
Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10242)

Abstract

Input/Output is the mechanism through which Programmable Logic Controllers (PLCs) interact with and control the outside world. Particularly when employed in critical infrastructures, the I/O of PLCs has to be both reliable and secure. PLC I/O, like the I/O of other embedded devices, is controlled through a pin-based approach. In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLC I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.

The work of the first, third and fourth authors has been partially supported by the European Commission through project FP7-SEC-607093-PREEMPTIVE funded by the 7th Framework Program.



Author information

Correspondence to Ali Abbasi.


Copyright information

© 2017 Springer International Publishing AG

About this paper


Cite this paper

Abbasi, A., Hashemi, M., Zambon, E., Etalle, S. (2017). Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation. In: Havarneanu, G., Setola, R., Nassopoulos, H., Wolthusen, S. (eds) Critical Information Infrastructures Security. CRITIS 2016. Lecture Notes in Computer Science(), vol 10242. Springer, Cham. https://doi.org/10.1007/978-3-319-71368-7_1


  • DOI: https://doi.org/10.1007/978-3-319-71368-7_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-71367-0

  • Online ISBN: 978-3-319-71368-7

  • eBook Packages: Computer Science (R0)
