WeaselBoard: Zero-Day Exploit Detection for Programmable Logic Controllers

Post by Sabre »

Sandia
Critical infrastructures, such as electrical power plants and oil refineries, rely on PLCs to control essential processes. State of the art security cannot detect attacks on PLCs at the hardware or firmware level. This renders critical infrastructure control systems vulnerable to costly and dangerous attacks.

Most attacks on control systems focus on network communications, Windows PCs, and PLC logic, but not on PLCs at the hardware or firmware level. PLCs are currently not monitored for security compromise.

These industrial control system (ICS) components receive little attention as an asset requiring security monitoring. Recent high profile events like the Stuxnet attack (2010) and Digital Bond's Basecamp (2012) have highlighted this critical vulnerability.

There is a critical need to inspect and monitor PLC hardware and firmware, and create an assurance platform for responding to attacks as these systems scale up in the future. Millions of dollars in equipment damage, lost uptime, and ultimately, casualties among operating personnel can be prevented by early detection.

1.1 Technical Approach
WeaselBoard captures and analyzes backplane communications between PLC modules. WeaselBoard connects directly to the PLC backplane either in a chassis or an ICS and forwards inter-module traffic to an external analysis system.

WeaselBoard takes the signals from the backplane and sends them to the analysis workstation using a custom protocol called WeaselTalk. Analysis software displays the backplane traffic, which is similar to network traffic, but is based on proprietary physical layer protocols. The analysis workstation then extracts fields at each protocol layer. These fields have been tested using mechanisms to identify malicious behavior: a rule set and a machine-learning algorithm. The rules-based mechanism causes an alert when predetermined behavior is seen, and can be customized to process-specific limits. The machine-learning algorithm is a Bayesian classifier trained to alert on traffic classified into known bad states.

Using this system, operators can detect any compromise that affects the process because WeaselBoard alerts on the effects of the attack in progress, not on signatures of previously catalogued attacks. This allows zero-day exploits to be detected, unlike systems using signature-based detection methods.
...
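The post describes two detection mechanisms running on the analysis workstation: a rule set with process-specific limits, and a Bayesian classifier trained on traffic labelled as known bad states. The following is an added example of that pairing, not code from Sandia or the WeaselBoard project. The record fields, opcodes, slot layout, limits and training traffic are all constructed for illustration; the real WeaselTalk field set is not described in the post. The rules alert on effects (an output written out of range, a firmware write while the PLC is running) rather than on signatures of any specific attack.

```python
"""Rule-based plus naive-Bayes anomaly detection over constructed PLC backplane records.

Added example: field names, opcodes, limits and training data are hypothetical.
"""
from __future__ import annotations

import math
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackplaneRecord:
    """One decoded inter-module message (hypothetical field names)."""
    src_slot: int   # chassis slot that sent the message
    dst_slot: int   # chassis slot that receives it
    opcode: str     # READ_INPUT, WRITE_OUTPUT or FIRMWARE_WRITE (invented names)
    value: int      # payload value, e.g. an output setpoint in percent
    plc_mode: str   # RUN or PROGRAM, as reported by the CPU module


# Rule set: process-specific limits an operator configures. Hypothetical:
# output setpoints must stay within 0..100 percent.
OUTPUT_LIMITS = {"WRITE_OUTPUT": (0, 100)}


def rule_alerts(rec: BackplaneRecord) -> list[str]:
    """Return the names of the rules that fire on this record (empty if none)."""
    alerts = []
    # A module reflash while the PLC is executing logic is never expected.
    if rec.opcode == "FIRMWARE_WRITE" and rec.plc_mode == "RUN":
        alerts.append("firmware_write_in_run_mode")
    # An output write outside the configured process limits: the effect of
    # a compromise, whatever the exploit that caused it.
    lo, hi = OUTPUT_LIMITS.get(rec.opcode, (None, None))
    if lo is not None and not lo <= rec.value <= hi:
        alerts.append("output_out_of_limits")
    # Only the CPU in slot 0 should write outputs (hypothetical chassis layout).
    if rec.opcode == "WRITE_OUTPUT" and rec.src_slot != 0:
        alerts.append("unexpected_output_writer")
    return alerts


def _features(rec: BackplaneRecord) -> dict[str, str]:
    """Discretise a record into categorical features for the classifier."""
    lo, hi = OUTPUT_LIMITS.get(rec.opcode, (None, None))
    in_range = "n/a" if lo is None else ("in" if lo <= rec.value <= hi else "out")
    return {"opcode": rec.opcode, "src": str(rec.src_slot),
            "mode": rec.plc_mode, "range": in_range}


class NaiveBayes:
    """Naive Bayes over categorical features with Laplace (add-one) smoothing."""

    def __init__(self) -> None:
        self.class_counts: Counter[str] = Counter()
        self.feat_counts = defaultdict(lambda: defaultdict(Counter))
        self.vocab: dict[str, set[str]] = defaultdict(set)

    def fit(self, samples) -> "NaiveBayes":
        for rec, label in samples:
            self.class_counts[label] += 1
            for name, val in _features(rec).items():
                self.feat_counts[label][name][val] += 1
                self.vocab[name].add(val)
        return self

    def log_posteriors(self, rec: BackplaneRecord) -> dict[str, float]:
        total = sum(self.class_counts.values())
        feats = _features(rec)
        out = {}
        for label, n in self.class_counts.items():
            lp = math.log(n / total)  # class prior
            for name, val in feats.items():
                count = self.feat_counts[label][name][val]
                k = len(self.vocab[name]) + 1  # one extra bucket for unseen values
                lp += math.log((count + 1) / (n + k))
            out[label] = lp
        return out

    def predict(self, rec: BackplaneRecord) -> str:
        lps = self.log_posteriors(rec)
        return max(lps, key=lps.get)


# Constructed training traffic: ordinary scan-cycle messages labelled "good",
# and messages captured during known bad states labelled "bad".
TRAINING = [
    (BackplaneRecord(0, 1, "READ_INPUT", 0, "RUN"), "good"),
    (BackplaneRecord(0, 2, "WRITE_OUTPUT", 40, "RUN"), "good"),
    (BackplaneRecord(0, 2, "WRITE_OUTPUT", 55, "RUN"), "good"),
    (BackplaneRecord(0, 1, "READ_INPUT", 0, "RUN"), "good"),
    (BackplaneRecord(0, 0, "FIRMWARE_WRITE", 0, "PROGRAM"), "good"),
    (BackplaneRecord(3, 0, "FIRMWARE_WRITE", 0, "RUN"), "bad"),
    (BackplaneRecord(5, 0, "FIRMWARE_WRITE", 0, "RUN"), "bad"),
    (BackplaneRecord(3, 2, "WRITE_OUTPUT", 250, "RUN"), "bad"),
    (BackplaneRecord(0, 2, "WRITE_OUTPUT", 130, "RUN"), "bad"),
]


def analyse(records) -> list[tuple[list[str], str]]:
    """Run both mechanisms over decoded records; returns (rule alerts, class) per record."""
    clf = NaiveBayes().fit(TRAINING)
    return [(rule_alerts(r), clf.predict(r)) for r in records]


if __name__ == "__main__":
    stream = [
        BackplaneRecord(0, 2, "WRITE_OUTPUT", 45, "RUN"),    # normal setpoint
        BackplaneRecord(0, 2, "WRITE_OUTPUT", 180, "RUN"),   # out-of-range output
        BackplaneRecord(4, 0, "FIRMWARE_WRITE", 0, "RUN"),   # reflash from an unseen slot
    ]
    for rec, (alerts, label) in zip(stream, analyse(stream)):
        print(f"{rec.opcode:<15} value={rec.value:<4} rules={alerts} class={label}")
```

The third record comes from a slot the classifier has never seen, which is exactly the zero-day situation the post is about: the smoothing keeps the unseen value from zeroing out either class, and the record is still flagged because the firmware-write-during-RUN combination resembles the bad training traffic, while the rule set catches it independently. In practice the rule thresholds would be the plant's own limits and the training set would be captured from the real chassis.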