How ‘Power fingerprint’ could improve security for ICS/SCADA systems

Most people have heard that one way law enforcement can figure out who might be growing marijuana in their basement is to monitor power consumption.

If a small house is sucking up as much electricity as two or three similar houses in the neighborhood, then something “anomalous” is going on.

That — at a vastly more microscopic level — is what some security experts say can be done to detect malicious activity in digital systems, ranging from the power plants that form the nation’s critical infrastructure, all the way down to tiny embedded devices in the Internet of Things (IoT).

The idea is that every device has a “power fingerprint,” and that by detecting anomalies against that baseline fingerprint it is possible to tell when something bad is happening or an intrusion has occurred.

That is the premise of PFP Cybersecurity, a company that went public last month after launching with startup funding from the Defense Advanced Research Projects Agency (DARPA), the Defense Department, and the Department of Homeland Security.

As a post in Dark Reading put it, PFP’s technology, “establishes the baseline power consumption of ICS/SCADA (Industrial Control Systems/Supervisory Control and Data Acquisition) equipment such as programmable logic controllers (PLC), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur.

“Such changes could be due to malware, as well as to hardware or system failures,” the post said.
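As an added illustration (not PFP’s code or anything from the article), here is a minimal version of the baseline-and-alert idea the post describes: a fingerprint built from several captures of a healthy PLC scan cycle, and each new capture scored against it. The eight-sample cycle, the sample traces and the noise floor are constructed assumptions.

```python
"""Toy power-fingerprint baseline detector (added illustration, not PFP's code)."""
import statistics

# Constructed data: relative power draw (arbitrary units) sampled at 8 fixed points of
# one PLC scan cycle, captured four times while the controller ran its normal program.
HEALTHY_CAPTURES = [
    [10, 12, 15, 14, 11, 10, 10, 9],
    [10, 12, 16, 14, 11, 10, 9, 9],
    [11, 12, 15, 13, 11, 10, 10, 9],
    [10, 13, 15, 14, 12, 10, 10, 9],
]
NOISE_FLOOR = 0.5  # assumed sensor noise (same units); stops a quiet phase from having std 0


def build_baseline(captures):
    """Fingerprint = per-position mean and std over aligned captures of a healthy cycle."""
    columns = list(zip(*captures))
    means = [statistics.fmean(c) for c in columns]
    stds = [max(statistics.pstdev(c), NOISE_FLOOR) for c in columns]
    return means, stds


def anomaly_score(capture, baseline):
    """Mean squared z-score of one captured cycle against the fingerprint."""
    means, stds = baseline
    return sum(((x - m) / s) ** 2 for x, m, s in zip(capture, means, stds)) / len(capture)


def alert_threshold(captures, baseline, margin=3.0):
    """Worst score seen on healthy captures, times a margin, so normal jitter stays silent."""
    return margin * max(anomaly_score(c, baseline) for c in captures)


def classify(capture, baseline, threshold):
    """Label a capture: 'ALERT' when it drifts outside the baseline, else 'ok'."""
    return "ALERT" if anomaly_score(capture, baseline) > threshold else "ok"


if __name__ == "__main__":
    baseline = build_baseline(HEALTHY_CAPTURES)
    thr = alert_threshold(HEALTHY_CAPTURES, baseline)
    # Constructed capture where the normally idle tail of the cycle draws extra power,
    # the kind of shift that injected code or a failing component could produce.
    suspicious = [10, 12, 15, 14, 11, 14, 14, 13]
    for name, cap in [("healthy", HEALTHY_CAPTURES[0]), ("suspicious", suspicious)]:
        print(name, round(anomaly_score(cap, baseline), 4), classify(cap, baseline, thr))
```

A shift smaller than the noise floor stays under the threshold, so how much an intrusion must change the draw before it is seen depends on the chosen margin and on how clean the measurement is.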

According to the company, power fingerprinting could have detected the notorious Stuxnet malware, which damaged the Iranian nuclear program.

Does that make it a security silver bullet for the nation’s notoriously insecure critical infrastructure?

Not according to a number of experts in the field, although they agree that it will likely improve security for ICS/SCADA systems, at least for a while.

Those experts said that while the technology is not new, they have not seen it used in this kind of commercial application before.

“Commercially it’s a new thing,” said Dave Pack, director of labs at LogRhythm, “but you can read academic papers on it going back years.”

Seventeen years, at least. Ben Jun, a former vice president at Cryptography Research (CR) and now CTO of Chosen Plaintext Partners, said when he was at CR, “we coined the terms Simple Power Analysis (SPA) and Differential Power Analysis (DPA) in 1998. They refer to using power measurements on computers and embedded devices, such as the Siemens Simatic S7-315 that Stuxnet targeted.”

The reference to Stuxnet leads to another point — power analysis has primarily been a technology used to attack, rather than to secure, systems, or to gather information about (spy on) a device — some of it almost magically specific.