Date of Award
Engineering and Applied Science - Computer Science
Programmable logic controllers (PLC) are required to handle physical processes and thus crucial in critical infrastructures like power grids, nuclear facilities, and gas pipelines. Attacks on PLCs can have disastrous consequences, considering attacks like Stuxnet and TRISIS. Those attacks are examples of exploits where the attacker aims to inject into a target PLC malicious control logic, which engineering software compiles as a reliable code. When investigating a security incident, acquiring memory can provide valuable insight such as runtime system activities and memory-based artifacts which may contain the attacker's footprints. The existing memory acquisition tools for PLCs require a hardware-level debugging port or network protocol-based approaches, which are not practical in the real world or provide partial acquisition of memory.
This research work provides an overview of different attacks on PLCs. This work shows what embodies these three different approaches. These novel approaches leaves PLCs vulnerable that can unleash mayhem in the physical world.
The first approach describes denial of engineering operations (DEO) attacks in industrial control systems, referred to as a denial of decompilation (DoD) attack. The DoD attack involves obfuscating and installing a (malicious) control logic into a programmable logic controller (PLC) to fail the decompilation function in engineering software required to maintain control logic in PLCs. The existing seminal work on the DEO attacks exploits engineering software's improper input validation vulnerability. On the other hand, the DoD attack targets a fundamental design principle in compiling and decompiling control logic in engineering software, thereby affecting the engineering software of multiple vendors. We evaluate the DoD attack on two major PLC manufacturers' PLCs, i.e., Schneider Electric Modicon M221 and Siemens S7-300. We show that simple obfuscation techniques on control logic are sufficient to compromise the decompilation function in their engineering software, i.e., SoMachine Basic and TIA Portal, respectively.
The second approach propose two control-logic attacks and a new memory acquisition framework for PLCs. The first attack modifies in-memory firmware such that the attacker takes control of a PLC's built-in functions. The second attack involves obfuscating and installing a malicious control logic into a target PLC to fail the decompilation process in engineering software. The proposed memory acquisition framework remotely acquires a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject a harmless code that essentially copies the protected memory fragments to protocol-mapped memory space, which is acquirable over the network. Since the proposed memory acquisition allows access to the entire memory, we can also show the evidence of the attacks.
The third approach propose an attack which doesn't involve alteration or injection of PLC's control logic. Return Oriented Programming(ROP) is an exploiting technique which can perform sophisticated attacks by utilizing the existing code in the memory of the PLC. This attack doesn't involves injecting code which makes this technique unique and hard to discover. This work is the first attempt to introduce ROP attack technique successfully on PLC without disrupting the control logic cycle.
We evaluate the proposed methods on a gas pipeline testbed to demonstrate the attacks and how a forensic investigator can identify the attacks and other critical forensic artifacts using the proposed memory acquisition method.
Zubair, Nauman, "Digital forensics for Investigating Control-logic Attacks in Industrial Control Systems" (2022). University of New Orleans Theses and Dissertations. 3029.
Available for download on Saturday, December 16, 2023
The University of New Orleans and its agents retain the non-exclusive license to archive and make accessible this dissertation or thesis in whole or in part in all forms of media, now or hereafter known. The author retains all other ownership rights to the copyright of the thesis or dissertation.