Control Logic Forensics Framework using Built-in Decompiler of Engineering Software in Industrial Control Systems

Syed Ali Qasim, Jared Smith, and Irfan Ahmed
Digital Investigation (DFRWS 2020)

In industrial control systems (ICS), attackers inject malicious control logic into programmable logic controllers (PLCs) to sabotage physical processes, such as nuclear plants, traffic-light signals, elevators, and conveyor belts. For instance, Stuxnet operates by transferring control logic to Siemens S7-300 PLCs over the network to manipulate the motor speed of centrifuges. These devastating attacks are referred to as control-logic injection attacks. Their network traffic, if captured, contains the malicious control logic, which can be leveraged as a forensic artifact. In this paper, we present Reditus, a framework that recovers control logic from suspicious ICS network traffic. Reditus is based on the observation that engineering software has a built-in decompiler that can transform binary control logic into its source code. Reditus integrates that decompiler with a previously captured set of network traffic carrying a control-logic transfer, and recovers the source code of the binary control logic automatically. We evaluate Reditus on the network traffic of 40 control-logic programs transferred from the SoMachine Basic engineering software to a Modicon M221 PLC. Our evaluation successfully demonstrates that Reditus can recover the source code of a control logic program from its network traffic.

Winner of Best Paper Award