Sensor Fingerprints for OT Security

In 1990, one hundred people sat in the shadow of Fisherman’s Wharf to learn from a company with ‘Oil Systems’ in its name how to process real-time industrial telemetry. A quarter century later, the company not only remains in operation, but San Leandro-based OSIsoft now boasts more than 1300 employees serving a massive portfolio of OT customers, as well as many dozens of downstream technology providers that connect into the platform.

The OSIsoft concept is simple: devices and systems from vendors such as Siemens and Rockwell expose their OT telemetry through standard OPC Foundation interfaces, and OSIsoft PI Interfaces (the PI OPC DA interface, for example) collect that data and write it into the time-series store of the PI Server, the PI Data Archive. Programmatic access such as the PI Web API then exposes the stored data in familiar formats such as JSON, and users run PI client applications on the desktop, on the Web, or on mobile devices to query it for historical and real-time analysis and investigation.

The underlying OT data structures from OSIsoft are rich. Collected OPC-sourced data is arranged into meaningful hierarchies in the PI Asset Framework (AF), and attributes are associated with each item. Factory pumps, for example, are modeled to reflect their live configuration; their attributes hold constants, formulas, and references to live time-series values (PI tags, also called PI points), which the OSIsoft clients use to determine trends, identify issues, and support ICS/OT management.

It therefore makes perfect sense that technology companies would build cyber security on top of this convenient representation of OT data flows. And so, I spent time last week with Tel Aviv-based Aperio Systems and found that they were providing ICS security solutions focused on operational data integrity. Their commercial platform hooks into the OSIsoft system, and the overall security arrangement looks like a winner. Here is what I learned:

“When we established the company in 2016, our objective was to leverage access to operational data to reduce data integrity risk,” said Jonas Hellgren, CEO of Aperio Systems. “We accomplished this by developing advanced artificial intelligence-based algorithms that could provide significant cyber security benefits to the operator by detecting sensor data issues that might be the result of malicious activity.”

The Aperio platform collects sensor data through the OSIsoft client interface and runs machine learning algorithms that learn each sensor's normal pattern of operation. When the characteristics of a sensor signal indicate a meaningful change, the algorithms determine whether it is likely the result of data manipulation, a sensor attack, or simply a faulty or misconfigured device.

This approach results in an AI-based intrusion detection system for OT that does not require attack signatures and can cover any SCADA environment connected to OSIsoft, or any other system that follows industry standards such as OPC. The algorithms can be viewed as providing a fingerprint of each sensor's signal, which can then reveal data forgery or malfunction, whether caused by malicious or accidental means. As with any anomaly-based detection, the trade for not maintaining signatures is a baseline-learning period on clean data and a false-positive rate that has to be tuned per process; a legitimate change in plant operation will look like an anomaly until the baseline is updated.

“We knew that sensors have unique fingerprints,” Hellgren explained, “and that such patterns of fluctuation, reporting, and noise would allow us to create an advanced security solution. We also knew that the so-called time-series data gathered by sensors have specific frequencies that could be analyzed as well. By accessing and analyzing this data, we provide real-time situational awareness for OT teams.”

Hellgren showed a left-to-right view of how sensor data is connected, through a series of translations and analyses, to this security awareness: first, the sensors behave as they do, bound by their physical characteristics. Aperio uses these physical laws to develop behavioral models and learn the history of the applicable sensors. AI algorithms then derive the fingerprints, which become the basis for the security monitoring.
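To make the fingerprint idea concrete, here is an added Python example of my own; it is not Aperio's code and does not claim to reproduce their algorithms. It models one hypothetical temperature sensor (the setpoint, noise level, and process wander are assumptions chosen for illustration), learns a fingerprint from clean history consisting of the sensor's noise floor and the largest step it has physically produced, and then scores live windows for the failure modes described above: a frozen or replayed constant, a forged signal too smooth to be real, injected noise, and a jump the physical process could not make. Hellgren's point about frequency content is deliberately left out of this toy version.

```python
import random
import statistics
from dataclasses import dataclass

# Constructed data (assumption for illustration): a temperature sensor sampled
# once per second, modelled as a slow process wander around a setpoint plus
# Gaussian sensor noise with a characteristic standard deviation.
def simulate_sensor(n, setpoint=80.0, noise_sd=0.15, seed=7):
    rng = random.Random(seed)
    drift, samples = 0.0, []
    for _ in range(n):
        drift = 0.98 * drift + rng.gauss(0.0, 0.05)   # slow physical wander
        samples.append(setpoint + drift + rng.gauss(0.0, noise_sd))
    return samples

@dataclass
class Fingerprint:
    diff_sd: float    # std dev of sample-to-sample changes: the sensor's noise floor
    max_step: float   # largest step seen in clean history: a physical slew bound

def learn_fingerprint(history):
    """Learn the fingerprint from a clean, trusted history of samples."""
    diffs = [b - a for a, b in zip(history, history[1:])]
    return Fingerprint(statistics.pstdev(diffs), max(abs(d) for d in diffs))

def score_window(window, fp, tol=3.0):
    """Compare one window of live samples against the fingerprint.
    Returns a list of findings; an empty list means the window looks genuine."""
    diffs = [b - a for a, b in zip(window, window[1:])]
    findings = []
    zero_frac = sum(1 for d in diffs if d == 0.0) / len(diffs)
    sd = statistics.pstdev(diffs)
    if zero_frac > 0.5:
        findings.append("frozen")          # held value: stuck sensor or replayed constant
    elif sd < fp.diff_sd / tol:
        findings.append("too_smooth")      # forged signal lacking the real noise floor
    elif sd > fp.diff_sd * tol:
        findings.append("too_noisy")       # noise injection or a failing transducer
    if max(abs(d) for d in diffs) > fp.max_step * tol:
        findings.append("slew_violation")  # a jump the physical process cannot make
    return findings

def run_demo(window=60):
    """Learn from one hour of clean data, then score four constructed windows."""
    fp = learn_fingerprint(simulate_sensor(3600, seed=7))
    genuine = simulate_sensor(window, seed=11)
    frozen = [80.0] * window                                # value held constant
    rng = random.Random(3)
    forged = [80.0 + 0.001 * i + rng.gauss(0.0, 0.01)       # plausible ramp, no real noise
              for i in range(window)]
    spiked = simulate_sensor(window, seed=13)
    spiked = spiked[:30] + [v + 10.0 for v in spiked[30:]]  # injected 10-degree step
    return {
        "genuine": score_window(genuine, fp),
        "frozen": score_window(frozen, fp),
        "forged": score_window(forged, fp),
        "spiked": score_window(spiked, fp),
    }

if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name:8s} -> {findings or ['ok']}")
```

The genuine window passes, the constant and the smooth ramp are flagged because their noise statistics do not match the learned fingerprint, and the step is flagged both as abnormally noisy and as a slew violation. In a real deployment the history would come from the historian rather than a simulator, and the tolerance would be set per sensor from its observed false-positive rate.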

I asked Hellgren about the company, and he shared the story of an engineering culture, with experts located in five countries and with high levels of education in physics, software engineering, mathematics, and signal processing. The senior management team has an average of more than two decades of professional experience (Hellgren was formerly CEO of Vaultive, leading it to its acquisition by CyberArk).

Business challenges for Aperio include the growing level of competition in the ICS/OT security marketplace. New SCADA security companies seem to be emerging on a weekly basis, and OT customers will have trouble separating the wheat from the chaff. But with excellent backing from Data Point Capital, EDP Ventures, Jump Capital, and Scopus Ventures, Aperio will hopefully invest in strong marketing and sales teams.

If you work in OT security, and especially if you are an OSIsoft customer, then connecting with Aperio seems like an excellent idea. The real-time nature of their sensor manipulation detection looks like the early beginning of a new intrusion detection capability for industrial control and other OT systems. The fingerprint-based machine learning algorithms provide the additional benefit of avoiding the need for attack signatures.

Please make it a priority today to give Jonas Hellgren and the Aperio team a call. Ask to hear their OT security story and how it can work in your own industrial control, SCADA, or other operational environment. The threats to OT have advanced to the point where such protection is no longer optional. After your discussion, please share with us your experiences and views. We look forward to hearing from you.