    A Flashback on Control Logic Injection Attacks against Programmable Logic Controllers

    Programmable logic controllers (PLCs) make up a substantial part of critical infrastructures (CIs) and industrial control systems (ICSs). They are programmed with a control logic that defines how to drive and operate critical processes such as nuclear power plants, petrochemical factories, water treatment systems, and other facilities. Unfortunately, these devices are not fully secure and are prone to malicious threats, especially those exploiting vulnerabilities in the control logic of PLCs. Such threats are known as control logic injection attacks. They mainly aim at sabotaging physical processes controlled by exposed PLCs, causing catastrophic damage to target systems as shown by Stuxnet. Looking back over the last decade, many research endeavors exploring and discussing these threats have been published. In this article, we present a flashback on the recent works related to control logic injection attacks against PLCs. To this end, we provide the security research community with a new systematization based on the attacker techniques under three main attack scenarios. For each study presented in this work, we overview the attack strategies, tools, security goals, infected devices, and underlying vulnerabilities. Based on our analysis, we highlight the current security challenges in protecting PLCs from such severe attacks and suggest security recommendations for future research directions.

    Digital forensics for Investigating Control-logic Attacks in Industrial Control Systems

    Programmable logic controllers (PLCs) are required to handle physical processes and are thus crucial in critical infrastructures like power grids, nuclear facilities, and gas pipelines. Attacks on PLCs can have disastrous consequences, considering attacks like Stuxnet and TRISIS. Those attacks are examples of exploits where the attacker aims to inject into a target PLC malicious control logic, which engineering software compiles as a reliable code. When investigating a security incident, acquiring memory can provide valuable insight such as runtime system activities and memory-based artifacts which may contain the attacker's footprints. The existing memory acquisition tools for PLCs require a hardware-level debugging port or network protocol-based approaches, which are not practical in the real world or provide partial acquisition of memory. This research work provides an overview of different attacks on PLCs. This work shows what embodies these three different approaches. These novel approaches leave PLCs vulnerable, which can unleash mayhem in the physical world. The first approach describes denial of engineering operations (DEO) attacks in industrial control systems, referred to as a denial of decompilation (DoD) attack. The DoD attack involves obfuscating and installing a (malicious) control logic into a programmable logic controller (PLC) to fail the decompilation function in engineering software required to maintain control logic in PLCs. The existing seminal work on the DEO attacks exploits engineering software's improper input validation vulnerability. On the other hand, the DoD attack targets a fundamental design principle in compiling and decompiling control logic in engineering software, thereby affecting the engineering software of multiple vendors. We evaluate the DoD attack on two major PLC manufacturers' PLCs, i.e., Schneider Electric Modicon M221 and Siemens S7-300. We show that simple obfuscation techniques on control logic are sufficient to compromise the decompilation function in their engineering software, i.e., SoMachine Basic and TIA Portal, respectively. The second approach proposes two control-logic attacks and a new memory acquisition framework for PLCs. The first attack modifies in-memory firmware such that the attacker takes control of a PLC's built-in functions. The second attack involves obfuscating and installing a malicious control logic into a target PLC to fail the decompilation process in engineering software. The proposed memory acquisition framework remotely acquires a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject a harmless code that essentially copies the protected memory fragments to protocol-mapped memory space, which is acquirable over the network. Since the proposed memory acquisition allows access to the entire memory, we can also show the evidence of the attacks. The third approach proposes an attack which doesn't involve alteration or injection of a PLC's control logic. Return-Oriented Programming (ROP) is an exploitation technique which can perform sophisticated attacks by utilizing the existing code in the memory of the PLC. This attack doesn't involve injecting code, which makes this technique unique and hard to discover. This work is the first attempt to introduce the ROP attack technique successfully on a PLC without disrupting the control logic cycle. We evaluate the proposed methods on a gas pipeline testbed to demonstrate the attacks and how a forensic investigator can identify the attacks and other critical forensic artifacts using the proposed memory acquisition method.

    On Ladder Logic Bombs in Industrial Control Systems

    In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behaviour, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.
    Comment: 11 pages, 14 figures, 2 tables, 1 algorithm

    Assessing and augmenting SCADA cyber security: a survey of techniques

    SCADA systems monitor and control critical infrastructures of national importance such as power generation and distribution, water supply, transportation networks, and manufacturing facilities. The pervasiveness, miniaturisation and declining costs of internet connectivity have transformed these systems from strictly isolated to highly interconnected networks. The connectivity provides immense benefits such as reliability, scalability and remote connectivity, but at the same time exposes an otherwise isolated and secure system to global cyber security threats. This inevitable transformation to highly connected systems thus necessitates effective security safeguards to be in place, as any compromise or downtime of SCADA systems can have severe economic, safety and security ramifications. One way to ensure vital asset protection is to adopt a viewpoint similar to an attacker's to determine weaknesses and loopholes in defences. Such mindsets help to identify and fix potential breaches before their exploitation. This paper surveys tools and techniques to uncover SCADA system vulnerabilities. A comprehensive review of the selected approaches is provided along with their applicability.

    Forensic Attacks Analysis and the Cyber Security of Safety-Critical Industrial Control Systems

    Industrial Control Systems (ICS) and SCADA (Supervisory Control And Data Acquisition) applications monitor and control a wide range of safety-related functions. These include energy generation, where failures could have significant, irreversible consequences. They also include the control systems that are used in the manufacture of safety-related products. In this case, bugs in an ICS/SCADA system could introduce flaws in the production of components that remain undetected before being incorporated into safety-related applications. Industrial Control Systems typically use devices and networks that are very different from conventional IP-based infrastructures. These differences prevent the re-use of existing cyber-security products in ICS/SCADA environments; the architectures, file formats and process structures are very different. This paper supports the forensic analysis of industrial control systems in safety-related applications. In particular, we describe how forensic attack analysis is used to identify weaknesses in devices so that we can both protect components and determine the information that must be analyzed during the aftermath of a cyber-incident. Simulated attacks detect vulnerabilities; a risk-based approach can then be used to assess the likelihood and impact of any breach. These risk assessments are then used to justify both immediate and longer-term countermeasures.