Skip to main content
SHARE
Publication

JTAG-based PLC memory acquisition framework for industrial control systems

by Muhammad Rais, Rima L Asmar Awad, Juan Lopez Jr, Irfan Ahmed
Publication Type
Conference Paper
Journal Name
Forensic Science International: Digital Investigation
Publication Date
Page Number
301196
Volume
37
Issue
Supplement
Conference Name
Digital Forensic Research Workshop USA 2021
Conference Location
Trumansburg, New York, United States of America
Conference Sponsor
Google
Conference Date
-

In industrial control systems (ICS), programmable logic controllers (PLC) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including compromised firmware and manipulation of PLC control logic code and I/O devices. Given physical access to a PLC, collecting forensic information from the PLC memory at the hardware-level is risky and challenging. It may cause the PLC to crash or hang since PLCs have proprietary, legacy hardware with heterogeneous architecture. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pins identification, memory map creation, and optimizing acquisition parameters. It also facilitates the community of interest (such as ICS owners, operators, and vendors) to develop the JTAG profiles of PLCs. Further, we present a case study of Kyros implementation over Allen-Bradley 1756-A10/B to help understand the framework's application on a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further research.