
    Digital forensics for Investigating Control-logic Attacks in Industrial Control Systems

    Programmable logic controllers (PLCs) are required to handle physical processes and are thus crucial in critical infrastructures like power grids, nuclear facilities, and gas pipelines. Attacks on PLCs can have disastrous consequences, as Stuxnet and TRISIS demonstrate. Those attacks are examples of exploits in which the attacker aims to inject malicious control logic into a target PLC, which the engineering software compiles as reliable code. When investigating a security incident, acquiring memory can provide valuable insight such as runtime system activities and memory-based artifacts that may contain the attacker's footprints. The existing memory acquisition tools for PLCs require a hardware-level debugging port or rely on network protocol-based approaches, which are either impractical in the real world or acquire only part of memory. This research work provides an overview of different attacks on PLCs and shows what embodies three different approaches. These novel approaches leave PLCs vulnerable in ways that can unleash mayhem in the physical world.

    The first approach describes denial of engineering operations (DEO) attacks in industrial control systems, referred to as a denial of decompilation (DoD) attack. The DoD attack involves obfuscating and installing (malicious) control logic into a PLC so that the decompilation function in the engineering software, which is required to maintain control logic in PLCs, fails. The existing seminal work on DEO attacks exploits an improper input validation vulnerability in engineering software. The DoD attack, on the other hand, targets a fundamental design principle in compiling and decompiling control logic in engineering software, thereby affecting the engineering software of multiple vendors. We evaluate the DoD attack on PLCs from two major manufacturers, i.e., the Schneider Electric Modicon M221 and the Siemens S7-300, and show that simple obfuscation techniques on control logic are sufficient to compromise the decompilation function in their engineering software, i.e., SoMachine Basic and TIA Portal, respectively.

    The second approach proposes two control-logic attacks and a new memory acquisition framework for PLCs. The first attack modifies in-memory firmware such that the attacker takes control of a PLC's built-in functions. The second attack involves obfuscating and installing malicious control logic into a target PLC to make the decompilation process in engineering software fail. The proposed memory acquisition framework remotely acquires a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject harmless code that copies the protected memory fragments to protocol-mapped memory space, which is acquirable over the network. Since the proposed memory acquisition allows access to the entire memory, we can also show evidence of the attacks.

    The third approach proposes an attack that does not involve alteration or injection of the PLC's control logic. Return-oriented programming (ROP) is an exploitation technique that can perform sophisticated attacks by reusing code already present in the PLC's memory. Because this attack does not inject code, the technique is unique and hard to discover. This work is the first attempt to introduce the ROP attack technique successfully on a PLC without disrupting the control-logic cycle. We evaluate the proposed methods on a gas pipeline testbed to demonstrate the attacks and how a forensic investigator can identify the attacks and other critical forensic artifacts using the proposed memory acquisition method.

    Denial of service attacks and challenges in broadband wireless networks

    Broadband wireless networks provide internet and related services to end users. The three most important broadband wireless technologies are IEEE 802.11, IEEE 802.16, and Wireless Mesh Networks (WMN). Security attacks and vulnerabilities vary amongst these broadband wireless networks because of differences in topologies, network operations, and physical setups. Amongst the various security risks, the Denial of Service (DoS) attack is the most severe security threat, as DoS can compromise the availability and integrity of broadband wireless networks. In this paper, we present DoS attack issues in broadband wireless networks, along with possible defenses and future directions.

    A survey on cyber security for smart grid communications

    A smart grid is a new form of electricity network with high-fidelity power-flow control, self-healing, and energy reliability and energy security, built on digital communications and control technology. Upgrading an existing power grid into a smart grid requires significant dependence on intelligent and secure communication infrastructures, and therefore security frameworks for the distributed communications, pervasive computing, and sensing technologies in the smart grid. However, as many of the communication technologies currently recommended for use in a smart grid are vulnerable to cyber attacks, they could lead to unreliable system operations, causing unnecessary expenditure and even consequential disaster for both utilities and consumers. In this paper, we summarize the cyber security requirements and the possible vulnerabilities in smart grid communications and survey the current solutions on cyber security for smart grid communications. © 2012 IEEE