Researchers create ‘Shadow Figment’ cybersecurity decoy tech that lures attackers into a fake world

In recent years, hackers have increasingly targeted the physical systems we rely on to run our society. Electricity utilities, food processors, and aluminum manufacturers are just some of the industries that have been attacked recently, causing huge disruptions in the supply chain.

Fortunately, the innovative research of the Pacific Northwest National Laboratory (PNNL) offers a new tool in the fight against this type of cybercrime. They call it Shadow Figment.

With machine learning techniques, Shadow Figment gives a new twist to the concept known as a “honeypot”. Traditionally, a honeypot is a region of a site or network that contains what appear to be legitimate files and other information. It is used to attract and track hackers and to help identify the methods and techniques they use to gain access.

But with the development of intrusion methods and the field of cybersecurity itself, more sophisticated deception techniques have been required. Shadow Figment fulfills this need by creating an illusion that leads intruders to believe they have breached a working industrial control system when in fact they are isolated in a misrepresentation of the facility.

“The goal is to create bait for a particular control system so that an advanced attacker believes they have found what they are looking for,” explains Thomas Edgar, the cybersecurity researcher who led the PNNL project. “For example, the bait must look like it is part of an electrical system or part of a pipeline.”

Unlike data networks, industrial control systems (ICS) rely on myriad instruments and sensors to function. So while a static deception may work for a data honeypot, ICS decoys have to be much more dynamic and interactive to be convincing. Keeping the intruder engaged requires a compelling system that can provide the feedback needed to make them believe they have gained access to a legitimate target.

“The intruder will probe to see what this sensor is monitoring and what this controller is controlling,” Edgar said. “That way you can identify your goals.”

Cybersecurity specialists generally want to keep hackers in the honeypot for as long as possible, not only to learn about their techniques, but also to identify the weak points in the system so that they can be fixed. Shadow Figment does this by making intruders believe they are making progress, regularly rewarding them with false clues that their actions are having real results. This consumes the attacker’s time and distracts them from real assets, data and resources.

Accurately mapping hundreds, even thousands, of sensors and controllers is an enormous amount of work, especially when it is required for many different types of control systems. Shadow Figment’s machine learning approach achieves this by learning the expected outputs of the actual system. Using extrapolative machine learning techniques on the control system’s software back end, Shadow Figment is trained on the data the system generates and builds its models from that data.

From there, it can then simulate realistic behavior and produce compelling results in response to the intruder’s actions.
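As an added illustration (not PNNL’s code), here is a toy version of that idea: a model is fitted to readings recorded from the real plant, and the decoy controller then uses it to answer an intruder’s reads and writes with plausible values while logging every touch for the defenders. The heater dynamics, tag names and values are constructed for the example.

```python
from dataclasses import dataclass, field

def record_real_samples(steps=12):
    """Constructed stand-in for logging the live heater loop: the temperature
    lags toward the setpoint, and the setpoint is stepped midway through."""
    samples, temp = [], 20.0
    for i in range(steps):
        setpoint = 50.0 if i < steps // 2 else 70.0
        nxt = temp + 0.1 * (setpoint - temp)   # the real plant's (hidden) dynamics
        samples.append((temp, setpoint, nxt))
        temp = nxt
    return samples

def fit_lag_model(samples):
    """Least-squares fit of next_temp = a*temp + b*setpoint from recorded data
    (2x2 normal equations); this is the 'learned expected output' of the plant."""
    stt = sts = sss = stn = ssn = 0.0
    for t, s, n in samples:
        stt += t * t; sts += t * s; sss += s * s; stn += t * n; ssn += s * n
    det = stt * sss - sts * sts
    return (stn * sss - sts * ssn) / det, (stt * ssn - sts * stn) / det

@dataclass
class DecoyController:
    """Fake PLC: answers reads with model-predicted values, accepts writes so
    the intruder sees 'results', and logs every interaction for the defenders."""
    a: float
    b: float
    temp: float = 20.0
    setpoint: float = 50.0
    alerts: list = field(default_factory=list)

    def read(self, tag):
        self.alerts.append(f"READ {tag}")
        self.temp = self.a * self.temp + self.b * self.setpoint  # advance one tick
        return round({"TEMP": self.temp, "SETPOINT": self.setpoint}[tag], 2)

    def write(self, tag, value):
        self.alerts.append(f"WRITE {tag}={value}")  # nobody legitimate writes here
        if tag != "SETPOINT":
            return False
        self.setpoint = float(value)
        return True

if __name__ == "__main__":
    a, b = fit_lag_model(record_real_samples())
    decoy = DecoyController(a, b)
    decoy.write("SETPOINT", 70)
    print([decoy.read("TEMP") for _ in range(3)], decoy.alerts)
```

Because no legitimate operator ever talks to the decoy, every entry in `alerts` is a high-confidence signal for the defenders, while the intruder sees a temperature that responds to their setpoint change the way the real loop would.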

“We’re buying time so the defenders can take action to prevent bad things from happening,” Edgar said. “Sometimes just a few minutes are enough to stop an attack. However, Shadow Figment needs to be part of a broader cybersecurity defense program. There is no solution that is a miracle cure.”


The development of Shadow Figment and this approach is very timely. The number and severity of attacks on ICS facilities increased significantly during last year’s pandemic. With the potentially thousands of sensors, controllers, valves, heaters, pumps, etc. that can be accessed, anticipating every vulnerability in an industrial control system is a challenge. As soon as malicious actors compromise a facility, they can potentially generate incorrect readings, change chemical mixtures or overheat critical parts.

The potential for destruction and even death is growing. In February, a water treatment plant in Florida was infiltrated by a relatively inexperienced hacker. The attacker tried to increase the amount of caustic soda – also known as lye – in the city’s water supply to potentially lethal levels. Had the attacker been more cunning and hidden his presence, his actions might have been catastrophic.

There are still many types of vulnerabilities that deception defenses like Shadow Figment cannot protect against. For example, the most recent attack on the Colonial Pipeline, which cut off nearly half of the fuel supply on the US east coast, was the result of ransomware blocking the company’s billing system. While the physical pipeline itself was not at risk, it was shut down to prevent the possible spread of the infection. Regardless of the method used, such attacks are not only becoming more and more expensive, they are also disruptive.

In response to the growing need for new tools to prevent such attacks, PNNL developed its Proactive Adaptive Cybersecurity for Control Suite (PACiFiC). Conceived as a new approach to automated threat detection, the suite offers the possibility of making control systems measurably safer, more reliable, more robust and more resilient. Shadow Figment is one of five cybersecurity tools designed for the suite.

PNNL has applied for a patent on Shadow Figment, which is being developed into a commercial product by Attivo Networks, headquartered in Fremont, California, under a non-exclusive license. The PNNL team’s research was published in the Journal of Information Warfare last spring.

Since the dawn of the Internet, the complexity and prevalence of cybercrime have grown exponentially. From relatively few incidents in the early 1990s, the global cost of all forms of cybercrime has skyrocketed. Research firm Cybersecurity Ventures recently estimated that the global cost of cybercrime rose to $6 trillion in 2020.

In combating this explosive growth, the cybersecurity industry has rallied and developed tools to secure networks and recover data lost to such intruders. Shadow Figment and PACiFiC are another set of tools that help make a difference.
