Skip to main content

Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics

by Syed Ali Qasim, Juan Lopez Jr, Irfan Ahmed
Publication Type
Conference Paper
Journal Name
Information Security Conference
Book Title
22nd International Conference, ISC 2019, New York City, NY, USA, September 16–18, 2019, Proceedings
Publication Date
Page Numbers
402 to 422
Conference Name
22nd International Conference on Information Security (ISC 2019)
Conference Location
New York City, New York, United States of America
Conference Sponsor
Stony Brook University
Conference Date

This paper presents Similo, an automated scalable framework for control logic forensics in industrial control systems. Similo is designed to investigate denial of engineering operations (DEO) attacks, recently demonstrated to hide malicious control logic in a programmable logic controller or PLC (at field sites) from an engineering software (at control center). The network traffic (if captured) contains substantial evidence to investigate DEO attacks including manipulation of control logic. Laddis a state-of-the-art forensic approach for DEO attacks, is a binary-logic decompiler for the Allen-Bradley's RSLogix engineering software and Micrologix 1400 PLC. It is developed with extensive manual reverse engineering effort of the underlying proprietary network protocol and the binary control logic. Unfortunately, Laddis is not scalable and requires similar efforts to extend on other engineering software/PLCs. The proposed solution, Similo, is based on the observation that engineering software of diff erent vendors are equipped with decompilers. Similo is a virtual PLC framework that integrates the decompilers with their respective (previously-captured) ICS network traffic of control logic. It recovers the binary logic into a high-level source code (of the programming languages de fined by IEC 61131-3 standard) automatically. Similo can work with both proprietary and open protocols without requiring protocol specifi cations and the binary formats of control logic. Thus, it is scalable to di fferent ICS vendors. We evaluate Similo on three PLCs from two ICS vendors (i.e., Micrologix 1400, and 1100, and Modicon M221). These PLCs support proprietary protocols and the control logic is written in two programming languages: Ladder Logic and Instruction List. The evaluation results show that Similo can accurately reconstruct a control logic from ICS network traffic and can be used to investigate DEO attacks eff ectively.