OSTI.GOV, U.S. Department of Energy, Office of Scientific and Technical Information

Title: Overshadow PLC to Detect Remote Control-Logic Injection Attacks

Abstract

Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control-logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as a nuclear plant, power grid, or gas pipeline. Control-logic attacks have been studied extensively in the literature, including techniques that hide the transfer of control logic over the network from both packet-header-based signatures and deep packet inspection. For instance, these attacks transfer control-logic code as data, split into small fragments (one byte per packet) that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC's memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of control-logic code, such as the number of rungs, the number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control-logic injection attacks on two PLCs, the Modicon M221 and the MicroLogix 1400, from two ICS vendors, Schneider Electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identify at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.

Authors: Yoo, Hyunguk [1]; Kalle, Sushma [1]; Smith, Jared M. [2]; Ahmed, Irfan [3]
  1. University of New Orleans
  2. ORNL
  3. Virginia Commonwealth University
Publication Date:
Research Org.: Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
Sponsoring Org.: USDOE
OSTI Identifier: 1550730
DOE Contract Number: AC05-00OR22725
Resource Type: Conference
Resource Relation: Journal Volume: 11543; Conference: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2019), Gothenburg, Sweden, 6/19/2019 to 6/20/2019
Country of Publication: United States
Language: English

Citation Formats

Yoo, Hyunguk, Kalle, Sushma, Smith, Jared M., and Ahmed, Irfan. Overshadow PLC to Detect Remote Control-Logic Injection Attacks. United States: N. p., 2019. Web. doi:10.1007/978-3-030-22038-9_6.
Yoo, Hyunguk, Kalle, Sushma, Smith, Jared M., & Ahmed, Irfan. Overshadow PLC to Detect Remote Control-Logic Injection Attacks. United States. doi:10.1007/978-3-030-22038-9_6.
Yoo, Hyunguk, Kalle, Sushma, Smith, Jared M., and Ahmed, Irfan. "Overshadow PLC to Detect Remote Control-Logic Injection Attacks". United States. doi:10.1007/978-3-030-22038-9_6. https://www.osti.gov/servlets/purl/1550730.
@article{osti_1550730,
title = {Overshadow PLC to Detect Remote Control-Logic Injection Attacks},
author = {Yoo, Hyunguk and Kalle, Sushma and Smith, Jared M. and Ahmed, Irfan},
abstractNote = {Programmable logic controllers (PLCs) in industrial control systems (ICS) are vulnerable to remote control logic injection attacks. Attackers target the control logic of a PLC to manipulate the behavior of a physical process such as nuclear plants, power grids, and gas pipelines. Control logic attacks have been studied extensively in the literature, including hiding the transfer of a control logic over the network from both packet header-based signatures, and deep packet inspection. For instance, these attacks transfer a control logic code as data, into small fragments (one-byte per packet), that are further padded with noise data. To detect control logic in ICS network traffic, this paper presents Shade, a novel shadow memory technique that observes the network traffic to maintain a local copy of the current state of a PLC memory. To analyze the memory contents, Shade employs a classification algorithm with 42 unique features categorized into five types at different semantic levels of a control logic code, such as number of rungs, number of consecutive decompiled instructions, and n-grams. We then evaluate Shade against control logic injection attacks on two PLCs, Modicon M221 and MicroLogix 1400 from two ICS vendors, Schneider electric and Allen-Bradley, respectively. The evaluation results show that Shade can detect an attack instance (i.e., identifying at least one attack packet during the transfer of a malicious control logic) accurately without any false alarms.},
doi = {10.1007/978-3-030-22038-9_6},
issn = {0302--9743},
volume = {11543},
place = {United States},
year = {2019},
month = {6}
}
