The Cyber-Physical Security Lab @ Georgia Tech team that worked on PLCHound (from left to right: Raheem Beyah, Ryan Pickren, Sam Zonouz; not pictured: Frank Li, Animesh Chhotaray).

Behind the normalcy of daily life is critical infrastructure.

It is responsible for keeping water clean, providing electricity, and keeping supply chains moving so that the needs of countless people around the world are met.

As with most systems, the technology that operates, manages, and monitors critical infrastructure can be connected to the internet, which exposes it to remote cyberattacks.

Just last year, a water treatment plant in Pennsylvania was attacked by Iranian hackers and taken offline. Russia is also currently using cyberattacks to interfere with the Ukrainian power grid.

These attacks are becoming more frequent and more powerful, with the capability to shut down large operations, adversely affecting millions of people.

An Algorithm Focused on Online Vulnerabilities

A Georgia Tech School of Electrical and Computer Engineering (ECE) team led by Ph.D. student Ryan Pickren is working to stop these malicious attacks.

Pickren, along with Associate Professor Saman Zonouz, Assistant Professor Frank Li, Professor and Dean of the College of Engineering Raheem Beyah, and research scientist Animesh Chhotaray, has developed an algorithm that enhances critical infrastructure security by more accurately identifying devices vulnerable to remote cyberattacks.

“Attackers are actively using the public Internet to attack vulnerable systems, so defenders need to understand which devices are susceptible,” Pickren said.

This new study builds on a previous collaboration between Georgia Tech and WAGO, a German industrial automation solutions provider. Pickren previously discovered zero-day vulnerabilities in WAGO controllers, which led to the company implementing security patches in 2023.

Pickren’s latest research aimed to assess the global impact of these security issues by identifying real-world instances of vulnerable WAGO devices. This study uncovered significantly more vulnerable systems worldwide than previously believed, underscoring the ongoing risks and the importance of advancing security measures to protect critical services from cyberattacks.

"Effective industrial control system cybersecurity relies on robust network defenses," Pickren said. "Algorithms that can identify vulnerable devices in large, noisy network data are a key part of this defense."

The Role of Industrial Control Systems and Programmable Logic Controllers

Many critical infrastructure operations are controlled by industrial control systems (ICS). A single ICS can control up to thousands of distributed devices in an industrial setting, such as sensors and manufacturing instruments.

Image: ECE Associate Professor Frank Li

Image: Research Scientist Animesh Chhotaray

At the center of these systems are programmable logic controllers (PLCs), which act as the command center for the whole operation.

Many of these sensors and other devices are connected to PLCs over the internet, but the scale of that exposure was previously unknown. The algorithm created by Pickren and the team identified 37 times more internet-connected devices than previous estimates.

Devices unknowingly connected to the internet are less likely to be secured and leave the linked PLCs exposed to remote exploitation.

“Modern PLCs speak many different networking protocols, each of which exposes a unique fingerprint that actually changes over time depending on the firmware version and other customer-defined settings,” Pickren said. “Simplistic IoT search engine queries don’t capture the total population anymore.”
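To make the point in that quote concrete, here is an added illustration written for this page; it is not PLCHound's code or the team's method. The vendor "ACME", the product "XPLC", the banner formats, the protocol field names and the IP addresses are all constructed. It contrasts the single literal-string query an IoT search engine would run with a per-host, per-protocol scoring that tolerates firmware-dependent banner changes and requires corroboration before a weak signal is counted:

```python
import re
from collections import defaultdict

# Constructed, hypothetical scan records in the shape an internet-wide scan
# database exports: one record per (host, port) with the banner the service
# returned. Vendor, product, versions and addresses are made up; none of these
# are real PLC fingerprints.
RECORDS = [
    # host A: older firmware, the HTTP Server header names the product outright
    {"ip": "192.0.2.10", "port": 80,   "proto": "http",   "banner": "HTTP/1.1 200 OK\r\nServer: ACME-PLC/3.1.4\r\n"},
    {"ip": "192.0.2.10", "port": 502,  "proto": "modbus", "banner": "vendor=ACME product=XPLC rev=03.01.04"},
    # host B: newer firmware renamed the web server; only Modbus still names the vendor
    {"ip": "192.0.2.11", "port": 443,  "proto": "https",  "banner": "HTTP/1.1 200 OK\r\nServer: acme-httpd\r\n"},
    {"ip": "192.0.2.11", "port": 502,  "proto": "modbus", "banner": "vendor=ACME product=XPLC rev=04.00.01"},
    # host C: web UI behind a reverse proxy, but the OPC UA endpoint still answers
    {"ip": "192.0.2.12", "port": 80,   "proto": "http",   "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n<title>XPLC Controller Management</title>"},
    {"ip": "192.0.2.12", "port": 4840, "proto": "opcua",  "banner": "ProductUri=urn:acme:xplc SoftwareVersion=4.0.1"},
    # host D: another vendor's gateway speaking Modbus; must not be counted
    {"ip": "192.0.2.13", "port": 502,  "proto": "modbus", "banner": "vendor=Other product=Gateway rev=1.2"},
    # host E: only a web title hints at the product; too weak to confirm on its own
    {"ip": "198.51.100.5", "port": 80, "proto": "http",   "banner": "HTTP/1.1 200 OK\r\nServer: nginx\r\n<title>XPLC Controller Management</title>"},
]


def naive_query(records, needle="ACME-PLC"):
    """What a single search-engine string query returns: hosts whose banner contains the literal."""
    return {r["ip"] for r in records if needle in r["banner"]}


# Per-protocol evidence rules: (protocol, regex, weight). Strong evidence (a vendor
# field in an industrial protocol, or the old product-naming Server header) is
# enough on its own; weak evidence (a product name in a web page title) only
# counts when another protocol on the same host corroborates it. A capture group,
# where present, extracts the firmware version.
SIGNALS = [
    ("http",   re.compile(r"Server: ACME-PLC/(\S+)"), 3),
    ("https",  re.compile(r"Server: ACME-PLC/(\S+)"), 3),
    ("http",   re.compile(r"Server: acme-httpd"), 2),
    ("https",  re.compile(r"Server: acme-httpd"), 2),
    ("modbus", re.compile(r"vendor=ACME .*rev=(\S+)"), 3),
    ("opcua",  re.compile(r"ProductUri=urn:acme:.*SoftwareVersion=(\S+)"), 3),
    ("http",   re.compile(r"<title>XPLC Controller Management</title>"), 1),
    ("https",  re.compile(r"<title>XPLC Controller Management</title>"), 1),
]
THRESHOLD = 3  # minimum summed weight before a host is counted as confirmed


def score_hosts(records, signals=SIGNALS):
    """Aggregate evidence per host across every protocol it exposes."""
    hosts = defaultdict(lambda: {"score": 0, "evidence": [], "version": None})
    for r in records:
        for proto, pat, weight in signals:
            if r["proto"] != proto:
                continue
            m = pat.search(r["banner"])
            if not m:
                continue
            h = hosts[r["ip"]]
            h["score"] += weight
            h["evidence"].append(f"{proto}:{r['port']}")
            if m.lastindex and h["version"] is None:
                h["version"] = m.group(1)
    return dict(hosts)


def confirmed_hosts(records, threshold=THRESHOLD):
    """Hosts with enough corroborated evidence to be counted as the target PLC."""
    return {ip for ip, h in score_hosts(records).items() if h["score"] >= threshold}


def normalize_version(v):
    """'03.01.04' (Modbus) and '3.1.4' (HTTP) name the same firmware; strip leading zeros."""
    return ".".join(str(int(p)) if p.isdigit() else p for p in v.split("."))


def versions_by_host(records, threshold=THRESHOLD):
    """Firmware version per confirmed host, so the population can be split by version."""
    return {ip: normalize_version(h["version"])
            for ip, h in score_hosts(records).items()
            if h["score"] >= threshold and h["version"]}


def undercount_factor(records):
    """How many times larger the corroborated population is than the literal query's."""
    return len(confirmed_hosts(records)) / len(naive_query(records))


if __name__ == "__main__":
    print("literal query:", sorted(naive_query(RECORDS)))
    print("confirmed    :", sorted(confirmed_hosts(RECORDS)))
    print("versions     :", versions_by_host(RECORDS))
    print("undercount   : %.1fx" % undercount_factor(RECORDS))
```

The gap between the two counts is the kind of undercount the article describes: the literal query sees only the host whose old firmware still advertises the product in its Server header, while the corroborated scoring also finds the hosts whose web banner changed with a firmware update or sits behind a proxy. The threshold is a deliberate trade-off: host E, with nothing but a web title, stays a candidate rather than a confirmed device, which avoids counting a look-alike page but will miss a PLC that exposes only its web UI. The article says PLCHound replaces hand-written rules like these with NLP and ML models over far noisier data.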

Image: PLCs. PLCHound was tested on a number of PLC models, such as the ones pictured.

The Power of PLCHound

The algorithm, named PLCHound, uses natural language processing (NLP) and machine learning (ML) techniques to sift through large databases of internet scan records and log the IP address and security status of each internet-connected device it identifies.

Using this data, the team was able to contact exposed entities such as airports, hospitals, and government offices to inform them of their vulnerabilities.

The algorithm is already having an effect: a follow-up scan just a month later showed that 34 percent of the exposed IP addresses the team had identified worldwide were no longer exposing a PLC.

“We actively work on this topic as a part of the U.S. Department of Energy’s DerGuard project, so I am confident that percentage will continue to grow,” Zonouz said.

Early Interest Shows Bright Future

The work is also drawing significant interest from government and industry stakeholders. In 2023, a congressional group visited Zonouz's Cyber-Physical Systems Security Lab, where the research is being done, to see the work firsthand.

Image: Critical infrastructure components. Many different components make up critical infrastructure systems; PLCHound is designed to find the ones that are exposed to the internet so they can be secured.

Additionally, Zonouz presented the algorithm to an audience of thousands from both industry and academia at the U.S. Department of Energy's Cybersecurity and Technology Innovation Conference.

Next week, Pickren is set to present the research at the 2024 Association for Computing Machinery Conference on Computer and Communications Security, in Salt Lake City, Utah.

The group is pursuing a patent for the algorithm, so it can be made available for wider use and to ensure critical infrastructure remains protected.

“This algorithm will be an important tool against cyberattacks,” Pickren said. “Though we detected and helped secure many vulnerabilities already, systems and technology are always evolving. Something that’s secure today may not be secure tomorrow and this algorithm will ensure PLCs of all kinds remain protected well into the future.”
