PCaaD: Towards Automated Determination and Exploitation of Industrial Processes
B. Green, W. Knowles, M. Krotofil, R. Derbyshire, D. Prince, N. Suri

TL;DR
This paper introduces Process Comprehension at a Distance (PCaaD), an automatable, system-agnostic method that exploits control-logic constructs (PLC library functions) to obtain the process knowledge a targeted attack on an industrial process needs, without the detailed system-specific knowledge (hardware configuration, protocols, control logic) that such attacks were assumed to require.
Contribution
It presents a new, automatable, system-agnostic approach for exploiting PLC library functions that supports covert data exfiltration and control manipulation in industrial settings.
Findings
Validated attacks on widely used PLCs
Demonstrated feasibility of process comprehension at a distance
Identified a new vulnerability class, rooted in control-logic constructs, that arises from current PLC programming practices
Abstract
Over the last decade, Programmable Logic Controllers (PLCs) have been increasingly targeted by attackers seeking control over industrial processes that support critical services. Such targeted attacks typically require detailed knowledge of system-specific attributes, including hardware configurations, adopted protocols, and PLC control logic, i.e., process comprehension. The consensus among both academics and practitioners is that stealthily obtaining process comprehension from a PLC alone, in order to conduct targeted attacks, is impractical. In contrast, we assert that current PLC programming practices open the door to a new vulnerability class based on control-logic constructs. To support this, we propose the concept of Process Comprehension at a Distance (PCaaD) as a novel methodological and automatable approach for system-agnostic exploitation of PLC library functions, leading to the…
Taxonomy
Topics: Fault Detection and Control Systems · Flexible and Reconfigurable Manufacturing Systems · Smart Grid Security and Resilience
