leveraging physical models for attacking and defending
play

Leveraging Physical Models for Attacking and Defending PLCs Luis - PowerPoint PPT Presentation

Nov 30, 2023 •219 likes •934 views

Leveraging Physical Models for Attacking and Defending PLCs Luis Garcia 4N6 Cyber Security & Forensics Research Lab ECE Department Rutgers University Outline Background Harvey: Model-Aware Rootkit System Model

  1. Leveraging Physical Models for Attacking and Defending PLCs Luis Garcia 4N6 Cyber Security & Forensics Research Lab ECE Department Rutgers University

  2. Outline • Background • Harvey: Model-Aware Rootkit – System Model – Physics-Awareness – Implementation and Evaluation • Device-Oriented Verification of CPS • Conclusions 2/71

  3. Programmable Logic Controllers (PLCs) and Industrial Control Systems (ICSs) Credit: MOXA 3/71

  4. What is a Programmable Logic Controller(PLC)? • The interface between cyber and physical components in many CPS applications 4/71

  5. What is a Programmable Logic Controller(PLC)? • The interface between cyber and physical components in many CPS applications • Contain simple logic code that is easy to verify 5/71

  6. What is a Programmable Logic Controller(PLC)? • The interface between cyber and physical components in many CPS applications • Contain simple logic code that is easy to verify • Typically the target in CPS attacks – E.g., Stuxnet 6/71

  7. PLC Architecture Virtual World ICS Network HMI I 1 O 1 I 2 Control Logic I 3 O 2 I 4 Input Output Firmware Module Module Scan Cycle Hardware Input CPU Output Sensor Physical World Actuator 7/71

  8. Example Industrial Control System Physical System: Power Grid Network

  9. Example Industrial Control System In this example, the opening/closing of a circuit breaker in this scenario is controlled by a PLC Physical System: Power Grid Network

  10. Example Industrial Control System An HMI System (in this case, a SCADA center) May monitor the PLC values and send commands Accordingly. Physical System: Power Grid Network

  11. Example Industrial Control System A programmer will be allowed to change The PLC configuration as well as the Control logic of the system Physical System: Power Grid Network

  12. Example Industrial Control System These 2 connections typically have different access rights Physical System: Power Grid Network

  13. Previous Attacks on PLC’s: Stuxnet • Advanced malware worm that attacked Siemens S7 PLC’s and WinCC systems • Targeted high frequency drives controlling centrifuges • Caused billions of dollars in damages

  14. Going back to our Example ICS… Physical System: Power Grid Network

  15. Stuxnet’s PLC Attack Overview

  16. Stuxnet’s PLC Attack Overview Programmer’s PC

  17. Stuxnet’s PLC Attack Overview Programmer’s PC

  18. Prior Efforts to Mitigate Attacks like Stuxnet • Typically offline, passive solutions • External solutions for PLCs 18/71

  19. Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit Luis Garcia , Saman Zonouz ECE Department Ferdinand Brasser, Ahmad-Reza Sadeghi Rutgers University System Security Lab Technische Universität Darmstadt Mehmet H. Cintuglu, Osama Mohammed ECE Department Florida International University NDSS 2017

  20. Harvey: Model-Aware Rootkit • A rootkit that takes into account the physical topology of the ICS • Model – Uses physical models to optimize control commands for an adversarial objective function • PLC infection: compromising the PLC’s firmware – Utilize the firmware update mechanism to replace firmware over the network – Local firmware modifications, e.g., SD card or JTAG implantation – Run-time attacks, e.g., network exploits or remote code execution vulnerabilities (FrostyURL) 20/71

  21. System Model Operator HMI Physical Central System Control (Power Grid) Sensor / Actuator HMI: Human-Machine Interface PLC: Programmable Logic Controller 21/71

  22. Adversary Model • Stealthiness 22/71

  23. Adversary Model • Stealthiness • PLC-only attack 23/71

  24. Adversary Model • Stealthiness • PLC-only attack • Physical model extraction 24/71

  25. Physics-Awareness: 2-Way Data Manipulation 25/71

  26. Back to ICS Example… Stuxnet attacked these two communication channels Physical System: Power Grid Network

  27. Our attack focuses on the interface Between the PLC and it’s own I/O Modules (i.e., the interface between Back to ICS Example… The PLC and the underly physical System) Stuxnet attacked these two communication channels Physical System: Power Grid Network

  28. Implementing Harvey: Device Selection and Specification • Allen Bradley CompactLogix L1 • Based on Texas Instruments Stellaris LM3S2793 Microcontroller – Arm Cortex-M3 ISA 28/71

  29. CompactLogix L1 PLC 29/71

  30. CompactLogix L1 PLC 16 Bit Digital Input High Value (1) ~ 24 V DC • Low Value (0) ~ 8 V DC • 30/71

  31. CompactLogix L1 PLC 16 Bit Digital Output High Value (1) ~ 24 V DC • Low Value (0) ~ 8 V DC • 31/71

  32. Analyzing the CompactLogix L1 Firmware Update Files • There have been prior works that reverse engineer the firmware update procedure of different Allen Bradley PLCs – Although these works simply bricked the PLCs, they did provide a means of updating the firmware • Although we spent a lot of time analyzing the firmware update files, we eventually found that analyzing the dumped memory was more efficient for our goals 32/71

  33. JTAG Debugging • Joint Test Action Group (JTAG) standard was designed to assist with device, board, and system testing, diagnosis and fault isolation • Usually one of the first approaches used for reverse engineering efforts 33/71

  34. Memory Analysis with JTAG 34/71

  35. Memory Analysis with JTAG • Used JTAG interface to dump memory for code disassembly • Used TI Stellaris LM3S2793 data sheet to find memory layout and built-in ROM functions 35/71

  36. Static Memory Analysis • We followed the boot sequence to determine the control flow of the program • We used the notion that for Cortex-M3 processors, the Reset Handler is located at address 0x0000004 36/71

  37. Following the Boot Sequence with IDA Pro IDA Pro is a multi-processor • disassembler and debugger We took the extracted • firmware and disassembled it using IDA Pro 37/71

  38. Following the Boot Sequence with IDA Pro IDA Pro is a multi-processor • disassembler and debugger We took the extracted • firmware and disassembled it using IDA Pro 38/71

  39. Static/Dynamic Analysis for I/O Interception • Couldn’t analyze every possible path to determine I/O interception point • Halted the CPU (via JTAG) during slow boot-up LED sequence and stepped through execution to see how LEDs values were being updated – Memory addresses of LED values led us to ISR’s responsible for forwarding GPIO values 39/71 to and from PLCs

  40. Static/Dynamic Analysis for I/O Interception • Couldn’t analyze every possible path to determine I/O interception point • Halted the CPU (via JTAG) during slow boot-up LED sequence and stepped through execution to see how LEDs values were being updated – Memory addresses of LED values led us to ISR’s responsible for forwarding GPIO values 40/71 to and from PLCs

  41. Modified GPIO-Output Update ISR Function Entry Address of mem. value Section of code that stores value from Address of LED Output For our attack, we need to intercept the app. layer in registers Control flow at the point where the value We branch to an associated with LED From memory is stored in the register arbitrary location Output whose value is manipulated in the loop, R5 of unused memory and run code that has has been injected. In Loop that this case, we store a changes a mask value to R5 Once value is value from to change the output calculated, memory to values and branch it is forwarded to GPIO format back to the GPIO subsequent output ports instructions. 41/71

  42. Modified GPIO-Input Update ISR We have a similar implementation for the input values being read from the GPIO ports. This implementation is simpler as we just modify the values being read from the GPIO ports 42/71

  43. Example Attack Scenario • Simple logic system: – If input ports 0 and 1 are Input 0 Output 1 high, then output port 1 is Input 1 high (AND gate) – If input port 0 is low or input port 1 is low, then output port 0 is high (NOR gate) Input 0 Output 0 • This system can represent a Input 1 safety condition – We can only start a process (output port 1) if two safety conditions (input port 0 and input port 1) are met. Otherwise, we are in an idle position (output 0) 43/71

  44. Simple Ladder Logic Program • Ladder logic is a graphical programming language used to program simple circuit diagrams of relay logic hardware • The system on the right represents the aforementioned AND and NOR gates • The programming/ monitoring software, RSLogix 5000, is considered our HMI – LEDs and HMI read the updated values from the same addresses in memory 44/71

  45. Spoofing Inputs Input 0 Output 1 Input Ports 0 & 1 (LEDs/HMI) Input 1 Input 0 Output Ports 0 & 1 (LEDs/HMI) Output 0 Input 1 The LEDs/HMI Indicators show that • both input ports 0 and 1 are high, so output port 1 is high according to our ladder logic program There is no input connected! Output • port 0 should be high and port 1 should be low! 45/71

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Strategies for Attacking or Defending Trusts Discovering Trust Assets, Navigating Evidentiary

Strategies for Attacking or Defending Trusts Discovering Trust Assets, Navigating Evidentiary

Presenting a live 90-minute webinar with interactive Q&A Divorce Property Division and Trust Assets: Strategies for Attacking or Defending Trusts Discovering Trust Assets, Navigating Evidentiary Issues and Available Remedies, and Joining

1.02k views • 88 slides
6/5/2018 ATTACKING THE NOTICE, PREPARING FOR AND DEFENDING THE RULE 30(B)(6) DEPOSITION THE RULE

6/5/2018 ATTACKING THE NOTICE, PREPARING FOR AND DEFENDING THE RULE 30(B)(6) DEPOSITION THE RULE

6/5/2018 ATTACKING THE NOTICE, PREPARING FOR AND DEFENDING THE RULE 30(B)(6) DEPOSITION THE RULE AND THE NOTICE The North Carolina Rule: A party may in his notice and in a subpoena name as the deponent a public or private corporation or a

327 views • 6 slides
Proving and Defending Damages Leveraging Calculation Methodologies, Documentation and Expert

Proving and Defending Damages Leveraging Calculation Methodologies, Documentation and Expert

Presenting a live 90-minute webinar with interactive Q&A Lost Profits in Commercial Litigation: Proving and Defending Damages Leveraging Calculation Methodologies, Documentation and Expert Evidence TUESDAY, MARCH 8, 2016 1pm Eastern |

697 views • 65 slides
Defending Patents in IPR Proceedings Leveraging Motions to Amend and Preliminary Responses,

Defending Patents in IPR Proceedings Leveraging Motions to Amend and Preliminary Responses,

Presenting a live 90-minute webinar with interactive Q&A Defending Patents in IPR Proceedings Leveraging Motions to Amend and Preliminary Responses, Weighing Secondary Considerations THURSDAY, AUGUST 13, 2015 1pm Eastern | 12pm

774 views • 76 slides
Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions

Presenting a live 90-minute webinar with interactive Q&A Defeating Class Claims by Attacking the Pleadings and Leveraging Other Early Dispositive Motions TUESDAY, MARCH 29, 2016 1pm Eastern | 12pm Central | 11am Mountain |

532 views • 51 slides
Avoiding and Defending Taking Claims Leveraging Affirmative Defenses; Mitigating Damages,

Avoiding and Defending Taking Claims Leveraging Affirmative Defenses; Mitigating Damages,

Presenting a live 90-minute webinar with interactive Q&A Inverse Condemnation Litigation: Strategies for Municipal Attorneys for Avoiding and Defending Taking Claims Leveraging Affirmative Defenses; Mitigating Damages, Attorney's Fees and

859 views • 46 slides
Lost Profits in Commercial Litigation: Proving and Defending Damages Leveraging Calculation

Lost Profits in Commercial Litigation: Proving and Defending Damages Leveraging Calculation

Presenting a live 90-minute webinar with interactive Q&A Lost Profits in Commercial Litigation: Proving and Defending Damages Leveraging Calculation Methodologies, Documentation and Expert Evidence TUESDAY, MARCH 8, 2016 1pm Eastern |

902 views • 68 slides
Punitive Damages in Commercial Litigation: Pursuing and Defending Claims Leveraging Pre-trial

Punitive Damages in Commercial Litigation: Pursuing and Defending Claims Leveraging Pre-trial

Presenting a live 90-minute webinar with interactive Q&A Punitive Damages in Commercial Litigation: Pursuing and Defending Claims Leveraging Pre-trial Motions, Discovery and Trial Strategies, Navigating Constitutional Restraints TUES DAY,

1.09k views • 51 slides
Defending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto

Defending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto

Defending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto alexcp@mlsecproject.org @alexcpsec @MLSecProject WARNING! This is a talk about DEFENDING not attacking NO systems were harmed on the

801 views • 47 slides
Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking

Presenting a live 90-minute webinar with interactive Q&A Equitable Subordination and Recharacterization: Looming Bankruptcy Litigation Threats Attacking and Defending Preference Status of Lender, Creditor and PE Sponsor Secured Claims

443 views • 32 slides
Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa

Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa

Defending Distributed Cyber-Physical Systems with Bounded Time Recovery Bri Brian Sa Sandler, Neeraj Gandhi, Linh Thi Xuan Phan, Andreas Haeberlen NSF/Intel CPS PI Meeting July 2018 1 Machines in Control Vulnerable CPS can cause

433 views • 28 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and

Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and

Co-simulation Design towards Cyber-Physical Robotic Applications Leveraging on FMI Standard and CSP Semantics Zhou Lu and Jan Broenink Robotics and Mechatronics, University of Twente 22 Aug, 2017 Introduction - Context Cyber-Physical

784 views • 31 slides
Deposition Strategies in Employment Litigation: Taking and Defending Depositions of Plaintiffs

Deposition Strategies in Employment Litigation: Taking and Defending Depositions of Plaintiffs

Presenting a live 90-minute webinar with interactive Q&A Deposition Strategies in Employment Litigation: Taking and Defending Depositions of Plaintiffs and Fact Witnesses Leveraging Deposition Testimony During Discovery, Summary Judgment,

806 views • 68 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Smart Phones: Pursuing or Defending Litigation Conducting Pre-Suit Investigations and Discovery,

Smart Phones: Pursuing or Defending Litigation Conducting Pre-Suit Investigations and Discovery,

Presenting a live 90-minute webinar with interactive Q&A Distracted Driving Accident Claims Involving Smart Phones: Pursuing or Defending Litigation Conducting Pre-Suit Investigations and Discovery, Leveraging Expert Witnesses, Vicarious

773 views • 73 slides
A Course in Applied Econometrics Lecture 2 Outline 1. Assessing Unconfoundedness (not

A Course in Applied Econometrics Lecture 2 Outline 1. Assessing Unconfoundedness (not

A Course in Applied Econometrics Lecture 2 Outline 1. Assessing Unconfoundedness (not testable) Estimation of Average Treatment Effects Under Unconfoundedness, Part II 2. Overlap 3. Illustration based on Lalonde Data Guido Imbens IRP

222 views • 7 slides
Automatic Test Generation for Autonomous Vehicular Systems Cumhur Erkan Tuncali, Theodore P.

Automatic Test Generation for Autonomous Vehicular Systems Cumhur Erkan Tuncali, Theodore P.

Dagstuhl 2016: Robustness in CPS 1 Automatic Test Generation for Autonomous Vehicular Systems Cumhur Erkan Tuncali, Theodore P. Pavlic and Georgios Fainekos Based on work to be presented: International Conference on Intelligent Transportation

576 views • 16 slides
The Public Option: A non-regulatory alternative to Network Neutrality Richard Ma School of

The Public Option: A non-regulatory alternative to Network Neutrality Richard Ma School of

The Public Option: A non-regulatory alternative to Network Neutrality Richard Ma School of Computing National University of Singapore Joint work with Vishal Misra (Columbia University) The 2nd Workshop on Internet Economics Highlights A more

608 views • 24 slides
A CEGAR Approach for Stability Verification of Linear Hybrid Systems Miriam Garca Soto

A CEGAR Approach for Stability Verification of Linear Hybrid Systems Miriam Garca Soto

A CEGAR Approach for Stability Verification of Linear Hybrid Systems Miriam Garca Soto Co-authored work with Pavithra Prabhakar DARS 2017 1 Cyber-Physical Systems (CPSs) Systems in which software "cyber" interacts with the

529 views • 42 slides
Using Multimodal Learning Analytics to Identify Aspects of Collaboration in Project-based Learning

Using Multimodal Learning Analytics to Identify Aspects of Collaboration in Project-based Learning

Using Multimodal Learning Analytics to Identify Aspects of Collaboration in Project-based Learning Daniel Spikol, Malm University, Sweden Emanuele Ruffaldi, Scuola Superiore Sant'Anna,Italy Mutlu Cukurova, University College London, UK CSCL

259 views • 22 slides
Advanced Topics in Cyber-Physical Systems Jack Stankovic BP America Professor Department of

Advanced Topics in Cyber-Physical Systems Jack Stankovic BP America Professor Department of

Advanced Topics in Cyber-Physical Systems Jack Stankovic BP America Professor Department of Computer Science University of Virginia Fall 2011 Outline (first 2 classes) Course Logistics/Goals Intro to Cyber Physical Systems (CPS)

970 views • 62 slides
Logic & Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3

Logic & Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3

Logic & Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer (CMU) Logic & Proofs for Cyber-Physical Systems with KeYmaera X iFM17 1 / 29 Outline

1.38k views • 90 slides
SMT-based Probabilistic Analysis of Timing Constraints in Cyber-Physical Systems Li Huang 1 and

SMT-based Probabilistic Analysis of Timing Constraints in Cyber-Physical Systems Li Huang 1 and

SMT-based Probabilistic Analysis of Timing Constraints in Cyber-Physical Systems Li Huang 1 and Eun-Young Kang 12 , 1 School of Data & Computer Science, Sun Yat-sen University, China huangl223@mail2.sysu.edu.cn 2 PReCISE Research Centre,

400 views • 8 slides

More recommend