Abstract

Industrial control systems (ICS) play a critical role in the operation of our vital infrastructures. They consist of field sites and a control center, with programmable logic controllers (PLCs) used at field sites to control physical processes directly. These systems communicate with the control center using proprietary protocols for remote monitoring, control, and configuration. The ability to reverse engineer these protocols can improve digital forensics techniques for investigating ICS attacks. The existing methods for reversing ICS protocols are manual forensics, binary analysis, probabilistic methods, or predefined network traffic analysis tools. ICS protocols, designed to operate in industrial environments, exhibit overlapping functionality, like uploading/downloading control logic to a PLC, which results in shared standard fields, such as function code and PLC memory address. Our hypothesis is that knowledge of one ICS protocol can aid in reverse engineering other proprietary ICS protocols. The paper introduces a heuristic builder, PREE, which enables control engineers with ICS protocol knowledge to create heuristics for identifying fields in other ICS protocols. We test our hypothesis by creating seven heuristic variants using the rolling window, vertical window, and frequency table techniques. We evaluate our heuristics on six ICS protocols, i.e., Modbus TCP, UMAS, ENIP, Omron FINS, CLICK, and PCCC. The evaluation involves five PLCs from four vendors: Modicon M221, Allen Bradley 1400 and 1100, Omron CP1L, and AutomationDirect CLICK Koyo. Results show that PREE can effectively identify common fields in multiple protocols, such as function code, message type, message length, PLC memory address, data size, and session/transaction IDs. PREE outperforms existing reverse engineering tools like NetPlier, Netzob, and Discoverer in terms of accuracy, conciseness, completeness, and consistency. We also demonstrate PREE's applications in a vulnerability study on CLICK Koyo PLC and present SNORT rules for investigating various attacks on it.

Talk to us

Join us for a 30 min session where you can share your feedback and ask us any queries you have

Schedule a call

Disclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.