Home > Research > Publications & Outputs > PCaaD

Electronic data

  • PCaaD

    Rights statement: This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 110, 2021 DOI: 10.1016/j.cose.2021.102424

    Accepted author manuscript, 427 KB, PDF document

    Available under license: CC BY-NC-ND: Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License

Links

Text available via DOI:

View graph of relations

PCaaD: Towards automated determination and exploitation of industrial systems

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Published

Standard

PCaaD : Towards automated determination and exploitation of industrial systems. / Green, B.; Derbyshire, R.; Krotofil, M.; Knowles, W.; Prince, D.; Suri, N.

In: Computers and Security, Vol. 110, 102424, 30.11.2021.

Research output: Contribution to Journal/MagazineJournal articlepeer-review

Harvard

APA

Vancouver

Author

Bibtex

@article{71888af682104ea4a93b2938c8b66468,
title = "PCaaD: Towards automated determination and exploitation of industrial systems",
abstract = "Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application. ",
keywords = "C2, ICS, OT, PLC Programming Practices, Process Comprehension, Reconnaissance, SCADA, C (programming language), Computer circuits, Integrated circuits, Process control, Programmed control systems, SCADA systems, Control logic, Logic controller, Process comprehension, Programmable logic, Programmable logic controller programming practice, Programmable logic controllers",
author = "B. Green and R. Derbyshire and M. Krotofil and W. Knowles and D. Prince and N. Suri",
note = "This is the author{\textquoteright}s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 110, 2021 DOI: 10.1016/j.cose.2021.102424",
year = "2021",
month = nov,
day = "30",
doi = "10.1016/j.cose.2021.102424",
language = "English",
volume = "110",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY - JOUR

T1 - PCaaD

T2 - Towards automated determination and exploitation of industrial systems

AU - Green, B.

AU - Derbyshire, R.

AU - Krotofil, M.

AU - Knowles, W.

AU - Prince, D.

AU - Suri, N.

N1 - This is the author’s version of a work that was accepted for publication in Computers and Security. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Computers and Security, 110, 2021 DOI: 10.1016/j.cose.2021.102424

PY - 2021/11/30

Y1 - 2021/11/30

N2 - Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.

AB - Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers to obtain control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control-logic, i.e., process comprehension. The consensus from both academics and practitioners suggests stealthy process comprehension obtained from a PLC alone, to execute targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class, affording attackers an increased level of process comprehension. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD), as a novel methodological and automatable approach towards the system-agnostic identification of PLC library functions. This leads to the targeted exfiltration of operational data, manipulation of control-logic behavior, and establishment of covert command and control channels through unused memory. We validate PCaaD on widely used PLCs through its practical application.

KW - C2

KW - ICS

KW - OT

KW - PLC Programming Practices

KW - Process Comprehension

KW - Reconnaissance

KW - SCADA

KW - C (programming language)

KW - Computer circuits

KW - Integrated circuits

KW - Process control

KW - Programmed control systems

KW - SCADA systems

KW - Control logic

KW - Logic controller

KW - Process comprehension

KW - Programmable logic

KW - Programmable logic controller programming practice

KW - Programmable logic controllers

U2 - 10.1016/j.cose.2021.102424

DO - 10.1016/j.cose.2021.102424

M3 - Journal article

VL - 110

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 102424

ER -