Adeen Ayub

Virginia Commonwealth University, Ri...

7 publications with author Adeen Ayub
Conference Paper
Published: 27 July 2022

Industrial control systems (ICS) are essential for the safe and efficient operation of critical infrastructures such as power grids, pipelines, and water treatment facilities. Attackers target ICS, mainly programmable logic controllers (PLCs), to sabotage the underlying infrastructure. A PLC controls a physical process through connected sensors and actuators. It runs a control-logic program that specifies how the physical process is monitored and controlled, and that program is a common target of cyberattacks. Vendor-provided proprietary engineering software is typically used to investigate infected control logic. This paper shows that an attacker can use control-logic obfuscation as an anti-forensics technique to hinder investigations and incident response. The control-logic obfuscation subverts the engineering software's decompilation function; therefore, we call it a denial-of-decompilation attack. The attack exploits a fundamental design principle of how engineering software creates compiled control logic, and therefore affects the engineering software of multiple vendors in the industry.

ACS Style

Nauman Zubair; Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. Control Logic Obfuscation Attack in Industrial Control Systems. 2022, 227-232.

AMA Style

Nauman Zubair, Adeen Ayub, Hyunguk Yoo, Irfan Ahmed. Control Logic Obfuscation Attack in Industrial Control Systems. 2022:227-232.

Chicago/Turabian Style

Nauman Zubair; Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. 2022. "Control Logic Obfuscation Attack in Industrial Control Systems." 227-232.

Conference Paper
Published: 01 May 2021

Programmable logic controllers (PLCs) run a 'control logic' program that defines how to control a physical process such as a nuclear plant, power grid stations, and gas pipelines. Attackers target the control logic of a PLC to sabotage a physical process. Most PLCs employ password-based authentication mechanisms to prevent unauthorized remote access to control logic. This paper presents an empirical study on proprietary authentication mechanisms in five industry-scale PLCs to understand the security-design practices of four popular ICS vendors, i.e., Allen-Bradley, Schneider Electric, AutomationDirect, and Siemens. The empirical study determines whether the mechanisms are vulnerable by design and can be exploited. It reveals serious design issues and vulnerabilities in authentication mechanisms, including lack of nonce, small-sized encryption key, weak encryption scheme, and client-side authentication. The study further confirms the findings empirically by creating and testing proof-of-concept exploits derived from the MITRE ATT&CK knowledge base of adversary tactics and techniques. Unlike existing work, our study relies solely on network traffic examination and does not employ the typical reverse engineering of binary files (e.g., PLC firmware) to reveal the seriousness of the design problems. Moreover, the study covers PLCs from different vendors to highlight an industry-wide issue of secure PLC authentication that needs to be addressed.

ACS Style

Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. Empirical Study of PLC Authentication Protocols in Industrial Control Systems. 2021, 383-397.

AMA Style

Adeen Ayub, Hyunguk Yoo, Irfan Ahmed. Empirical Study of PLC Authentication Protocols in Industrial Control Systems. 2021:383-397.

Chicago/Turabian Style

Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. 2021. "Empirical Study of PLC Authentication Protocols in Industrial Control Systems." 383-397.
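The following is an added illustration, not code from the "Empirical Study of PLC Authentication Protocols" paper or from any vendor's protocol, of why three of the design issues the abstract names (lack of nonce, client-side authentication, small-sized key) are exploitable from captured network traffic alone. The message shapes, the shared password, the 2-byte key and the HMAC-SHA256 proof are assumptions chosen for the demo.

```python
"""Added illustration: toy PLC password checks and the attacks the
abstract's findings enable.  Nothing here is a vendor's protocol; the
message shapes, password, key sizes and MAC choice are assumptions."""
import hashlib
import hmac
import secrets

PASSWORD = b"plc-maintenance"   # constructed shared secret


def proof(key: bytes, challenge: bytes) -> bytes:
    """Keyed digest the client sends to prove it knows the key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


# 1. No nonce: the challenge is a fixed string, so the proof never changes
#    and one sniffed login can be replayed forever.
FIXED_CHALLENGE = b"UNLOCK"


def plc_verify_no_nonce(p: bytes) -> bool:
    return hmac.compare_digest(p, proof(PASSWORD, FIXED_CHALLENGE))


# 2. Fresh nonce per session, consumed on use: a replayed proof is rejected.
class NoncePLC:
    def __init__(self):
        self._live = set()

    def challenge(self) -> bytes:
        n = secrets.token_bytes(16)
        self._live.add(n)
        return n

    def verify(self, nonce: bytes, p: bytes) -> bool:
        if nonce not in self._live:
            return False          # unknown, expired or already used nonce
        self._live.discard(nonce)
        return hmac.compare_digest(p, proof(PASSWORD, nonce))


# 3. Client-side authentication: the engineering workstation checks the
#    password locally and reports the verdict; the PLC trusts the flag.
def plc_verify_client_flag(msg: dict) -> bool:
    return msg.get("authenticated") is True


# 4. Small key: a 16-bit key is recovered offline from one sniffed
#    (nonce, proof) pair by enumerating all 65,536 candidates.
WEAK_KEY = b"\x1f\x2a"          # constructed 2-byte key


def recover_weak_key(nonce: bytes, p: bytes):
    for k in range(1 << 16):
        cand = k.to_bytes(2, "big")
        if hmac.compare_digest(proof(cand, nonce), p):
            return cand
    return None


def replay_attack():
    """Sniff one legitimate login and replay it.  Returns (no-nonce design
    accepts the replay, nonce design accepts the genuine login, nonce design
    accepts the replay)."""
    captured = proof(PASSWORD, FIXED_CHALLENGE)
    no_nonce_replay = plc_verify_no_nonce(captured)
    plc = NoncePLC()
    n = plc.challenge()
    captured = proof(PASSWORD, n)
    genuine = plc.verify(n, captured)
    replay = plc.verify(n, captured)
    return no_nonce_replay, genuine, replay


def forged_flag_attack():
    """No password needed: the attacker simply asserts success."""
    return plc_verify_client_flag({"authenticated": True})


def key_recovery_attack():
    nonce = secrets.token_bytes(16)
    sniffed = proof(WEAK_KEY, nonce)
    return recover_weak_key(nonce, sniffed)


if __name__ == "__main__":
    print("replay (no nonce, genuine, replay with nonce):", replay_attack())
    print("forged client flag accepted:", forged_flag_attack())
    print("recovered 16-bit key:", key_recovery_attack().hex())
```

All three attacks need only what is visible on the wire, which is the point of the abstract's methodology: none of them requires firmware reverse engineering. The nonce design is the minimum fix for replay; the client-side flag has no fix other than moving the check to the PLC.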

Journal Article
IEEE Security & Privacy
Published: 23 May 2023 in IEEE Security & Privacy

Programmable logic controllers (PLCs) have design features to enable operations, such as real-time control of physical processes. These features have weaknesses, making PLCs vulnerable to attacks (network- or firmware-based). We study these features and attacks and suggest security requirements for designing a PLC.

ACS Style

Adeen Ayub; Wooyeon Jo; Syed Ali Qasim; Irfan Ahmed. How Are Industrial Control Systems Insecure by Design? A Deeper Insight Into Real-World Programmable Logic Controllers. IEEE Security & Privacy 2023, 21, 10-19.

AMA Style

Adeen Ayub, Wooyeon Jo, Syed Ali Qasim, Irfan Ahmed. How Are Industrial Control Systems Insecure by Design? A Deeper Insight Into Real-World Programmable Logic Controllers. IEEE Security & Privacy. 2023;21(4):10-19.

Chicago/Turabian Style

Adeen Ayub; Wooyeon Jo; Syed Ali Qasim; Irfan Ahmed. 2023. "How Are Industrial Control Systems Insecure by Design? A Deeper Insight Into Real-World Programmable Logic Controllers." IEEE Security & Privacy 21, no. 4: 10-19.

Conference Paper
Published: 06 May 2024

Programmable logic controllers (PLCs) in industrial control systems (ICS) run a control logic program to monitor and control critical infrastructures in real time, such as nuclear plants and power grids. Attackers target PLC control logic remotely to sabotage or disrupt physical processes. Network intrusion detection systems (IDS) are increasingly used to detect malicious control logic. This paper demonstrates that standard IDS features in a protocol message header and payload, such as entropy, n-grams, and decompilation, are not resilient for detecting (control logic) binary programs. It identifies and utilizes a PLC design feature, redundant address pins (RAP), unexplored in the literature, to bypass IDS and inject a small piece of programmable malicious code (PMC) into a PLC's control logic as an initial attack vector, allowing it to execute with every scan cycle. We propose three unique attack methods (GizmoSplit, BuffWarp, and EnigmaFlow) using PMC as a proof of concept that blends control logic with network traffic via payload encoding, small-size payloads, or sparse memory addressing. The GizmoSplit attack divides the control logic into small gadgets and writes them to random memory locations in a PLC; PMC modifies the stack with the locations of the gadgets to execute them as return-oriented programming. The BuffWarp attack employs a small-size buffer to which the attacker writes malicious code periodically to bypass stateful inspection at the payload level; PMC, in turn, keeps moving the buffer content to consecutive memory locations to execute it. The EnigmaFlow attack encodes control logic and sends it to a PLC's typically unused memory region, where PMC decodes and executes it. The evaluation results indicate that these attacks are stealthy and can subvert IDS utilizing standard message header and payload features. This work points to a research gap in intrusion detection that caters to control logic attacks exploiting PLC design features.

ACS Style

Adeen Ayub; Wooyeon Jo; Irfan Ahmed. Charlie, Charlie, Charlie on Industrial Control Systems: PLC Control Logic Attacks by Design, Not by Chance. 2024, 2016, 182-193.

AMA Style

Adeen Ayub, Wooyeon Jo, Irfan Ahmed. Charlie, Charlie, Charlie on Industrial Control Systems: PLC Control Logic Attacks by Design, Not by Chance. 2024;2016:182-193.

Chicago/Turabian Style

Adeen Ayub; Wooyeon Jo; Irfan Ahmed. 2024. "Charlie, Charlie, Charlie on Industrial Control Systems: PLC Control Logic Attacks by Design, Not by Chance." 2016: 182-193.
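As an added example, not code from the "Charlie, Charlie, Charlie" paper or its authors, the block below shows the feature-level weakness the abstract describes: a stateless detector that scores each write message on its payload's Shannon entropy and on matches against a learned set of byte bigrams catches a control-logic blob sent as one message, but scores every 4-byte fragment of the same blob as benign. The write-message layout, the thresholds, the benign setpoint write and the stand-in "control logic" bytes are all constructed for the demo and are not any PLC protocol.

```python
"""Added example: a stateless header/payload detector and the effect of
splitting one control-logic blob into small writes.  The message layout,
thresholds and the stand-in 'control logic' bytes are constructed for the
demo; none of it is a PLC protocol or the paper's code."""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a payload, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def bigrams(data: bytes) -> set:
    """Set of consecutive byte pairs (the simplest n-gram feature)."""
    return {data[i:i + 2] for i in range(len(data) - 1)}


# Stand-in for a compiled control-logic binary: a permutation of all 256 byte
# values, so it scores like dense machine code (entropy 8.0, 255 distinct bigrams).
MALICIOUS_LOGIC = bytes((i * 73 + 17) & 0xFF for i in range(256))

# Constructed benign write: a 16-bit setpoint (1000) followed by a flag word.
BENIGN_WRITE = b"\x00\x00\x03\xe8\x01\x00\x00\x00"


class HeaderPayloadIDS:
    """Flags a write if its payload entropy exceeds a threshold or it shares
    enough bigrams with a 'known bad' set learned from malicious samples."""

    def __init__(self, bad_bigrams, entropy_threshold=6.0, min_bigram_hits=4):
        self.bad = set(bad_bigrams)
        self.entropy_threshold = entropy_threshold
        self.min_bigram_hits = min_bigram_hits

    def flags(self, payload: bytes) -> bool:
        hits = len(bigrams(payload) & self.bad)
        return (shannon_entropy(payload) > self.entropy_threshold
                or hits >= self.min_bigram_hits)


def make_write(address: int, payload: bytes) -> bytes:
    """Constructed write-memory message: opcode 0x10, 2-byte address,
    1-byte length, payload."""
    return bytes([0x10]) + address.to_bytes(2, "big") + bytes([len(payload)]) + payload


def payload_of(msg: bytes) -> bytes:
    return msg[4:4 + msg[3]]


def address_of(msg: bytes) -> int:
    return int.from_bytes(msg[1:3], "big")


def fragment(blob: bytes, size: int, base: int = 0x4000) -> list:
    """Deliver the blob as consecutive small writes (the small-size-payload idea)."""
    return [make_write(base + off, blob[off:off + size])
            for off in range(0, len(blob), size)]


def evaluate(ids: HeaderPayloadIDS, blob: bytes, chunk: int):
    """Returns (blob flagged as one message, fragments flagged, fragment count)."""
    frags = fragment(blob, chunk)
    flagged = sum(ids.flags(payload_of(m)) for m in frags)
    return ids.flags(blob), flagged, len(frags)


def reassemble(msgs: list) -> bytes:
    """What an address-aware stateful inspector would do before scoring:
    order the writes by target address and rebuild the contiguous blob."""
    return b"".join(payload_of(m) for m in sorted(msgs, key=address_of))


if __name__ == "__main__":
    ids = HeaderPayloadIDS(bad_bigrams=bigrams(MALICIOUS_LOGIC))
    print("benign write flagged:", ids.flags(BENIGN_WRITE))
    print("(whole flagged, fragments flagged, fragments):",
          evaluate(ids, MALICIOUS_LOGIC, 4))
    print("reassembled fragments flagged:",
          ids.flags(reassemble(fragment(MALICIOUS_LOGIC, 4))))
```

A 4-byte payload can carry at most 2 bits per byte of entropy and three bigrams, so no per-message threshold tuned to keep ordinary setpoint writes quiet will fire on it. The `reassemble` check is the defender's counter-move: rebuilding the contiguous region from the write addresses restores the original features. That is exactly the kind of stateful, payload-level inspection the abstract's methods are built to defeat, by scattering gadgets across random addresses (GizmoSplit), reusing one small buffer that PMC keeps relocating (BuffWarp), or encoding the logic so the bytes on the wire are not the bytes that execute (EnigmaFlow).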

Book Chapter
Published: 01 January 2022
ACS Style

Syed Ali Qasim; Adeen Ayub; Jordan Johnson; Irfan Ahmed. Attacking the IEC 61131 Logic Engine in Programmable Logic Controllers. 2022, 73-95.

AMA Style

Syed Ali Qasim, Adeen Ayub, Jordan Johnson, Irfan Ahmed. Attacking the IEC 61131 Logic Engine in Programmable Logic Controllers. 2022:73-95.

Chicago/Turabian Style

Syed Ali Qasim; Adeen Ayub; Jordan Johnson; Irfan Ahmed. 2022. "Attacking the IEC 61131 Logic Engine in Programmable Logic Controllers." 73-95.

Conference Paper
Published: 01 May 2023

In industrial control systems (ICS), programmable logic controllers (PLCs) directly control and monitor physical processes in real time, such as nuclear plants and power grid stations. Adversaries typically transfer malicious control logic to PLCs over the network to sabotage a physical process. These control logic attacks are well understood: they carry machine instructions in network packets and are likely to be detected by network intrusion detection systems (IDS). On the other hand, return-oriented programming (ROP) reuses blocks (or gadgets) of existing code in computer memory to create and execute malicious code. It limits or eliminates the need to transfer machine instructions over the network, making it stealthier. Currently, ROP attacks on control logic have never been discussed in the literature to explore them as a practical ICS attack. This paper is the first attempt in this direction to explore the challenges for a successful ROP attack on real-world PLCs, including maintaining a continuous (control logic) scan cycle through ROP gadgets, having no user input (to cause a buffer overflow) with which to overwrite the stack for gadget installation, and limited ROP gadgets in a PLC's memory from which to find blocks of instructions equivalent to the high-level constructs of PLC programming languages (such as instruction list and ladder logic). We identify and utilize typical PLC design features that we find exploitable (e.g., no stack protection, and remote access to certain PLC memory regions via ICS protocols) to overcome these challenges, which makes ROP attacks applicable to most PLCs. We demonstrate two successful ROP attacks on the control logic programs of three fully functional physical processes, i.e., a belt conveyor system, a four-floor elevator, and a compact traffic light system. The first ROP attack manipulates a PLC's current control logic and has two variants involving either a single gadget or multiple gadgets; the second ROP attack constructs a control logic from scratch using gadgets in a PLC's memory. Our evaluation results show that the attacks can be performed using a set of small-sized gadgets with no significant effect on a PLC's scan time.

ACS Style

Adeen Ayub; Nauman Zubair; Hyunguk Yoo; Wooyeon Jo; Irfan Ahmed. Gadgets of Gadgets in Industrial Control Systems: Return Oriented Programming Attacks on PLCs. 2023, 16, 215-226.

AMA Style

Adeen Ayub, Nauman Zubair, Hyunguk Yoo, Wooyeon Jo, Irfan Ahmed. Gadgets of Gadgets in Industrial Control Systems: Return Oriented Programming Attacks on PLCs. 2023;16:215-226.

Chicago/Turabian Style

Adeen Ayub; Nauman Zubair; Hyunguk Yoo; Wooyeon Jo; Irfan Ahmed. 2023. "Gadgets of Gadgets in Industrial Control Systems: Return Oriented Programming Attacks on PLCs." 16: 215-226.

Journal Article
Forensic Science International: Digital Investigation
Published: 24 March 2022 in Forensic Science International: Digital Investigation

Programmable logic controllers (PLCs) are special-purpose embedded devices used in various industries for the automatic control of physical processes. Cyberattacks on PLCs can unleash mayhem in the physical world. In case of a security breach, volatile memory acquisition is critical in investigating the attack, since it provides unique insights into runtime system activities and memory-based artifacts. However, existing memory acquisition methods for PLCs (i.e., using a hardware-level debugging port and network protocol-based approaches) are either inapplicable in real-world forensic investigations (due to requiring disassembly of a suspect PLC or power cycling) or incomplete (i.e., they acquire only partial memory contents). This paper proposes PEM, a new memory acquisition framework to remotely acquire a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject a harmless memory duplicator into the running control logic of a PLC to copy local memory contents into a protocol-mapped address space, which is then readable over the network. We also present a new control-logic attack that targets in-memory firmware to compromise a PLC's built-in system functions. Since PEM can acquire the entire PLC memory, we show that its memory dump contains evidence of this attack. Further, we present a case study on a gas pipeline testbed to demonstrate the effectiveness of the attack on a physical process and how PEM plays its role in effectively identifying the attack and other important forensic artifacts, such as the control logic of a PLC.

ACS Style

Nauman Zubair; Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. PEM: Remote forensic acquisition of PLC memory in industrial control systems. Forensic Science International: Digital Investigation 2022, 40, 301336.

AMA Style

Nauman Zubair, Adeen Ayub, Hyunguk Yoo, Irfan Ahmed. PEM: Remote forensic acquisition of PLC memory in industrial control systems. Forensic Science International: Digital Investigation. 2022;40:301336.

Chicago/Turabian Style

Nauman Zubair; Adeen Ayub; Hyunguk Yoo; Irfan Ahmed. 2022. "PEM: Remote forensic acquisition of PLC memory in industrial control systems." Forensic Science International: Digital Investigation 40: 301336.