Control Logic Attack Detection and Forensics Through Reverse-Engineering and Verifying PLC Control Applications.

IEEE Internet Things J. (2024)

Abstract
Industrial control systems (ICSs) are prevalent in critical infrastructures, where programmable logic controllers (PLCs) and physical instruments are integrated. However, multiple successful attacks against PLC control logic programs have caused significant damage to ICSs, which has led to an urgent need for detection and forensics of such attacks. Although several off-the-shelf defending mechanisms have been presented in the past, few of them can detect and locate the control logic attacks at run-time. In this paper, we propose a practical and automatic Control Logic Attack Detection and Forensics framework (CLADF) to conduct control logic attack detection and forensics in ICSs. Specifically, the core of CLADF includes 1) a control application extraction module to extract PLC binary control applications by simulating PLC normal upload functionality, 2) a control application reverse engineering module to disassemble binary control applications, and 3) an attack detection and forensics module for verifying the integrity of PLC control applications, recovering the normal control application, and locating the modified control instructions. We extensively evaluated CLADF in five different application scenarios and two real-world Schneider PLCs. For each PLC, we generated three types of 150 mutated control logic attacks. The results demonstrate that CLADF can effectively extract the run-time binary control application in different application scenarios and disassemble these binary control applications into assembly instructions. Moreover, CLADF can accurately detect the attacks and locate the modified subroutines.
Keywords
Industrial control systems, Programmable logic controllers, Control logic attacks, Attack detection and forensics