National Lab Tests Network Fingerprinting System
By Samuel Greengard | Posted 2015-03-04
The Savannah River National Lab is turning to network fingerprinting technology to detect changes in power consumption that can indicate a security breach.
As security challenges continue to mount, a growing number of organizations are approaching the task with the thinking that it's not a question of if they will be attacked, but rather when.
At the Savannah River National Laboratory, which conducts applied research and development for the U.S. Department of Energy (DOE), protecting sensitive data is critical. The facility handles everything from nuclear weapons disposal to developing next-generation energy technologies.
"We have many of the same concerns about security as any government site," says Joe Cordaro, advisory engineer for the facility, which is located in Aiken, S.C. "But because we have a mission to support critical infrastructure and monitor the grid, there's a need to maintain the highest level of cyber-security protection within our network and across other computer systems."
As a result, the lab relies on an array of traditional and advanced cyber-security tools and protections.
Recently, the Savannah River National Laboratory began testing network fingerprinting technology from PFP Cybersecurity to improve its monitoring capabilities. "While there's a clear need for traditional security tools such as firewalls, scanning and patching, the growing frequency of zero day attacks introduces a level of threat and harm that hasn't previously existed," Cordaro explains.
The anomaly-based detection technology, which runs independent of the network, detects unauthorized tampering and other malicious intrusions in critical systems with a high degree of accuracy, and across execution stacks. "It is able to detect extremely minute code changes," Cordaro says.
The technology, which works by picking up the power draw from processors or radio frequency (RF) emissions from a processor, uses the signals to generate unique sets of signatures for normal operations. Through continuous monitoring, the system can detect a change in the normal pattern of power consumption or RF radiation, which can indicate a security breach. When a change occurs, IT and security staff members immediately receive an alert so they can investigate.
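The baseline-and-deviation approach described above can be sketched as follows. This is an added illustration, not PFP Cybersecurity's algorithm or code from the lab: the feature set (mean, spread, low DFT bins), the window size, the alert threshold and the synthetic power trace are all assumptions.

```python
import math, random, statistics

WINDOW = 64  # samples per analysis window (assumed)

def features(w):
    """Signature of one window: mean, spread, and magnitudes of DFT bins 1-8."""
    n, mean = len(w), sum(w) / len(w)
    feats = [mean, statistics.pstdev(w)]
    for k in range(1, 9):
        re = sum((x - mean) * math.cos(2 * math.pi * k * i / n) for i, x in enumerate(w))
        im = sum((x - mean) * math.sin(2 * math.pi * k * i / n) for i, x in enumerate(w))
        feats.append(math.hypot(re, im) / n)
    return feats

def windows(trace):
    return [trace[i:i + WINDOW] for i in range(0, len(trace) - WINDOW + 1, WINDOW)]

def build_baseline(trace):
    """Per-feature mean and spread across windows recorded in a known-good state."""
    cols = zip(*(features(w) for w in windows(trace)))
    return [(statistics.mean(c), statistics.pstdev(c) or 1e-9) for c in cols]

def score(w, baseline):
    """Largest z-score of any feature relative to the baseline signature."""
    return max(abs(f - m) / s for f, (m, s) in zip(features(w), baseline))

def monitor(trace, baseline, threshold=8.0):
    """Indices of windows that deviate from the baseline enough to alert on."""
    return [i for i, w in enumerate(windows(trace)) if score(w, baseline) > threshold]

def synth_trace(n_windows, seed, extra_from=None):
    """Constructed trace: a control loop (period 16) plus measurement noise.
    From window `extra_from` on, an added routine contributes a faint period-8 draw."""
    rng, out = random.Random(seed), []
    for i in range(n_windows * WINDOW):
        v = 1.0 + 0.2 * math.sin(2 * math.pi * i / 16) + rng.gauss(0, 0.02)
        if extra_from is not None and i >= extra_from * WINDOW:
            v += 0.05 * math.sin(2 * math.pi * i / 8)
        out.append(v)
    return out

if __name__ == "__main__":
    baseline = build_baseline(synth_trace(200, seed=1))
    print("clean:   ", monitor(synth_trace(20, seed=2), baseline))
    print("modified:", monitor(synth_trace(20, seed=3, extra_from=12), baseline))
```

The added component is a quarter of the loop's amplitude and barely moves the mean or overall spread; it is caught because the baseline learned that its frequency bin carries only noise during normal operation.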
"The code change could be caused by a hardware issue or because malware has been introduced into the system," Cordaro says. "This makes it possible to detect a threat, such as when a piece of malware—something like Stuxnet—moves from a dormant to an active phase. Otherwise, there's no visible sign of infection. Malware increasingly operates in the shadows."
Cordaro believes that the fingerprinting technology will play an increasingly key role in monitoring critical systems across a wide range of industries and within government. "We have already seen instances where a device built or imported from another country had a vulnerability embedded in it due to the manufacturer, supplier or another party inserting it," he reports. "It's a scary scenario for U.S. industry, regardless of whether the equipment is designed for use in the automotive industry or as critical infrastructure."
Although the Savannah River Laboratory is in the early stages of testing and deploying the fingerprinting technology, Cordaro says it appears promising. "Because you can use the technology across multiple systems and devices, and it runs completely independently, it has tremendous potential," he concludes. "It fills a gap and introduces real-time monitoring.
"The additional layers of cyber-defense translate into better protection. The detection of zero day attacks is not easily solved by any other method."