On Ladder Logic Bombs in Industrial Control Systems
Naman Govil, Anand Agrawal, Nils Ole Tippenhauer

TL;DR
This paper introduces ladder logic bombs (LLBs), a form of malware targeting PLC control logic in industrial systems. It demonstrates their design and stealth features, and proposes detection methods to mitigate such threats.
Contribution
It defines LLBs as a new class of malware in industrial control systems, demonstrates their implementation on real PLCs, and proposes detection techniques.
Findings
LLBs can manipulate sensor data and control logic stealthily.
Real-world PLC experiments validate LLB designs.
Proposed detection methods can identify LLBs effectively.
Abstract
In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: a) firmware (i.e. the OS) and b) control logic (processing sensor readings to determine control actions). In this work, we discuss ladder logic bombs, i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and either persistently change the behavior, or wait for specific trigger signals to activate malicious behaviour. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then…
Taxonomy
Topics: Smart Grid Security and Resilience · Advanced Malware Detection Techniques · Security and Verification in Computing
