You don’t have to be William Tell with a bow and arrow to know that a smaller target is harder to hit. In today’s world of cybersecurity, the fewer opportunities there are for hackers to make trouble, the less chance there is of it happening. OpDefender, an innovation developed at Idaho National Laboratory for the U.S. Department of Homeland Security (DHS), is based on the principle of limiting the attack surface to the greatest possible extent.
Operational control technology exists throughout the nation’s critical infrastructure at all levels. It switches breakers at substations, opens floodgates at dams, and turns valves off and on at oil refineries and water treatment plants. Left wide open, industrial control systems are vulnerable to the point that anyone with basic programming skills and a desire can shut down a substation, leaving thousands of people in the dark.
“It would only take about 40 lines of code,” said Briam Johnson, an INL cybersecurity engineer.
How it works
OpDefender works on the premise that no device on a control systems network can be trusted. It incorporates network switches that analyze and filter network traffic packets in real time, allowing operators to impose “whitelisting” rules. Its human-machine interface ensures that no device can communicate with the network until an operator has configured it. When the network receives data transmitted from a device that has not been whitelisted, an alarm goes off by default.
The proprietary software in OpDefender allows it to act as a “smart” switch, distinguishing between routine and questionable communications. When a rogue communication appears, it quarantines the questionable packet and alerts a human operator. The operator then uses a straightforward interface to control what commands reach the industrial control system.
Unlike detection systems that require span ports and big data analysis, OpDefender analyzes packets in real time and only flags violations. It doesn’t require large data training sets to determine a normal state, which allows it to be scaled and applied more easily than other solutions. It doesn’t require malware signatures, which gives it the ability to detect zero-day attacks (hackers exploiting a vulnerability before the software developer can find a fix).
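As an added illustration, not INL’s code and not OpDefender’s actual implementation, the following Python sketch models the default-deny behaviour described above: a flow is forwarded only if an operator has whitelisted it, anything else is quarantined and raises an alarm, and the operator then decides whether to release it (learning a rule) or drop it. The device names, the flow key and the Modbus function codes in the sample traffic are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Flow identity used for whitelist rules: (source, destination, protocol, function).
# The key fields are an assumption for this example; the real product is not public.
Flow = Tuple[str, str, str, int]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    func: int          # e.g. Modbus function code 3 = read holding, 5 = write coil
    payload: bytes = b""

@dataclass
class Switch:
    rules: Set[Flow] = field(default_factory=set)
    quarantine: List[Packet] = field(default_factory=list)
    alarms: List[str] = field(default_factory=list)

    def permit(self, src: str, dst: str, proto: str, func: int) -> None:
        """Operator-configured rule: until one exists, the flow is not forwarded."""
        self.rules.add((src, dst, proto, func))

    def inspect(self, pkt: Packet) -> str:
        """Default deny: forward only listed flows, otherwise quarantine and alarm."""
        key: Flow = (pkt.src, pkt.dst, pkt.proto, pkt.func)
        if key in self.rules:
            return "forward"
        self.quarantine.append(pkt)
        self.alarms.append(f"unlisted flow {key}")
        return "quarantine"

    def operator_decide(self, index: int, allow: bool) -> str:
        """Human in the loop: release a held packet (learning its rule) or drop it."""
        pkt = self.quarantine.pop(index)
        if not allow:
            return "dropped"
        self.permit(pkt.src, pkt.dst, pkt.proto, pkt.func)
        return "released"

def demo() -> Switch:
    """Constructed sample traffic between an HMI, a substation RTU and an unknown host."""
    sw = Switch()
    sw.permit("hmi", "rtu-1", "modbus", 3)                # routine polling is whitelisted
    sw.inspect(Packet("hmi", "rtu-1", "modbus", 3))       # forwarded
    sw.inspect(Packet("hmi", "rtu-1", "modbus", 5))       # same pair, unlisted write: held
    sw.inspect(Packet("laptop", "rtu-1", "modbus", 3))    # unconfigured device: held
    return sw
```

Note that a device is never trusted as a whole: the second packet comes from the already-whitelisted HMI but uses a function no operator has approved, so it is held just like traffic from an unknown host.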
Tried and tested
During a full-scale test at INL’s Critical Infrastructure Test Range, which has its own transmission grid and distribution infrastructure, researchers launched 14 different novel attacks with the goal of disabling major power equipment. Without OpDefender, every attack was successful. When OpDefender was applied, however, every attack failed and generated an alarm, alerting operators to take appropriate action.
“It was a demonstration to show what could happen,” Johnson said. “If you can get in, it doesn’t take much.”
Incorporating a human in the loop is one of the most important ways OpDefender blends automated controls with the flexibility required in industrial operations. It permits OpDefender to continuously adapt to any operational scenario.
Work on the innovation started in 2015 with Laboratory Directed Research and Development funding. At that time, everyone knew the threat existed. But in December that year, Russia hacked the power grid of Ukraine, causing power outages that affected more than 250,000 people for hours. Another attack on Ukrainian resources came the following year, and the issue hit home in the U.S. with the 2021 ransomware attack on the Colonial Pipeline.
“I don’t think there’s any one answer,” Johnson said. “Trying to minimize your attack surface is a good starting point.”
Some potential industrial users have shown interest in OpDefender, and Johnson said that with INL’s resources and reputation behind it, he hopes there will be more. In 2021 it garnered INL the Far West Regional Award for Outstanding Technology Development from the Federal Laboratory Consortium for Technology Transfer.
Wider support from Homeland Security
Critical support for OpDefender has come from the DHS Science and Technology Directorate’s (S&T) Commercialization Accelerator Program (CAP). The program’s mission is to identify mature, federally funded technology and transfer it to the commercial market where it is available to all homeland security end users. This is done by developing partnerships and connecting federal researchers, network operators and executives from private industry – groups without a consistent history of interaction.
“It’s been a very important program to us in the advancement of intellectual property,” said Jonathan Cook, an INL commercialization manager. There’s more to technology deployment than finding a company that wants to run with an innovation coming out of a lab or university. The divide between the research phase and commercialization phase is known as the “valley of death.” DHS S&T CAP is developing better lines of communication to bring solutions to the marketplace.
“It’s often working together to find what’s needed to keep developing the technology after it’s been licensed,” Cook said. “It’s a lot to ask of a small company with limited resources to take a risk. Once a product is licensed, we still need outside funding to provide programmatic support for researchers.”