. The good guys could use some help. 
