Abstract
In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: (a) firmware (i.e. the OS) and (b) control logic (processing sensor readings to determine control actions).
In this work, we discuss ladder logic bombs (LLBs), i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and would either persistently change the behavior or wait for specific trigger signals to activate malicious behavior. For example, an LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as Stuxnet. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running on a PLC.
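The abstract's threat is a rung inserted into, or substituted within, a program that an operator reviews by eye. One defensive control that does not rely on manual review is an off-PLC integrity baseline: store a per-rung digest of the approved program, read the program back from the controller, and diff the two. The code below is an added example and is not code from the paper or its authors; the instruction-list-style rung strings, the `APPROVED_PROGRAM` and `TAMPERED_PROGRAM` listings, and the program representation as a plain list of strings are all constructed assumptions, not a real vendor's program format. It uses `difflib` so that an inserted rung is reported as an insertion rather than shifting every later rung into a false "modified" state.

```python
import difflib
import hashlib

# Constructed toy PLC program (assumption): one instruction per rung, written in an
# IEC 61131-3 instruction-list style. Rung 3 copies the tank temperature to the HMI.
APPROVED_PROGRAM = [
    "LD  Sensor_Level",
    "GT  90",
    "ST  Pump_Stop",
    "LD  Tank_Temp",
    "ST  HMI_Temp_Display",
]

# Constructed tampered read-back (assumption): the legitimate sensor load in rung 3
# has been replaced by a constant, so the HMI always displays 25 regardless of the
# real temperature. This mirrors the "replace legitimate sensor readings" case.
TAMPERED_PROGRAM = [
    "LD  Sensor_Level",
    "GT  90",
    "ST  Pump_Stop",
    "LD  25",
    "ST  HMI_Temp_Display",
]


def rung_digest(rung: str) -> str:
    """SHA-256 of one rung. Whitespace is normalised so that cosmetic re-indentation
    by engineering software does not raise a false alarm; any change to the
    instruction or its operand still changes the digest."""
    normalised = " ".join(rung.split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def program_baseline(program: list[str]) -> list[str]:
    """Per-rung digests of the approved program. Keep this list off the PLC
    (e.g. in version control), since a PLC-resident copy could be altered too."""
    return [rung_digest(rung) for rung in program]


def verify_program(readback: list[str], baseline: list[str]) -> list[dict]:
    """Diff a program read back from the PLC against the stored baseline.

    Returns one finding per changed region with the difflib opcode ('replace',
    'insert' or 'delete'), the affected rung index ranges, and the read-back text
    so an operator can inspect exactly what is now on the controller. An empty
    list means the read-back matches the baseline rung for rung."""
    current = program_baseline(readback)
    matcher = difflib.SequenceMatcher(a=baseline, b=current, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        findings.append({
            "change": tag,
            "baseline_rungs": (i1, i2),
            "readback_rungs": (j1, j2),
            "readback_text": readback[j1:j2],
        })
    return findings


def is_clean(readback: list[str], baseline: list[str]) -> bool:
    """True when the read-back program is byte-for-byte (modulo whitespace) the
    approved one."""
    return not verify_program(readback, baseline)


if __name__ == "__main__":
    baseline = program_baseline(APPROVED_PROGRAM)
    print("approved program clean:", is_clean(APPROVED_PROGRAM, baseline))
    for finding in verify_program(TAMPERED_PROGRAM, baseline):
        print(finding)
```

The check is only as strong as the read-back: it assumes the engineering interface returns the program actually executing, and it says nothing about the firmware layer. It is a complement to operator review, not a replacement for controls on who may download logic to the controller.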
Acknowledgments
This work was supported by SUTD’s startup grant SRIS14081.
Copyright information
© 2018 Springer International Publishing AG
Cite this paper
Govil, N., Agrawal, A., Tippenhauer, N.O. (2018). On Ladder Logic Bombs in Industrial Control Systems. In: Katsikas, S., et al. (eds.) Computer Security. CyberICPS/SECPRE 2017. Lecture Notes in Computer Science, vol 10683. Springer, Cham. https://doi.org/10.1007/978-3-319-72817-9_8
DOI: https://doi.org/10.1007/978-3-319-72817-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-72816-2
Online ISBN: 978-3-319-72817-9
eBook Packages: Computer Science (R0)