Firmware Modification Analysis in Programmable Logic Controllers

Abstract

Incorporating security in supervisory control and data acquisition (SCADA) systems and sensor networks has proven to be a pervasive problem due to the constraints and demands placed on these systems. Both attackers and security professionals seek to uncover the inherent roots of trust in a system to achieve opposing goals. With SCADA systems, a battle is being fought at the cyber -- physical level, specifically the programmable logic controller (PLC). The Stuxnet worm, which became increasingly apparent in the summer of 2010, has shown that modifications to a SCADA system can be discovered on infected engineering workstations on the network, to include the ladder logic found in the PLC. However, certain firmware modifications made to a PLC can go undetected due to the lack of effective techniques available for detecting them. Current software auditing tools give an analyst a singular view of assembly code, and binary difference programs can only show simple differences between assembly codes. Additionally, there appears to be no comprehensive software tool that aids an analyst with evaluating a PLC firmware file for modifications and displaying the resulting effects. Manual analysis is time consuming and error prone. Furthermore, there are not enough talented individuals available in the industrial control system (ICS) community with an in-depth knowledge of assembly language and the inner workings of PLC firmware. This research presents a novel analysis technique that compares a suspected-altered firmware to a known good firmware of a specific PLC and performs a static analysis of differences. This technique includes multiple tests to compare both firmware versions, detect differences in size, and code differences such as removing, adding, or modifying existing functions in the original firmware. A proof-of-concept experiment demonstrates the functionality of the analysis tool using different firmware versions from an Allen-Bradley ControlLogix L61 PLC.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Mar 27, 2014
Accession Number
ADA599675

Entities

People

  • Arturo M. Garcia Jr.

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Air Force
  • Computer Networks
  • Computer Programming
  • Computer Programs
  • Computers
  • Cyberattacks
  • Department Of Defense
  • Governments
  • Graphical User Interface
  • Instruction Set Architecture
  • Intrusion Detectors
  • Law
  • Local Area Networks
  • Network Protocols
  • Operating Systems
  • Programming Languages
  • Software Development

Fields of Study

  • Computer science

Readers

  • Computational Modeling and Simulation
  • Cybersecurity.

Technology Areas

  • Cyber