SABOT: Specification-based Payload Generation for Programmable Logic Controllers

Programmable Logic Controllers (PLCs) drive the behavior of industrial control systems according to uploaded programs. It is now known that PLCs are vulnerable to the uploading of malicious code that can have severe physical consequences. What is not understood is whether an adversary with no knowledge of the PLC's interface to the control system can execute a damaging, targeted, or stealthy attack against a control system using the PLC. In this paper, we present SABOT, a tool that automatically maps the control instructions in a PLC to an adversary-provided specification of the target control system's behavior. This mapping recovers sufficient semantics of the PLC's internal layout to instantiate arbitrary malicious controller code, which lowers the prerequisite knowledge needed to tailor an attack to a control system. SABOT uses an incremental model checking algorithm to map a few plant devices at a time, until a mapping is found for all adversary-specified devices. At this point, a malicious payload can be compiled and uploaded to the PLC. Our evaluation shows that SABOT correctly compiles payloads for all tested control systems when the adversary correctly specifies full system behavior, and for 4 out of 5 systems in most cases where there were unspecified features. Furthermore, SABOT completed all analyses in under 2 minutes.
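The mapping step the abstract describes, as an added illustration that is not SABOT's code and does not reproduce its model checker: a constructed three-input, three-output ladder program for a hypothetical tank controller, an adversary-written specification over abstract device names (start button, high and low level sensors, fill pump, sensor-fault alarm), and an incremental search that assigns one device to one PLC address at a time, running an explicit-state check of every property whose devices are all mapped and backtracking on the first failure. The I/O addresses, rung logic, property set and the assumption that each device maps to a distinct address of the matching direction are all mine. The drain valve on `O:0/1` is deliberately left out of the specification to mirror the "unspecified features" case.

```python
"""Specification-based device mapping for a PLC program (added example).

Everything here is constructed: the addresses, the ladder program, the
spec and the injectivity assumption. It is not SABOT's implementation.
"""
from itertools import product

INPUTS = ("I:0/0", "I:0/1", "I:0/2")     # assumed: button, high sensor, low sensor
OUTPUTS = ("O:0/0", "O:0/1", "O:0/2")    # assumed: pump, drain valve, alarm

def scan(i, prev):
    """One PLC scan of the constructed ladder program: read inputs i,
    evaluate rungs against the previous outputs prev, write outputs."""
    return {
        "O:0/0": (i["I:0/0"] or prev["O:0/0"]) and not i["I:0/1"],  # seal-in pump
        "O:0/1": i["I:0/1"],                                       # drain valve (unspecified)
        "O:0/2": i["I:0/1"] and i["I:0/2"],                        # both sensors on: alarm
    }

def reachable_transitions():
    """Explicit-state exploration from the all-off state with unconstrained
    plant inputs; returns every reachable (state, next_state) pair."""
    names = INPUTS + OUTPUTS
    init = {v: False for v in names}
    key = lambda s: tuple(s[v] for v in names)
    seen, frontier, edges = {key(init)}, [init], []
    while frontier:
        s = frontier.pop()
        for bits in product((False, True), repeat=len(INPUTS)):
            i = dict(zip(INPUTS, bits))
            n = {**i, **scan(i, s)}
            edges.append((s, n))
            if key(n) not in seen:
                seen.add(key(n))
                frontier.append(n)
    return edges

# Adversary-supplied spec over abstract devices (constructed). Each property is
# (devices it mentions, predicate over one transition cur -> nxt).
DEVICES = {"start": "in", "high": "in", "low": "in", "pump": "out", "alarm": "out"}
SPEC = [
    ({"high", "pump"}, lambda c, n: not c["high"] or not c["pump"]),           # high level stops pump
    ({"start", "high", "pump"}, lambda c, n: not (c["start"] and not c["high"]) or c["pump"]),
    ({"high", "low", "alarm"}, lambda c, n: not (c["high"] and c["low"]) or c["alarm"]),
    ({"high", "low", "alarm"}, lambda c, n: (c["high"] and c["low"]) or not c["alarm"]),
    ({"pump", "high"}, lambda c, n: not (c["pump"] and not n["high"]) or n["pump"]),  # seal-in
]

def satisfied(prop, mapping, edges):
    """Check one property under a partial mapping; properties that mention an
    unmapped device are deferred (treated as holding for now)."""
    devs, pred = prop
    if not devs <= mapping.keys():
        return True
    view = lambda s: {d: s[a] for d, a in mapping.items()}
    return all(pred(view(c), view(n)) for c, n in edges)

def find_mappings(edges, spec=SPEC, order=None):
    """Incremental search: bind one more device, re-check every property that
    is now fully mapped, backtrack on failure. Returns all consistent mappings."""
    order = order or list(DEVICES)
    found = []

    def extend(mapping, rest):
        if not rest:
            found.append(dict(mapping))
            return
        dev, rest = rest[0], rest[1:]
        pool = INPUTS if DEVICES[dev] == "in" else OUTPUTS
        for addr in pool:
            if addr in mapping.values():      # assumption: one device per address
                continue
            mapping[dev] = addr
            if all(satisfied(p, mapping, edges) for p in spec):
                extend(mapping, rest)
            del mapping[dev]

    extend({}, order)
    return found

def instantiate_payload(template, mapping):
    """Rewrite a payload written over device names into PLC addresses."""
    for dev, addr in mapping.items():
        template = template.replace("{" + dev + "}", addr)
    return template

if __name__ == "__main__":
    edges = reachable_transitions()
    for m in find_mappings(edges):
        print(m)
        # a payload that removes the high-level interlock, now in PLC terms
        print(instantiate_payload("{pump} := {start} OR {pump}", m))
```

With the full specification the search returns exactly one mapping, even though the drain valve is never described; dropping the fourth property (alarm is off unless both sensors are on) leaves the alarm ambiguous between `O:0/1` and `O:0/2` and the search returns two candidates, which is the kind of under-specification the abstract's "unspecified features" result refers to.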