Adeen Ayub,Hyunguk Yoo,Irfan Ahmed

DOI: https://doi.org/10.1109/spw53761.2021.00058

2021-05-01

Abstract:Programmable logic controllers (PLCs) run a ‘control logic’ program that defines how to control a physical process such as a nuclear plant, power grid stations, and gas pipelines. Attackers target the control logic of a PLC to sabotage a physical process. Most PLCs employ password based authentication mechanisms to prevent unauthorized remote access to control logic. This paper presents an empirical study on proprietary authentication mechanisms in five industry-scale PLCs to understand the security-design practices of four popular ICS vendors, i.e., Allen-Bradley, Schneider Electric, AutomationDirect, and Siemens. The empirical study determines whether the mechanisms are vulnerable by design and can be exploited. It reveals serious design issues and vulnerabilities in authentication mechanisms, including lack of nonce, small-sized encryption key, weak encryption scheme, and client-side authentication. The study further confirms the findings empirically by creating and testing their proof-of-concept exploits derived from MITRE ATT&CK knowledge base of adversary tactics and techniques. Unlike existing work, our study relies solely on network traffic examination and does not employ typical reverse-engineering of binary files (e.g., PLC firmware) to reveal the seriousness of design problems. Moreover, the study covers PLCs from different vendors to highlight an industry-wide issue of secure PLC authentication that needs to be addressed.

Zibo Wang,Yaofang Zhang,Yilu Chen,Hongri Liu,Bailing Wang,Chonghua Wang

DOI: https://doi.org/10.3390/pr11030918

IF: 3.5

2023-03-18

Processes

Abstract:Programmable Logic Controllers (PLCs), as specialized task-oriented embedded field devices, play a vital role in current industrial control systems (ICSs), which are composed of critical infrastructure. In order to meet increasing demands on cost-effectiveness while improving production efficiency, commercial-off-the-shelf software and hardware, and external networks such as the Internet, are integrated into the PLC-based control systems. However, it also provides opportunities for adversaries to launch malicious, targeted, and sophisticated cyberattacks. To that end, there is an urgent need to summarize ongoing work in PLC-based control systems on vulnerabilities, attacks, and security detection schemes for researchers and practitioners. Although surveys on similar topics exist, they are less involved in three key aspects, as follows: First and foremost, previous work focused more on system-level vulnerability analysis than PLC itself. Subsequently, it was not clear whether their work applied to the current systems or future ones, especially for security detection schemes. Finally, the prior surveys lacked a digital forensic research review of PLC-based control systems, which was significant for security analysis at different stages. As a result, we highlight vulnerability analysis at both a core component level and a system level, as well as attack models against availability, integrity, and confidentiality. Meanwhile, reviews of security detection schemes and digital forensic research for the current PLC-based systems are provided. Finally, we discuss future work for the next-generation systems.

engineering, chemical

Efrén López-Morales,Ulysse Planta,Carlos Rubio-Medrano,Ali Abbasi,Alvaro A. Cardenas

2024-03-01

Abstract:Billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management, and food production. Our dependence on reliable infrastructures makes them valuable targets for cyberattacks. One of the prime targets for adversaries attacking physical infrastructures are Programmable Logic Controllers (PLCs) because they connect the cyber and physical worlds. In this study, we conduct the first comprehensive systematization of knowledge that explores the security of PLCs: We present an in-depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. We introduce a novel threat taxonomy for PLCs and Industrial Control Systems (ICS). Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.

Cryptography and Security

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1145/3560905.3568521

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Semantic attacks have incurred increasing threats to Industrial Control Systems (ICSs), which manipulate targeted system modules by identifying the physical semantics of variables in Programmable Logic Controllers (PLCs) programs, i.e., the sensing/actuating modules represented by the variables. This is usually (and inefficiently) achieved via manual examination of system documents and long-term observation of system behavior. In this paper, we design ARES, a method that Automatically Reverse Engineers the Semantics of variables in PLC programs without requiring any domain knowledge. ARES is built on the fact that the Supervisory Control And Data Acquisition (SCADA) system monitors the behavior of PLC using a fixed mapping between the variables of program code and data log, and the data log variables are marked with physical semantics. By identifying the mapping between PLC code and SCADA data (i.e., the code-data mapping), ARES reverse engineers the physical semantics of program variables. ARES also sheds light on the preferred practices in implementing control rules that improve the resistance of PLC programs to semantic attacks. We have experimentally evaluated ARES and the recommended implementation practices on two ICS platforms.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Rongkuan Ma,Qiang Wei,Jingyi Wang,Shunkai Zhu,Shouling Ji,Peng Cheng,Yan Jia,Qingxian Wang

DOI: https://doi.org/10.48550/arXiv.2212.14296

2022-12-29

Cryptography and Security

Abstract:Programmable Logic Controllers (PLCs) are the core control devices in Industrial Control Systems (ICSs), which control and monitor the underlying physical plants such as power grids. PLCs were initially designed to work in a trusted industrial network, which however can be brittle once deployed in an Internet-facing (or penetrated) network. Yet, there is a lack of systematic empirical analysis of the run-time security of modern real-world PLCs. To close this gap, we present the first large-scale measurement on 23 off-the-shelf PLCs across 13 leading vendors. We find many common security issues and unexplored implications that should be more carefully addressed in the design and implementation. To sum up, the unsupervised logic applications can cause system resource/privilege abuse, which gives adversaries new means to hijack the control flow of a runtime system remotely (without exploiting memory vulnerabilities); 2) the improper access control mechanisms bring many unauthorized access implications; 3) the proprietary or semi-proprietary protocols are fragile regarding confidentiality and integrity protection of run-time data. We empirically evaluated the corresponding attack vectors on multiple PLCs, which demonstrates that the security implications are severe and broad. Our findings were reported to the related parties responsibly, and 20 bugs have been confirmed with 7 assigned CVEs.

Ruimin Sun,Alejandro Mera,Long Lu,David Choffnes

DOI: https://doi.org/10.48550/arXiv.2006.04806

2021-03-24

Abstract:Programmable Logic Controllers (PLCs) play a critical role in the industrial control systems. Vulnerabilities in PLC programs might lead to attacks causing devastating consequences to the critical infrastructure, as shown in Stuxnet and similar attacks. In recent years, we have seen an exponential increase in vulnerabilities reported for PLC control logic. Looking back on past research, we found extensive studies explored control logic modification attacks, as well as formal verification-based security solutions. We performed systematization on these studies, and found attacks that can compromise a full chain of control and evade detection. However, the majority of the formal verification research investigated ad-hoc techniques targeting PLC programs. We discovered challenges in every aspect of formal verification, rising from (1) the ever-expanding attack surface from evolved system design, (2) the real-time constraint during the program execution, and (3) the barrier in security evaluation given proprietary and vendor-specific dependencies on different techniques. Based on the knowledge systematization, we provide a set of recommendations for future research directions, and we highlight the need of defending security issues besides safety issues.

Cryptography and Security

Ramiro Ramirez,Chun-Kai Chang,Shu-Hao Liang

DOI: https://doi.org/10.3390/electronics12051195

IF: 2.9

2023-03-02

Electronics

Abstract:Programming logic controllers (PLCs) are vital components for conveyors in production lines, and the sensors and actuators controlled underneath the PLCs represent critical points in the manufacturing process. Attacks targeting the exploitation of PLC vulnerabilities have been on the rise recently. In this study, a PLC test platform aims to analyze the vulnerabilities of a typical industrial setup and perform cyberattack exercises to review the system cybersecurity challenges. The PLC test platform is a sorting machine consisting of an automatic conveyor belt, two Mitsubishi FX5U-32M PLCs, and accessories for material sorting, and Modbus is the selected protocol for data communication. The O.S. on the attacker is Kali ver. 2022.3, runs Nmap and Metasploit to exploit the target Modbus registers. On the other hand, the target host runs the O.S., Ubuntu 22.04 in the cyberattack exercises. The selected attack method for this study is packet reply which can halt operations sending custom data packets to the PLC. In summary, this study provides a basic step-by-step offensive strategy targeting register modification, and the testbed represents a typical industrial environment and its vulnerabilities against cyberattacks with common open-source tools.

engineering, electrical & electronic,computer science, information systems,physics, applied

Wael Alsabbagh,Chaerin Kim,Peter Langendörfer

DOI: https://doi.org/10.1109/access.2024.3356051

IF: 3.9

2024-01-01

IEEE Access

Abstract:Open-source Programmable Logic Controller (OpenPLC) software is designed to be vendor-natural and run on almost any computer or low-cost embedded devices e.g., Raspberry Pi, Ardunio, and other controllers. The aim of this project is to introduce an affordable and practical alternative solution for the high-cost of real hardware PLCs, and has successfully gained substantial interest within both the research and industrial communities. Due to its popularity grows, understanding its security vulnerabilities and implementing effective mitigation strategies become crucial. Through a combination of threat modeling, vulnerability analysis, and practical experiments, this article provides valuable insights for developers, researchers, and engineers aiming to deploy OpenPLC securely in industrial environments. To this end, we first conducted an in-depth analysis aimed to shed light on various security challenges and vulnerabilities within the OpenPLC project. These encompass issues such as unauthorized access, vulnerabilities in communication protocols, concerns regarding data integrity, the absence of robust encryption mechanisms, etc. After that, we showed the research community what the consequences of those vulnerabilities would be if they are exploited. To this end, we performed a sophisticated control logic injection attack that maliciously modifies the user program run on the OpenPLC Runtime. Our injection was stealthy and not detected by the legitimate user. Finally, we introduced a security-enhanced OpenPLC software called OpenPLC Aqua. Our developed software is equipped with a set of security solutions designed specifically to address the vulnerabilities to which current OpenPLC versions are prone. All our attack codes as well OpenPLC Aqua software are publically available.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Feng,Yanxia Shi,Renbin Gong,Qianchuan Zhao

DOI: https://doi.org/10.1109/icpics47731.2019.8942463

2019-01-01

Abstract:The information security problem of the industrial control system (ICS) has become prominent increasingly with the advancement of industry 4.0. The programmable logic controller (PLC) is the basic control device in the supervisory control and data acquisition (SCADA) of ICS. The stable operation of ICS is limited by the safety of PLC. In this paper, the PLC attack tree model, which targets the PLC equipment security, is built to analyze and evaluate the safety of PLC systematically. First, the attack path of the PLC has been analyzed. The attack nodes have been defined by employing the attack tree model. Second, the fuzzy analytic hierarchy process has been introduced to calculate the security attribute weight and quantify the attack probability of the leaf nodes. The Shapiro-Wilk test has been employed to ensure the normality of data. Finally, the attack probability of different attack paths has been calculated as the PLC attack tree model. The PLC attack tree model which proposed in this paper is employed to distinguish the probability of different attack paths. The proposed attack tree model provides a basis for decision- makers to take appropriate protective measures.

Awais Tanveer,Roopak Sinha,Stephen G. MacDonell,Paulo Leitao,Valeriy Vyatkin

DOI: https://doi.org/10.1109/INDIN41052.2019.8972262

2021-01-06

Abstract:Programmable Logic Controllers (PLCs) execute critical control software that drives Industrial Automation and Control Systems (IACS). PLCs can become easy targets for cyber-adversaries as they are resource-constrained and are usually built using legacy, less-capable security measures. Security attacks can significantly affect system availability, which is an essential requirement for IACS. We propose a method to make PLC applications more security-aware. Based on the well-known IEC 61499 function blocks standard for developing IACS software, our method allows designers to annotate critical parts of an application during design time. On deployment, these parts of the application are automatically secured using appropriate security mechanisms to detect and prevent attacks. We present a summary of availability attacks on distributed IACS applications that can be mitigated by our proposed method. Security mechanisms are achieved using IEC 61499 Service-Interface Function Blocks (SIFBs) embedding Intrusion Detection and Prevention System (IDPS), added to the application at compile time. This method is more amenable to providing active security protection from attacks on previously unknown (zero-day) vulnerabilities. We test our solution on an IEC 61499 application executing on Wago PFC200 PLCs. Experiments show that we can successfully log and prevent attacks at the application level as well as help the application to gracefully degrade into safe mode, subsequently improving availability.

Cryptography and Security,Software Engineering

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

Sam Maesschalck,Alexander Staves,Richard Derbyshire,Benjamin Green,David Hutchison

DOI: https://doi.org/10.48550/arXiv.2206.06669

2023-01-30

Abstract:Cyber security risk assessments provide a pivotal starting point towards the understanding of existing risk exposure, through which suitable mitigation strategies can be formed. Where risk is viewed as a product of threat, vulnerability, and impact, understanding each element is of equal importance. This can be a challenge in Industrial Control System (ICS) environments, where adopted technologies are typically not only bespoke, but interact directly with the physical world. To date, existing vulnerability identification has focused on traditional vulnerability categories. While this provides risk assessors with a baseline understanding, and the ability to hypothesize on potential resulting impacts, it is high level, operating at a level of abstraction that would be viewed as incomplete within a traditional information system context. The work presented in this paper takes the understanding of ICS device vulnerabilities one step further. It offers a tool, PLC-VBS, that helps identify Programmable Logic Controller (PLC) vulnerabilities, specifically within logic used to monitor, control, and automate operational processes. PLC-VBS gives risk assessors a more coherent picture about the potential impact should the identified vulnerabilities be exploited; this applies specifically to operational process elements.

Cryptography and Security

B. Green,W. Knowles,M. Krotofil,R. Derbyshire,D. Prince,N. Suri

DOI: https://doi.org/10.48550/arXiv.2102.10049

2021-02-19

Cryptography and Security

Abstract:Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e. process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to conduct targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class based on control-logic constructs. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach for system-agnostic exploitation of PLC library functions, leading to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs, by identification of practical attacks.

Joochan Lee,Hyunpyo Choi,Jiho Shin,Jung Taek Seo

DOI: https://doi.org/10.1145/3440943.3444742

2020-12-12

Abstract:In recent years, 1 a large number of studies have been conducted on cybersecurity for Programmable Logic Controllers (PLCs) to cope with cyberattacks on Industrial Control Systems(ICS). However, few studies have been conducted on ensuring cybersafety for control logics running inside PLCs. In this study, a technique for detecting an attack on PLC control logic change was proposed by analyzing the network protocol data and project file structure. Based on the analysis results for the proposed technique, a tool was implemented to detect an manipulation attack on control logic, and whether such attack was detected or not was verified through experiments.

Andres Robles-Durazno,Naghmeh Moradpoor,James McWhinnie,Gordon Russell,Inaki Maneru-Marin

DOI: https://doi.org/10.1007/978-3-030-05532-5_7

2018-12-30

Abstract:Critical infrastructures such as nuclear plants and water supply systems are mainly managed through electronic control systems. Such control systems comprise of a number of elements, such as programmable logic controllers (PLC), networking devices, sensors and actuators. With the development of online and networking solutions, such control systems can be managed online. Even though network connected control systems permit users to keep up to date with system operation, it also opens the door to attackers taking advantages of such availability. In this paper, a novel attack vector for modifying PLC memory is proposed, which affects the perceived values of sensors, such as a water flow meter, or the operation of actuators, such as a pump. In addition, this attack vector can also manipulate control variables located in the PLC working memory, reprogramming decision making rules. To show the impact of the attacks in a real scenario, a model of a clean water supply system is implemented on a Festo MPA rig. The results show that the attacks on the PLC memory can have a significant detrimental effect on control system operations. Further, a mechanism of detecting such attacks on the PLC memory is proposed based on monitoring energy consumption and electrical signals using current-measurement sensors. The results show the successful implementation of the novel PLC attacks as well as the feasibility of detecting such attacks.

Karen Li,Kopo M. Ramokapane,Awais Rashid

DOI: https://doi.org/10.48550/arXiv.2208.02500

2022-08-04

Abstract:Programmable Logic Controllers (PLCs) drive industrial processes critical to society, e.g., water treatment and distribution, electricity and fuel networks. Search engines (e.g., Shodan) have highlighted that Programmable Logic Controllers (PLCs) are often left exposed to the Internet, one of the main reasons being the misconfigurations of security settings. This leads to the question -- why do these misconfigurations occur and, specifically, whether usability of security controls plays a part? To date, the usability of configuring PLC security mechanisms has not been studied. We present the first investigation through a task-based study and subsequent semi-structured interviews (N=19). We explore the usability of PLC connection configurations and two key security mechanisms (i.e., access levels and user administration). We find that the use of unfamiliar labels, layouts and misleading terminology exacerbates an already complex process of configuring security mechanisms. Our results uncover various (mis-) perceptions about the security controls and how design constraints, e.g., safety and lack of regular updates (due to long term nature of such systems), provide significant challenges to realization of modern HCI and usability principles. Based on these findings, we provide design recommendations to bring usable security in industrial settings at par with its IT counterpart.

Cryptography and Security,Computation and Language,Human-Computer Interaction,Systems and Control

Abdullah Al Farooq,Jessica Marquard,Kripa George,Thomas Moyer

DOI: https://doi.org/10.48550/arXiv.1911.06304

2019-11-14

Cryptography and Security

Abstract:Programmable Logic Controllers are an integral component for managing many different industrial processes (e.g., smart building management, power generation, water and wastewater management, and traffic control systems), and manufacturing and control industries (e.g., oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, automotive, and aerospace). Despite being used widely in many critical infrastructures, PLCs use protocols which make these control systems vulnerable to many common attacks, including man-in-the-middle attacks, denial of service attacks, and memory corruption attacks (e.g., array, stack, and heap overflows, integer overflows, and pointer corruption). In this paper, we propose PLC-PROV, a system for tracking the inputs and outputs of the control system to detect violations in the safety and security policies of the system. We consider a smart building as an example of a PLC-based system and show how PLC-PROV can be applied to ensure that the inputs and outputs are consistent with the intended safety and security policies.

Zeyu Yang,Liang He,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1109/TDSC.2024.3384146

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Stealthy attacks manipulate the operation of Industrial Control Systems (ICSs) without being undetected, allowing persistent manipulation of system operation and thus the potential to cause destructive damage. This paper introduces a new vulnerability of ICS that can be exploited to mount stealthy attacks without requiring any domain knowledge. This vulnerability is caused by a common practice in system monitoring, i.e., the SCADA monitors ICS operation at a much lower frequency than system execution, causing a loss of precision when the SCADA tries to cross-validate the issued control commands using the collected sensory data. Exploiting this vulnerability, an attack called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> is designed to stealthily manipulate the system operation by identifying and injecting malicious control commands that will not be concluded as abnormal by the SCADA. This paper further discusses a preferred ICS engineering practice and an attestation strategy to mitigate the above vulnerability and protect ICS from <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> . Both <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">PLC-SAGE</i> and the proposed mitigations have been experimentally validated on two ICS platforms.

Mario Hildebrandt,Kevin Lamshöft,Jana Dittmann,Tom Neubert,Claus Vielhauer

DOI: https://doi.org/10.1145/3369412.3395068

2020-06-22

Abstract:Industrial Control Systems (ICS) help to automate various cyber-physical systems in our world. The controlled processes range from rather simple traffic lights and elevators to complex networks of ICS in car manufacturing or controlling nuclear power plants. With the advent of industrial Ethernet ICS are increasingly connected to networks of Information Technology (IT). Thus, novel attack vectors on ICS are possible. In IT networks information hiding and steganography is increasingly used in advanced persistent threats to conceal the infection of the systems allowing the attacker to retain control over the compromised networks. In parallel ICS are more and more a target for attacks as well. Here, simple automated attacks as well as targeted attacks of nation state actors with the intention of damaging components or infrastructures as a part of cyber crime have already been observed. Information hiding could bring such attacks to a new level by integrating backdoors and hidden/covert communication channels that allow for attacking specific processes whenever it is deemed necessary. This paper sheds light on potential attack vectors on Programmable Logic Controllers (PLCs) using OPC Unified Architecture (OPC UA) network protocol based communication. We implement an exemplary supply chain attack consisting of an OPC UA server (Bob, B) and a Siemens S7-1500 PLC as OPC UA client (Alice, A). The hidden storage channel is using source timestamps to embed encrypted control sequences allowing for setting digital outputs to arbitrary values. The attack is solely relying on the programming of the PLC and does not require firmware level access. Due to the potential harm to life caused by attacks on cyber-physical systems any presentation of novel attack vectors need to present suitable mitigation strategies. Thus, we investigate potential approaches for the detection of the hidden storage channel for a warden W as well as potential countermeasures in order to increase the warden-compliance. Our machine learning based detection approach using a One-Class-Classifier yields a detection performance of 89.5% with zero false positives within an experiment with 46,159 OPC UA read responses without a steganographic message and 7,588 OPC UA read responses with an embedded steganographic message.