DOI: 10.1145/3600160.3605081
Research article, open access

Towards Obfuscation of Programmable Logic Controllers

Published: 29 August 2023

Abstract

Recently published scan data on Shodan shows that around 105K Industrial Control Systems (ICSs) around the world are directly reachable from the Internet. In particular, highly sensitive components, such as Programmable Logic Controllers (PLCs), are potentially exposed to attackers who can mount several kinds of attacks. On the other hand, to accomplish non-trivial cyber-physical attacks, an attacker must possess a sufficient degree of process comprehension of the physical processes within the target ICS.
In this paper, we explore the feasibility of designing obfuscation strategies that prevent an attacker from comprehending the behavior of the physical process within an ICS by accessing PLC memory registers. We propose two generic obfuscation strategies for PLC memories, involving memory registers, PLC code, and simulated physical processes controlled by the obfuscated PLCs. We then measure the effectiveness of the proposed obfuscation strategies in terms of potency, resilience, and cost on a non-trivial case study.


Published In

ARES '23: Proceedings of the 18th International Conference on Availability, Reliability and Security
August 2023
1440 pages
ISBN:9798400707728
DOI:10.1145/3600160

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Code obfuscation
  2. Process comprehension
  3. Programmable Logic Controller

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2023

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%
