Two UAH graduate students take first place in prestigious embedded security challenge

When Thiago Alves and Rishabh Das, two cybersecurity Ph.D. students at The University of Alabama in Huntsville (UAH), placed first in the North American Embedded Security Challenge this past November, they were both in a state of shock. Not only was the competition tough, says Das, but a forgotten laptop charger also meant that their demonstration at the 14th annual Cyber Security Awareness Week (CSAW) in New York City "did not go as planned." As a result, says Alves, "we really didn’t think we’d win."

Fortunately, however, the originality and complexity of their proposal – and their ability to successfully articulate it ­– prevailed, earning them a $1,000 cash prize and medals in honor of their victory. "The judges had a keen interest in the technology that we developed, and they really wanted to understand how the system worked," says Das. "So it was already a winning experience. First prize was just the icing on the cake."

Equally satisfying was the knowledge that neither would have won without the other. Their prize-winning submission – a machine-learning intrusion prevention system (IPS) embedded inside an open-source programmable logic controller (PLC) ­– joined together Das’ proficiency in machine learning with Alves’ expertise in PLCs. "The embedded solution for securing a PLC is both novel and really efficient in countering three distinct attack vectors," says Das, referring to reconnaissance, injection, and volumetric denial of service (DoS) attacks. "We followed the classic cybersecurity approach of defense in depth, which is very similar to the design of a medieval castle."

Like multiple walls protecting the central keep, he explains, the approach has two distinct layers that protect the central PLC from outside attacks. The first, an encryption layer designed by Alves, protects the PLC against reconnaissance and injection attacks, wherein a hacker attempts to gather information about the system and then insert nefarious code for execution. The second, a machine-learning IPS layer designed by Das, protects the PLC against DoS attacks, which can disrupt services, and adapts to the network condition. "This is the first real implementation of a machine-learning IPS embedded inside a PLC, and that makes this project really interesting and exciting at the same time," says Das.

As for how Das and Alves came by their talents in machine learning and PLCs, respectively, the story starts long before either arrived at UAH to pursue their Ph.D. under Dr. Tommy Morris, an associate professor of electrical and computer engineering who serves as director of the university’s Center for Cybersecurity Research and Education (CCRE).

Das, a native of India, had been employed as an automation engineer in the oil and gas industry after earning his undergraduate degree in electrical engineering. "We all had to work closely with the research and development department to keep the control systems functional," he says. While researching cyberattacks related to PLCs, he came across articles written by Dr. Morris that described his use of innovative machine-learning techniques to counter cyber threats. "I was convinced that the approach taken by him would scale perfectly to industries in the future and would make real improvements to the security of legacy controllers," he says. "That is when I decided to contact Dr. Morris for a position on his research team, and in the fall of 2015, I started as a Ph.D. student at UAH."

It was already a winning experience. First prize was just the icing on the cake.

Like Das, Alves was also accepted into UAH’s Ph.D. program in the fall of 2015, but unlike him, he had yet to establish his professional career. A native of Brazil, he’d just completed his undergraduate degree in electrical engineering at the Pontifical Catholic University of Minas Gerais, where he initially created OpenPLC, the only PLC in the world to give users access to its source code. "It started when I was an intern at an automation company, and they wanted me to create an automation system for a car-crash test," he says. "To do that, I had to use PLC devices, which in a nutshell are like the brains of industrial machinery."

PLCs are far from new; they’ve been around since the 1970s. But back then, manufacturers were more concerned with the ability of the device’s exterior to withstand harsh industrial environments than the ability of its interior to ward off a cyber attack – something that’s become increasingly important in today’s digital age. Moreover, says Alves, "vendors don’t make available information about the hardware and firmware of their devices." So not only are users obliged to rely on vendors to provide any necessary security updates, but researchers interested in helping to improve their defense mechanisms are stymied by the lack of access.

All of which is where open-source technologies like OpenPLC come in. Because it uses a publicly accessible design that can be modified as desired without any restriction, says Alves, "it can change the paradigm." Researchers can design, test, and validate security enhancements to industrial controllers, and then these enhancements can be ported to closed commercial systems by their vendors after validation. "An intentionally vulnerable version of the original OpenPLC code can also be used to conduct industrial control system security training and to test network security tools," he says.

Initially Alves’ plan had been to create a low-cost alternative to commercially available PLCs that he could sell for a profit. "I think about that every day, how much I could have made," he says with a laugh. But after being recruited by Dr. Morris to pursue his Ph.D. in cybersecurity at UAH, his focus changed to improving their security. "At that time I was a complete hardware guy – I had zero knowledge of cybersecurity," he says. "But after I came to UAH, it became about making PLCs safer."

It’s an objective he’s that much closer to reaching since partnering with Das. Together, they have been able to examine the benefits of embedded security on the edge, such as higher resiliency when compared to traditional centralized methods. "Rishabh is the brightest guy I’ve ever met," says Alves, while Das calls Alves a "wizard" at programming. "I have learned a lot while working with him," he says.

As for the person who brought the two together and has since served as "a true role model" according to Das, Dr. Morris says he is "honored to work with both of them." And while proud of their CSAW 2017 win, he was not surprised by it. "Thiago and Rishabh are brilliant," he says. "They are great examples of the first-class Ph.D. students who attend UAH." Of course, after this year’s experience, they may want to start thinking now about packing an extra laptop charger for CSAW 2018. With a title to defend, says Alves, "we’re definitely going back!"

---