Charlie, Charlie, Charlie on Industrial Control Systems: PLC Control Logic Attacks by Design, Not by Chance

Cited by: 0
Authors
Ayub, Adeen [1 ]
Jo, Wooyeon [1 ]
Ahmed, Irfan [1 ]
Affiliations
[1] Virginia Commonwealth Univ, Dept Comp Sci, Richmond, VA 23284 USA
Keywords
industrial control systems; programmable logic controllers; ICS attacks; control logic; intrusion detection systems; CLASSIFICATION;
DOI
10.1109/HOST55342.2024.10545392
Chinese Library Classification
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract
Programmable logic controllers (PLCs) in industrial control systems (ICS) run a control logic program to monitor and control critical infrastructures, such as nuclear plants and power grids, in real time. Attackers target PLC control logic remotely to sabotage or disrupt physical processes. Network intrusion detection systems (IDS) are increasingly used to detect malicious control logic. This paper demonstrates that standard IDS features derived from a protocol message header and payload, such as entropy, n-grams, and decompilation, are not resilient for detecting (control logic) binary programs. It identifies and utilizes a PLC design feature, redundant address pins (RAP), unexplored in the literature, to bypass IDS for injecting a small piece of programmable malicious code (PMC) into a PLC's control logic as an initial attack vector, allowing it to execute with every scan cycle. We propose three unique attack methods (GizmoSplit, BuffWarp, and EnigmaFlow) using PMC as a proof of concept that blends control logic with network traffic via payload encoding, small-size payloads, or sparse memory addressing. The GizmoSplit attack divides the control logic into small gadgets and writes them to random memory locations in a PLC; PMC modifies the stack with the locations of the gadgets to execute them as return-oriented programming. The BuffWarp attack employs a small buffer to which the attacker writes malicious code periodically to bypass stateful inspection at the payload level; PMC, in turn, keeps moving the buffer content to consecutive memory locations for execution. The EnigmaFlow attack encodes control logic and sends it to a PLC's typically unused memory region, where PMC decodes and executes it. The evaluation results indicate that these attacks are stealthy and can subvert IDS that rely on standard message header and payload features. This work points to a research gap in intrusion detection that caters to control logic attacks exploiting PLC design features.
Pages: 182 / 193
Page count: 12