
Overshadow PLC to Detect Remote Control-Logic Injection Attacks

  • Conference paper
  • In: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11543)

Abstract

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as a nuclear plant, power grid, or gas pipeline. Control logic attacks have been studied extensively in the literature, including hiding the transfer of control logic over the network from both packet header-based signatures and deep packet inspection. For instance, these attacks transfer control logic code as data, in small fragments (one byte per packet) that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC's memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of control logic code, such as the number of rungs, the number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, the Modicon M221 and the MicroLogix 1400, from two ICS vendors, Schneider Electric and Allen-Bradley, respectively. The evaluation results show that Shade detects an attack instance (i.e., identifies at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.
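The following is an added illustration of the shadow-memory idea in the abstract, not the authors' Shade implementation: it assumes a hypothetical, simplified write message of the form (address, payload), uses constructed sample bytes rather than real PLC opcodes, and uses byte n-grams as a stand-in for the paper's 42-feature set. It shows why a one-byte-per-packet transfer defeats per-packet inspection (no n-grams can be formed from a single byte) while an address-indexed shadow memory reassembles the block, in any delivery order, so features can be computed over the reconstructed memory.

```python
from collections import Counter
from typing import List, Tuple

# Hypothetical minimal write message: (start address, payload bytes).
# Real Modicon M221 / MicroLogix 1400 framing is richer; this is an illustration only.
Write = Tuple[int, bytes]


class ShadowMemory:
    """Local mirror of a PLC memory region, kept in sync from observed write messages."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)

    def apply(self, write: Write) -> None:
        addr, data = write
        if addr < 0 or addr + len(data) > len(self.mem):
            raise ValueError("write outside the shadowed region")
        self.mem[addr:addr + len(data)] = data  # address-based, so order-independent

    def region(self, start: int, length: int) -> bytes:
        return bytes(self.mem[start:start + length])


def byte_ngrams(block: bytes, n: int = 2) -> Counter:
    """Byte n-gram histogram, a stand-in for one of the feature families the abstract names."""
    return Counter(block[i:i + n] for i in range(len(block) - n + 1))


def fragment(logic: bytes, base: int) -> List[Write]:
    """Split a logic block into one-byte writes, mimicking the evasive transfer."""
    return [(base + i, logic[i:i + 1]) for i in range(len(logic))]


def reassemble(fragments: List[Write], base: int, length: int, size: int = 256) -> bytes:
    """Feed every observed write into the shadow memory and read the block back."""
    shadow = ShadowMemory(size)
    for w in fragments:
        shadow.apply(w)
    return shadow.region(base, length)


# Constructed sample "control logic" bytes (not a real PLC instruction encoding).
SAMPLE_LOGIC = bytes([0x81, 0x02, 0x81, 0x02, 0x91, 0x03, 0x81, 0x02])
BASE = 0x40

if __name__ == "__main__":
    frags = fragment(SAMPLE_LOGIC, BASE)
    frags.reverse()  # out-of-order delivery still reassembles correctly
    print(byte_ngrams(frags[0][1]))  # per-packet view: no 2-grams at all
    print(byte_ngrams(reassemble(frags, BASE, len(SAMPLE_LOGIC))))
```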


Notes

  1. https://gitlab.com/hyunguk/plcdpi/.

  2. The maximum payload sizes are 236 bytes and 80 bytes for the Modicon M221 PLC and the MicroLogix 1400 PLC, respectively.

  3. In Allen-Bradley PLCs, each control logic block is called a file.

  4. The control logic programs were collected in two ways: (1) generated in a lab environment using vendors' engineering software and PLCs; (2) downloaded from various sources on the Internet (e.g., plctalk.net). Collectively, they are written for different physical processes (e.g., traffic light system, elevator, gas pipeline, hot water tank) with varying instructions and rung complexity.

  5. We extract features based on the properties of control logic code and classify code packets as malicious in our evaluation scenario.

  6. Stuxnet replaces the original s7otbxdx.dll of STEP 7 with its own version to intercept communication between STEP 7 and the S7-300 PLC.


Author information

Corresponding author: Hyunguk Yoo.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Yoo, H., Kalle, S., Smith, J., Ahmed, I. (2019). Overshadow PLC to Detect Remote Control-Logic Injection Attacks. In: Perdisci, R., Maurice, C., Giacinto, G., Almgren, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2019. Lecture Notes in Computer Science, vol 11543. Springer, Cham. https://doi.org/10.1007/978-3-030-22038-9_6


  • DOI: https://doi.org/10.1007/978-3-030-22038-9_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22037-2

  • Online ISBN: 978-3-030-22038-9
