Sandia LabNews


Backplane analysis system bites infrastructure bad guys

When you own or manage critical infrastructures, a day with a zero-day exploit is a horrible, no good, very bad day.

It means someone has compromised the most fundamental level of your system, allowing a potential evildoer access to all the things you’ve been attempting to protect, such as your manufacturing machinery, your solar array, your microgrid, or your nuclear power plant. And you have zero days to fix it before it’s too late: In other words, it’s already too late.

Sandia’s WeaselBoard helps critical infrastructure owners protect their systems against zero-day exploits. It is a small card that plugs into the backplane of an industrial controller to detect illicit traffic. WeaselBoard creates an assurance platform for responding to attacks as systems network together and scale up in the future.

Attacks could be expensive and dangerous

Critical infrastructures, such as electrical power plants and oil refineries, rely on industrial controls, referred to as primary logic controllers (PLC) in industry, and supervisory control and data acquisition (SCADA) in government systems, to control essential processes.

Industrial control devices control billions of dollars worth of production, manufacturing, and utility equipment in the US Industrial control processes require high availability and any cyberattack could result in something expensive and dangerous. And most industrial processes are unprotected.

“Most machines weren’t initially designed to be networked together, so industrial control systems were not designed with security in mind,” says principal investigator John Mulder.

Most attacks on control systems focus on network communications and computer software, so industrial control systems, which are embedded at the hardware or firmware level, are not often monitored for security compromise.

“Because industrial control systems aren’t monitored routinely, current industry practice forces critical infrastructure owners to wait for the zero-day exploit before they know something is wrong. This means that owners can only react to malicious attacks after the damage has occurred, which can lead to expensive equipment damage, lost uptime, and in some cases, casualties among operating personnel,” John says.

Identifying malicious behavior

WeaselBoard works by detecting changes in the controllers and its processes, such as control settings, sensor values, module configuration information, firmware updates, and process control program (logic) updates. It forwards inter-module traffic to an external analysis system that detects changes. The analysis workstation then extracts fields at each protocol layer.

These fields are tested using mechanisms to identify malicious behavior: a rule set and a machine-learning algorithm. The rules-based mechanism causes an alert when predetermined behavior is seen, and can be customized to process-specific limits.

“WeaselBoard allows operators to detect compromises as they are in progress, because it alerts on the effects of the attack in progress, and not on signatures of previously catalogued attacks. This allows zero-day exploits to be detected, unlike systems using signature-based detection methods,”  John says.

WeaselBoard is currently being piloted in an operational environment.

Through the DHS Transition to Practice program, Sandia is seeking additional pilot partners to test the patented WeaselBoard technology in other environments.

This work was funded under Sandia’s Laboratory Directed Research and Development program.

Highlighting WeaselBoard’s potential use for many types of cyber-physical systems, senior manager for Renewable Energy Technologies Juan Torres recently took WeaselBoard to the Hill as part of the Grid Modernization Lab Consortium discussion on security and resilience. It was also showcased at July Lab Day on the Hill in Washington, D.C.

“Weaselboard is an example of cybertechnology that Sandia developed with potential application to energy systems,” Juan says.