The intelligent embedded operational technology (OT) and industrial control systems (ICSs) that are central to the success of Industry 4.0 are generally connected to the cloud. As such, these devices face potential cyber threats, including malware, ransomware, data breaches and denial-of-service (DoS) attacks. To combat these threats, industries must implement strong cyber security measures such as encryption, multifactor authentication, network segmentation and regular software updates.

However, a remaining challenge faced by the vastly increased threat surface presented by OT and ICSs is how to attain real-time observability of these remote fleet of devices in terms of performance patterns, behavior anomalies and events. In short, there is a need for real-time intrusion detection on these resource-constrained embedded devices.

Look but do not touch

ABB’s proposed solution is based on an Extended Berkely Packet Filter (eBPF) approach. eBPF is a well-established technology that makes it possible to run special programs deep inside the Linux operating system in an isolated way. Technology makes the Linux kernel programmable without writing a single line of low-level kernel code. An application programming interface (API) allows eBPF to hook into the Linux kernel and listen to all types of system calls there. eBPF comes compiled with Linux kernels version 4.10 onwards, so it requires no extra installation.

An eBPF agent can be created that carries custom signatures and detects various types of attacks or anomalies on ICS protocols such as Modbus, DNP, MMS, etc. For example:

• Removable storage media mounted on the target
• FTP/Telnet logins
• Sensitive file modifications
• Rogue process creation on the target
• Processes with high CPU loading
• Kernel-level attacks, such as privilege escalation through kernel module loading.

Events are reported to either a remote cloud operations team or local operator workstation. Critically, the agent watches for security events happening on devices in real time.

The agent can also be used to push detection signatures for a zero-day attack without rebooting the device. Further, deep packet inspection capabilities can be used to analyze incoming and outgoing traffic on the device.

Open-source and close scrutiny

ABB’s eBPF approach to cyber security provides continuous, inbuilt security event monitoring and anomaly detection. Based on threat intelligence, new detection signatures for zero-day vulnerabilities and newly disclosed weaknesses can be pushed to the on-field OT devices with zero downtime, thus reducing the interval between patch release and implementation.

The agent uses available eBPF technology and open-source tools, minimizing costs and, with the appropriate kernel version, can support legacy systems.

Advanced testing is underway, and it is hoped that this eBPF approach to cyber security that provides continuous cyber security monitoring and anomaly detection will soon be in use in the field.