Last week OT detection vendor Indegy announced that they have been granted a patent by the U.S. Patent and Trademark Office for PLC version control. Yes, you heard that right: PLC version control, a technology that is around for approximately two decades, is now patented by an Israel-based vendor who doesn’t even offer a PLC version control product.
How can that be?
The patent
The “invention” in a nutshell is to download ladder logic or parts thereof from a PLC and then compare it with a stored version. End of story.
In case you are interested in the technical details, you can download the patent application here.
The patent application was filed in April 2015, less than a year after the company was founded. Indegy announced the filing three years later, but for some funny reason wasn’t willing to provide much detail, as indicated by a lack of response to our inquiry on Twitter in July 2018.
@IndegyCom Hey Indegy, can you please share the USPTO document number of your patent application?
— Ralph Langner (@langnergroup) July 29, 2018
What does PLC version control have to do with OT security?
Apparently Indegy never had any stakes in PLC version control. The company was founded two decades after the technology was introduced by pretty much all the large automation vendors. Since the end of the Nineties, you can buy PLC version control products from Rockwell and Siemens, to mention just two. On top of that there are third party products by PAS, MDT, Auvesy and others.
The version control angle to Indegy’s “OT detection” product, which allegedly can detect cyber attacks on PLCs, is — to recap — that they download PLC ladder logic over the network and compare it with a stored version of that PLC’s code.
So far this is what every PLC version control product does.
If there is a mismatch, and no legitimate change case, an unauthorized re-programming of the PLC did occur, maybe as a result of a cyber attack.
That is some simple yet powerful reasoning, isn’t it? Problem is, Indegy is far from a position where they could claim intellectual property rights. This exact approach was suggested and taken by us back in 2010 (years before the patent application), when we invented a cure against Stuxnet-like attacks on the fly — by mimicking the fingerprinting that Stuxnet does in order to identify if it’s on target.
The difference between fingerprinting in our product and PLC version control is that for fingerprinting, we download not the full ladder logic, but a set of indicators, comparable to hash values. The benefit is that the whole process is much more efficient than version control, and if you just want to learn about the fact that ladder logic has been changed, it is certainly good enough. (Having that said, any PLC version control software can also be used to identify potentially unauthorized changes in ladder logic — a fact that we had pointed out often in our post-Stuxnet discussions.)
Inventor of PLC version control (or not): Mille Gandelsman
It seems implausible to assume that Indegy had no knowledge of the wealth of prior art when filing their patent application. We have to assume that they simply went for it knowing fully well that the invention as specified in the patent application was anyhting but new, or their intellectual property.
This is shameful for two reasons. First, it is shameful for Indegy for turning into a patent troll.
Second, it is shameful for the US Patent and Trademark office for not performing due research on prior art. Last year we pointed out the patent nonsense on Twitter — but it seems like the patent examiner isn’t among our followers.
Hijacking a simple and widespread technology: Indegy tries to patent PLC version controlhttps://t.co/iCHKOhMH0s pic.twitter.com/rgc0AxK4XT
— Ralph Langner (@langnergroup) October 10, 2018
The OT detection marketing circus
The world of OT detection products is full of crazies, in that major players confuse self-celebration of imagined grandeur as marketing:
– Thirty startups with almost identical products compete head-on, with everybody claiming that they have “the best” detection capabilities (without necessarily daring to show these off in a public competition).
– No superlative is deemed too silly in product descriptions (“extreme visibility”, which is backed with simplistic data flow diagrams of trivial installations) and mission statements (“safeguarding civilization” — do you, Corporation X, have a business case, budget and line item for “safeguarding civilization”?)
– Every vendor claims the capability to detect sophisticated cyber-physical attacks (of which there were just a handful in the history of OT) but cannot point to a track record of even one such success in real life.
– After years of scaring customers with the idea that active discovery would be “unsafe”, active is nowadays promoted by the same vendors as “advanced” (over passive).
To top it all off, Indegy claims to have invented PLC version control, spits on other people’s intellectual property, and treats customers as idiots. Quote from the marketing collateral:
“The grant of this patent is an important proof point that both validates the approach and provides for you third party confirmation of what Indegy has advocated all along.”
No, a patent is not in any way validation. You can patent complete nonsense if you want to. And if you’re lucky because the patent examiner is sleeping on the job, you can even patent things that others had invented a long time ago, and are in everyday use, such as toasting bread.
How this all works out for Indegy in court will be interesting, as chances are that they have simply picked the wrong type of enemy, with much deeper pockets and large legal departments who do patent lawsuits on a daily basis.