By Gregory Hale
Stuxnet was the perfect case of where attackers were able to disguise to operators what was really happening to the physical devices.
While centrifuges at the nuclear facility in Natanz, Iran, were running wildly out of control, operators in the control room saw everything appearing to be in perfect condition.
Forget for a moment it was the U.S. and Israel working to stop Iran’s nuclear enrichment program, but look at it as attackers looking to disguise an assault to the physical infrastructure. That worked to perfection.
To protect against that type of physical attack, APERIO Systems Tuesday launched from stealth mode, to bring to market technology that detects artificial manipulations of industrial process data, which can allow operators to take real-time corrective action without service disruption to industrial control systems (ICS).
From the rate of gas flow at a petroleum refinery, to the temperature and spin rates of turbines in a power plant, or the chlorine level of water supply networks, APERIO Systems’ Data Forgery Protection (DFP) technology looks to protect critical SCADA systems against insider and external threats.
“In the Stuxnet case, operators of the centrifuges were lied to because the information about what is actually happening was forged,” said Yevgeni Nogin, chief executive of Haifa, Israel-based APERIO. “The reality was the rotation speed was different than what was reported back.”
APPERIO said its technology can guard against that type of attack.
“We have a special patent pending technology that learns the physical model of devices which exists in the world of industrial control systems and can detect when someone forges data,” Nogin said. “We don’t care how the malware gets inside; whether it is a Zero Day attack or from another way. We are looking at the physical data coming from turbines, motors and everything else, like the temperature or pressure. We are taking some ideas from predictive maintenance. We are taking those ideas and applying them to the cyber security problem.”
Where this technology can help is with legacy industrial control systems created before security was even an issue and continues to be difficult to patch because mission critical systems cannot go offline.
This non-intrusive technology uses its proprietary algorithms to search for the data’s unique fingerprints and validate its authenticity. Any mismatches generate an alert and it pinpoints the attacked equipment and forged process data. Using a combination of physics and machine learning techniques, APERIO reconstructs the real values of the forged operational data and reverts it to its original state in real time.
“We are providing operators a lie detector for rogue machines that are trying to lie to them,” Nogin said.
It is all about communicating to operators and letting them know something is awry with their process.
“Control engineers know their plants better than anyone else in the world, the last thing we want to do is to shut down anything that should not be shut down,” said Michael Shalyt, APERIO vice president of products. “We give an alert and give the real experts all the information they need to take the correct actions.”
Yes, APERIO is a security company, but they also want to relate to operators running a plant.
“Since we are a hybrid company, we are not the usual cybersecurity company that talks in bits and bytes, but we talk the language of the operators,” Shalyt said. “In any discussion there is the CISO and an industrial engineer because we are talking about the physical systems and physical information. When we say the signal contains a physical fingerprint, industrial engineers understand what we mean.”
• Data Forgery Protection (DFP): Validates integrity and authenticity of reported signals to provide operators with true state awareness, enabling them to take corrective action in real time.
• Process Continuity: Enables trust in the most critical data and provides resilience when attacked.
• Operational Alerts: Fast, actionable, specific and accurate alerts integrate cybersecurity into operational emergency procedures, allowing operators to mitigate permanent damage.
• Accurate and Relevant: Alerts operators only when the reported process state does not reflect the plant’s real situation — providing an extremely low false alert rate.
• Minimized Risk: Passive and non-intrusive system minimizes operational risks, as well as installation and maintenance costs.
• Counters Insider Threats: Protects the plant’s process continuity from both external and internal actors.
“We are not concerned about the network, but rather being the last line of defense,” Nogin said. “We are protecting the devices even if there is malware in the network. We are looking at the behavior of signals reported back to the operators.”