DOI: 10.1145/3560905.3568521
Reverse Engineering Physical Semantics of PLC Program Variables Using Control Invariants

Published: 24 January 2023

Abstract

Semantic attacks pose a growing threat to Industrial Control Systems (ICSs): an attacker who knows the physical semantics of the variables in a Programmable Logic Controller (PLC) program, i.e., which sensing or actuating module each variable represents, can manipulate a targeted module directly. Recovering those semantics is usually done by hand, through manual examination of system documents and long-term observation of system behavior, which is slow and inefficient. In this paper, we design ARES, a method that Automatically Reverse Engineers the Semantics of variables in PLC programs without requiring any domain knowledge. ARES builds on the fact that the Supervisory Control And Data Acquisition (SCADA) system monitors the PLC's behavior through a fixed mapping between program-code variables and data-log variables, and that the data-log variables are labeled with physical semantics. By identifying the mapping between PLC code and SCADA data (the code-data mapping), ARES reverse engineers the physical semantics of the program variables. ARES also sheds light on preferred practices for implementing control rules that improve the resistance of PLC programs to semantic attacks. We have experimentally evaluated ARES and the recommended implementation practices on two ICS platforms.
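The code-data mapping described above, as an added illustrative example that is not ARES's algorithm and not code from the paper: it assumes an analyst can observe a PLC's raw variable values (addresses such as %IW0 and %QX0.0) and the SCADA historian's semantically named tags over the same time window, and it pairs each raw variable with the tag whose trace it is a linear function of, using Pearson correlation and a greedy one-to-one assignment. All traces, tag names, addresses and the 0.95 threshold are constructed assumptions.

```python
"""Illustrative code-data mapping recovery (not the ARES method).

A SCADA historian logs process values under human-readable tag names,
while the PLC program only knows raw addresses (%IW0, %QX0.0, ...).
Given both sides over the same window, each raw variable is paired with
the log tag its trace is linearly related to.
"""
import math
from typing import Dict, Mapping, Sequence, Tuple


def pearson(x: Sequence[float], y: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 when either series is constant."""
    n = len(x)
    if n != len(y) or n < 2:
        raise ValueError("series must be the same non-trivial length")
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    if sxx == 0 or syy == 0:
        return 0.0
    return sxy / math.sqrt(sxx * syy)


def match_variables(
    plc: Mapping[str, Sequence[float]],
    scada: Mapping[str, Sequence[float]],
    threshold: float = 0.95,  # assumed cut-off, not a value from the paper
) -> Dict[str, str]:
    """Greedy one-to-one pairing of PLC variables with SCADA tags.

    Candidate pairs are visited in order of decreasing |r|; a pair is
    accepted only if neither side is already assigned and |r| >= threshold.
    Unmatched PLC variables are simply absent from the result.
    """
    scores = sorted(
        ((abs(pearson(pv, sv)), p, s) for p, pv in plc.items() for s, sv in scada.items()),
        reverse=True,
    )
    mapping: Dict[str, str] = {}
    used_tags = set()
    for r, p, s in scores:
        if r < threshold:
            break
        if p in mapping or s in used_tags:
            continue
        mapping[p] = s
        used_tags.add(s)
    return mapping


def sample_traces() -> Tuple[Dict[str, list], Dict[str, list]]:
    """Constructed 20-sample window (synthetic, not data from any plant)."""
    level_pct = list(range(0, 100, 10)) + list(range(90, -10, -10))  # fill, then drain
    pump_on = [1] * 10 + [0] * 10                                    # pump runs while filling
    temp_c = [60 + 5 * math.sin(0.7 * i) for i in range(20)]         # slow oscillation
    valve_pos = [0, 100] * 10                                        # distractor tag, unrelated

    scada = {
        "Tank1_Level_pct": level_pct,
        "Pump1_Running": pump_on,
        "Heater_Temp_C": temp_c,
        "Valve2_Pos_pct": valve_pos,
    }
    # The PLC sees the same physics as raw I/O words, scaled differently:
    plc = {
        "%IW0": [4000 + 160 * v for v in level_pct],  # analog input counts
        "%QX0.0": pump_on,                             # digital output bit
        "%IW1": [round(t * 10) for t in temp_c],       # tenths of a degree, as INT
    }
    return plc, scada


def recover_mapping() -> Dict[str, str]:
    """Run the matcher over the constructed window and return raw -> tag."""
    plc, scada = sample_traces()
    return match_variables(plc, scada)


if __name__ == "__main__":
    for raw, tag in recover_mapping().items():
        print(f"{raw:8s} -> {tag}")
```

Linear correlation only catches tags that are an affine rescaling of a PLC variable, which is why the distractor tag stays unmatched here; values the PLC derives nonlinearly, or only through control logic, would not be recovered by this heuristic. The paper's own approach is built on control invariants rather than on pairwise correlation.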


Cited By

  • Reverse Engineering Industrial Protocols Driven By Control Fields. IEEE INFOCOM 2024 - IEEE Conference on Computer Communications, pp. 2408-2417. doi:10.1109/INFOCOM52122.2024.10621405. Published 20 May 2024.
  • SePanner: Analyzing Semantics of Controller Variables in Industrial Control Systems based on Network Traffic. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 310-323. doi:10.1145/3627106.3627179. Published 4 December 2023.
  • Detection-Performance Tradeoff for Watermarking in Industrial Control Systems. IEEE Transactions on Information Forensics and Security 18, pp. 2780-2793. doi:10.1109/TIFS.2023.3269919. Published 1 January 2023.


    Published In

    SenSys '22: Proceedings of the 20th ACM Conference on Embedded Networked Sensor Systems
    November 2022, 1280 pages
    ISBN: 9781450398862
    DOI: 10.1145/3560905

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. control invariants
    2. physical semantics
    3. programmable logic controller

    Qualifiers

    • Research-article

    Acceptance Rates

    SenSys '22 Paper Acceptance Rate 52 of 187 submissions, 28%;
    Overall Acceptance Rate 174 of 867 submissions, 20%
