AttkFinder: Discovering Attack Vectors in PLC Programs using Information Flow Analysis

To protect an Industrial Control System (ICS), defenders need to identify potential attacks on the system and then design mechanisms to prevent them. Unfortunately, identifying potential attack conditions is a time-consuming and error-prone process. In this work, we propose and evaluate a set of tools to symbolically analyse the software of Programmable Logic Controllers (PLCs) guided by an information flow analysis that takes into account PLC network communication (compositions). Our tools systematically analyse malicious network packets that may force the PLC to send specific control commands to actuators. We evaluate our approach in a real-world system controlling the dosing of chemicals for water treatment. Our tools are able to find 75 attack tactics (56 were novel attacks), and we confirm that 96% of these tactics cause the intended effect in our testbed.
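The approach sketched above, reduced to a toy, as an added example that is not AttkFinder's code: a hypothetical dosing-controller scan cycle in a three-address form, a forward information-flow pass that reports which network-writable tags reach each actuator output (iterated to a fixpoint so latched state carried between scans is covered), and a concrete enumeration over small value domains standing in for the symbolic step, which either returns a write that drives the actuator or reports that the physical interlock blocks it. All tag names, constants and domains are constructed.

```python
from itertools import product

# Constructed toy program: one scan cycle of a hypothetical dosing controller,
# as (dest, op, args) statements. Tag names are illustrative, not from the paper.
PROGRAM = [
    ("level_ok",    "lt",  ("tank_level", "HIGH_LIMIT")),
    ("dose_ok",     "gt",  ("hmi_setpoint", "ZERO")),
    ("latched",     "or",  ("latched", "hmi_start")),      # seal-in kept across scans
    ("run_request", "and", ("latched", "dose_ok")),
    ("PUMP_CMD",    "and", ("run_request", "level_ok")),   # actuator output
    ("ALARM",       "not", ("level_ok",)),                 # actuator output
]
NETWORK_WRITABLE = ["hmi_setpoint", "hmi_start"]  # tags an HMI/Modbus write can change
ACTUATORS = ["PUMP_CMD", "ALARM"]
OPS = {"lt": lambda a, b: a < b, "gt": lambda a, b: a > b, "and": lambda a, b: a and b,
       "or": lambda a, b: a or b, "not": lambda a: not a}

def taint_analysis(program, sources):
    """Forward information flow: {tag: set of network-writable tags that reach it}.
    Iterates the scan cycle to a fixpoint so state carried between scans is covered."""
    taint = {s: {s} for s in sources}
    changed = True
    while changed:
        changed = False
        for dest, _, args in program:
            flow = set().union(*(taint.get(a, set()) for a in args))
            if not flow <= taint.get(dest, set()):
                taint[dest] = taint.get(dest, set()) | flow
                changed = True
    return taint

def attack_vectors(program, sources, sinks):
    """Which actuator commands a network write can influence at all."""
    taint = taint_analysis(program, sources)
    return {a: sorted(taint.get(a, set())) for a in sinks}

def run_cycle(program, state):
    for dest, op, args in program:
        state[dest] = OPS[op](*(state[a] for a in args))
    return state

def find_forcing_inputs(program, env, sources, domains, target, want, cycles=2):
    """Concrete stand-in for the symbolic step: enumerate small value domains for the
    network-writable tags and return the first write that drives `target` to `want`,
    or None when the interlocks fixed in `env` block it."""
    for values in product(*(domains[s] for s in sources)):
        state = dict(env, **dict(zip(sources, values)))
        for _ in range(cycles):
            run_cycle(program, state)
        if state[target] == want:
            return dict(zip(sources, values))
    return None

ENV = {"tank_level": 40, "HIGH_LIMIT": 80, "ZERO": 0, "latched": False}   # constructed plant state
DOMAINS = {"hmi_setpoint": [0, 5], "hmi_start": [False, True]}
```

With the tank below its high limit the search finds the setpoint/start write that energises the pump; with `tank_level` raised above `HIGH_LIMIT` it returns None, which is the interlock a defender wants the analysis to confirm.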