
Tampering detection for Programmable Logic Controller (PLC) programs using fingerprinting based on cache access patterns


Technology title

Tampering detection for Programmable Logic Controller (PLC) programs using fingerprinting based on cache access patterns


Technology overview

This technology is a methodology for protecting PLCs by fingerprinting a PLC's cache access patterns, that is, by recording and analysing the PLC's run-time behaviour, so that tampering attacks on PLC code can be detected. The aim is to strengthen the protection of PLCs, and therefore of the cyber-physical systems they control, to improve both safety and security.

The problem this IP addresses is the detection of tampered PLC code. It does so with a novel technique that uses cache access timings as the input to anomaly detection. Because the timings are a side effect of whatever code actually executes on the PLC, rather than a pattern matched against the code itself, this detection method is generally more difficult to evade than heuristics-based detection.

Technology specifications

The disclosed technology is a methodology for detecting tampering attacks on PLC programs. It has two parts: a timing-extraction algorithm that runs on the PLC, separately from the program that controls the physical process, and a monitoring and analysis program on an ordinary computer that receives the extracted cache access timings and judges whether tampering has occurred.


The timing-collection program runs on the PLC. It collects access timings for the PLC's cache, which the methodology uses as a description of the PLC's behaviour in operation. The timings are collected with Prime+Probe, a technique normally used in cache side-channel and covert-channel attacks: the collector fills (primes) cache sets with its own data, lets the control program run, then re-accesses (probes) its own data and measures how long that takes, since any of its lines evicted by the control program must be fetched again from memory. The extracted timings are transmitted at regular intervals to the analysis and judgement program on the ordinary computer.
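As an added illustration (not code from this page or from the technology's authors), the following Python models what a Prime+Probe collector observes. It simulates a small LRU set-associative cache instead of timing a real one, so the per-set miss counts it returns are what would appear, on actual PLC hardware, as probe durations measured with a cycle counter. The cache geometry, the monitor buffer address, the two victim access lists and the latency figures are all constructed assumptions.

```python
"""Simulated Prime+Probe over a toy LRU cache (illustrative; not the page's collector).

All geometry, addresses and latencies below are assumptions, not values from the page.
"""

LINE = 64           # bytes per cache line
SETS = 16           # number of cache sets
WAYS = 4            # associativity (lines per set)
MON_BASE = 0x40000  # collector's eviction buffer; a multiple of LINE * SETS
HIT_NS, MISS_NS = 4, 100  # assumed latencies, used only to turn misses into a time

# Constructed per-scan-cycle access patterns (not real PLC firmware addresses).
# The tampered program touches three extra lines, as injected logic reading memory
# the original program never used would.
ORIGINAL = [0x1000, 0x1040, 0x1080, 0x2000, 0x2100]
TAMPERED = ORIGINAL + [0x3000, 0x3100, 0x3200]


class ToyCache:
    """Set-associative cache with true LRU replacement; tracks tags only, no data."""

    def __init__(self):
        self.sets = [[] for _ in range(SETS)]  # each list is ordered LRU -> MRU

    def access(self, addr):
        """Touch addr; return True on a hit, False on a miss (with LRU eviction)."""
        idx = (addr // LINE) % SETS
        tag = addr // (LINE * SETS)
        lines = self.sets[idx]
        if tag in lines:
            lines.remove(tag)
            lines.append(tag)          # refresh LRU position
            return True
        if len(lines) == WAYS:
            lines.pop(0)               # evict the least recently used line
        lines.append(tag)
        return False


def monitor_lines(idx):
    """WAYS addresses owned by the collector that all map to cache set idx."""
    return [MON_BASE + idx * LINE + w * LINE * SETS for w in range(WAYS)]


def prime_probe(victim_accesses):
    """One Prime+Probe round: number of collector lines evicted per set.

    With LRU replacement the probe walks its lines in reverse prime order. Probing
    in the same order as the prime would let each miss evict the next line about to
    be probed, inflating the count to WAYS after a single victim access.
    """
    cache = ToyCache()
    for idx in range(SETS):                      # prime: fill every set with our lines
        for addr in monitor_lines(idx):
            cache.access(addr)
    for addr in victim_accesses:                 # the control program's scan cycle runs
        cache.access(addr)
    misses = []
    for idx in range(SETS):                      # probe: count our lines that were evicted
        misses.append(sum(not cache.access(a) for a in reversed(monitor_lines(idx))))
    return misses


def probe_time_ns(misses):
    """What a real collector measures: per-set probe duration, under assumed latencies."""
    return [m * MISS_NS + (WAYS - m) * HIT_NS for m in misses]


if __name__ == "__main__":
    for name, program in (("original", ORIGINAL), ("tampered", TAMPERED)):
        m = prime_probe(program)
        print(f"{name:9s} misses/set={m} probe_ns={probe_time_ns(m)}")
```

The two miss vectors differ only in the sets the injected accesses land in, which is exactly the signal the collector exports: it never inspects the control program's code, only the cache footprint that running it leaves behind.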


The analysis and judgement program runs on the separate computer. It receives the timings from the PLC-side algorithm and computes statistical features from them, such as the mean timing and the standard deviation.


These features are then passed to a permutation test that compares them against historically recorded baseline features (collected and computed in the absence of tampering attacks). The result of the test is used to decide whether the PLC is likely behaving abnormally, possibly because the physical-process control program(s) on the PLC have been tampered with. The baseline must be recorded from the known-good program under the same operating conditions, and re-recorded after any legitimate program update, or the test will flag the update itself as an anomaly.
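The analysis side, as an added Python example that is not the page's own program: each report from the PLC is treated as a window of probe timings, the features of a window are its mean and population standard deviation, and a two-sample permutation test compares the feature values of the recent windows against those of the recorded baseline windows. The timing windows below are constructed by hand (the tampered ones are slower and noisier, as would happen if injected code evicted more of the collector's lines); the significance level, permutation count and window counts are assumptions.

```python
"""Feature extraction and permutation-test judgement over PLC probe-timing windows.

Added example with constructed data and assumed parameters; not the page's program.
"""
import math
import random
import statistics

ALPHA = 0.05    # assumed significance level
N_PERM = 2000   # assumed number of random permutations


def _window(center, spread):
    """Constructed 8-sample timing window with mean `center` and a fixed spread pattern."""
    return [center + d for d in spread]


CLEAN_SPREAD = (-3, -1, 1, 3, -2, 2, 0, 0)   # pstdev ~= 1.87
NOISY_SPREAD = (-8, -2, 2, 8, -5, 5, 0, 0)   # pstdev ~= 4.82

# Constructed probe-timing windows (arbitrary units), as the PLC collector would send them.
# All clean windows share one spread pattern, so the std feature is identical across them.
BASELINE = [_window(c, CLEAN_SPREAD) for c in (100, 101, 99, 102, 98, 100, 101, 99, 100, 101)]
RECENT_CLEAN = [_window(c, CLEAN_SPREAD) for c in (100, 102, 99, 100, 101)]
RECENT_TAMPERED = [_window(c, NOISY_SPREAD) for c in (118, 121, 119, 120, 122)]


def features(window):
    """Per-window features: (mean timing, population standard deviation)."""
    return statistics.mean(window), statistics.pstdev(window)


def permutation_test(baseline_vals, recent_vals, n_perm=N_PERM, seed=1):
    """Two-sample permutation test on the absolute difference of group means.

    Under H0 the recent and baseline feature values come from the same distribution,
    so a random relabelling of the pooled values is as extreme as the observed split
    as often as not. Returns (count + 1) / (n_perm + 1), which is never exactly zero.
    """
    def stat(a, b):
        return abs(math.fsum(a) / len(a) - math.fsum(b) / len(b))

    observed = stat(recent_vals, baseline_vals)
    pooled = list(recent_vals) + list(baseline_vals)
    k = len(recent_vals)
    rng = random.Random(seed)                      # fixed seed: reproducible verdicts
    count = 0
    for _ in range(n_perm):
        rng.shuffle(pooled)
        if stat(pooled[:k], pooled[k:]) >= observed:
            count += 1
    return (count + 1) / (n_perm + 1)


def judge(baseline_windows, recent_windows, alpha=ALPHA):
    """Test each feature of the recent windows against the baseline; flag if any differs."""
    base = [features(w) for w in baseline_windows]
    recent = [features(w) for w in recent_windows]
    verdict = {}
    for i, name in enumerate(("mean", "std")):
        verdict[name] = permutation_test([f[i] for f in base], [f[i] for f in recent])
    verdict["tampered"] = any(verdict[n] < alpha for n in ("mean", "std"))
    return verdict


if __name__ == "__main__":
    print("clean   :", judge(BASELINE, RECENT_CLEAN))
    print("tampered:", judge(BASELINE, RECENT_TAMPERED))
```

Testing each feature separately and alarming on any of them is the simplest multi-feature rule; with more features one would correct for multiple comparisons or test a joint statistic, otherwise the false-alarm rate rises with the number of features.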

Sector

This technology relates to cybersecurity of programmable logic controllers that are commonly used in critical national infrastructure.

Market opportunity

The global PLC market is currently estimated by Mordor Intelligence at USD 12.79 billion this year and is forecast to reach USD 15.78 billion by 2030.


Parties likely to be interested in acquiring this technology include government agencies and companies in industries that rely significantly on PLCs for the control of physical processes.


Applications

Applications include a variety of cyber-physical systems, such as electric power plants, manufacturing plants and the onboard power management systems of maritime vessels.

Customer benefits

Potential competitors include companies developing cybersecurity solutions for OT systems, such as Fortinet and Dragos.


One advantage over existing state-of-the-art methods is the novel use of cache access timings for anomaly detection, which is generally more difficult to evade than heuristics-based detection.


Additionally, to the best of our knowledge, most existing solutions for protecting PLCs reside outside the PLC, whereas part of this technology runs as an algorithm inside the PLC being protected. This gives the technology more visibility into the real-time behaviour of the PLC. The collector then forms part of the trusted base of the deployment: an attacker able to modify the control program may also attempt to stop or alter the collector, so its integrity and the regularity of its reports to the analysis host are themselves things the analysis side should verify.

Technology readiness level

TRL 4

Ideal collaboration partner

Ideal collaboration partners include vendors of PLC products; through further R&D it may be possible to extend the technology to cover those vendors' PLCs.


Companies in industries that rely heavily on PLCs for the automated control of physical processes would also be ideal partners for testing the technology in real environments.

Collaboration mode

We are open to R&D collaboration or test-bedding.