
postgraduate thesis: Forensic and security analysis of programmable logic controller

Title: Forensic and security analysis of programmable logic controller
Authors: Chan, Ching-bon [陳政邦]
Advisor(s): Chow, KP
Issue Date: 2018
Publisher: The University of Hong Kong (Pokfulam, Hong Kong)
Citation: Chan, C. [陳政邦]. (2018). Forensic and security analysis of programmable logic controller. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR.
Abstract:

In recent years, cyber-attacks have targeted critical infrastructure, which includes the Industrial Control System (ICS). Before the Stuxnet attacks, researchers did not focus on ICS because they are closed systems. Engineers were not aware that the software development environment could be utilized to access and control the ICS for an attack. Nevertheless, Stuxnet shows that it is possible to attack the Programmable Logic Controller (PLC), which is a key component in ICS that controls and monitors sensors. Existing ICS have been operating for a decade with the following problems:

1. The PLC programs have been optimized for reliability, usually with minimal logging and protection mechanisms.
2. The PLC has limited computational power and memory, which makes it difficult to add any extra protection techniques.
3. The internal ICS network infrastructure is different from a typical computer network infrastructure and has minimal network security protection.
4. The person who accesses and controls the PLC is the industrial system operator, not a computer system engineer.
5. Few existing network devices are designed to protect ICS and PLCs from cyber-attacks.

This opens up a lot of new research in this area, as there are neither security nor incident response procedures if an adversary targets the ICS. Here we apply digital forensic investigation and security analysis techniques to ICS. As Siemens PLCs are targets of cyber-attacks, this research studies the Siemens S7-1200, which is one of the PLC models widely used in many ICS. First, this work tries to identify potential threats targeting the ICS internal network. We analyze potential vulnerabilities of the Siemens PLC that an adversary can make use of. We have developed a simple proof-of-concept program, which can change the behavior of a PLC-controlled elevator system and traffic light system.

Second, we presented the differences between ICS and computer systems, and then defined attack patterns for ICS, which can be used to design security test cases for assessing the security of ICS and the related devices. Last, we presented a forensic analysis framework for digital investigation of ICS. We introduce the working and logging mechanism of the Siemens PLC, which can be utilized to trace the PLC's events for analysis. We then apply the framework to a case study investigating an ICS incident. This work brings the concepts of security threats and attack patterns from computer systems to ICS. It also shows how digital forensic analysis techniques can be conducted in ICS. As the ICS can be considered one of the vulnerable targets for cyber-weapons, this research enables digital forensic investigators and security professionals to have a better understanding of ICS.
Degree: Doctor of Philosophy
Subject: Programmable controllers - Safety measures
Dept/Program: Computer Science
Persistent Identifier: http://hdl.handle.net/10722/265359

 

DC Field | Value | Language
dc.contributor.advisor | Chow, KP | -
dc.contributor.author | Chan, Ching-bon | -
dc.contributor.author | 陳政邦 | -
dc.date.accessioned | 2018-11-29T06:22:26Z | -
dc.date.available | 2018-11-29T06:22:26Z | -
dc.date.issued | 2018 | -
dc.identifier.citation | Chan, C. [陳政邦]. (2018). Forensic and security analysis of programmable logic controller. (Thesis). University of Hong Kong, Pokfulam, Hong Kong SAR. | -
dc.identifier.uri | http://hdl.handle.net/10722/265359 | -
dc.language | eng | -
dc.publisher | The University of Hong Kong (Pokfulam, Hong Kong) | -
dc.relation.ispartof | HKU Theses Online (HKUTO) | -
dc.rights | The author retains all proprietary rights, (such as patent rights) and the right to use in future works. | -
dc.rights | This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. | -
dc.subject.lcsh | Programmable controllers - Safety measures | -
dc.title | Forensic and security analysis of programmable logic controller | -
dc.type | PG_Thesis | -
dc.description.thesisname | Doctor of Philosophy | -
dc.description.thesislevel | Doctoral | -
dc.description.thesisdiscipline | Computer Science | -
dc.description.nature | published_or_final_version | -
dc.identifier.doi | 10.5353/th_991044058181703414 | -
dc.date.hkucongregation | 2018 | -
dc.identifier.mmsid | 991044058181703414 | -
