Overshadow PLC to Detect Remote Control-Logic Injection Attacks
- University of New Orleans
- ORNL
- Virginia Commonwealth University
Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as nuclear plants, power grids, and gas pipelines. Control logic attacks have been studied extensively in the literature, including hiding the transfer of a control logic over the network from both packet header-based signatures, and deep packet inspection. For instance, these attacks transfer a control logic code as data, into small fragments (one-byte per packet), that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of a control logic code, such as number of rungs, number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400 from two ICS vendors, Schneider electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identifying at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.
- Research Organization:
- Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
- Sponsoring Organization:
- USDOE
- DOE Contract Number:
- AC05-00OR22725
- OSTI ID:
- 1550730
- Resource Relation:
- Journal Volume: 11543; Conference: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019) - Gothenburg, , Sweden - 6/19/2019 12:00:00 PM-6/20/2019 12:00:00 PM
- Country of Publication:
- United States
- Language:
- English
Similar Records
Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics
Towards generic memory forensic framework for programmable logic controllers