Ji-liang LUO,Hui SHAO,Wei-min WU,Hong-ye SU

DOI: https://doi.org/10.7641/CTA.2017.60929

2018-01-01

Abstract:More and more control elements are incorporated into a single system by the information technology such as internet of things.Consequently,the scale of a control system increases quickly,and the control specification becomes more and more complicated.Any logic mistake that violates a given control specification may lead to a serious industrial failure and even security issue.Besides,there is a"state space explosion"for discrete event systems.These make a challenge for designing and debugging programs running in programmable logic controllers(PLCs)or field programmable gate arrays (FPGAs).The supervisory control theory of discrete event systems is to implement a given complicated logic specification by formal methods. The specification such as interlock,sequence,mutual exclusion,and language is expressed by a Petri net or automata.It is in turn translated into codes that can be executed by a PLC or FPGA.This paper surveys these formal methods for synthesis of logical controller,which are to shorten the costed time for control programs,to ease the reuse of them,and to increase the safety and reliability of them.

Zeyu Yang,Liang He,Hua Yu,Chengcheng Zhao,Peng Cheng,Jiming Chen

DOI: https://doi.org/10.1145/3560905.3568521

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Semantic attacks have incurred increasing threats to Industrial Control Systems (ICSs), which manipulate targeted system modules by identifying the physical semantics of variables in Programmable Logic Controllers (PLCs) programs, i.e., the sensing/actuating modules represented by the variables. This is usually (and inefficiently) achieved via manual examination of system documents and long-term observation of system behavior. In this paper, we design ARES, a method that Automatically Reverse Engineers the Semantics of variables in PLC programs without requiring any domain knowledge. ARES is built on the fact that the Supervisory Control And Data Acquisition (SCADA) system monitors the behavior of PLC using a fixed mapping between the variables of program code and data log, and the data log variables are marked with physical semantics. By identifying the mapping between PLC code and SCADA data (i.e., the code-data mapping), ARES reverse engineers the physical semantics of program variables. ARES also sheds light on the preferred practices in implementing control rules that improve the resistance of PLC programs to semantic attacks. We have experimentally evaluated ARES and the recommended implementation practices on two ICS platforms.

Ruochen Zhou,Zhiyun Wang,Xiaoyu Ji,Wenyuan Xu

DOI: https://doi.org/10.1109/ei250167.2020.9347104

2020-01-01

Abstract:Programmable logic controller (PLC) is one of the critical infrastructure in industrial control system, which is therefore vulnerable to a variety of cyber-attacks. To mitigate this issue, we design an anomaly detection system, a novel non-invasive intrusion detection method for PLC. Our system utilizes the magnetic side-channel information around the power supply module of PLC and analyzes the running status rely on the fact that different programs will result in various magnetic characteristic. We design a classification algorithm which can extract representational features from the raw signal, as well as avoid the interference of environmental noise. To validate the idea, we design 3 types of attacks and implement on the prototype of thermal power plant in laboratory. The evaluation shows our system is feasible to detect attacks and achieve an overall detection accuracy above 90%.

Chao Sang,Jun Wu,Jianhua Li,Mohsen Guizani

DOI: https://doi.org/10.1109/tifs.2024.3402117

2024-01-01

Abstract:Industrial Control System (ICS) depends on the underlying Programmable Logical Controllers (PLCs) to run. As such, the security of the internal control logic of the PLCs is the top concern of ICS. Reversing analysis and forensic work against PLC require extracting control logic from the control application running inside PLC, which is still an unresolved problem. To address the challenge, we propose a PLC decompile framework named CLEVER, which can analyze the control application and extract the control logic. First, we propose a simulation execution based code extraction method, which is utilized to filter the control logic related data. Then, to normalize the control application decompile process, an intermediate representation (IR) is designed, which can simplify the analysis process and enhance the extensibility of CLEVER. Finally, a heuristic data flow analysis algorithm is proposed to find variable dependency, and a sequential parsing method is utilized to reconstruct the source code from the control application. To evaluate our work, real world PLC hardware and programming software are used for the experiment. We use 22 real-world, 58 hand-written, and 150 auto-generated control applications to demonstrate the usability, correctness, and operational efficiency of CLEVER.

Hehua Zhang,Yu Jiang,William N. N. Hung,Xiaoyu Song,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1109/tc.2013.124

2014-01-01

Abstract:Programmable Logic Controllers (PLC) are widely used in industry. The reliability of the PLC is vital to many critical applications. This paper presents a novel approach to the symbolic analysis of PLC systems. The approach includes, (1) calculating the uncertainty characterization of the PLC system, (2) abstracting the PLC system as a Hidden Markov Model, (3) solving the Hidden Markov Model with domain knowledge, (4) combining the solved Hidden Markov Model and the uncertainty characterization to form a regular Markov model, and (5) utilizing probabilistic model checking to analyze properties of the Markov model. This framework provides automated analysis of both uncertainty calculations and performance measurements, without the need for expensive simulations. A case study of an industrial, automated PLC system demonstrates the effectiveness of our work.

Hehua Zhang,Yu Jiang,William N. N. Hung,Guowu Yang,Ming Gu,Jiaguang Sun

DOI: https://doi.org/10.1016/j.mcm.2011.11.050

2013-01-01

Quality Engineering

Abstract:Programmable Logic Controllers (PLC) are widely used in industry. Reliable PLC systems are vital to many critical applications. The reliability analysis of PLC is special because the hardware component and embedded software are combined and operated in a specific manner. This paper presents a probabilistic modeling for PLC systems, which considers both the hardware and software components. Three analysis strategies are proposed for probabilistic evaluation of reliability characterization. The first method is an input-based analysis which considers the impact of errors from primary inputs. The second one is an action-based analysis. It extends the first method by considering the impact of software-based processing deviations on primary inputs. The third method is an action-traverse analysis. It computes the reliability characterization in a single topological traverse through the primary inputs during the software execution. Experimental results demonstrate the effectiveness of our approaches when compared to fault tree analysis.

Da Wang,Qianchuan Zhao

2010-01-01

Abstract:PLC (programmable logic controller) is one type of general industrial control platforms with high reliability, which has been widely used in many real-time control systems, such as transfer lines and continuous casting machines. With the increasing size and complexity of PLC programs, the traditional manual test cannot meet the needs of industrial fields due to its inefficiency and error-prone features. Program slicing is a method of program analysis and understanding. Based on some slicing criterion, it removes the irrelevant statements from the source code to obtain a group of interested program segments. In this way, the scope of the program under study is narrowed. In this paper, program slicing of PLC programs will be studied. The slicing of PLC programs needs special treatment which is usually not necessary in other software written in high level language or assembly language. For example, PLC programs run in cyclic operating mode, and they usually allow each ladder to include more than one output ports making the number of outputs in one statement much larger than that of those in other software. We first introduce a ladder transformation as a preparation for program slicing. Then algorithms for static slicing for PLC programs are proposed. A demo is given to show that this method can effectively reduce the scale of program.

Yu-jun Xiao,Wen-yuan Xu,Zhen-hua Jia,Zhuo-ran Ma,Dong-lian Qi

DOI: https://doi.org/10.1631/fitee.1601540

2017-01-01

Abstract:Industrial control systems (ICSs) are widely used in critical infrastructures, making them popular targets for attacks to cause catastrophic physical damage. As one of the most critical components in ICSs, the programmable logic controller (PLC) controls the actuators directly. A PLC executing a malicious program can cause significant property loss or even casualties. The number of attacks targeted at PLCs has increased noticeably over the last few years, exposing the vulnerability of the PLC and the importance of PLC protection. Unfortunately, PLCs cannot be protected by traditional intrusion detection systems or antivirus software. Thus, an effective method for PLC protection is yet to be designed. Motivated by these concerns, we propose a non-invasive powerbased anomaly detection scheme for PLCs. The basic idea is to detect malicious software execution in a PLC through analyzing its power consumption, which is measured by inserting a shunt resistor in series with the CPU in a PLC while it is executing instructions. To analyze the power measurements, we extract a discriminative feature set from the power trace, and then train a long short-term memory (LSTM) neural network with the features of normal samples to predict the next time step of a normal sample. Finally, an abnormal sample is identified through comparing the predicted sample and the actual sample. The advantages of our method are that it requires no software modification on the original system and is able to detect unknown attacks effectively. The method is evaluated on a lab testbed, and for a trojan attack whose difference from the normal program is around 0.63%, the detection accuracy reaches 99.83%.

DOU Zeng-jie,WANG Zhen-yu,CHEN Nan,WANG Rui-min,TIAN Jia

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.21.011

2010-01-01

Abstract:In order to analyze program control flow precisely and depict program control structure correctly,this paper introduces an overall architecture for control flow analysis and proposes an algorithm to generate the control flow of executable code. Key techniques such as abstraction of executable code and program control flow generation are described. Simple Assembly language Intermediate Representation(SAIR) is presented. Without changing semantics of the disassembly code,SAIR ensures thesimplicity and stringentness of analysis. The functions that create program control flow are defined based on SAIR and the algorithm that generates the control flow is proposed. The example of analyzing program control flow is given.

Wang Yongjun,Wang Junbiao

DOI: https://doi.org/10.3969/j.issn.1000-3886.2005.01.019

2005-01-01

Abstract:This article presents the connecting method of network link between programmable logic controller and industrial control computer,in- troduces the control command format of industrial control computer and the style of response of inferior one to IPC's control command. The method of communication programming and the details of program flow chart are analyzed.An application example of network link in the numerical control system is given.

Joochan Lee,Hyunpyo Choi,Jiho Shin,Jung Taek Seo

DOI: https://doi.org/10.1145/3440943.3444742

2020-12-12

Abstract:In recent years, 1 a large number of studies have been conducted on cybersecurity for Programmable Logic Controllers (PLCs) to cope with cyberattacks on Industrial Control Systems(ICS). However, few studies have been conducted on ensuring cybersafety for control logics running inside PLCs. In this study, a technique for detecting an attack on PLC control logic change was proposed by analyzing the network protocol data and project file structure. Based on the analysis results for the proposed technique, a tool was implemented to detect an manipulation attack on control logic, and whether such attack was detected or not was verified through experiments.

Wan Xue-jun

Abstract:PLC system has high reliability,perfect function,low energy consumption and easy maintenance,etc.,in the power sys tem is widely used in automation engineering.Currently,the practical application of the PLC there are some problems to be solved,therefore,based on the analysis of the PLC to explore PLC in power system automation projects in the specific application,a realis tic theoretical significance and practical value.

Engineering,Computer Science

Tao Feng,Yanxia Shi,Renbin Gong,Qianchuan Zhao

DOI: https://doi.org/10.1109/icpics47731.2019.8942463

2019-01-01

Abstract:The information security problem of the industrial control system (ICS) has become prominent increasingly with the advancement of industry 4.0. The programmable logic controller (PLC) is the basic control device in the supervisory control and data acquisition (SCADA) of ICS. The stable operation of ICS is limited by the safety of PLC. In this paper, the PLC attack tree model, which targets the PLC equipment security, is built to analyze and evaluate the safety of PLC systematically. First, the attack path of the PLC has been analyzed. The attack nodes have been defined by employing the attack tree model. Second, the fuzzy analytic hierarchy process has been introduced to calculate the security attribute weight and quantify the attack probability of the leaf nodes. The Shapiro-Wilk test has been employed to ensure the normality of data. Finally, the attack probability of different attack paths has been calculated as the PLC attack tree model. The PLC attack tree model which proposed in this paper is employed to distinguish the probability of different attack paths. The proposed attack tree model provides a basis for decision- makers to take appropriate protective measures.

Xia Mao,Xin Li,Yanhong Huang,Jianqi Shi,Yueling Zhang

DOI: https://doi.org/10.1109/tii.2021.3123194

IF: 12.3

2022-07-01

IEEE Transactions on Industrial Informatics

Abstract:Programmable logic controllers (PLC), which are widely applied in modern industrial control systems (ICS), work as the controller of sensors and actuators in ICS. These systems require strict correctness, especially for safety-critical systems. Currently, increasingly ICS move to come online scenarios to enhance cyber-physical features, but it makes them more vulnerable due to acquiring increased interconnection accompanied by weakening physical isolation. Moreover, with the more complex controlling environment, such as hundreds of more I/O points and more diverse field buses, the incorrect executions of PLC might cause the failure of the overall ICS. In this article, we examine how the security and safety of running PLC could be enhanced in both developing and deploying stages of ICS. We propose a novel application of runtime verification to guarantee the security and safety of real-world ICS. As a variant of temporal logic, PLC past linear temporal logic (PPLTL) is proposed to specify the security and safety properties of PLC. Using PPLTL, we synthesize monitors to improve the PLC programs security and safety as a partner of testing and static verification. Our monitors provide twofold processing in a nonintrusive manner: One is filtering abnormal input data before invading the original programs, the other is double-checking the output signals before driving the actuators. We use several case studies and benchmarks to demonstrate the efficiency of the approach. The empirical results show that the time overhead and memory occupation are tiny.

automation & control systems,computer science, interdisciplinary applications,engineering, industrial

Jianyong Zhao,Zhe Tao

DOI: https://doi.org/10.1109/access.2021.3133630

IF: 3.9

2021-01-01

IEEE Access

Abstract:Programmable logic controllers (PLCs) are widely used in industrial electronic systems. With the augmenting complexity of system, the reliability poses a crucial challenge in safety critical applications. This paper proposes a formal modeling and verification approach for programming function block diagrams. Function block diagrams are formalized in a logic specification system. We consider the equivalence checking problem which occurs frequently between design implementations under different performance constraints. We present a novel method to harness a powerful co-induction proof strategy with bisimulation to establish the equivalence in a higher-order logic theorem proving system. We validate the effectiveness of our approach by a real industry application example with key scenarios. The soundness and the completeness of our approach are substantiated.

Shengjian Guo,Meng Wu,Chao Wang

DOI: https://doi.org/10.1145/3106237.3106245

2017-08-21

Abstract:Programmable logic controllers (PLCs) are specialized computers for automating a wide range of cyber-physical systems. Since these systems are often safety-critical, software running on PLCs need to be free of programming errors. However, automated tools for testing PLC software are lacking despite the pervasive use of PLCs in industry. We propose a symbolic execution based method, named SymPLC, for automatically testing PLC software written in programming languages specified in the IEC 61131-3 standard. SymPLC takes the PLC source code as input and translates it into C before applying symbolic execution, to systematically generate test inputs that cover both paths in each periodic task and interleavings of these tasks. Toward this end, we propose a number of PLC-specific reduction techniques for identifying and eliminating redundant interleavings. We have evaluated SymPLC on a large set of benchmark programs with both single and multiple tasks. Our experiments show that SymPLC can handle these programs efficiently, and for multi-task PLC programs, our new reduction techniques outperform the state-of-the-art partial order reduction technique by more than two orders of magnitude.

Zibo Wang,Yaofang Zhang,Yilu Chen,Hongri Liu,Bailing Wang,Chonghua Wang

DOI: https://doi.org/10.3390/pr11030918

IF: 3.5

2023-03-18

Processes

Abstract:Programmable Logic Controllers (PLCs), as specialized task-oriented embedded field devices, play a vital role in current industrial control systems (ICSs), which are composed of critical infrastructure. In order to meet increasing demands on cost-effectiveness while improving production efficiency, commercial-off-the-shelf software and hardware, and external networks such as the Internet, are integrated into the PLC-based control systems. However, it also provides opportunities for adversaries to launch malicious, targeted, and sophisticated cyberattacks. To that end, there is an urgent need to summarize ongoing work in PLC-based control systems on vulnerabilities, attacks, and security detection schemes for researchers and practitioners. Although surveys on similar topics exist, they are less involved in three key aspects, as follows: First and foremost, previous work focused more on system-level vulnerability analysis than PLC itself. Subsequently, it was not clear whether their work applied to the current systems or future ones, especially for security detection schemes. Finally, the prior surveys lacked a digital forensic research review of PLC-based control systems, which was significant for security analysis at different stages. As a result, we highlight vulnerability analysis at both a core component level and a system level, as well as attack models against availability, integrity, and confidentiality. Meanwhile, reviews of security detection schemes and digital forensic research for the current PLC-based systems are provided. Finally, we discuss future work for the next-generation systems.

engineering, chemical

Hehua Zhang,Yu Jiang,William N. N. Hung,Xiaoyu Song,Ming Gu

DOI: https://doi.org/10.1007/978-3-642-24559-6_10

2011-01-01

Abstract:Programmable Logic Controllers are widely used in industry. Reliable PLCs are vital to many critical applications. This paper presents a novel symbolic approach for analysis of PLC systems. The main components of the approach consists of: (1) calculating the uncertainty characterization of the PLC systems, (2) abstracting the PLC system as a Hidden Markov Model, (3) solving the Hidden Markov Model using domain knowledge, (4) integrating the solved Hidden Markov Model and the uncertainty characterization to form an integrated (regular) Markov Model, and (5) harnessing probabilistic model checking to analyze properties on the resultant Markov Model. The framework provides expected performance measures of the PLC systems by automated analytical means without expensive simulations. Case studies on an industrial automated system are performed to demonstrate the effectiveness of our approach.

Guoping Wang

DOI: https://doi.org/10.1109/eit51626.2021.9491834

2021-01-01

Abstract:Programmable controllers (PLCs) were developed to solve the problems of automating and manufacturing control systems and they have found wide applications in industrial control fields. Ladder diagram is the most adopted programming language for PLC control. Process sequence and flow charts can be used for simple PLC ladder diagram design. For complex PLC controls, state diagrams have been proposed for PLC ladder diagram programming. However, state diagram method has some limitations. In this paper, based on the analysis and design techniques of digital systems, we proposed a new PLC design approach. In this method, first we need to identify the functions of datapath and controller and the inputs/outputs of both. Second, Algorithmic State Machine(ASM) charts are used to draw the state transitions for the controller. Finally, a ladder diagram is designed from the ASM chart. The best practices with this approach are also discussed in the paper.

Rui Wang,Xiaoyu Song,Jianzhong Zhu,Ming Gu

DOI: https://doi.org/10.1016/j.compind.2010.05.015

IF: 10

2011-01-01

Computers in Industry

Abstract:Programmable logic controllers (PLCs) are complex cyber-physical systems which are widely used in industry. This paper presents a robust approach to design and implement PLC-based embedded systems. Timed automata are used to model the controller and its environment. We validate the design model with resort to model checking techniques. We propose an algorithm to generate PLC code from timed automata and implement this algorithm with a prototype tool. This method can condense the developing process and guarantee the correctness of PLC programs. A case study demonstrates the effectiveness of the method.