JTAG-based PLC memory acquisition framework for industrial control systems

In industrial control systems (ICS), programmable logic controllers (PLCs) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including compromised firmware and manipulation of PLC control logic code and I/O devices. Given physical access to a PLC, collecting forensic information from PLC memory at the hardware level is risky and challenging: it may cause the PLC to crash or hang, since PLCs have proprietary, legacy hardware with heterogeneous architectures. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pin identification, memory map creation, and optimization of acquisition parameters. It also enables the community of interest (such as ICS owners, operators, and vendors) to develop JTAG profiles of PLCs. Further, we present a case study of the Kyros implementation on an Allen-Bradley 1756-A10/B to help understand the framework's application to a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further
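To make the profile-driven acquisition idea concrete, the following is an added illustrative model (not Kyros code, and not the paper's actual profile format): the region fields, the block-size parameter, and the simulated JTAG reader are all assumptions. It validates a memory map, turns it into a block-wise read plan that skips regions marked as unsafe to read, and reads the target twice to detect inconsistent dumps.

```python
"""Illustrative JTAG-profile-driven memory acquisition plan (added example).
The Region fields, block_size parameter and fake reader are assumptions,
not the Kyros profile format described in the paper."""
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    size: int
    readable: bool = True   # assumption: profile flags regions that hang the PLC


def validate_map(regions):
    """Memory map check: every region non-empty and no two regions overlap."""
    last_end = -1
    for r in sorted(regions, key=lambda r: r.start):
        if r.size <= 0 or r.start < last_end:
            return False
        last_end = r.start + r.size
    return True


def plan_reads(regions, block_size):
    """Split readable regions into (addr, length) block reads; block_size
    stands in for a tuned acquisition parameter from the profile."""
    plan = []
    for r in sorted(regions, key=lambda r: r.start):
        if not r.readable:
            continue                      # never touch regions marked unsafe
        addr, end = r.start, r.start + r.size
        while addr < end:
            n = min(block_size, end - addr)
            plan.append((addr, n))
            addr += n
    return plan


def acquire(plan, read_fn, passes=2):
    """Run the plan `passes` times via read_fn(addr, n) -> bytes and require
    identical images: a simple consistency check against unreliable reads.
    Returns (image, sha256 hex digest, consistent)."""
    dumps = [b"".join(read_fn(a, n) for a, n in plan) for _ in range(passes)]
    digest = hashlib.sha256(dumps[0]).hexdigest()
    return dumps[0], digest, all(d == dumps[0] for d in dumps)


# Constructed sample target: 1024 bytes of fake memory standing in for JTAG.
FAKE_MEMORY = bytes(range(256)) * 4
def fake_jtag_read(addr, n):
    return FAKE_MEMORY[addr:addr + n]

SAMPLE_MAP = [Region("boot", 0x000, 0x100), Region("mmio", 0x100, 0x100, False),
              Region("ram", 0x200, 0x200)]
```

Replacing `fake_jtag_read` with a function backed by a real debug adapter is the only change needed to run the plan against hardware, while the two-pass comparison and digest give the examiner a reproducibility record for the dump.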
