New technology claims to detect cyber attacks in milliseconds

A novel technology from PFP Cybersecurity, of Vienna, Virginia, promises to help close that detection gap by identifying malware attacks based on changes in the power that devices use — essentially by taking their energy fingerprints and alerting users when those fingerprints change. 

Here's how it works.

First you establish a baseline pattern for a system as it operates normally. PFP sees a particular opportunity in poorly protected infrastructure systems, so take a protective relay for example. That's a device used to sense and cut off voltage surges on power lines.

Once the power signature for the device is recorded, PFP's monitor can detect even the smallest change in that pattern. Maybe the relay has stopped functioning properly — or maybe a hacker has implanted a piece of malicious code in it. Either way, the technology can alert a human technician to the anomaly within milliseconds.

The technology — made up of sensors and software that analyzes what the sensors pick up – was developed in 2006 at Virginia Tech by Jeffrey Reed, a professor of electrical and computer engineering, and Carlos Aguayo Gonzalez, one of his Ph.D. students at the time. The research was  inspired by the side-channel attack, a way of breaking into an encrypted system by analyzing physical signals like heat and power consumption, said Reed, PFP's president. 

Reed and Aguayo Gonzalez, chief technology officer, set up PFP in 2010 with Steven Chen, who had founded and sold 3e Technologies International, a supplier of secure wireless technology, to the U.S. Navy. PFP has gotten contracts from the Army, Air Force, Department of Homeland Security and Darpa, which develops advanced technologies for the Defense Department, and has raised about $1 million in venture funding, according to Chen. 

The company has been testing its technology together with the Department of Energy's Savannah River National Laboratory (SRNL) in South Carolina, focusing on microprocessor chips like programmable logic controllers, which run a lot of automated processes in industrial settings. In one test, they showed that the technology was capable of detecting the Stuxnet virus, the program that attacked industrial control systems in Iran's nuclear industry, even before it becomes active.

The ability to catch a Stuxnet-like attack, which exploited several previously unidentified "zero-day" flaws, is what got Joe Cordaro, an engineer at SRNL, interested. A lot of cyber-defense now rests on detecting and blocking what you know is bad, but a zero-day attack is, by definition, unknown. Potential attacks of that kind on the electrical grid is one of DOE's biggest areas of concern, Cordaro said. 

It's not a theoretical worry, either. Researchers at Symantec Corp.reportedin June on a hacking group that targeted pipeline operators and other energy companies and successfully infected industrial control systems.

PFP's technology can identify a zero day because it's based on changes in physical signals and power consumption, not on the ability to recognize malicious code, which may be in use for the first time, or cleverly disguised as legitimate software. 

Grid systems are difficult to patch and scan for problems because they're constantly operating, Cordaro said. The PFP technology works because it is "air-gapped" from the device it's fingerprinting — the sensors used for fingerprinting aren't connected, and you don't have to load any software onto the system to take the measurement — so it doesn't interfere with normal daily operations. That way, it can't be detected or interfered with by a hacker nosing around in the system. 

"It's very innovative. I think it's a very significant development," said Cordaro, who got to know Chen and Reed a few years ago when he was working on developing ultra-secure wirelss systems so DOE could transfer classified nuclear weapons data within its facilities wirelessly. "And it's not being done in place of any of the other cyber-security arrangements. It's another layer."

PFP also envisions its power fingerprinting as a solution to supply chain management problems like counterfeit components for electronics. Let's say a company gets a shipment of chips, made in China. Those fabricated to the right specifications should have a particular, identical energy pattern. A fake or substandard chip — or worse, one with malware inserted in it during manufacturing — wouldn't match the right energy fingerprint. 

PFP's Reed said it's practically impossible for malware to evade his technology. That's a big claim for a cyber-security company. Let's hope he's right — the good guys could use some help.