skip to main content
OSTI.GOV title logo U.S. Department of Energy
Office of Scientific and Technical Information

Title: Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics

Abstract

This paper presents Similo, an automated scalable framework for control logic forensics in industrial control systems. Similo is designed to investigate denial of engineering operations (DEO) attacks, recently demonstrated to hide malicious control logic in a programmable logic controller (PLC) at field sites from an engineering software (at control center). The network traffic (if captured) contains substantial evidence to investigate DEO attacks including manipulation of control logic. Laddis, a state-of-the-art forensic approach for DEO attacks, is a binary-logic decompiler for the Allen-Bradley’s RSLogix engineering software and MicroLogix 1400 PLC. It is developed with extensive manual reverse engineering effort of the underlying proprietary network protocol and the binary control logic. Unfortunately, Laddis is not scalable and requires similar efforts to extend on other engineering software/PLCs. The proposed solution, Similo, is based on the observation that engineering software of different vendors are equipped with decompilers. Similo is a virtual-PLC framework that integrates the decompilers with their respective (previously-captured) ICS network traffic of control logic. It recovers the binary logic into a high-level source code (of the programming languages defined by IEC 61131-3 standard) automatically. Similo can work with both proprietary/open protocols without requiring protocol specifications and the binary formats of control logic.more » Thus, it is scalable to different ICS vendors. We evaluate Similo on three PLCs of two ICS vendors, i.e. MicroLogix 1400, MicroLogix 1100, and Modicon M221. These PLCs support proprietary protocols and the control logics written in two programming languages: Ladder Logic and Instruction List. The evaluation results show that Similo can accurately reconstruct a control logic from an ICS network traffic and can be used to investigate the DEO attacks effectively.« less

Authors:
 [1];  [2];  [1]
  1. Virginia Commonwealth University
  2. ORNL
Publication Date:
Research Org.:
Oak Ridge National Lab. (ORNL), Oak Ridge, TN (United States)
Sponsoring Org.:
USDOE
OSTI Identifier:
1570119
DOE Contract Number:  
AC05-00OR22725
Resource Type:
Conference
Resource Relation:
Conference: 22nd International Conference on Information Security (ISC 2019) - New York City, New York, United States of America - 9/16/2019 8:00:00 AM-9/18/2019 8:00:00 AM
Country of Publication:
United States
Language:
English

Citation Formats

Ali qasim, Syed, Lopez Jr, Juan, and Ahmed, Irfan. Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics. United States: N. p., 2019. Web.
Ali qasim, Syed, Lopez Jr, Juan, & Ahmed, Irfan. Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics. United States.
Ali qasim, Syed, Lopez Jr, Juan, and Ahmed, Irfan. Sun . "Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics". United States. https://www.osti.gov/servlets/purl/1570119.
@article{osti_1570119,
title = {Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics},
author = {Ali qasim, Syed and Lopez Jr, Juan and Ahmed, Irfan},
abstractNote = {This paper presents Similo, an automated scalable framework for control logic forensics in industrial control systems. Similo is designed to investigate denial of engineering operations (DEO) attacks, recently demonstrated to hide malicious control logic in a programmable logic controller (PLC) at field sites from an engineering software (at control center). The network traffic (if captured) contains substantial evidence to investigate DEO attacks including manipulation of control logic. Laddis, a state-of-the-art forensic approach for DEO attacks, is a binary-logic decompiler for the Allen-Bradley’s RSLogix engineering software and MicroLogix 1400 PLC. It is developed with extensive manual reverse engineering effort of the underlying proprietary network protocol and the binary control logic. Unfortunately, Laddis is not scalable and requires similar efforts to extend on other engineering software/PLCs. The proposed solution, Similo, is based on the observation that engineering software of different vendors are equipped with decompilers. Similo is a virtual-PLC framework that integrates the decompilers with their respective (previously-captured) ICS network traffic of control logic. It recovers the binary logic into a high-level source code (of the programming languages defined by IEC 61131-3 standard) automatically. Similo can work with both proprietary/open protocols without requiring protocol specifications and the binary formats of control logic. Thus, it is scalable to different ICS vendors. We evaluate Similo on three PLCs of two ICS vendors, i.e. MicroLogix 1400, MicroLogix 1100, and Modicon M221. These PLCs support proprietary protocols and the control logics written in two programming languages: Ladder Logic and Instruction List. The evaluation results show that Similo can accurately reconstruct a control logic from an ICS network traffic and can be used to investigate the DEO attacks effectively.},
doi = {},
journal = {},
number = ,
volume = ,
place = {United States},
year = {2019},
month = {9}
}

Conference:
Other availability
Please see Document Availability for additional information on obtaining the full-text document. Library patrons may search WorldCat to identify libraries that hold this conference proceeding.

Save / Share: