Abstract
Input/Output (I/O) is the mechanism through which Programmable Logic Controllers (PLCs) sense and control the outside world. Particularly when PLCs are employed in critical infrastructures, their I/O has to be both reliable and secure. As in other embedded devices, PLC I/O is ultimately governed by pin control: the configuration registers that assign each physical pin a function (multiplexing) and a direction (input or output). In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLC I/O by exploiting certain pin control operations together with the lack of hardware interrupts associated with them, so that the control logic is never notified when the configuration of its pins changes underneath it.
The work of the first, third and fourth authors has been partially supported by the European Commission through project FP7-SEC-607093-PREEMPTIVE funded by the 7th Framework Program.
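The following is an added illustration, not code from the paper or from any PLC vendor: a toy model of a memory-mapped pin controller that shows why a change to a pin's multiplexing or direction is invisible to the control task, and what a software-side check would have to do in the absence of a hardware notification. The register layout, the meaning of mux value 0, the pin numbers, and the field levels are all assumptions made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_PINS   8
#define MUX_GPIO   0u   /* assumed: mux value 0 routes the pad to the GPIO block */
#define DIR_INPUT  0u
#define DIR_OUTPUT 1u

/* Hypothetical memory-mapped pin controller (layout assumed for this example). */
typedef struct {
    uint32_t mux[NUM_PINS];  /* pad function: MUX_GPIO or an alternate peripheral */
    uint32_t dir[NUM_PINS];  /* DIR_INPUT or DIR_OUTPUT */
    uint32_t out;            /* bit n: level driven when pin n is an output */
    uint32_t external;       /* bit n: level on the field wiring (constructed stand-in) */
} pinctrl_t;

typedef struct { uint32_t mux[NUM_PINS]; uint32_t dir[NUM_PINS]; } pinctrl_baseline_t;

/* Bring up all pins as GPIO inputs; `external` is the constructed field state. */
void pinctrl_init(pinctrl_t *pc, uint32_t external) {
    memset(pc, 0, sizeof *pc);
    pc->external = external;
}

/* What the control task sees: the data register.  In this model a read returns
 * the pad level for an input, the driven level for an output, and 0 if the pad
 * is muxed away from GPIO.  Direction and mux are never consulted here, which is
 * exactly the blind spot the attack relies on. */
int read_input(const pinctrl_t *pc, int pin) {
    if (pc->mux[pin] != MUX_GPIO) return 0;
    uint32_t src = (pc->dir[pin] == DIR_OUTPUT) ? pc->out : pc->external;
    return (int)((src >> pin) & 1u);
}

/* Attacker primitives: plain register writes.  No interrupt fires in the model,
 * mirroring the missing hardware notification the paper points out. */
void attacker_flip_to_output(pinctrl_t *pc, int pin, int level) {
    pc->dir[pin] = DIR_OUTPUT;               /* integrity: forge what the logic reads */
    if (level) pc->out |=  (1u << pin);
    else       pc->out &= ~(1u << pin);
}
void attacker_remux(pinctrl_t *pc, int pin, uint32_t alt_function) {
    pc->mux[pin] = alt_function;             /* availability: detach pad from GPIO */
}

/* Software substitute for the missing notification: snapshot the configuration
 * at start-up and re-read it on every scan cycle. */
void baseline_capture(const pinctrl_t *pc, pinctrl_baseline_t *b) {
    memcpy(b->mux, pc->mux, sizeof b->mux);
    memcpy(b->dir, pc->dir, sizeof b->dir);
}
/* Returns a bitmask of pins whose mux or direction drifted from the baseline. */
uint32_t baseline_check(const pinctrl_t *pc, const pinctrl_baseline_t *b) {
    uint32_t drift = 0;
    for (int i = 0; i < NUM_PINS; i++)
        if (pc->mux[i] != b->mux[i] || pc->dir[i] != b->dir[i]) drift |= 1u << i;
    return drift;
}

typedef struct {
    int sensor_before, sensor_after;   /* pin 3: field level is 0 */
    int valve_before,  valve_after;    /* pin 5: field level is 1 */
    uint32_t drift_before, drift_after;
} scenario_t;

/* Constructed walk-through: pin 3 is forged to read 1, pin 5 is muxed away so it
 * reads 0; only the baseline comparison notices either change. */
scenario_t run_scenario(void) {
    pinctrl_t pc; pinctrl_baseline_t base; scenario_t r;
    pinctrl_init(&pc, 1u << 5);               /* only pin 5 is high in the field */
    baseline_capture(&pc, &base);
    r.sensor_before = read_input(&pc, 3);
    r.valve_before  = read_input(&pc, 5);
    r.drift_before  = baseline_check(&pc, &base);
    attacker_flip_to_output(&pc, 3, 1);
    attacker_remux(&pc, 5, 2u);
    r.sensor_after  = read_input(&pc, 3);
    r.valve_after   = read_input(&pc, 5);
    r.drift_after   = baseline_check(&pc, &base);
    return r;
}

int main(void) {
    scenario_t r = run_scenario();
    printf("pin3 sensor: %d -> %d\n", r.sensor_before, r.sensor_after);
    printf("pin5 valve : %d -> %d\n", r.valve_before, r.valve_after);
    printf("drift mask : 0x%02x -> 0x%02x\n", r.drift_before, r.drift_after);
    return 0;
}
```

The point of the model is the asymmetry: the control task only ever touches the data register, so a forged level or a detached pad looks like a legitimate field reading, while the configuration registers that would reveal the tampering are never read unless something polls them. A baseline comparison of this kind is only as trustworthy as the code that runs it; an attacker who already has write access to the pin-controller registers may also be able to tamper with the checker, so on real hardware it belongs in the most privileged or isolated component available rather than in the application logic.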
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Abbasi, A., Hashemi, M., Zambon, E., Etalle, S. (2017). Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science(), vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_1
DOI: https://doi.org/10.1007/978-3-319-71368-7_1
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-71367-0
Online ISBN: 978-3-319-71368-7
eBook Packages: Computer Science (R0)