
    On Ladder Logic Bombs in Industrial Control Systems

    In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to interact directly with sensors and actuators and to perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs (LLBs), i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and would either persistently change the behaviour or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs. In addition to introducing vulnerabilities on the logic layer, we also discuss countermeasures and we propose two detection techniques.
    Comment: 11 pages, 14 figures, 2 tables, 1 algorithm.
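    To make the logic-layer threat concrete, here is an added Python simulation (written for this page; it is not code from the paper, and it does not reproduce the paper's lab PLCs or its two detection techniques). It models a PLC scan cycle running a tank-level control program, then inserts a trigger-based LLB as an extra rung that pins the level reading after a number of scans in AUTO mode, so the pump never stops and the overflow alarm never fires. The tank physics, tag names, trigger condition and both checks (a program fingerprint compared against a known-good baseline, and an "input image must not change during a scan" check) are assumptions chosen for the example.

```python
"""Simulated PLC scan cycle with a trigger-based ladder logic bomb (LLB).

Illustrative example for this page; the PLC model, tags, trigger and checks
are assumptions, not the paper's lab setup or its detection techniques.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class PLC:
    rungs: list                               # ordered (name, rung function)
    inputs: dict = field(default_factory=dict)   # input process image
    outputs: dict = field(default_factory=dict)  # output process image
    memory: dict = field(default_factory=dict)   # retained internal memory

    def scan(self):
        """Run one scan cycle. Returns True if a rung modified the input image,
        which legitimate logic never does (assumed runtime integrity check)."""
        snapshot = dict(self.inputs)
        for _, rung in self.rungs:
            rung(self)
        return self.inputs != snapshot


def pump_control(plc):
    """Legitimate rung: hysteresis control, pump ON below 40, OFF above 80."""
    level = plc.inputs["level"]
    if level < 40:
        plc.outputs["pump"] = True
    elif level > 80:
        plc.outputs["pump"] = False


def overflow_alarm(plc):
    """Legitimate rung: alarm when the tank level exceeds 90."""
    plc.outputs["alarm"] = plc.inputs["level"] > 90


def ladder_logic_bomb(plc):
    """Malicious rung: after 5 scans in AUTO mode, overwrite the level reading
    with a safe-looking 30 so the pump stays on and the alarm never trips."""
    plc.memory["cnt"] = plc.memory.get("cnt", 0) + 1
    if plc.inputs["mode"] == "AUTO" and plc.memory["cnt"] >= 5:
        plc.inputs["level"] = 30.0


CLEAN = [("pump_control", pump_control), ("overflow_alarm", overflow_alarm)]
# The attacker names the inserted rung innocuously and places it first.
INFECTED = [("spare_rung", ladder_logic_bomb)] + CLEAN


def program_fingerprint(rungs):
    """Hash of rung names and bytecode; compare against a known-good baseline
    taken from the engineering repository (assumed detection check)."""
    h = hashlib.sha256()
    for name, fn in rungs:
        h.update(name.encode())
        h.update(fn.__code__.co_code)
    return h.hexdigest()


def simulate(rungs, scans, start_level=50.0):
    """Run the program against a toy tank (constructed physics: +5 per scan
    with the pump on, -3 with it off). Returns the (level, pump, alarm) trace
    and whether any scan tampered with the input image."""
    plc = PLC(rungs=list(rungs))
    plc.inputs["mode"] = "AUTO"
    plc.outputs.update(pump=False, alarm=False)
    level, trace, tampered = float(start_level), [], False
    for _ in range(scans):
        plc.inputs["level"] = level          # read the level sensor
        tampered = plc.scan() or tampered
        level = max(0.0, level + (5.0 if plc.outputs["pump"] else -3.0))
        trace.append((level, plc.outputs["pump"], plc.outputs["alarm"]))
    return trace, tampered


if __name__ == "__main__":
    for label, prog in (("clean", CLEAN), ("infected", INFECTED)):
        trace, tampered = simulate(prog, 60)
        print(label, "final level", trace[-1][0], "alarm ever",
              any(a for _, _, a in trace), "input tampering", tampered,
              "fingerprint", program_fingerprint(prog)[:12])
```

    In the clean run the level cycles between roughly 38 and 83 and the alarm never fires; in the infected run the physical level climbs without bound while the alarm stays silent, because the control logic and the alarm both consume the pinned value. The fingerprint check catches the modified program listing, and the input-image check catches the manipulation at runtime; an operator inspecting the rungs by hand would see only an innocuously named extra rung.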

    A Flashback on Control Logic Injection Attacks against Programmable Logic Controllers

    Programmable logic controllers (PLCs) make up a substantial part of critical infrastructures (CIs) and industrial control systems (ICSs). They are programmed with a control logic that defines how to drive and operate critical processes such as nuclear power plants, petrochemical factories, water treatment systems, and other facilities. Unfortunately, these devices are not fully secure and are prone to malicious threats, especially those exploiting vulnerabilities in the control logic of PLCs. Such threats are known as control logic injection attacks. They mainly aim at sabotaging physical processes controlled by exposed PLCs, causing catastrophic damage to target systems as shown by Stuxnet. Over the last decade, many research endeavors exploring and discussing these threats have been published. In this article, we present a flashback on the recent works related to control logic injection attacks against PLCs. To this end, we provide the security research community with a new systematization based on the attacker techniques under three main attack scenarios. For each study presented in this work, we overview the attack strategies, tools, security goals, infected devices, and underlying vulnerabilities. Based on our analysis, we highlight the current security challenges in protecting PLCs from such severe attacks and suggest security recommendations for future research directions.

    US nuclear deterrence policy and its problems

    Nuclear deterrence is back. Of course, it had never disappeared, but it had retreated into the background as a hedge against future uncertainties. Hopes of overcoming the deterrence system through nuclear disarmament have been dashed. Nuclear deterrence gains new importance in the era of great power competition. Arms control is stagnating, even eroding, and the modernisation of nuclear arsenals is progressing. Through nuclear sharing arrangements within the North Atlantic Treaty Organization (NATO), Germany is involved in nuclear deterrence. This includes the ability to deliver American nuclear bombs stored in Germany. So far, this has been ensured by nuclear-capable Tornado fighter bombers, due to be replaced in the foreseeable future. Against this background, nuclear deterrence and its strategic, legal, ethical, and political problems and dilemmas are assessed in this research paper. The focus is on US deterrence policy and its role in the Western alliance. This analysis of nuclear deterrence and its problems and dilemmas is intended to provide a basic orientation for the new nuclear debate that is emerging. (Author's abstract)

    PLC based Remote Guided Vehicle for Filling and Disposal of Toxic Chemical for Unmanned Applications

    The Remote Guided Vehicle, designed for performing operations quickly, repeatedly and accurately, has a long heritage in the manufacturing industry, operating in relatively static environments and in large numbers. Trends in the oil and gas industry to improve safety and efficiency and reduce environmental impact suggest the use of robotized vehicles. New developments in regions difficult or dangerous for humans to work in could be enabled with maintenance, inspection and repairs carried out by a remotely-controlled Automated Guided Vehicle (AGV). The Programmable Logic Controller (PLC) is an integral part of any industrial work. Therefore, we have designed and developed a PLC-based automated remote guided vehicle for filling and disposal of toxic chemicals for unmanned applications. This paper discusses aspects of the different components used to develop an AGV and to control its movement and on-board utilities. Further, this AGV is interfaced to a 23-point PLC using a wireless transmitter and receiver pair. This provides the wireless communication needed for applications where human beings cannot access and control the equipment. The automated guided vehicle is used to transport toxic chemicals in areas where humans cannot reach. A PLC program is written to control the AGV to follow the predetermined path and then load the chemical at one point and unload it at the other.

    VIRTUAL PLC PLATFORM FOR SECURITY AND FORENSICS OF INDUSTRIAL CONTROL SYSTEMS

    Industrial Control Systems (ICS) are vital in managing critical infrastructures, including nuclear power plants and electric grids. With the advent of the Industrial Internet of Things (IIoT), these systems have been integrated into broader networks, enhancing efficiency but also becoming targets for cyberattacks. Central to ICS are Programmable Logic Controllers (PLCs), which bridge the physical and cyber worlds and are often exploited by attackers. There's a critical need for tools to analyze cyberattacks on PLCs, uncover vulnerabilities, and improve ICS security. Existing tools are hindered by the proprietary nature of PLC software, limiting scalability and efficiency. To overcome these challenges, I developed a Virtual PLC Platform (VPP) for forensic analyses of ICS attacks and vulnerability identification. The VPP employs the packet replay technique, using network traffic to create a PLC template. This template guides the virtual PLC in network communication, mimicking real PLCs. A Protocol Reverse Engineering Engine (PREE) module assists in reverse-engineering ICS protocols and discovering vulnerabilities. The VPP is automated, supporting PLCs from various vendors, and eliminates manual reverse engineering. This dissertation highlights the architecture and applications of the VPP in forensic analysis, reverse engineering, vulnerability discovery, and threat intelligence gathering, all crucial to bolstering the security and integrity of critical infrastructure.
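    The packet-replay idea above, as an added example rather than the dissertation's VPP code: request/response pairs from a capture are turned into a template, and a virtual PLC answers new requests from that template while rewriting the transaction id. The Modbus/TCP framing (MBAP header, function codes 0x03 and 0x06, exception responses) is the standard protocol; the capture below is constructed, and the template layout, the generalisation from exact-match replay to a learned register map for unseen reads, and the choice of exception codes for unseen requests are assumptions made for this example.

```python
"""Virtual PLC built from a Modbus/TCP capture by packet replay.

Illustrative example for this page, not the VPP itself. The capture is
constructed; the template design and error handling are assumptions.
"""
import struct

READ_HOLDING = 0x03
WRITE_SINGLE = 0x06
ILLEGAL_FUNCTION, ILLEGAL_ADDRESS, ILLEGAL_VALUE = 0x01, 0x02, 0x03


def parse_frame(frame):
    """Split a Modbus/TCP frame into (transaction id, unit id, PDU)."""
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or len(frame) != 6 + length:
        raise ValueError("malformed MBAP header")
    return tid, uid, frame[7:]


def build_frame(tid, uid, pdu):
    """Wrap a PDU in an MBAP header; length counts unit id plus PDU."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


class PLCTemplate:
    """What the virtual PLC learned from traffic to a real PLC."""

    def __init__(self):
        self.exact = {}       # (unit id, request PDU) -> response PDU
        self.registers = {}   # (unit id, address) -> value seen in FC3 replies

    def learn(self, request, response):
        """Record one captured pair; pairs are matched on transaction and
        unit id, anything else is dropped. Returns True if learned."""
        rtid, ruid, rpdu = parse_frame(request)
        stid, suid, spdu = parse_frame(response)
        if (rtid, ruid) != (stid, suid):
            return False
        self.exact[(ruid, rpdu)] = spdu
        if rpdu[0] == READ_HOLDING and spdu[0] == READ_HOLDING:
            start, qty = struct.unpack(">HH", rpdu[1:5])
            values = struct.unpack(">%dH" % qty, spdu[2:2 + 2 * qty])
            for i, value in enumerate(values):
                self.registers[(ruid, start + i)] = value
        return True


class VirtualPLC:
    def __init__(self, template):
        self.t = template

    def handle(self, frame):
        """Answer one request frame, keeping the caller's transaction id."""
        tid, uid, pdu = parse_frame(frame)
        return build_frame(tid, uid, self._respond(uid, pdu))

    def _respond(self, uid, pdu):
        fc = pdu[0]
        if (uid, pdu) in self.t.exact:           # seen verbatim: replay
            return self.t.exact[(uid, pdu)]
        if fc in (READ_HOLDING, WRITE_SINGLE) and len(pdu) != 5:
            return bytes([fc | 0x80, ILLEGAL_VALUE])
        if fc == READ_HOLDING:                   # unseen read: use register map
            start, qty = struct.unpack(">HH", pdu[1:5])
            addrs = [(uid, a) for a in range(start, start + qty)]
            if not all(a in self.t.registers for a in addrs):
                return bytes([fc | 0x80, ILLEGAL_ADDRESS])
            values = [self.t.registers[a] for a in addrs]
            return bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *values)
        if fc == WRITE_SINGLE:                   # writes update the map, echo
            addr, value = struct.unpack(">HH", pdu[1:5])
            self.t.registers[(uid, addr)] = value
            return pdu
        return bytes([fc | 0x80, ILLEGAL_FUNCTION])


# Constructed capture: (request frame, response frame) pairs.
CAPTURE = [
    # read 3 holding registers at address 10 -> 100, 400, 300
    (bytes.fromhex("00010000000601" "03000a0003"),
     bytes.fromhex("00010000000901" "030600640190012c")),
    # read 8 coils at address 0 -> 0b00000101
    (bytes.fromhex("00020000000601" "0100000008"),
     bytes.fromhex("00020000000401" "010105")),
    # transaction ids differ: not a matching pair, must be ignored
    (bytes.fromhex("00030000000601" "0300140001"),
     bytes.fromhex("00040000000501" "03020000")),
]


def build_virtual_plc(capture=CAPTURE):
    template = PLCTemplate()
    for req, resp in capture:
        template.learn(req, resp)
    return VirtualPLC(template)


if __name__ == "__main__":
    vplc = build_virtual_plc()
    print(vplc.handle(bytes.fromhex("00420000000601" "03000b0001")).hex())
```

    A client that reads register 11 alone, a combination never seen in the capture, still gets a protocol-correct answer (0x0190) because the template generalised the earlier three-register read; reads outside the learned range and unknown function codes produce standard Modbus exception responses, so a probing attacker or fuzzer sees behaviour consistent with a real device.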

    Preliminaries of orthogonal layered defence using functional and assurance controls in industrial control systems

    Industrial Control Systems (ICSs) are responsible for the automation of different processes and the overall control of systems that include highly sensitive potential targets such as nuclear facilities, energy-distribution, water-supply, and mass-transit systems. The increased complexity and rapid evolution of their threat landscape, and the fact that these systems form part of the Critical National Infrastructure (CNI), make them an emerging domain of conflict, terrorist attacks, and a playground for cyber-exploitation. Existing layered-defence approaches are increasingly criticised for their inability to adequately protect against resourceful and persistent adversaries. It is therefore essential that emerging techniques, such as orthogonality, be combined with existing security strategies to leverage defence advantages against adaptive and often asymmetrical attack vectors. The concept of orthogonality is relatively new and unexplored in an ICS environment and consists of having an assurance control as well as a functional control at each layer. Our work seeks to partially articulate a framework where multiple functional and assurance controls are introduced at each layer of the ICS architectural design to further enhance security while maintaining critical real-time transfer of command and control traffic.