Control logic injection attacks on industrial control systems

Abstract

Remote control-logic injection attacks on programmable logic controllers (PLCs) impose critical threats to industrial control system (ICS) environments. For instance, Stuxnet infects the control logic of a Siemens S7-300 PLC to sabotage nuclear plants. Several control logic injection attacks have been studied in the past. However, they focus on the development and infection of PLC control logic and do not consider the stealthy methods of transferring the logic to a PLC over the network. This paper is the first effort to explore the packet manipulation of control logic to achieve stealthiness without modifying PLC firmware to support new (obfuscation) functionality. It presents two new control logic injection attacks: (1) Data Execution and (2) Fragmentation and Noise Padding. Data Execution attack subverts signatures (based-on packet-header fields) by transferring control logic to the data blocks of a PLC and then, changes the PLC’s system control flow to execute the attacker’s logic. Fragmentation and Noise Padding attack subverts deep packet inspection (DPI) by appending a sequence of padding bytes in control logic packets while keeping the size of the attacker’s logic in packet payloads significantly small. We implement the attacks on two industry-scale PLCs of different vendors and demonstrate that these attacks can subvert intrusion detection methods successfully, such as signature-based intrusion detection and Anagram-based DPI. We also release the training and attack datasets to facilitate research in this direction.