Analysis of Time Drift and Real-Time Challenges in Programmable Logic Controller-Based Industrial Automation Systems: Insights from 24-Hour and 14-Day Tests

Abstract

Ensuring the reliability and temporal accuracy of real-time data transmission in industrial systems presents significant challenges. This study evaluates the performance of a Siemens Programmable Logic Controller (PLC) transmitting data to a MongoDB database via Node-RED over 24-hour and 14-day intervals. Key issues observed include time drift, timestamp misalignment, and forward/backward time jumps, mainly resulting from Node-RED’s internal timing adjustments. These anomalies compromised the integrity of time-sensitive data. A significant disruption on day 8 due to a power outage introduced data gaps and required manual system recovery. Additional spikes in missing data were observed after day 12. The Predictive Missing Value (PMV) model addressed these gaps. The model achieved strong accuracy at larger intervals (e.g., 5 min) but showed reduced performance at finer resolutions (1–2 min) due to the irregularity of data patterns. This research highlights the difficulty of maintaining temporal consistency in long-term, real-time systems. It also evaluates the PMV model’s effectiveness in mitigating data loss while acknowledging its limitations under complex timing disruptions.

Similar Papers
  • Conference Article
  • Citations: 7
  • DOI: 10.1109/icps49255.2021.9468226
Patch Now and Attack Later - Exploiting S7 PLCs by Time-Of-Day Block
  • May 10, 2021
  • Wael Alsabbagh + 1 more

Industrial control systems (ICSs) architecture consists of programmable logic controllers (PLCs) which communicate with an engineering station on one side, and control a certain physical process on the other side. Siemens PLCs, particularly S7-300 controllers, are widely used in industrial systems, and modern critical infrastructures heavily rely on them. But unfortunately, security features are largely absent in such devices or ignored/disabled because security is often at odds with operations. As a consequence of the already reported vulnerabilities, it is possible to leverage PLCs and perhaps even the corporate IT network. In this paper we show such PLCs are vulnerable and demonstrate that exploiting the execution process of the logic program running in a PLC is feasible. We target the logic program by injecting a Time-of-Day (TOD) interrupt code, which interrupts the execution sequence of the logic control at a certain time the attacker wishes. This attack is the first work that allows external adversaries to patch their malicious codes once they access exposed PLCs, keeping their attack idle inside the infected device, and then activate the attack at a later time without even being connected to the target at the attack date. In contrast to all previous works, this new approach opens the door entirely for attackers to compromise PLCs when they are offline at the point zero for the attack. For a real scenario, we implemented our attack on a real small industrial setting using S7-300 PLCs, and developed an already published tool called PLCinject to run our experiments. We finally suggest some potential mitigation approaches to secure systems against such threats.

  • Conference Article
  • Citations: 10
  • DOI: 10.1145/3433210.3453102
Scanning the Cycle: Timing-based Authentication on PLCs
  • May 24, 2021
  • Chuadhry Mujeeb Ahmed + 3 more

Programmable Logic Controllers (PLCs) are a core component of an Industrial Control System (ICS). However, if a PLC is compromised or the commands sent across a network from the PLCs are spoofed, consequences could be catastrophic. In this work, a novel technique to authenticate PLCs is proposed that aims at raising the bar against powerful attackers while being compatible with real-time systems. The proposed technique captures timing information for each controller in a non-invasive manner. It is argued that Scan Cycle is a unique feature of a PLC that can be approximated passively by observing network traffic. An attacker that spoofs commands issued by the PLCs would deviate from such fingerprints. To detect replay attacks a PLC Watermarking technique is proposed. PLC Watermarking models the relation between the scan cycle and the control logic by modeling the input/output as a function of request/response messages of a PLC. The proposed technique is validated on an operational water treatment plant (SWaT) and smart grid (EPIC) testbeds. Results from experiments indicate that PLCs can be distinguished based on their scan cycle timing characteristics.

  • Research Article
  • Citations: 9
  • DOI: 10.1016/j.fsidi.2022.301339
Memory forensic analysis of a programmable logic controller in industrial control systems
  • Mar 24, 2022
  • Forensic Science International: Digital Investigation
  • Muhammad Haris Rais + 3 more

  • Conference Article
  • Citations: 15
  • DOI: 10.1109/icit46573.2021.9453483
A Stealth Program Injection Attack against S7-300 PLCs
  • Mar 10, 2021
  • Wael Alsabbagh + 1 more

Industrial control systems (ICSs) consist of programmable logic controllers (PLCs) which communicate with an engineering station on one side, and control a certain physical process on the other side. Siemens PLCs, particularly S7-300 controllers, are widely used in industrial systems, and modern critical infrastructures heavily rely on them. But unfortunately, security features are largely absent in such devices or ignored/disabled because security is often at odds with operations. As a consequence of the already reported vulnerabilities, it is possible to leverage PLCs and perhaps even the corporate IT network. In this paper we show that S7-300 PLCs are vulnerable and demonstrate that exploiting the execution process of the logic program running in a PLC is feasible. We discuss a replay attack that compromises the password-protected PLCs, then we show how to retrieve the Bytecode from the target and decompile the Bytecode to STL source code. Afterwards we present how to conduct a typical injection attack showing that even a very tiny modification in the code is sufficient to harm the target system. Finally we combine the replay attack with the injection approach to achieve a stronger attack – the stealth program injection attack – which can hide the previous modification by engaging a fake PLC, impersonating the real infected device. For real scenarios, we implemented all our attacks on a real industrial setting using an S7-300 PLC. We eventually suggest mitigation approaches to secure systems against such threats.

  • Conference Article
  • Citations: 2
  • DOI: 10.1117/12.2232590
Can your software engineer program your PLC?
  • Jul 26, 2016
  • Philip Taylor + 1 more

The use of Programmable Logic Controllers (PLCs) in the control of large physics experiments is ubiquitous [1, 2, 3]. The programming of these controllers is normally the domain of engineers with a background in electronics; this paper introduces PLC program development from the software engineer's perspective. PLC programs provide the link between control software running on PC architecture systems and physical hardware controlled and monitored by digital and analog signals. The higher-level software running on the PC is typically responsible for accepting operator input and from this deciding when and how hardware connected to the PLC is controlled. The PLC accepts demands from the PC, considers the current state of its connected hardware and if correct to do so (based upon interlocks or other constraints) adjusts its hardware output signals appropriately for the PC's demands. A published ICD (Interface Control Document) defines the PLC memory locations available to be written and read by the PC to control and monitor the hardware. Historically the method of programming PLCs has been ladder diagrams that closely resemble circuit diagrams; however, PLC manufacturers nowadays also provide, and promote, the use of higher-level programming languages [4]. Based on techniques used in the development of high-level PC software to control PLCs for multiple telescopes, this paper examines the development of PLC programs to operate the hardware of a medical cyclotron beamline controlled from a PC using the Experimental Physics and Industrial Control System (EPICS), which is also widely used in telescope control [5, 6, 7]. The PLC used is the new generation Siemens S7-1200 programmed using Siemens Pascal-based Structured Control Language (SCL), which is their implementation of Structured Text (ST).
The approach described is that from a software engineer's perspective, utilising Siemens Totally Integrated Automation (TIA) Portal integrated development environment (IDE) to create modular PLC programs based upon reusable functions capable of being unit tested without the PLC connected to hardware. Emphasis has been placed on designing an interface between EPICS and SCL that enforces correct operation of hardware through stringent separation of PC accessible PLC memory and hardware I/O addresses used only by the PLC. The paper also introduces the method used to automate the creation, from the same source document, the PLC memory structure (tag) definitions (defining memory used to access hardware I/O and that accessed by the PC) and creation of the PC program data structures (EPICS database records) used to access the permitted PLC addresses. From direct experience this paper demonstrates the advantages of PLC program development being shared between electronic and software engineers, to enable use of the most appropriate processes from both the perspective of the hardware and the higher-level software used to control it.

  • Research Article
  • Citations: 7
  • DOI: 10.1016/j.fusengdes.2012.05.009
Connecting programmable logic controllers (PLC) to control and data acquisition a comparison of the JET and Wendelstein 7-X approach
  • Nov 2, 2012
  • Fusion Engineering and Design
  • Christine Hennig + 2 more

  • Research Article
  • Citations: 15
  • DOI: 10.1016/j.fsidi.2021.301196
JTAG-based PLC memory acquisition framework for industrial control systems
  • Jul 1, 2021
  • Forensic Science International: Digital Investigation
  • Muhammad Haris Rais + 3 more

  • Conference Article
  • Citations: 6
  • DOI: 10.1109/host55118.2023.10132957
Gadgets of Gadgets in Industrial Control Systems: Return Oriented Programming Attacks on PLCs
  • May 1, 2023
  • Adeen Ayub + 4 more

In industrial control systems (ICS), programmable logic controllers (PLCs) directly control and monitor physical processes in real-time such as nuclear plants, and power grid stations. Adversaries typically transfer malicious control logic to PLCs over the network to sabotage a physical process. These control logic attacks are well-understood, containing machine instructions in network packets, and are likely to be detected by network intrusion detection systems (IDS). On the other hand, return-oriented programming (ROP) reuses blocks (or gadgets) of existing code in computer memory to create and execute malicious code. It limits or eliminates the need to transfer machine instructions over the network, making it stealthier. Currently, ROP attacks on control logic have never been discussed in the literature to explore it as a practical ICS attack. This paper is the first attempt in this direction to explore challenges for a successful ROP attack on real-world PLCs, including maintaining a continuous (control logic) scan cycle through ROP gadgets, no user input (to cause a buffer overflow) to overwrite the stack for gadget installation, and limited ROP gadgets in a PLC memory to find blocks of instructions equivalent to the high-level constructs of PLC programming languages (such as instruction list, and ladder logic). We identify and utilize typical PLC design features (that we find exploitable) to overcome these challenges, which makes ROP attacks applicable to most PLCs, e.g., no stack protection, and remote access to certain PLC memory regions via ICS protocols. We demonstrate two successful ROP attacks on the control logic programs of three fully-functional physical processes, i.e., a belt conveyor system, a four-floor elevator, and a compact traffic light system.
The first ROP attack manipulates a PLC’s current control logic and has two variants involving either a single or multiple gadgets; the second ROP attack constructs a control logic from scratch using gadgets in a PLC’s memory. Our evaluation results show that the attacks can be performed using a set of small-sized gadgets with no significant effect on a PLC’s scan time.

  • Research Article
  • Citations: 19
  • DOI: 10.1016/j.ijcip.2015.02.001
Detecting anomalous programmable logic controller behavior using RF-based Hilbert transform features and a correlation-based verification process
  • Feb 20, 2015
  • International Journal of Critical Infrastructure Protection
  • Samuel J Stone + 2 more

  • Conference Article
  • Citations: 4
  • DOI: 10.1109/aseene51624.2020.9292646
Introduce Ladder Logic and Programmable Logic Controller (PLC)
  • Oct 16, 2020
  • Nicolas P Deguglielmo + 2 more

Programmable Logic Controllers (PLCs) are used in many industrial and infrastructure systems to monitor input sensors and control actuators. With progressively more demand for adaptive, robust and smart systems for manufacturing, transportation, and industrial systems, the demand for engineers proficient in PLCs has been growing. However, the typical engineering curriculum focuses more on fundamental principles and other applications, not covering PLCs. Employers desire and students yearn for hands-on, real-world, job-ready skills and proficiency. This study has explored and developed educational modules for PLCs that with further development and testing could be incorporated into engineering courses. Such modules would help student awareness, understanding and proficiency to enable contribution within a growing area of demand within the job market.

  • Conference Article
  • DOI: 10.1109/iecon.2019.8927252
Model Verification and Exhaustive Testing for Whitelist Function of Industrial Control System
  • Oct 1, 2019
  • Shintaro Fujita + 3 more

This paper considers a verification problem of the whitelist function applicable to the Programmable Logic Controller (PLC). The PLC of the industrial control system is an important controller to control sensors and actuators and requires security functions because PLCs are becoming targets for cyber-attacks such as malware and zero-day attacks. One of the PLC security functions is a whitelisting system that registers normal operations as a safety list and detects the operations not registered in the list as abnormal operations. The detection performance of the whitelist depends on how accurately the normal operation of PLC is modeled via Petri net. Therefore, it is necessary to verify the consistency of the normal operation and whitelist of the PLC. Verification of the consistency allows us to evaluate the detection range and to suppress false detection. The previous work of the current authors demonstrates that the Petri net model allows us to generate the whitelist from the control program of PLC. The whitelist generation is composed of two processes: The first is to convert a control program to a Petri net and the second is to convert a Petri net model to a whitelist. Thus, this paper proposes two whitelist verification methods. The first is a model verification method to verify the Petri net model using reachability of the Petri net. The second is an exhaustive test method to verify the whitelist operation. Furthermore, it is expected that the proposed methods are applicable for evaluation and verification of detection performance when the whitelist is compressed to reduce the load on the PLC.

  • Research Article
  • Citations: 6
  • DOI: 10.1088/1757-899x/569/4/042031
Research on Programmable Logic Controller Security
  • Jul 1, 2019
  • IOP Conference Series: Materials Science and Engineering
  • Haolan Wu + 3 more

With the convergence of computer technology and industrial networks, attackers are not limited to attacking only individual users’ computers, turning to attack industrial control systems that can cause major infrastructure problems. Programmable Logic Controllers (PLCs) are the core components of industrial control systems. Their safety has a profound impact on the safety of the entire industrial system. This paper firstly classifies the security research of PLC according to the structure and function, and expounds the existing security defects of PLC from the aspects of firmware security, operation security and program security. Then it summarizes and analyzes four types of security protection measures: the integrity of verification firmware, protocol security encryption, code formal verification, and program security defence detection. Finally, according to the overall safety of the industrial system and the actual development of the current PLC, we discuss the development trend of safety research.

  • Research Article
  • Citations: 1
  • DOI: 10.3390/encyclopedia4020056
An Overview of the Security of Programmable Logic Controllers in Industrial Control Systems
  • May 22, 2024
  • Encyclopedia
  • Hui Cui + 2 more

One key role in industrial control systems (ICSs) is known as Programmable Logic Controller (PLC). However, with the development of the Internet of Things (IoT), PLCs have become exposed to an increasing number of attacks, which may cause malfunctions of the whole ICS. Thus, it is necessary to identify potential attacks on PLCs and propose effective solutions to mitigate them. Unfortunately, to date, there have not been significant efforts made to provide a detailed overview of existing works on PLC security. With such a concern in mind, in this paper, we focus on summarising PLC security from different components running at different layers of a PLC architecture. We first review the framework of PLCs; then, we discuss several models when considering PLC security. After that, we provide an overview of existing attacks on PLCs and general solutions to those issues from different perspectives. Lastly, we conclude this paper with an overview of future research areas in PLC security.

  • Research Article
  • DOI: 10.31579/2690-1919/400
Cyber security department of Innovative Knowledge Institute (Paris Graduate School), Paris, France
  • Sep 30, 2024
  • Journal of Clinical Research and Reports
  • Christos P Beretas

Cybersecurity in Programmable Logic Controllers (PLCs) is a critical component in ensuring the overall security and reliability of industrial control systems. PLCs are widely used in various industries to automate processes and control machinery. However, as PLCs become more interconnected with other systems and the internet, they are increasingly vulnerable to cyber threats. This abstract explores the importance of cybersecurity in PLCs and the potential risks associated with inadequate security measures. It highlights the various ways in which PLCs can be compromised, such as through malware attacks, unauthorized access, or physical tampering. This abstract discusses the potential consequences of a cyber-attack on PLCs, including disruption of critical infrastructure, loss of sensitive data, and potential harm to personnel. It also emphasizes the importance of implementing robust cybersecurity measures, such as encryption, access control, and regular security audits, to protect PLCs from cyber threats. Finally, this abstract underscores the importance of prioritizing cybersecurity in PLCs to ensure the continued safety and reliability of industrial processes. Failure to adequately secure PLCs can have far-reaching consequences, making it imperative for organizations to invest in cybersecurity measures to safeguard their critical infrastructure.

  • Conference Article
  • Citations: 2
  • DOI: 10.1145/3576841.3589614
PIRAT - Tool for Automated Cyber-risk Assessment of PLC Components & Systems Deploying NVD CVE & MITRE ATT&CK Databases
  • May 9, 2023
  • Natalija Vlajic + 2 more

Programmable Logic Controllers (PLCs) are the backbone of modern-day Industrial Control Systems (ICSs), and as such play a key role in many critical infrastructure sectors (e.g., water and waste-water management, power distribution, transportation, food and agriculture, critical manufacturing, etc.). Given the important functions that PLCs carry out within many critical infrastructures, a cyber-compromise of even a single PLC device can have far-reaching impact and consequences, ranging from distribution-system outages, environmental pollution, mass water and food poisoning, to outright loss of human life. The objective of this work-in-progress is to develop a free open source tool, named PIRAT, for cyber-risk assessment of individual PLC components, as well as more complex PLC systems. The tool synthesizes the user-provided PLC component/system information with the readily available data from the National Vulnerability Database (NVD) and MITRE Adversarial Tactics, Techniques and Common Knowledge (MITRE ATT&CK) database. The output of the tool is an aggregate risk score for the given PLC component/system. The risk score is derived not only based on the known PLC vulnerabilities, but also based on the presence and capabilities of advanced persistent threat (APT) groups potentially targeting the given PLC component/system and/or targeting the respective critical infrastructure industry.
