Remote Non-Intrusive Malware Detection for PLCs based on Chain of Trust Rooted in Hardware

Rajput, Prashant Hari Narayan; Sarkar, Esha; Tychalas, Dimitrios; Maniatakos, Michail

doi:10.1109/eurosp51992.2021.00033

Cited by 6 publications

(3 citation statements)

References 50 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the JTAG-based defense side, Rajput et al [33] present ORRIS, a lightweight and out-of-the-device framework that detects Linux-based PLC malware at both kernel and user-level by processing the information collected using the JTAG interface. Guri et al [34] propose JoKER, a JTAG-based framework for detecting rootkits in the Android OS kernel.…”

Section: Related Workmentioning

confidence: 99%

“…For any attacks that would leave traces in the memory [33], Aye establishes a trusted forensics chain to generate an authoritative result, as illustrated in Figure 3. The chain of forensics begins at the regular PLC's JTAG interface with an unattacked pristine state and ends with the JTAG adapter, which has full access to PLC memory.…”

Section: Establishment Of the Trusted Forensics Chainmentioning

confidence: 99%

See 1 more Smart Citation

Aye: A Trusted Forensic Method for Firmware Tampering Attacks

Zhang

2023

Symmetry

View full text Add to dashboard Cite

The Programmable Logic Controller (PLC) is located at the junction of the virtual network and physical reality in the Industrial Control System (ICS), which is vulnerable to attacks due to its weak security. Specifically, firmware tampering attacks take the firmware under the PLC operating system as the primary attack target. The firmware provides the bridge between PLC’s hardware and software, which means tampering against the firmware can be more destructive and harmful than other attacks. However, existing defense and forensics methods against firmware tampering attacks are asymmetrical, which directly leads to the proliferation of such attacks and the difficulty of forensic tracing. How to accurately, quickly, and efficiently conduct forensics for such attacks is an urgent problem. In this paper, we designed and implemented a reliable detection method based on Joint Test Action Group (JTAG) and memory comparison—Aye, which can detect mainstream firmware tampering attacks reliably. To determine the effectiveness and reliability of Aye, we selected a widely used PLC to observe Aye’s performance in defense and forensics by simulating the two latest PLC firmware tampering attack methods. The experimental results show that Aye can effectively defend against firmware tampering attacks, helping improve the efficiency and accuracy of such attack detection and forensics.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Establishment Of the Trusted Forensics Chainmentioning

confidence: 99%

Aye: A Trusted Forensic Method for Firmware Tampering Attacks

Zhang

2023

Symmetry

View full text Add to dashboard Cite

show abstract

“…Attacks on ICS have been explored in literature, for instance, attacking the Programmable Logic Controller (PLC) to change the control logic or its parameters process [19,25,17], modifying the firmware [11] or the sensors with false data injection (FDI) attacks that gather and relay data to the PLC [24,28,9,34] for attacking the controlled physical process. Proactively uncovering vulnerabilities in PLC programming [40] and detecting the presence of malware [35] are also topics of interest to the ICS community. Defenses for attacks on ICS hardware have also been studied extensively, among others these include protecting the PLC using control invariants (correlation between sensor readings and PLC commands) [44], extracting control logic rules [16] and detecting safety violations [26].…”

Section: Introductionmentioning

confidence: 99%

ICSML: Industrial Control Systems Machine Learning Inference Framework natively executing on IEC 61131-3 compliant devices

Constantine¹,

Rajput²,

Maniatakos³

2022

Preprint

Self Cite

View full text Add to dashboard Cite

Industrial Control Systems (ICS) have played a catalytic role in enabling the 4th Industrial Revolution. ICS devices like Programmable Logic Controllers (PLCs), automate, monitor and control critical processes in industrial, energy and commercial environments. The convergence of traditional Operational Technology (OT) with Information Technology (IT) has opened a new and unique threat landscape. This has inspired defense research that focuses heavily on Machine Learning (ML) based anomaly detection methods that run on external IT hardware which means an increase in costs and the further expansion of the threat landscape. To remove this requirement, we introduce the ICS Machine Learning inference framework (ICSML) which enables the execution of ML models natively on the PLC. ICSML is implemented in IEC 61131-3 code and works around the limitations imposed by the domain-specific languages, providing a complete set of components for the creation of fully fledged ML models in a way similar to established ML frameworks. We then demonstrate a complete endto-end methodology for creating ICS ML models using an external framework for training and ICSML for the PLC implementation. To evaluate our contributions we run a series of benchmarks studying memory and performance and compare our solution to the TFLite inference framework. Finally, to demonstrate the abilities of IC-SML and to verify its non-intrusive nature, we develop and evaluate a case study of a real defense for process aware attacks against a Multi Stage Flash (MSF) desalination plant.

show abstract

Semantic Integrity Measurement of Industrial Control Embedded Devices Based on National Secret Algorithm

Zhang,

Qi,

et al. 2023

2023 IEEE/CIC International Conference on Communications in China (ICCC Workshops)

View full text Add to dashboard Cite

Remote Non-Intrusive Malware Detection for PLCs based on Chain of Trust Rooted in Hardware

Cited by 6 publications

References 50 publications

Aye: A Trusted Forensic Method for Firmware Tampering Attacks

Aye: A Trusted Forensic Method for Firmware Tampering Attacks

ICSML: Industrial Control Systems Machine Learning Inference Framework natively executing on IEC 61131-3 compliant devices

Semantic Integrity Measurement of Industrial Control Embedded Devices Based on National Secret Algorithm

Contact Info

Product

Resources

About