Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Yoo, Hyunguk; Kalle, Sushma; Smith, Jared M.; Ahmed, Irfan

doi:10.1007/978-3-030-22038-9_6

Title: Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Conference · Sat Jun 01 00:00:00 EDT 2019

DOI:https://doi.org/10.1007/978-3-030-22038-9_6· OSTI ID:1550730

Yoo, Hyunguk ^[1]; Kalle, Sushma ^[1];

^[2]; Ahmed, Irfan ^[3]

University of New Orleans
ORNL
Virginia Commonwealth University

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as nuclear plants, power grids, and gas pipelines. Control logic attacks have been studied extensively in the literature, including hiding the transfer of a control logic over the network from both packet header-based signatures, and deep packet inspection. For instance, these attacks transfer a control logic code as data, into small fragments (one-byte per packet), that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of a control logic code, such as number of rungs, number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400 from two ICS vendors, Schneider electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identifying at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.

View Conference

Cite

Export

Save

Research Organization:: Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)

Sponsoring Organization:: USDOE

DOE Contract Number:: AC05-00OR22725

OSTI ID:: 1550730

Resource Relation:: Journal Volume: 11543; Conference: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019) - Gothenburg, , Sweden - 6/19/2019 12:00:00 PM-6/20/2019 12:00:00 PM

Country of Publication:: United States

Language:: English

Similar Records

Attacking the IEC-61131 Logic Engine in Programmable Logic Controllers in Industrial Control Systems

Conference · Mon Mar 01 00:00:00 EST 2021 · OSTI ID:1550730

Ali qasim, Syed; Ayub, Adeen; Johnson, Jordan; +1 more

Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics

Conference · Sun Sep 01 00:00:00 EDT 2019 · OSTI ID:1550730

Ali qasim, Syed; Lopez Jr, Juan; Ahmed, Irfan

Towards generic memory forensic framework for programmable logic controllers

Journal Article · Mon Mar 20 00:00:00 EDT 2023 · Forensic Science International: Digital Investigation · OSTI ID:1550730

Asmar Awad, Rima; Haris Rais, Muhammad; Rogers, Michael; +2 more

Title: Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Citation Formats

Similar Records

Related Subjects