Denial of Engineering Operations Attacks in Industrial Control Systems

ABSTRACT
We present a new type of attack, termed denial of engineering operations (DEO), in which an attacker interferes with the normal cycle of an engineering operation, leading to a loss of situational awareness. Specifically, the attacker can deceive the engineering software during attempts to retrieve the ladder logic program from a programmable logic controller (PLC) by manipulating the ladder logic on the PLC such that the software is unable to process it while the PLC continues to execute it successfully. This attack vector can provide sufficient cover for the attacker's actual scenario to play out while the owner tries to understand the problem and reestablish positive operational control. To enable forensic analysis and, eventually, eliminate the threat, we have developed the first decompiler for ladder logic programs.
Ladder logic is a graphical programming language for PLCs that control physical processes such as power grids, pipelines, and chemical plants; PLCs are a common target of malicious modifications that compromise the control behavior (with potentially serious consequences). Our decompiler, Laddis, transforms the low-level representation retrieved from the PLC into its corresponding high-level representation, comprising graphical symbols and connections. An evaluation of the decompiler's accuracy on programs of varying complexity demonstrates perfect reconstruction of the original program. We present three new attack scenarios on PLC-deployed ladder logic and demonstrate the effectiveness of the decompiler on these scenarios.
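The following Python is an added, constructed illustration of the mechanism the abstract describes; it is not the paper's Laddis decompiler and not a real PLC or engineering-software file format. It models the low-level program as a hypothetical token stream built from Allen-Bradley-style mnemonics (SOR/EOR for start/end of rung, BST/NXB/BND for branch start/next/end, XIC/XIO for examine-if-closed/open, OTE for output energize), decodes it strictly (standing in for the engineering software) and leniently (standing in for the PLC runtime), renders the recovered rung as a text ladder diagram, and executes it. The UNK tampering word, the assumption that the PLC skips a word it does not recognise, and the I:0/x and O:0/x addresses are all constructed for this example.

```python
"""Toy ladder-logic decompiler illustrating a denial of engineering operations
(DEO) scenario. Constructed example: the token encoding, the UNK tampering,
the PLC's skip-unknown-word behaviour and the addresses are all assumptions.
Decompiled elements: ("XIC", addr), ("XIO", addr), ("OTE", addr) and
("BST", [path, ...]) where each path is itself a list of elements."""


def decompile(tokens, strict=True):
    """Rebuild rungs (lists of elements) from the flat token stream.
    strict=True models the engineering software (unknown word = error);
    strict=False models the PLC, assumed here to skip unknown words."""
    rungs, i = [], 0
    while i < len(tokens):
        op = tokens[i][0]
        if op == "END":
            break
        if op != "SOR":
            raise ValueError(f"expected SOR at offset {i}, got {op!r}")
        rung, i = _parse_series(tokens, i + 1, strict, ("EOR",))
        rungs.append(rung)
        i += 1                                   # consume EOR
    return rungs


def _parse_series(tokens, i, strict, terminators):
    """Parse one series path up to a terminator; return (elements, index)."""
    elems = []
    while i < len(tokens):
        op, *args = tokens[i]
        if op in terminators:
            return elems, i
        if op in ("XIC", "XIO", "OTE"):
            elems.append((op, args[0]))
        elif op == "BST":                        # parallel branch
            paths = []
            while True:
                path, i = _parse_series(tokens, i + 1, strict, ("NXB", "BND"))
                paths.append(path)
                if tokens[i][0] == "BND":
                    break
            elems.append(("BST", paths))
        elif strict:
            raise ValueError(f"unknown instruction {op!r} at offset {i}")
        i += 1                                   # lenient mode: skip unknown
    raise ValueError("unterminated rung")


SYMBOL = {"XIC": "] {} [", "XIO": "]/ {} [", "OTE": "( {} )"}


def render(rung, outer=True):
    """Text ladder diagram of a rung; { p | q } marks a parallel branch."""
    parts = []
    for kind, arg in rung:
        if kind == "BST":
            parts.append("{ " + " | ".join(render(p, False) for p in arg) + " }")
        else:
            parts.append(SYMBOL[kind].format(arg))
    text = "--".join(parts)
    return f"--{text}--" if outer else text


def _power(elems, inputs, outputs):
    """Power flow through a series path; a coil records the flow at its position."""
    state = True
    for kind, arg in elems:
        if kind == "BST":
            live = [_power(p, inputs, outputs) for p in arg]   # scan every path
            state = state and any(live)
        elif kind == "OTE":
            outputs[arg] = state
        else:                                    # XIC / XIO; absent bits read 0
            bit = inputs.get(arg, False)
            state = state and (bit if kind == "XIC" else not bit)
    return state


def evaluate(rung, inputs):
    """One scan of a rung. Returns coil states as {address: energized}."""
    outputs = {}
    _power(rung, inputs, outputs)
    return outputs


# Constructed seal-in rung: (start OR running) AND NOT stop -> running
ORIGINAL = [
    ("SOR",), ("BST",), ("XIC", "I:0/0"), ("NXB",), ("XIC", "O:0/0"), ("BND",),
    ("XIO", "I:0/1"), ("OTE", "O:0/0"), ("EOR",), ("END",),
]
# DEO tampering (assumption): a word the engineering software cannot decode.
TAMPERED = ORIGINAL[:1] + [("UNK", 0x7F)] + ORIGINAL[1:]


def engineering_upload(tokens):
    """Engineering-software view: decompiled rungs, or None if the upload fails."""
    try:
        return decompile(tokens, strict=True)
    except ValueError:
        return None


def plc_scan(tokens, inputs):
    """PLC view: one scan of every rung against the given input image."""
    outputs = {}
    for rung in decompile(tokens, strict=False):
        outputs.update(evaluate(rung, inputs))
    return outputs
```

Running `engineering_upload(TAMPERED)` returns None while `plc_scan(TAMPERED, {"I:0/0": True, "I:0/1": False})` still energizes O:0/0: the operator loses the ability to retrieve the program although the process keeps running, which is the DEO effect. The forensic role of a decompiler is the lenient path: `render(decompile(TAMPERED, strict=False)[0])` recovers the rung, and comparing it against the engineering workstation's copy shows that only the injected word differs. The point this toy makes explicit is that the engineering software's decoder and the PLC's execution engine are two different parsers of the same bytes, and anything accepted by one but not the other is attack surface.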