2019 | OriginalPaper | Chapter

Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Authors : Hyunguk Yoo, Sushma Kalle, Jared Smith, Irfan Ahmed

Published in: Detection of Intrusions and Malware, and Vulnerability Assessment

Publisher: Springer International Publishing


Abstract

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control-logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as a nuclear plant, power grid, or gas pipeline. Control-logic attacks have been studied extensively in the literature, including techniques that hide the transfer of control logic over the network from both packet-header signatures and deep packet inspection. For instance, such attacks transfer the control-logic code as data, split into small fragments (one byte per packet) that are further padded with noise. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow-memory technique that observes the network traffic to maintain a local copy of the current state of PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features, categorized into five types at different semantic levels of control-logic code, such as the number of rungs, the number of consecutive decompiled instructions, and n-grams. We evaluate Shade against control-logic injection attacks on two PLCs, the Modicon M221 and the MicroLogix 1400, from two ICS vendors, Schneider Electric and Allen-Bradley, respectively. The evaluation results show that Shade detects an attack instance (i.e., identifies at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.
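To make the shadow-memory idea concrete, the following is an added Python example; it is not the paper's code and not Shade's implementation. It assumes a minimal write-request model of (address, payload), an assumed PLC address-space size, and a constructed byte pattern that stands in for a logic block (not real PLC code). The one-byte-per-packet transfer with interleaved noise writes to a scratch area is a simplified model of the fragmentation attack the abstract describes. The point it shows: a per-packet inspector sees no usable n-grams in one-byte writes, while the reconstructed memory region yields the whole block and the region-level features a classifier can work on.

```python
"""Shadow-memory reconstruction of PLC writes (added example, not Shade's code)."""
from __future__ import annotations

import random
from collections import Counter
from dataclasses import dataclass

ADDRESS_SPACE = 4096   # assumed size of the PLC memory being shadowed
MAX_PAYLOAD = 80       # per-packet payload cap quoted for the MicroLogix 1400 (footnote 2)


@dataclass(frozen=True)
class WriteRequest:
    """One observed write: destination offset and the bytes carried (assumed model)."""
    address: int
    data: bytes


class ShadowMemory:
    """Local copy of PLC memory, updated from every write request seen on the wire."""

    def __init__(self, size: int = ADDRESS_SPACE) -> None:
        self.mem = bytearray(size)
        self.dirty: set[int] = set()   # offsets written since the last analysis

    def apply(self, req: WriteRequest) -> None:
        end = req.address + len(req.data)
        if req.address < 0 or end > len(self.mem):
            raise ValueError(f"write {req.address:#x}+{len(req.data)} outside address space")
        if len(req.data) > MAX_PAYLOAD:
            raise ValueError("payload exceeds protocol maximum")
        self.mem[req.address:end] = req.data
        self.dirty.update(range(req.address, end))

    def dirty_regions(self) -> list[tuple[int, int]]:
        """Coalesce touched offsets into contiguous [start, end) ranges."""
        regions: list[list[int]] = []
        for off in sorted(self.dirty):
            if regions and regions[-1][1] == off:
                regions[-1][1] = off + 1
            else:
                regions.append([off, off + 1])
        return [(s, e) for s, e in regions]

    def region(self, start: int, end: int) -> bytes:
        return bytes(self.mem[start:end])


def ngram_features(data: bytes, n: int = 2) -> dict:
    """Byte n-gram statistics over one contiguous region. This is the lowest
    semantic level; rung counts and decompiled-instruction runs would plug in here."""
    grams = Counter(data[i:i + n] for i in range(len(data) - n + 1))
    total = sum(grams.values())
    return {
        "length": len(data),
        "ngrams": total,
        "distinct_ngrams": len(grams),
        "top_ngram_share": (grams.most_common(1)[0][1] / total) if total else 0.0,
    }


def fragment_as_data(block: bytes, base: int, scratch: int, rng: random.Random) -> list[WriteRequest]:
    """Attacker-side model (assumed): one code byte per packet, each followed by a
    noise write into an unrelated scratch area, so no single packet looks like code."""
    reqs = []
    for i, b in enumerate(block):
        reqs.append(WriteRequest(base + i, bytes([b])))
        reqs.append(WriteRequest(scratch + rng.randrange(64), rng.randbytes(1)))
    return reqs


def per_packet_view(reqs: list[WriteRequest], n: int = 2) -> int:
    """What a packet-at-a-time DPI rule can see: n-grams available inside single payloads."""
    return sum(max(len(r.data) - n + 1, 0) for r in reqs)


def reconstruct(reqs: list[WriteRequest]) -> tuple[ShadowMemory, list[tuple[int, int]]]:
    shadow = ShadowMemory()
    for r in reqs:
        shadow.apply(r)
    return shadow, shadow.dirty_regions()


# Constructed sample: a repetitive byte pattern standing in for a logic block (not real PLC code).
SAMPLE_BLOCK = bytes(range(0x10, 0x40)) * 3   # 144 bytes
CODE_BASE, SCRATCH_BASE = 0x800, 0xF00


def demo(seed: int = 7) -> dict:
    rng = random.Random(seed)
    reqs = fragment_as_data(SAMPLE_BLOCK, CODE_BASE, SCRATCH_BASE, rng)
    shadow, regions = reconstruct(reqs)
    code_region = max(regions, key=lambda r: r[1] - r[0])   # largest contiguous write
    recovered = shadow.region(*code_region)
    return {
        "packets": len(reqs),
        "per_packet_bigrams": per_packet_view(reqs),
        "largest_region": code_region,
        "recovered_matches": recovered == SAMPLE_BLOCK,
        "region_features": ngram_features(recovered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The per-packet view reports zero bigrams for the whole transfer, which is exactly why signature and DPI rules miss the fragmented transfer; the shadow memory, by contrast, coalesces the 144 one-byte writes into a single dirty region whose contents equal the original block, and region-level features are computed from that. Real deployments must also track reads, deletes and block-relocation commands, and scope the dirty-region analysis to the memory areas the protocol reserves for logic.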


Footnotes

2. The maximum payload sizes are 236 bytes and 80 bytes for the Modicon M221 PLC and the MicroLogix 1400 PLC, respectively.

3. In Allen-Bradley PLCs, each control logic block is called a file.

4. The control logic programs were collected in two ways: (1) generated in a lab environment using the vendors' engineering software and PLCs; (2) downloaded from various sources on the Internet (e.g., plctalk.net). Collectively, they are written for different physical processes (e.g., traffic light system, elevator, gas pipeline, hot water tank) with varying instructions and rung complexity.

5. We extract features based on the properties of control logic code and classify code packets as malicious in our evaluation scenario.

6. Stuxnet replaces the original s7otbxdx.dll of STEP 7 with its own version to intercept communication between STEP 7 and the S7-300 PLC.
 
Metadata

Copyright year: 2019
DOI: https://doi.org/10.1007/978-3-030-22038-9_6