Rights statement: This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 110, 2021 DOI: 10.1016/j.cose.2021.102424
Available under license: CC BY-NC-ND: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License
Research output: Contribution to Journal/Magazine › Journal article › peer-review
TY - JOUR
T1 - PCaaD
T2 - Towards automated determination and exploitation of industrial systems
AU - Green, B.
AU - Derbyshire, R.
AU - Krotofil, M.
AU - Knowles, W.
AU - Prince, D.
AU - Suri, N.
N1 - This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 110, 2021 DOI: 10.1016/j.cose.2021.102424
PY - 2021/11/30
Y1 - 2021/11/30
N2 - Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.
AB - Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.
KW - C2
KW - ICS
KW - OT
KW - PLC Programming Practices
KW - Process Comprehension
KW - Reconnaissance
KW - SCADA
KW - C (programming language)
KW - Computer circuits
KW - Integrated circuits
KW - Process control
KW - Programmed control systems
KW - SCADA systems
KW - Control logic
KW - Logic controller
KW - Process comprehension
KW - Programmable logic
KW - Programmable logic controller programming practice
KW - Programmable logic controllers
U2 - 10.1016/j.cose.2021.102424
DO - 10.1016/j.cose.2021.102424
M3 - Journal article
VL - 110
JO - Computers and Security
JF - Computers and Security
SN - 0167-4048
M1 - 102424
ER -