Accurate Modeling of the Siemens S7 SCADA Protocol for Intrusion Detection and Digital Forensics

The Siemens S7 protocol is commonly used in SCADA systems for communications between a Human Machine Interface (HMI) and the Programmable Logic Controllers (PLCs). This paper presents a model-based Intrusion Detection Systems (IDS) designed for S7 networks. The approach is based on the key observation that S7 traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique Deterministic Finite Automaton (DFA). The resulting DFA-based IDS is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach was evaluated on traffic from two production systems. Despite its high sensitivity, the system had a very low false positive rate - over 99.82% of the traffic was identified as normal

Stealthy Deception Attacks Against SCADA Systems

SCADA protocols for Industrial Control Systems (ICS) are vulnerable to network attacks such as session hijacking. Hence, research focuses on network anomaly detection based on meta--data (message sizes, timing, command sequence), or on the state values of the physical process. In this work we present a class of semantic network-based attacks against SCADA systems that are undetectable by the above mentioned anomaly detection. After hijacking the communication channels between the Human Machine Interface (HMI) and Programmable Logic Controllers (PLCs), our attacks cause the HMI to present a fake view of the industrial process, deceiving the human operator into taking manual actions. Our most advanced attack also manipulates the messages generated by the operator's actions, reversing their semantic meaning while causing the HMI to present a view that is consistent with the attempted human actions. The attacks are totaly stealthy because the message sizes and timing, the command sequences, and the data values of the ICS's state all remain legitimate. We implemented and tested several attack scenarios in the test lab of our local electric company, against a real HMI and real PLCs, separated by a commercial-grade firewall. We developed a real-time security assessment tool, that can simultaneously manipulate the communication to multiple PLCs and cause the HMI to display a coherent system--wide fake view. Our tool is configured with message-manipulating rules written in an ICS Attack Markup Language (IAML) we designed, which may be of independent interest. Our semantic attacks all successfully fooled the operator and brought the system to states of blackout and possible equipment damage

SoK: Security of Programmable Logic Controllers

Billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management, and food production. Our dependence on reliable infrastructures makes them valuable targets for cyberattacks. One of the prime targets for adversaries attacking physical infrastructures are Programmable Logic Controllers (PLCs) because they connect the cyber and physical worlds. In this study, we conduct the first comprehensive systematization of knowledge that explores the security of PLCs: We present an in-depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. We introduce a novel threat taxonomy for PLCs and Industrial Control Systems (ICS). Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.Comment: 25 pages, 13 figures, Extended version February 2024, A shortened version is to be published in the 33rd USENIX Security Symposium, for more information, see https://efrenlopez.org

Automatic Forensic Analysis of PCCC Network Traffic Log

Most SCADA devices have a few built-in self-defence mechanisms and tend to implicitly trust communications received over the network. Therefore, monitoring and forensic analysis of network traffic is a critical prerequisite for building an effective defense around SCADA units. In this thesis work, We provide a comprehensive forensic analysis of network traffic generated by the PCCC(Programmable Controller Communication Commands) protocol and present a prototype tool capable of extracting both updates to programmable logic and crucial configuration information. The results of our analysis shows that more than 30 files are transferred to/from the PLC when downloading/uplloading a ladder logic program using RSLogix programming software including configuration and data files. Interestingly, when RSLogix compiles a ladder-logic program, it does not create any lo-level representation of a ladder-logic file. However the low-level ladder logic is present and can be extracted from the network traffic log using our prototype tool. the tool extracts SMTP configuration from the network log and parses it to obtain email addresses, username and password. The network log contains password in plain text

A Survey on Industrial Control System Testbeds and Datasets for Security Research

The increasing digitization and interconnection of legacy Industrial Control Systems (ICSs) open new vulnerability surfaces, exposing such systems to malicious attackers. Furthermore, since ICSs are often employed in critical infrastructures (e.g., nuclear plants) and manufacturing companies (e.g., chemical industries), attacks can lead to devastating physical damages. In dealing with this security requirement, the research community focuses on developing new security mechanisms such as Intrusion Detection Systems (IDSs), facilitated by leveraging modern machine learning techniques. However, these algorithms require a testing platform and a considerable amount of data to be trained and tested accurately. To satisfy this prerequisite, Academia, Industry, and Government are increasingly proposing testbed (i.e., scaled-down versions of ICSs or simulations) to test the performances of the IDSs. Furthermore, to enable researchers to cross-validate security systems (e.g., security-by-design concepts or anomaly detectors), several datasets have been collected from testbeds and shared with the community. In this paper, we provide a deep and comprehensive overview of ICSs, presenting the architecture design, the employed devices, and the security protocols implemented. We then collect, compare, and describe testbeds and datasets in the literature, highlighting key challenges and design guidelines to keep in mind in the design phases. Furthermore, we enrich our work by reporting the best performing IDS algorithms tested on every dataset to create a baseline in state of the art for this field. Finally, driven by knowledge accumulated during this survey's development, we report advice and good practices on the development, the choice, and the utilization of testbeds, datasets, and IDSs

PLC Code Vulnerabilities and Attacks: Detection and Prevention

Programmable Logic Controllers (PLCs) play an important role in Industrial Control Systems (ICS), production lines, public infrastructure, and critical facilities. A compromised PLC would lead to devastating consequences that risk workplace safety, humans, environment, and associated systems. Because of their important role in ICS, more specifically PLC Based Systems (PLC-BS), PLCs have been targeted by various types of cyber-attacks. Many contributions have been dedicated to protecting ICS and exploring their vulnerabilities and threats, but little attention and progress have been made in enhancing the security of PLC code by utilizing internal PLC ladder logic code solutions. Mainly the contributions to protect and secure PLC-BS are related to external factors such as industrial networks, Supervisory Control And Data Acquisition Systems (SCADA), field devices, and servers. Focusing on those external factors would not be sufficient if adversaries gain access to a PLC since PLCs are insecure by design - do not have built-in self-defense features that could reduce or detect abnormalities or vulnerabilities within their running routines or codes. PLCs are defenseless against code exploitations and malicious code modifications. This research work focuses on exposing the vulnerabilities of PLC ladder logic code and provides countermeasure solutions to detect and prevent related code exploitation and vulnerabilities. Several test-bed experiments, using Rockwell PLCs, were conducted to deploy real-time attack models against PLC ladder logic code and provided countermeasure solutions to detect the associated threats and prevent them. The deployed attacks were successfully detected by the provided countermeasure solutions. These countermeasure techniques are novel, real-time PLC ladder logic code solutions that can be deployed to any PLC to enhance its code defense mechanism and enable it to detect and prevent code attacks and even bad code practices. The main novel contribution, among the provided countermeasure solutions, is the STC (Scan Time Code) technique. STC is a ladder logic code that was developed, deployed, and tested in several test-bed experiments to detect and prevent code abnormalities and threats. STC was able to detect and prevent a variety of real-time attack models against a PLC ladder logic code. STC was designed to capture and analyze the time a PLC spends in executing a specific routine or program per scan cycle to monitor any suspicious code modifications or behaviors. Any suspicious modifications or behaviors of PLC code within a particular routine would be detected by STC which in return would stop and prevent further code execution and warn operators. In addition to detecting code modifications, the STC technique was used to detect any modification of the CPU time slice scheduling. Another countermeasure technique was PLC code that was used to detect and prevent the manipulation or deterioration of particular field devices. Moreover, several countermeasure PLC code techniques were proposed to expose the vulnerabilities of PLC alarms code where adversaries could find ways to launch cyber-attacks that could suppress (disable) or silence the alarms and critical faults of associated ICS devices monitored by PLCs. Suppressed alarms would not be reported to operators or promptly detected, resulting in devastating damage. All provided countermeasure solutions in this work were successfully tested and capable of detecting, preventing, or eliminating real-time attack scenarios. The results were analyzed and proved the validity of the provided countermeasure solutions. This research work, also, provides policies, recommendations, and general countermeasures to enhance the validity and security of PLC code. All the techniques provided in this work are applicable to be implemented and deployed to any PLC at no extra cost, additional resources, or complex integration. The techniques enhance the security of PLCs by building more defensive layers within their respective routines which in return would reduce financial losses, improve workplace safety, and protect human lives and the environment

Temporal Phase Shifts in SCADA Networks

In Industrial Control Systems (ICS/SCADA), machine to machine data traffic is highly periodic. Previous work showed that in many cases, it is possible to create an automata-based model of the traffic between each individual Programmable Logic Controller (PLC) and the SCADA server, and to use the model to detect anomalies in the traffic. When testing the validity of previous models, we noticed that overall, the models have difficulty in dealing with communication patterns that change over time. In this paper we show that in many cases the traffic exhibits phases in time, where each phase has a unique pattern, and the transition between the different phases is rather sharp. We suggest a method to automatically detect traffic phase shifts, and a new anomaly detection model that incorporates multiple phases of the traffic. Furthermore we present a new sampling mechanism for training set assembly, which enables the model to learn all phases during the training stage with lower complexity. The model presented has similar accuracy and much less permissiveness compared to the previous general DFA model. Moreover, the model can provide the operator with information about the state of the controlled process at any given time, as seen in the traffic phases.Comment: Full version of CPS-SPC'18 short pape