A Flashback on Control Logic Injection Attacks against Programmable Logic Controllers

Programmable logic controllers (PLCs) make up a substantial part of critical infrastructures (CIs) and industrial control systems (ICSs). They are programmed with a control logic that defines how to drive and operate critical processes such as nuclear power plants, petrochemical factories, water treatment systems, and other facilities. Unfortunately, these devices are not fully secure and are prone to malicious threats, especially those exploiting vulnerabilities in the control logic of PLCs. Such threats are known as control logic injection attacks. They mainly aim at sabotaging physical processes controlled by exposed PLCs, causing catastrophic damage to target systems as shown by Stuxnet. Looking back over the last decade, many research endeavors exploring and discussing these threats have been published. In this article, we present a flashback on the recent works related to control logic injection attacks against PLCs. To this end, we provide the security research community with a new systematization based on the attacker techniques under three main attack scenarios. For each study presented in this work, we overview the attack strategies, tools, security goals, infected devices, and underlying vulnerabilities. Based on our analysis, we highlight the current security challenges in protecting PLCs from such severe attacks and suggest security recommendations for future research directions

On Ladder Logic Bombs in Industrial Control Systems

In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.Comment: 11 pages, 14 figures, 2 tables, 1 algorith

Control Behavior Integrity for Distributed Cyber-Physical Systems

Cyber-physical control systems, such as industrial control systems (ICS), are increasingly targeted by cyberattacks. Such attacks can potentially cause tremendous damage, affect critical infrastructure or even jeopardize human life when the system does not behave as intended. Cyberattacks, however, are not new and decades of security research have developed plenty of solutions to thwart them. Unfortunately, many of these solutions cannot be easily applied to safety-critical cyber-physical systems. Further, the attack surface of ICS is quite different from what can be commonly assumed in classical IT systems. We present Scadman, a system with the goal to preserve the Control Behavior Integrity (CBI) of distributed cyber-physical systems. By observing the system-wide behavior, the correctness of individual controllers in the system can be verified. This allows Scadman to detect a wide range of attacks against controllers, like programmable logic controller (PLCs), including malware attacks, code-reuse and data-only attacks. We implemented and evaluated Scadman based on a real-world water treatment testbed for research and training on ICS security. Our results show that we can detect a wide range of attacks--including attacks that have previously been undetectable by typical state estimation techniques--while causing no false-positive warning for nominal threshold values.Comment: 15 pages, 8 figure

VIRTUAL PLC PLATFORM FOR SECURITY AND FORENSICS OF INDUSTRIAL CONTROL SYSTEMS

Industrial Control Systems (ICS) are vital in managing critical infrastructures, including nuclear power plants and electric grids. With the advent of the Industrial Internet of Things (IIoT), these systems have been integrated into broader networks, enhancing efficiency but also becoming targets for cyberattacks. Central to ICS are Programmable Logic Controllers (PLCs), which bridge the physical and cyber worlds and are often exploited by attackers. There\u27s a critical need for tools to analyze cyberattacks on PLCs, uncover vulnerabilities, and improve ICS security. Existing tools are hindered by the proprietary nature of PLC software, limiting scalability and efficiency. To overcome these challenges, I developed a Virtual PLC Platform (VPP) for forensic analyses of ICS attacks and vulnerability identification. The VPP employs the packet replay technique, using network traffic to create a PLC template. This template guides the virtual PLC in network communication, mimicking real PLCs. A Protocol Reverse Engineering Engine (PREE) module assists in reverse-engineering ICS protocols and discovering vulnerabilities. The VPP is automated, supporting PLCs from various vendors, and eliminates manual reverse engineering. This dissertation highlights the architecture and applications of the VPP in forensic analysis, reverse engineering, vulnerability discovery, and threat intelligence gathering, all crucial to bolstering the security and integrity of critical infrastructure

On the Control of Microgrids Against Cyber-Attacks: A Review of Methods and Applications

Nowadays, the use of renewable generations, energy storage systems (ESSs) and microgrids (MGs) has been developed due to better controllability of distributed energy resources (DERs) as well as their cost-effective and emission-aware operation. The development of MGs as well as the use of hierarchical control has led to data transmission in the communication platform. As a result, the expansion of communication infrastructure has made MGs as cyber-physical systems (CPSs) vulnerable to cyber-attacks (CAs). Accordingly, prevention, detection and isolation of CAs during proper control of MGs is essential. In this paper, a comprehensive review on the control strategies of microgrids against CAs and its defense mechanisms has been done. The general structure of the paper is as follows: firstly, MGs operational conditions, i.e., the secure or insecure mode of the physical and cyber layers are investigated and the appropriate control to return to a safer mode are presented. Then, the common MGs communication system is described which is generally used for multi-agent systems (MASs). Also, classification of CAs in MGs has been reviewed. Afterwards, a comprehensive survey of available researches in the field of prevention, detection and isolation of CA and MG control against CA are summarized. Finally, future trends in this context are clarified