Critical infrastructures rely on industrial controls, referred to as primary logic controllers (PLC) in industry, and supervisory control and data acquisition (SCADA) in government systems, to control essential processes.
Charged with oversight of the nation’s nuclear arsenal, National Nuclear Security Agency’s (NNSA) Sandia National Laboratories developed WeaselBoard to detect and respond against potential attacks.
The technology utilizes a small card that plugs into the backplane of an industrial controller to detect illicit traffic. WeaselBoard’s application in cybertechnology offers security not just for the nuclear security enterprise, but for critical infrastructure across a broad range of industries.
“WeaselBoard allows operators to detect compromises as they are in progress,” instead of relying on signatures of previously cataloged attacks,” Sandia’s principal investigator John Mulder said.
Most attacks on control systems focus on network communications and computer software, so industrial control systems, which are embedded at the hardware or firmware level, are not often monitored for security compromise.
“Because industrial control systems aren’t monitored routinely, current industry practice forces critical infrastructure owners to wait for the zero-day exploit before they know something is wrong. This means that owners can only react to malicious attacks after the damage has occurred, which can lead to expensive equipment damage, lost uptime, and in some cases, casualties among operating personnel,” John says.
WeaselBoard works by detecting changes in the controllers and its processes, such as control settings, sensor values, module configuration information, firmware updates, and process control program (logic) updates. It forwards inter-module traffic to an external analysis system that detects changes. The analysis workstation then extracts fields at each protocol layer.
These fields are tested using mechanisms to identify malicious behavior: a rule set and a machine-learning algorithm. The rules-based mechanism causes an alert when predetermined behavior is seen, and can be customized to process-specific limits.
“WeaselBoard allows operators to detect compromises as they are in progress, because it alerts on the effects of the attack in progress, and not on signatures of previously catalogued attacks. This allows zero-day exploits to be detected, unlike systems using signature-based detection methods,” John says.
WeaselBoard is currently being piloted in an operational environment.
Through the DHS Transition to Practice program, Sandia is seeking additional pilot partners to test the patented WeaselBoard technology in other environments.