This company says that they have built a lie detector for machines.
With organizations like WikiLeaks bringing the theft of Hillary Clinton’s campaign’s private email into public view, the 2016 presidential elections powerfully demonstrated how hackers can have an outsized effect on world affairs. No longer simply an issue of young hackers breaking into systems for fun, or criminals stealing valuable information from corporations, the potential damage from cyber attacks has raised concerns across many industries.
One of the sectors realizing that it needs to up its cyber game is industry: facilities dealing with power, water, manufacturing, pharmaceuticals, smart cities, and many others that can be called critical infrastructure.
Now a new company called Aperio Systems out of Israel is throwing their hat in the ring, coming out of stealth today to bring a new perspective on how to tackle the issue of monitoring industrial systems.
Founded in January, the Haifa-based startup has developed an on-premises and SaaS solution that they say is a lie detector for machines and physical data. Aperio is led by co-founders CEO Yevgeni Nogin and VP Product Michael Shalyt, as well as Head of Algorithms Itay Baruchi and Chief Scientific Officer Charles Tresser.
Attacks on countries like Iran and Ukraine have shown what a sophisticated and powerful attack can do from afar, slowly destroying turbines at a nuclear facility or simply shutting off the power grid.
In the case of the joint Israeli-American attack on Iran’s uranium enrichment program, hackers succeeded in speeding up the turbines gradually over time, causing them to wear down much faster than expected and slowing the Iranian effort to produce enriched nuclear material to a crawl. What is interesting about this attack, among many aspects, is not just that they were able to overcome the air gaps and infiltrate the system with their malicious code, but that they could keep it hidden from the monitors for so long while it carried out its task.
While this case may have been a success in damaging a potentially dangerous Iranian process, it highlights the risk posed to the entire industrial sector, which can no longer trust what its instruments are telling it. The consequences here can be devastating. Unlike a website or network that is hit by an attack and is forced to shut down, an infected generator that is forced to speed up can explode, bringing down important operations for long stretches of time and possibly killing people.
Over the past year, we have seen a number of companies coming to the stage, offering high level protection for industrial networks. Names like Claroty, Indegy, CyberX, and others have raised big rounds to bring their solutions to market, and by all appearances are being well received.
Whereas most other providers bring protections for the new mixing of operational technology (OT) and IT networks, Aperio Systems combines elements from math, physics, and engineering to produce a solution that protects the physical equipment at a site.
“What we care about is the physical equipment that is under that network,” says Shalyt. “You can think about it as three layers, the IT, OT, and the physical layer. Everyone is focusing on the digital realm, with many actors going into this field. Our approach is different.”
Their theory is that while digital data can be reproduced, physical data is much harder to fake. The product that they have come up with is called the Data Forgery Protection™ (DFP), and it looks for signs that the machine reporting systems are sending back something other than the truth.
Hackers looking to trick a monitoring system have a number of options at their disposal, which can be broken down into three general categories. The first is a replay attack, where the hacker records the state when the equipment was working normally and sends it back on a loop. Think about the Ocean's Eleven vault scene. The next is synthetic data generation, where code is used to generate the numbers that the monitor is looking for, adding fluctuations to make them look more natural. Finally there is the transform attack, which is a bit more sophisticated. Here the current measurements of the system under attack are taken in real time, but the reporting is altered. In this case, the attacker could double the activity of a piece of equipment, but then report only half of that value.
“We in Aperio use several different statistical models with machine learning methods, learning what the statistics of the signal look like. It reports physical information, things that are going on in the real world. The real world follows the rules of physics. This information has statistical patterns and correlations that this model has to fulfill. They are unique to every piece of equipment, with very fine details; they have a fingerprint,” Shalyt tells Geektime, describing how his team has spent considerable amounts of time testing physical equipment and learning its behavior.
“These fluctuations are not random,” he says of the readings from the machines. “We cannot see the patterns with the human eye, but with recordings from the past, you can pick up on the patterns. These fluctuations create a fingerprint in the data. You can imagine it with the same pipe that operated at 15 yesterday and the day before, the exact measurements are never the same.”
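To make the three forgery categories above, and the "fingerprint" idea in Shalyt's quote, concrete, here is an added example that is not Aperio's code and does not describe how DFP actually works. It assumes a single sensor whose genuine readings hover around 15 with physically driven, persistent fluctuation (modelled as a constructed AR(1) process; the constants, the plant model and all sample streams are assumptions), learns a fingerprint from trusted recordings, and then checks a reported stream for the signs a monitor could look for: verbatim repeats of the past or a looped clip (replay), correct level and spread but missing sample-to-sample persistence (synthetic), and a rescaled level and spread (transform).

```python
import random
from statistics import mean, pstdev

# Constructed plant model (assumption): a pressure-like reading around 15 whose
# fluctuations are persistent from sample to sample, as a real process would be.
SETPOINT = 15.0
PERSISTENCE = 0.8   # lag-1 autocorrelation of the genuine process (assumed)
NOISE_SD = 0.1      # innovation noise (assumed)


def simulate_sensor(n, seed):
    """Stand-in for real equipment: AR(1) fluctuation around SETPOINT."""
    rng = random.Random(seed)
    x, out = SETPOINT, []
    for _ in range(n):
        x = SETPOINT + PERSISTENCE * (x - SETPOINT) + rng.gauss(0.0, NOISE_SD)
        out.append(x)
    return out


def lag1_autocorr(xs):
    """Sample lag-1 autocorrelation: how much each reading 'remembers' the last."""
    m = mean(xs)
    num = sum((a - m) * (b - m) for a, b in zip(xs, xs[1:]))
    den = sum((a - m) ** 2 for a in xs)
    return num / den if den else 0.0


def windows(xs, k):
    """Sliding windows, rounded so transport float noise does not defeat matching."""
    return [tuple(round(v, 3) for v in xs[i:i + k]) for i in range(len(xs) - k + 1)]


class Fingerprint:
    """Statistics learned from recordings that are trusted to be genuine."""
    WINDOW = 32

    def __init__(self, history):
        self.mean = mean(history)
        self.sd = pstdev(history)
        self.rho = lag1_autocorr(history)
        self.seen = set(windows(history, self.WINDOW))

    def check(self, reported):
        """Return the forgery classes the reported stream shows signs of."""
        if len(reported) < self.WINDOW:
            raise ValueError("stream shorter than one fingerprint window")
        findings = []
        ws = windows(reported, self.WINDOW)
        # Replay: chunks that already occurred verbatim in the past, or a short
        # clip looped so that the stream keeps repeating itself.
        replayed = sum(1 for w in ws if w in self.seen) / len(ws)
        distinct = len(set(ws)) / len(ws)
        if replayed > 0.5 or distinct < 0.5:
            findings.append("replay")
        # Synthetic: right level and spread, but the persistence physics imposes
        # on the real signal is missing (tolerances are assumptions).
        if abs(lag1_autocorr(reported) - self.rho) > 0.2:
            findings.append("synthetic")
        # Transform: live data rescaled on its way to the monitor shifts the
        # level and the spread together.
        sd_ratio = pstdev(reported) / self.sd
        if abs(mean(reported) - self.mean) > 0.3 or not 0.5 <= sd_ratio <= 2.0:
            findings.append("transform")
        return findings


def scenarios():
    """Run the fingerprint against constructed genuine and forged streams."""
    history = simulate_sensor(4000, seed=1)          # trusted past recordings
    fp = Fingerprint(history)
    genuine = simulate_sensor(500, seed=2)           # today's real readings
    rng = random.Random(3)
    cases = {
        "genuine": genuine,
        "replay_of_yesterday": history[1000:1500],   # old recording resent
        "looped_clip": genuine[:100] * 5,            # short clip on a loop
        "synthetic_iid": [rng.gauss(fp.mean, fp.sd) for _ in range(500)],
        "transform_halved": [0.5 * v for v in genuine],  # reported at half
    }
    return {name: fp.check(stream) for name, stream in cases.items()}


if __name__ == "__main__":
    for name, findings in scenarios().items():
        print(f"{name:20s} -> {findings or 'consistent with fingerprint'}")
```

The thresholds are deliberately loose for the constructed data: with 500 samples the genuine stream's mean, spread and persistence estimates sit far inside them, while a halved stream misses the level by 7.5, white noise misses the persistence by about 0.8, and a resent or looped recording matches itself window for window. A real deployment would learn per-equipment tolerances from the recorded history rather than fix them by hand.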
So far, Aperio has succeeded in raising a $2 million seed from CyActive co-founders Liran Tancman and Shlomi Boutnaru, as well as Doron Bergerbest-Eilon, whose past roles included the protection of Israel’s critical infrastructure. All three are board members and part of the founding team.
Still new to the market, Aperio is already working with European energy giant Enel, and has some paying clients in Israel.
Interestingly, the team does not view themselves as being in direct competition with some of the other big names in the industrial cyber sector. Instead Shalyt says that, “We’re a complementary kind of product. Whereas the others work on the OT and IT layers, we work on the physical layer.” He recommends that clients use their product along with other protections, much in the same way that organizations should have both firewalls and malware detection.
However, they see a clear advantage in their approach to the kill chain. If the end of the line in a cyber attack is simply having control over a system, in the physical world of industrial security the process has a final additional step: changing the actual behavior of a machine. Aperio’s ability to step out of the network and give monitors that extra layer of protection leads Shalyt to confidently claim that they are “the last line of defense.”