Abstract
This paper presents Similo, an automated scalable framework for control logic forensics in industrial control systems. Similo is designed to investigate denial of engineering operations (DEO) attacks, recently demonstrated to hide malicious control logic in a programmable logic controller (PLC) at field sites from an engineering software (at control center). The network traffic (if captured) contains substantial evidence to investigate DEO attacks including manipulation of control logic. Laddis, a state-of-the-art forensic approach for DEO attacks, is a binary-logic decompiler for the Allen-Bradley’s RSLogix engineering software and MicroLogix 1400 PLC. It is developed with extensive manual reverse engineering effort of the underlying proprietary network protocol and the binary control logic. Unfortunately, Laddis is not scalable and requires similar efforts to extend on other engineering software/PLCs. The proposed solution, Similo, is based on the observation that engineering software of different vendors are equipped with decompilers. Similo is a virtual-PLC framework that integrates the decompilers with their respective (previously-captured) ICS network traffic of control logic. It recovers the binary logic into a high-level source code (of the programming languages defined by IEC 61131-3 standard) automatically. Similo can work with both proprietary/open protocols without requiring protocol specifications and the binary formats of control logic. Thus, it is scalable to different ICS vendors. We evaluate Similo on three PLCs of two ICS vendors, i.e. MicroLogix 1400, MicroLogix 1100, and Modicon M221. These PLCs support proprietary protocols and the control logics written in two programming languages: Ladder Logic and Instruction List. The evaluation results show that Similo can accurately reconstruct a control logic from an ICS network traffic and can be used to investigate the DEO attacks effectively.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Ahmed, I., Obermeier, S., Naedele, M., Richard III, G.G.: SCADA systems: challenges for forensic investigators. Computer 45(12), 44–51 (2012)
Ahmed, I., Obermeier, S., Sudhakaran, S., Roussev, V.: Programmable logic controller forensics. IEEE Secur. Priv. 15(6), 18–24 (2017)
Ahmed, I., Roussev, V., Johnson, W., Senthivel, S., Sudhakaran, S.: A SCADA system testbed for cybersecurity and forensic research and pedagogy. In: Proceedings of the 2nd Annual Industrial Control System Security Workshop (ICSS) (2016)
Allen-Bradley: User manual. https://literature.rockwellautomation.com/idc/groups/literature/documents/um/1763-um001_-en-p.pdf
Beresford, D.: Exploiting Siemens Simatic S7 PLCs (2011)
Chen, T.M., Abu-Nimeh, S.: Lessons from Stuxnet. Computer 44(4), 91–93 (2011)
Cheung, S., Dutertre, B., Fong, M., Lindqvist, U., Skinner, K., Valdes, A.: Using model-based intrusion detection for SCADA networks. In: Proceedings of the SCADA Security Scientific Symposium, Miami Beach, Florida, January 2007
IEC: IEC 61131-3. https://www.sis.se/api/document/preview/562735/
Kalle, S., Ameen, N., Yoo, H., Ahmed, I.: CLIK on PLCs! Attacking control logic with decompilation and virtual PLC. In: Proceeding of the 2019 NDSS Workshop on Binary Analysis Research (BAR) (2019)
Kottler, S., Khayamy, M., Hasan, S.R., Elkeelany, O.: Formal verification of ladder logic programs using NuSMV. In: SoutheastCon 2017, pp. 1–5 (2017)
Modicon: SoMachine Basic - Generic Functions Library Guide. https://www.schneider-electric.com/en/download/document/EIO0000001474/
Patel, S.C., Bhatt, G.D., Graham, J.H.: Improving the cyber security of SCADA communication networks. Commun. ACM 52(7), 139–142 (2009)
Scapy. https://scapy.net/
Senthivel, S., Ahmed, I., Roussev, V.: SCADA network forensics of the PCCC protocol. Digit. Investig. 22(S), S57–S65 (2017)
Senthivel, S., Dhungana, S., Yoo, H., Ahmed, I., Roussev, V.: Denial of engineering operations attacks in industrial control systems. In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, CODASPY 2018, pp. 319–329. ACM, New York (2018)
Valentine, S., Farkas, C.: Software security: application-level vulnerabilities in SCADA systems. In: 2011 IEEE International Conference on Information Reuse Integration, pp. 498–499, August 2011. https://doi.org/10.1109/IRI.2011.6009603
Yoo, H., Ahmed, I.: Control logic injection attacks on industrial control systems. In: Dhillon, G., Karlsson, F., Hedström, K., Zúquete, A. (eds.) SEC 2019. IFIPAICT, vol. 562, pp. 33–48. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22312-0_3
Yoo, H., Kalle, S., Smith, J., Ahmed, I.: Overshadow PLC to detect remote control-logic injection attacks. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds.) DIMVA 2019. LNCS, vol. 11543, pp. 109–132. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-22038-9_6
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Qasim, S.A., Lopez, J., Ahmed, I. (2019). Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics. In: Lin, Z., Papamanthou, C., Polychronakis, M. (eds) Information Security. ISC 2019. Lecture Notes in Computer Science(), vol 11723. Springer, Cham. https://doi.org/10.1007/978-3-030-30215-3_20
Download citation
DOI: https://doi.org/10.1007/978-3-030-30215-3_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30214-6
Online ISBN: 978-3-030-30215-3
eBook Packages: Computer ScienceComputer Science (R0)