Friday, February 24, 2012

Intrusion Detection for Embedded Control Systems

Digital Bond's SCADA Security Scientific Symposium (S4)

S4 did include one paper from academia, IDS for Embedded Control Systems, presented by Jason Reeves of Dartmouth College and the TCIPG effort. Jason and a TCIPG team had previously developed a research product called Autoscopy and have recently enhanced it as Autoscopy Jr.

The primary purpose of Autoscopy Jr. is to detect rootkits on embedded control systems while limiting the overhead to less than 5%. The primary method is to monitor the sequence of executed instructions in a learning phase and then, once learning is complete, detect behavior that is indicative of rootkits. Jason refers to it as something akin to function-level whitelisting.
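The learn-then-detect idea can be sketched in user space as an added illustration; this is not Autoscopy Jr.'s code. It assumes the monitored control flow is reduced to (call site, target) pairs, and every name and address in it is constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* One observed control transfer: where the call was made and where it landed.
   Assumption of this sketch: probes report transfers as such pairs. */
struct xfer { uint32_t site; uint32_t target; };

#define MAX_LEARNED 64
static struct xfer learned[MAX_LEARNED];
static size_t n_learned;

static int is_learned(struct xfer x) {
    for (size_t i = 0; i < n_learned; i++)
        if (learned[i].site == x.site && learned[i].target == x.target)
            return 1;
    return 0;
}

/* Learning phase: record each distinct transfer seen on a known-clean run.
   Returns 0 on success, -1 if the whitelist is full. */
int learn(const struct xfer *trace, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (is_learned(trace[i])) continue;
        if (n_learned == MAX_LEARNED) return -1;
        learned[n_learned++] = trace[i];
    }
    return 0;
}

/* Detection phase: count transfers missing from the whitelist and store the
   index of the first one in *first (left untouched when there are none). */
size_t detect(const struct xfer *trace, size_t n, size_t *first) {
    size_t alerts = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_learned(trace[i])) continue;
        if (alerts == 0 && first) *first = i;
        alerts++;
    }
    return alerts;
}

/* Constructed traces: in hooked_run the call at site 0x1010 lands on an
   address that was never seen while learning, as a hooked pointer would. */
static const struct xfer clean_run[] = {
    {0x1000, 0x2000}, {0x1010, 0x2100}, {0x1000, 0x2000}, {0x1020, 0x2200} };
static const struct xfer hooked_run[] = {
    {0x1000, 0x2000}, {0x1010, 0x9f00}, {0x1020, 0x2200} };

int main(void) {
    size_t first = 0;
    if (learn(clean_run, 4) != 0) return 1;
    size_t alerts = detect(hooked_run, 3, &first);
    printf("alerts=%zu first_index=%zu\n", alerts, first);
    return 0;
}
```

A whitelist built this way only covers paths exercised during learning, so a clean but rarely taken path would also raise an alert.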

It’s a detailed technical talk worth watching if you are interested in the future of IDS in PLCs, RTUs and other field devices. The performance testing showed it was under the 5% threshold and there were ways to improve the performance further by identifying the most resource-intensive Kprobes.

The effectiveness is an open question. The team did test this against 15 rootkits that attempted control flow hijacking, but there was not a set of real-world embedded system rootkits to test against.

Refer here to watch the presentation video.

