The Department of Energy is integrating machine learning (ML) with a threat information-sharing tool it developed to find cybersecurity adversaries embedded in electric grid control systems.
DOE‘s Grid Modernization Laboratory Consortium (GMLC) consists of the Idaho, Argonne and Sandia national labs and the National Renewable Energy Laboratory — all working together on the Firmware Command and Control (FC2) project.
Firmware is often vulnerable, permanent software present in industrial control systems and operational technology (OT), and INL partnered with software company Forescout to ensure FC2’s cyber data analytics could detect firmware-centric vulnerabilities with ML.
“Embedded systems are black boxes with little insight on what subcomponents make up the code underneath, preventing protection and potentially rendering the system vulnerable,” said Rita Foster, infrastructure advisor at INL, in commentary. “Emerging machine-learning techniques enable the identification of ubiquitous libraries, which may contain known potential vulnerabilities.”
INL further developed the Structured Threat Intelligence Graph (STIG) for sharing of actionable threat information among grid utilities and OT vendors, who are notoriously stingy with such information. Rather than having threat analysts read thousands of lines of code, STIG visualizes relationships between attack patterns, compromise indicators and exploits and presents mitigations.
FC2, and GMLC more broadly, are helping utilities like Southern California Edison and Detroit Energies — which serve as large, expensive testbeds — augment their grid architectures. Meanwhile OT manufacturer partners like Siemens, Rockwell Automation, Eaton, GE, and Hitachi can develop better cyber protections.
“The need for an analysis tool to share security threat information and intelligence has escalated, and existing tools have proven to be inadequate,” Foster said.
A number of big-name OT manufacturers the government employs — Emerson, Honeywell, Mitsubishi Electric, Rockwell Automation, and Schneider Electric — do business with InterNiche, whose stack was revealed to have 14 newly discovered vulnerabilities Wednesday.
Forescout Research Labs and JFrog Security Research disclosed set, dubbed INFRA:HALT, as part of the former’s Project Memoria. The vulnerabilities allow for remote code execution, denial of service, information leaking, transmission control protocol spoofing, and Domain Name System cache poisoning, which could compromise OT and critical infrastructure like the electric grid.
Forescout’s report recommends utilities limit the network exposure of critical vulnerable devices through network segmentation, apply patches once vendors release them, and block or disable support for unused protocols like HTTP.
The 14 vulnerabilities were discovered using cutting-edge automate binary analysis for large-scale vulnerability finding.
“We believe that the cybersecurity community is at a turning point, and soon automated vulnerability discovery techniques will become more common, which should make finding very large-scale vulnerabilities, such as those affecting TCP/IP stacks, faster and more frequent,” reads the report. “All these vulnerabilities, however, will have to be disclosed, mapped to affected devices and mitigated.”