Litcius/Paper detail

Control Logic Forensics Framework using Built-in Decompiler of Engineering Software in Industrial Control Systems

Syed Ali Qasim, Jared M. Smith, Irfan Ahmed

2020Forensic Science International Digital Investigation26 citationsDOIOpen Access PDF

Abstract

In industrial control systems (ICS), attackers inject malicious control-logic into programmable logic controllers (PLCs) to sabotage physical processes, such as nuclear plants, traffic-light signals, elevators, and conveyor belts. For instance, Stuxnet operates by transfering control logic to Siemens S7-300 PLCs over the network to manipulate the motor speed of centrifuges. These devestating attacks are referred to as control-logic injection attacks. Their network traffic, if captured, contains malicious control logic that can be leveraged as a forensic artifact. In this paper, we present Reditus to recover control logic from a suspicious ICS network traffic. Reditus is based on the observation that an engineering software has a built-in decompiler that can transform the control logic into its source-code. Reditus integrates the decompiler with a (previously-captured) set of network traffic from a control-logic to recover the source code of the binary control-logic automatically. We evaluate Reditus on the network traffic of 40 control logic programs transferred from the SoMachine Basic engineering software to a Modicon M221 PLC. Our evaluation successfully demonstrates that Reditus can recover the source-code of a control logic from its network traffic.

Topics & Concepts

Programmable logic controllerControl logicComputer scienceIndustrial control systemControl systemArtifact (error)SoftwareEmbedded systemEngineeringControl (management)Computer hardwareProgramming languageOperating systemArtificial intelligenceElectrical engineeringAdvanced Malware Detection TechniquesDigital and Cyber ForensicsSecurity and Verification in Computing