Xage introduces fingerprinting to protect industrial IoT devices

As old-school industries like oil and gas increasingly network entities like oil platforms, they become more vulnerable to hacking attacks that were impossible when they were stand-alone. That requires a new approach to security and Xage (pronounced Zage), a security startup that launched last year thinks it has the answer with a concept called ‘fingerprinting’ combined with the blockchain.

“Each individual fingerprint tries to reflect as much information as possible about a device or controller,” Duncan Greenwood, Xage’s CEO explained. They do this by storing configuration data from each device and controller on the network. That includes the hardware type, the software that’s installed on it, the CPU ID, the storage ID and so forth.

If someone were to try to inject malware into one of these controllers, the fingerprint identification would notice a change and shut it down until human technicians could figure out if it’s a legitimate change or not.

Whither blockchain?

You may be wondering where the blockchain comes into this, but imagine a honey pot of these fingerprints were stored in a conventional database. If that database were compromised, it would mean hackers could have access to a company’s entire store of fingerprints, completely neutering that idea. That’s where the blockchain comes in.

Greenwood says it serves multiple purposes to prevent such a scenario from happening. For starters, it takes away that centralized honey pot. It also provides a means of authentication making it impossible to insert a fake fingerprint without explicit permission to do so.

But he says that Xage takes one more precaution unrelated to the blockchain to allow for legitimate updates to the controller. “We have a digital replica (twin) of the system we keep in the cloud, so if someone is changing the software or plans to change it on a device or controller, we will pre-calculate what the new fingerprint will be before we update the controller,” he said. That will allow them to understand when there is a sanctioned update happening and not an external threat agent trying to mimic one.

Checks and balances

In this way they check the validity of every fingerprint and have checks and balances every step of the way. If the updated fingerprint matches the cloud replica, they can be reasonably assured that it’s authentic. If it doesn’t, he says they assume the fingerprint might have been hacked and shut it down for further investigation by the customer.

While this sounds like a complex way of protecting this infrastructure, Greenwood points out that these devices and controllers tend to be fairly simple in terms of their configuration, not like the complexities involved in managing security on a network of workstations with many possible access points for hackers.

The irony here is that these companies are networking their devices to simplify maintenance, but in doing so they have created a new set of issues. “It’s a very interesting problem. They are adopting IoT, so they don’t have to do [so many] truck rolls. They want that network capability, but then the risk of hacking is greater because it only takes one hack to get access to thousands of controllers,” he explained.

In case you are thinking they may be overstating the actual problem of oil rigs and other industrial targets getting hacked, a Department of Homeland Security report released in March suggests that the energy sector has been an area of interest for nation-state hackers in recent years.