U.S. Department of Energy
Office of Scientific and Technical Information

Memory forensic analysis of a programmable logic controller in industrial control systems

Conference

In industrial control systems (ICS), programmable logic controllers (PLCs) are used to automate physical processes such as nuclear plants and power grid stations, and are often subject to cyber attacks. As in the conventional IT domain, memory analysis of PLCs can help answer important forensic questions about an attack, such as the presence of malicious firmware, injection of modified control logic (the program running on the PLC), and manipulation of I/O devices (e.g., sensors and actuators). Unlike the conventional IT domain, PLCs have heterogeneous hardware architectures, proprietary firmware and proprietary control software, making it challenging to employ a unified framework for their memory forensics. Merely extracting artifacts of forensic importance by reverse-engineering the firmware is a tedious task, and the effort must be repeated for every PLC model. As a community, a step-wise approach to tackling this challenge is to analyze the memory of specific PLCs and subsequently derive a generic framework applicable to all PLCs. Our work is a step forward in this direction. By following a methodology that focuses on the functional layer of PLCs instead of reverse engineering the firmware, we analyze the digital forensic artifacts available in a common PLC, the Allen-Bradley ControlLogix 1756-L61. Before diving into the memory dump, we analyze the PLC control software to create a list of important artifacts that are certain to exist in the PLC memory dump. The approach employs a setup in which the PLC control software RSLogix 5000 is connected to the PLC, and a memory dump can be obtained whenever needed. We create test cases that sequentially exercise each category of artifacts, followed by an examination of the resultant impact on memory. After locating the listed artifacts, we employ conventional string and known-data searches to extract further interesting information present in this PLC's memory.
The memory analysis profile, presented as a Python library and shared with the community, can help a forensic investigator readily extract forensic artifacts from a controller of the same model. The adopted approach may help researchers create memory profiles of other PLCs, and ultimately formulate a generic PLC memory analysis framework.

Research Organization:
Oak Ridge National Laboratory (ORNL), Oak Ridge, TN (United States)
Sponsoring Organization:
USDOE
DOE Contract Number:
AC05-00OR22725
OSTI ID:
1878709
Country of Publication:
United States
Language:
English
