Abstract
Programmable logic controllers monitor and control physical processes in critical infrastructure assets, including nuclear power plants, gas pipelines and water treatment plants. They are equipped with control logic written in IEC 61131 languages such as ladder diagrams and structured text that define how the physical processes are monitored and controlled. Cyber attacks that seek to sabotage physical processes typically target the control logic of programmable logic controllers.
Most of the attacks described in the literature inject malicious control logic into programmable logic controllers. This chapter presents a new type of attack that targets the control logic engine, the component responsible for executing the control logic. It demonstrates that a control logic engine can be disabled by exploiting inherent features such as the program mode and the ability to start and stop the engine. Case studies involving control logic engine attacks on real programmable logic controllers are presented. The case studies describe the internal details of the logic engine attacks to enable industry and the research community to understand the control logic engine attack vector. Additionally, control logic engine attacks on power substation, conveyor belt and elevator testbeds are presented to demonstrate their impacts on physical systems.
© 2022 IFIP International Federation for Information Processing
Cite this paper
Qasim, S.A., Ayub, A., Johnson, J., Ahmed, I. (2022). Attacking the IEC 61131 Logic Engine in Programmable Logic Controllers. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XV. ICCIP 2021. IFIP Advances in Information and Communication Technology, vol 636. Springer, Cham. https://doi.org/10.1007/978-3-030-93511-5_4
DOI: https://doi.org/10.1007/978-3-030-93511-5_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93510-8
Online ISBN: 978-3-030-93511-5
eBook Packages: Computer Science; Computer Science (R0)