Control Logic Attack Detection and Forensics through Reverse-engineering and Verifying PLC Control Applications

Bibliographic Details
Published in: IEEE Internet of Things Journal, Vol. 11, no. 5, p. 1
Main Authors: Geng, Yangyang; Che, Xin; Ma, Rongkuan; Wei, Qiang; Wang, Mufeng; Chen, Yuqi
Format: Journal Article
Language: English
Published: Piscataway: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 01-03-2024
Summary: Industrial control systems (ICSs) are prevalent in critical infrastructures, where programmable logic controllers (PLCs) and physical instruments are integrated. However, multiple successful attacks against PLC control logic programs have caused significant damage to ICSs, which has led to an urgent need for detection and forensics of such attacks. Although several off-the-shelf defense mechanisms have been presented in the past, few of them can detect and locate control logic attacks at run time. In this paper, we propose a practical and automatic Control Logic Attack Detection and Forensics framework (CLADF) to conduct control logic attack detection and forensics in ICSs. Specifically, the core of CLADF includes 1) a control application extraction module that extracts PLC binary control applications by simulating the PLC's normal upload functionality, 2) a control application reverse-engineering module that disassembles binary control applications, and 3) an attack detection and forensics module that verifies the integrity of PLC control applications, recovers the normal control application, and locates the modified control instructions. We extensively evaluated CLADF in five different application scenarios and on two real-world Schneider PLCs. For each PLC, we generated three types of 150 mutated control logic attacks. The results demonstrate that CLADF can effectively extract the run-time binary control application in different application scenarios and disassemble these binary control applications into assembly instructions. Moreover, CLADF can accurately detect the attacks and locate the modified subroutines.
ISSN: 2327-4662
DOI: 10.1109/JIOT.2023.3318988