Automated Reconstruction of Control Logic for Programmable Logic Controller Forensics

This paper presents Similo, an automated scalable framework for control logic forensics in industrial control systems. Similo is designed to investigate denial of engineering operations (DEO) attacks, recently demonstrated to hide malicious control logic in a programmable logic controller (PLC) at field sites from an engineering software (at control center). The network traffic (if captured) contains substantial evidence to investigate DEO attacks including manipulation of control logic. Laddis, a state-of-the-art forensic approach for DEO attacks, is a binary-logic decompiler for the Allen-Bradley's RSLogix engineering software and MicroLogix 1400 PLC. It is developed with extensive manual reverse engineering effort of the underlying proprietary network protocol and the binary control logic. Unfortunately, Laddis is not scalable and requires similar efforts to extend on other engineering software/PLCs. The proposed solution, Similo, is based on the observation that engineering software of different vendors are equipped with decompilers. Similo is a virtual-PLC framework that integrates the decompilers with their respective (previously-captured) ICS network traffic of control logic. It recovers the binary logic into a high-level source code (of the programming languages defined by IEC 61131-3 standard) automatically. Similo can work with both proprietary/open protocols without requiring protocol specifications and the binary formats of control logic. Thus, it is scalable to different ICS vendors. We evaluate Similo on three PLCs of two ICS vendors, i.e. MicroLogix 1400, MicroLogix 1100, and Modicon M221. These PLCs support proprietary protocols and the control logics written in two programming languages: Ladder Logic and Instruction List. The evaluation results show that Similo can accurately reconstruct a control logic from an ICS network traffic and can be used to investigate the DEO attacks effectively.