The Laot project aims to protect critical infrastructure from cyber attacks, by inserting a protective device between the internet and the control system to be protected.
Much critical infrastructure must be remotely managed. This is particularly true for utilities (power, water, etc) in physically remote communities, as there are many in Australia and other places in the world. For example, a power station that supplies a community in the Australian Desert is (together with other remote generators) managed from the power company's central control room in Darwin, NT. Other relevant examples facing the same challenges are a sewage treatment plant, drinking-water supply, an oil pipeline, or Sydney's traffic control.
Specifically, the power station has a local control computer (PLC) which receives inputs from sensors that show the state of the system, such as voltage and current produced by solar panels, and issues commands, e.g. to the inverter. The PLC has a monitor/maintenance interface that connects, via the Internet, to the control room. The control room receives telemetry data showing the state of the generator, and can manage it, especially shutting it down and restarting it.
Remote operation makes the utility a target for cyber attacks. Cyber criminals might try to shut the generator down, leaving the community without electricity. They might even cause physical damage, as demonstrated in the Aurora Generator Test. Many utilities are susceptible to such attacks, as the PLCs of utilities and their communication protocols are generally not designed to operate in a hostile environment. Frequently, their software is too fragile to change (eg for hardening), and in many cases source code may not even be available.
To prevent such attacks we are developing the Laot device. Laot sits between the device under protection (the utility's PLC) and the internet. It is transparent to valid maintenance commands and outgoing traffic, but filters out any other traffic. Filtering happens on several levels, from packet headers to validity checks on the actual commands. Consequently, Laot combines general input sanitation with domain-specific protocol analysis.
Obviously, little is gained if the Laot device can itself be compromised. It contains a fair amount of software complexity, such as Ethernet drivers and protocol analysis software. We therefore use a design that is extremely resilient to attacks, by leveraging the strong isolation provided by the formally verified seL4 microkernel.
Specifically, the outside Ethernet (i.e. the network interface that is connected to the Internet) presents an attack surface. Unless the Ethernet driver is formally verified (which is not yet feasible) it could become compromised. However, seL4-provided isolation prevents the attacker from compromising other components of the system, in particular the logger. While a compromised driver might drop packets, this cannot lead to invalid commands reaching the inside Ethernet (and the device under protection). Signing outgoing traffic prevents a compromised driver from manipulating telemetry and logs without detection.
Laot is being co-designed and -implemented with the seL4 Core Platform (seL4CP), making it the first seL4CP-based system and ensuring that the platforma meets real-world requirements.
The EDS Laot page has more technical detail.
The Laot project is supported by an ICERA Grant awarded by the Australian Department of Defence to Breakaway Consulting, with Trustworthy Systems as a project partner, Breakaway does the OS development. Darwin-based EDS, a power-systems expert, contributes the domain-specific parts.
The Alaska Center for Energy and Power (ACEP) at the University of Alaska Fairbanks is dedicated to applied energy research and testing focused on lowering the cost of energy. ACEP is evaluating Laot for secure access to power stations on remote communities.
Other testing and deployment partners will be announced in due course.