Abstract
Adversaries may target alerting alarms raised by PLCs (Programmable Logic Controllers) to prevent notifying operators of critical conditions, to hide faults, to disrupt operations, to cause damages to ICS (Industrial Control Systems) and surrounding environment, or to lead to financial loss. The paper focuses on exposing vulnerabilities of the ladder logic code that handles the alerting alarm messages and how to mitigate them. A real-time test bed of a PLC alarms code was developed and used to conduct several stealthy attack techniques to suppress or hinder alarms by exploiting code vulnerabilities. A novel ladder logic solution that consists of countermeasures against the introduced attacks was proposed, demonstrated, and tested. The countermeasure techniques, such as scan time and heartbeat techniques, were able to detect and prevent the code vulnerabilities and other abnormalities. The provided countermeasure techniques in this experiment could be applied to any PLC to enhance the validity and security of its PLC alarms code.
Article Highlights
-
Four stealthy attack models were introduced to exploit PLC alarms code. They were embedded to skip, delete, fake out, or delay alerting alarms.
-
Real-time countermeasure solutions with different techniques were introduced: scan time code, heartbeat code, and physical plausibility check. They effectively detected and prevented the introduced attack models.
-
PLC alarms Code general abnormalities was validated and detected using scan time techniques.
-
A list of general best code practices for PLC alarms code was introduced to mitigate code vulnerabilities.
Similar content being viewed by others
Avoid common mistakes on your manuscript.
1 Introduction
The demand for reliable, valid, and secure PLC alarms has been a great concern since the 2000 Maroochy Shire cyber event, Australia [1,2,3]. In the Maroochy malicious attack, an insider was able to suppress the PLC alarms to prevent them from notifying operators and central servers of any threats or abnormalities.
By preventing outgoing alarms from being raised and reported, operators were fooled into believing that the system was running normally.
Though preventing alarms from being raised or being acted upon might not be considered as critical as other threats, it could risk critical devices or endanger human life [4].
Every PLC has a dedicated alarms code that is responsible for monitoring the status of the controlled devices and raising alarms to alert staff in case of any abnormalities or faults.
This paper focuses on identifying and detecting vulnerabilities within the PLC alarms code and introduce countermeasure techniques to enhance the validity and the reliability of the code. A real-time test bed was implemented in ladder logic that was able to detect code abnormalities and prevent possible exploitations.
The rest of the paper is arranged as follows: Sect. 2 provides a brief literature of the Roles of PLCs and other associated dependencies in monitoring faults and raising alarms. Section 3 provides details about alarms and their roles in ICS, structure and organizations of alarms, and the consequences of suppressed or deleted alarms. Section 4 describes a real-time testbed for PLC alarms code. The alarms code was introduced and developed to raise functioning alarms in case of faults detection, mimicking real life scenarios. The exploitation and attacks models are described in Sect. 5. Real-time countermeasure solutions that detected and prevented previously introduced threats are introduced and demonstrated in Sect. 6. A discussion of the results is provided in Sect. 7. General guideline to mitigate and reduce PLC alarms code vulnerabilities are discussed in Sect. 8. Finally, the conclusion is presented in Sect. 9.
2 Related work
Very little work has been done on topics related to vulnerabilities of PLC alarms code. The concerns of researchers have been mostly focused on vulnerabilities associated with general PLC code [5,6,7,8,9,10], non-code related or general alarms analysis and management [4, 11,12,13,14,15,16,17,18,19], ICS networks related [20,21,22,23,24,25], code intrusion and injection [10, 26,27,28,29], security credentials and accessibilities [30,31,32], and general recommendations or surveys [33, 34].
3 Roles of PLCs and their dependencies in alarms
Industrial control systems (ICS), typically, consist of PLCs, human machine interface (HMIs) devices, industrial networks, and field devices. Because of their important roles in monitoring alarms, the following is a brief explanation of each one of them:
3.1 PLCs’ role
PLCs are the main controllers of ICS. PLCs handle several programs that control and monitor other dependencies, activities, and process in a real-time manner. Among those programs, there are associated or dedicated codes to handle alarming messages. A PLC alarms code can be written in ladder logic, function block diagram (FBD), sequential function chart (SFC), or structured text (ST).
The role of a PLC alarms code is to raise alarms whenever faults or abnormalities are detected while monitoring field devices and operations. Once detected, the PLC alarms code sent raises alarms to HMIs to alert operators, see Fig. 1.
PLC flow in capturing and triggering alarms
3.2 HMIs’ role
HMIs act like visual aids to operators where any alarming messages raised by a PLC alarms code would be displayed and acknowledged by the operators. HMIs could be considered like a GUI interface of a PLC to operators to check messages and perform manual activities. HMIs could be as simple as touchscreen panels or could be more complex such as server-based ones where they can handle statistical tools, logging capabilities, ladder logic code monitoring in addition to alarming messages and manual activities.
When it comes to monitoring messages, HMIs are slaves to PLCs since alarming message are controlled by PLC alarms code. If alarms within a PLC alarms code are suppressed, no messages would be displayed on HMIs.
3.3 Industrial networks’ role
Industrial networks (such as EtherNet/IP) enable real-time communication among I/O modules, HMIs, PLCs, and associated field devices. If the network is down or slow, that would affect displaying proper alarming messages handled by PLCs.
3.4 Field devices’ role
Field devices (such as limit switches, actuators, drives, etc.) are controlled and monitored by PLCs via industrial networks [6]. If any is faulty the designated PLC would detect that, and an alarm would be raised by the PLC alarms program. However, no alarms would be raised or triggered, if the PLC alarms program gets compromised, which could lead to critical consequences.
The following are examples of some field devices with a brief description of each of them:
3.4.1 Sensors’ role
Sensors send the status of devices and instrumentations to PLCs. Even with highly reliable, thorough, and accurate sensors, any designated PLC alarms program would be not valid and reliable if its code gets compromised; where alarms could be suppressed, tampered with, or deleted.
3.4.2 Actuators and other devices’ role
They are devices that translate received output signals from PLCs into practical operations. Good examples of such devices are actuators, inverters, and servo motors. Most of the time, output commands from PLCs to such devices must also be monitored, so PLCs could verify, stop, or adjust any of their behaviors accordingly. In case of any errors or issues, the PLC through its alarms program would raise alarming messages to alert operators.
3.4.3 I/O modules’ role
I/O modules, such as ArmorBlocks and ArmorStratix, act like hubs that facilitate communications between PLCs and all other devices. They reduce labor costs, wiring, and maintenance costs. PLCs monitor and control all inputs and outputs PLCs through I/O modules; including feedback and status bits that are critical in any PLC alarms program.
4 PLC alarms overview
Alarms including faults, system errors, and warnings are essential indicators in protecting, maintaining, and enhancing automated systems. The alarms are simple to configure and develop in a PLC alarms code and HMIs. Despite their simplicity, they are critical, vital, and helpful in recovering from downtime or preventing damages [4]. Whenever there are any faults or abnormalities, alarms are raised or activated to protect devices and sent to HMIs to alert operators. To be useful and helpful, alarms should cover and monitor the status of all sensors, devices, I/O modules, and other dependencies that a PLC controls. Therefore, a PLC alarms code that handles alarms must be reliable, valid, and thorough. Thorough and reliable alarms would reduce maintenance costs, decrease troubleshooting time, and increase efficiency, and help in statics tools if logged [13].
The following are some useful information regarding the alarms raised by PLC alarms code:
4.1 Alarms levels
PLC alarms can be broken into several levels or groups:
-
System-stop alarms: these are raised whenever there are global, unsafe violations where more than one station is involved. For example: safety gates and perimeter E-Stops.
-
Station-stop alarms: these only stop a specific and certain devices or stations within a cell or a predefined zone.
-
Cycle-stop alarms: they are non-immediate stops that take effect once a cycle is done.
-
Warnings alarms: these are not designed to stop any system or devices but are used to initialize warnings in case of undesired conditions. Though these are not considered critical, they are helpful in predictive maintenance.
4.2 Alarms prioritization
Prioritizing alarms helps in preventing flooding the system with messages and reduce operators’ distractions. When an alarm is raised it indicates an abnormal state was detected by the PLC alarms code in a process, an operation, or a device. Since not all alarms carry the same weight, alarms prioritization must be taken into considerations to reduce distraction and accelerate maintenance response time, see Fig. 2.
Alarms priority based on criticality and time responses
The prioritization of alarms is categorized as follows:
-
High Priority alarms: cause critical damage to living beings, environment, equipment, and huge economic losses. Such alarms must be given the highest attention and fastest response time by operators.
-
Medium Priority alarms: Are not as serious and critical as the previous ones. They might cause serious financial loss or deteriorate the life service of devices or equipment in the long or short run.
-
Low Priority alarms: minor financial impact, and less financial loss.
4.3 Supressed or tampered alarms consequences
If alarms within the PLC alarms code were to be suppressed or tampered with, they could cause the following:
-
Risk the safety of workers or even other living beings.
-
Impact the functionality and safety of devices.
-
Impact public and private facilities and infrastructure.
-
Impact the environment.
-
Increase maintenance costs and troubleshooting time.
-
Prevent addressing critical alarming messages.
5 A real-time testbed for PLC alarms code
A ladder logic was developed as a real-time PLC alarms code that could be used as a test bed for several experiments.
5.1 Devices and software used
The following are the main devices and software used to implement the test bed:
-
PLC: Allen-Bradly/Rockwell GuardLogix5570 Safety Controller.
-
Software: Rockwell Logix Designer version 33 to develop, monitor, and edit the ladder logic code.
-
Allen-Bradley EtherNet/IP Network modules.
-
Allen-Bradley ArmorStratix module.
5.2 Developing alarms ladder logic code
A ladder logic code was designed to monitor faulty devices and operations. In the beginning a “Reset” setup code was implemented to clear non-retentive faults whenever it is needed. For instance, by pressing the associated HMI push button (HMI_PB_Reset) of PV01 group, all faults related to that group would be cleared and acknowledged as shown in Fig. 3. If faults were to be acknowledged but not cleared, then that would be a sign of a real-time faulty device that must be resolved. Typically, whenever a field device is faulted, it would be reported to the PLC alarms code where a designated alarm message or tag, such as “- PV01_Arrays_Faulted[0]0.0”, would be enabled, as shown in Fig. 4 and Fig. 5.
Faults reset setup to clear non-retentive alarms
Alarms setup for every fault related to PV01 group
Example of faults sent to HMI
Overall, every detected fault would energize or raise an alarm bit, i.e., triggering an HMI message to be displayed, as shown in Fig. 6.
Monitoring all PV01 related faults
Another optional method that relies on FBC (File Bit Comparison) was introduced, based on the previous code setup, see Fig. 5. By using FBC instruction, detecting the occurrence of faults would be easier.
6 Case study: introducing real-time attack techniques to exploit vulnerabilities
A case study based on the previously described test bed was introduced to expose vulnerabilities within the PLC alarms code using a variety of exploits. The main target was how to detect if any or all alarms within the PLC alarms code can be suppressed or modified.
Adversaries might suppress, delay, or delete alarms raised by a PLC code to evade detection to cause damage and disruption. Suppressed or inactive alarms prevent real-time notification messages which in turn could mislead operators, delay maintenance, increase financial loss, risk the safety of ICS systems, or even jeopardize human life. Bad code practices can also result in disruption to processes and cause damage.
The following is summary of the main vulnerabilities scenarios that might be exploited:
-
All devices are functioning properly and reporting all abnormalities to the designated PLC but their alarms within the PLC code are deactivated, deleted, or tampered with. So, the PLC would be getting all statuses of devices and operations, but alarms would not be raised. That would be a sign of suppressed alarms within the PLC code.
-
Alarms are getting delayed or skipped because of code modifications. That could reduce productivity, increase maintenance costs, or even risk the system.
-
Alarms are faked to deceive operators, risking the safety of the devices.
-
PLC alarms code is valid and legitimate, but not receiving any faults from faulty devices. This could be due to physical problems, networks issues, or wrong configurations.
To mimic a malicious code attack where hackers would exploit vulnerabilities of a running PLC alarms code, real-time exploitation techniques were introduced into our test bed and applied without stopping any process or recompiling any routine. The attack models were stealthy and ran without being detected or noticed.
The following are four real-time attack models used to exploit PLC alarms code:
6.1 Skipping or deleting alarms code
One of the techniques used in skipping some alarms or all alarms, was by embedding a “JMP” Jump instruction, named “LBL01” and “LBL” instructions, named “LBL01”. The CPU skipped scanning all alarms rungs (code lines) that are between “JMP” and “LBL” without energizing or raising any alarms bits within that range, see Fig. 7.
The logic code between “JMP” and “LBL” is skipped
The logic would not know whether skipping a code using “JMP” was legal or not. Therefore, operators would not be notified, and the skipping would not be detected.
6.2 Slowing down the scan cycle of the PLC alarms code
Slowing down the scan time of the PLC alarms code means that the code was modified either by adding more code elements or suspicious loops. Some embedded finite loops would significantly slow down logic response for highly critical situations, or they might lead to a faulty PLC scenario.
To slow down a scan time, a single “FOR” instruction was embedded to call another routine several times, looping for.
500 times, see Fig. 8. Once the looping started, the scanning of the logic code was slowed down and then the PLC was faulted. When the number of loops was reduced to 300, the scanning of the logic was slower than normal but without faulting the PLC.
Embedding a “FOR” to slow the scanning time of the code
The PLC was not able to detect or report to the operator any slower scanning of the PLC alarms code.
6.3 Deactivating or suppressing alarms
In this test, the alarms were suppressed when a single Boolean instruction, “Always_OFF”, that was set to false (zero) was embedded before the energizing the alarms, as shown in Fig. 9.
Faults were deactivated when ANDed with a false bit
When the “Always_OFF” bit was ANDed with any precondition instructions, like “SysReady”, the rung condition-out result was false i.e., all its output coils de-energized.
In other words, whenever the result of the rung-condition-in was false, the result of the rung-condition-out was false as well, i.e., suppressing all associated alarms, as shown in Fig. 10.
Suppressed or Deenergized faults means values are set to zero
The PLC in this scenario would not detect any abnormal code behavior because all syntaxes and code elements are legal.
6.4 Faking alarms
The alarms in this scenario were faked rather than being skipped or deleted. Faking alarms would be difficult to detect.
To counter such scenario, a flash bit called “Flash” was created based on the code of couple timers, as shown in Fig. 11. The “Flash” bit acted like a fluctuating false that occurred every predefined duration (toggled ON/OFF every few seconds). The “Flash” bit was placed before energizing alarms to fool the operators that alarms were active and occurring occasionally in a normal way, see Fig. 12.
Create a flashing bit using timer on delay instructions
Misleading diagnostics by adding a flashing bit
7 Countermeasures
The following are the real-time methods that were implemented to detect and prevent the attack models introduced in previously:
7.1 Method 1: a scan time countermeasure against skipped or deleted code attack
7.1.1 Scan time overview
The scan time of a code is the amount of time the CPU would take to scan the code within a scan cycle. Since the scan time value would be affected by any code modifications, storing a scan time value (or average of several one) and using it as a reference point would be a reliable and effective approach.
To do that a ladder logic code was developed and embedded within the PLC alarms code to capture the scan time value of the running PLC alarms code under normal conditions.
The average of several one was computed and stored as a reference point. It was proven that whenever portion of the code was skipped, the scan time was faster than the average, and vice versa.
By using comparison instructions further logic scanning would be stopped and staff would be warned whenever a scan time value is not within the range of the average one.
7.1.2 Developing scan time code
It turned out that capturing the scan time of the PLC alarms code or any other specific routine is not a direct built-in feature in Rockwell PLCs. Built-in timer instructions were not applicable when capturing microseconds intervals. To circumvent that, a “WallClockTime” object of a GSV (Get System Value) instruction was used, see Fig. 13.
Capturing a starting point of a scan time
The “WallClockTime” is an ongoing global timer that provides timestamps scheduled by the controller. A “WallClockTime” object was added to the beginning of PLC alarms code to timestamp the starting point of every initial scanning of the code. Then the captured timestamp value was stored into “_PLC_Time[0]” array, as shown in Fig. 13.
Another “WallClockTime” object was added by the end of the code to capture its timestamp. That captured time value was stored into “_PLC_TimeNext[0]”. By subtracting the values of the two arrays, “_PLC_Time[0]” and “_PLC_TimeNext[0]”, we were able to get the time that the CPU took to scan the PLC alarms code within one cycle. The scan time captured was stored into “PLC_TimeResult[0]”, as shown in Fig. 14. As the CPU keeps scanning the code, a new scan time value was captured with some marginal variances.
Capturing the scan time by the end of the routine
To get more accurate result with less discrepancies (such as clock latency), several more scan time values were captured at several instances and stored within a group of arrays, from [0] to [9], as shown in Fig. 15. That was done by using a “FIFO” instruction, see Fig. 16. The average of those stored values of each scan time was calculated using “CPT” (Compute) instruction, and the result was stored in “ScanAverage” array, as shown in Fig. 17.
Capturing several values of the scan time
Using a “FIFO" to capture several values the scan time
Getting the average time of ten scan time values
The code is scalable and could get more enhanced if more reliable and accurate value of the scan time. For instance, by capturing and storing more scan time values during longer duration with different event the average would be accurate.
7.1.3 Using scan time to detect skipped or deleted alarms code
This method was introduced and tested to detect skipped or deleted alarms by checking and validating every scan time per PLC cycle. When a newly captured scan time was less than that of the reference scan average value, then the PLC stopped further code scanning (stop further code execution) and warn operators. After skipping all rungs related to alarms, a new scan time value was captured, “_PLC_TimeResult[0]”. As expected, the scan time was tremendously less than that of the original average value, “ScanAverage[0]” (23 microseconds compared to about 592 microseconds). Several new scan values of the modified code were, as shown in Fig. 18. Then the average of those values was computed and stored in “ScanCurrentAvg[0]” to get a more accurate and stable value, see Fig. 19. By comparing the newly calculated average, “ScanCurrentAvg[0]”, to that of the reference a discrepancy was detected and a warning message, “Warn_HMI_User” bit, was raised to alert operators, as shown in Fig. 20.
Capturing scan time values after logic was skipped
The new scan time average of the modified code
Preventing further logic scanning
The result of the comparison was also used as a precondition to stop further logic scanning, see Fig. 20.
7.2 Method 2: a scan time countermeasure against slower code scan cycle attack
Since embedding more code or finite loops was not detected by the PLC, as demonstrated in the earlier attack model, a real-time countermeasure technique based on a scan time implementation was introduced. The PLC cycle would take more time to finish scanning the embedded code, i.e., increasing the scan time duration.
When “For” instruction (with 300 steps) was embedded within the PLC alarms code, the scan time trap was able to detect that attack based on its scan time duration. Figure 21 shows that the new scan value was above 230,000 ms, significantly greater than that of the normal average value which was around 592 ms. For reliability, several scan time values were captured and stored, as shown in Fig. 22. Then the average of those was computed and stored in the array named “ScanCurrentAvg[0]”, as shown in Fig. 23.
The scan time was significantly increase after inserting “For” loop instruction
Several scans time values were captured and stored
The average scan time was computed
Similar to the previous comparison code setup and techniques introduced in Sect. 7.1, once an abnormal scan time was detected, further logic scanning would not be allowed, and a warning message was sent to operators, as shown in Figs. 24 and 25.
Preventing further logic scanning and alerting staff
Another way to prevent further logic scanning using “JMP” instruction to skip certain code
7.3 Method 3: a heartbeat bit countermeasure against inactive or suppressed alarms attack
A heartbeat code was developed to verify the validity and the real-time status of alarms. The alarms would be considered invalid if all faults were idle (all ON or all OFF) within a predefined duration of time. The resultant of the faults of each group was tied to a Boolean bit, such as “GroupAlarms05”.
When “GroupAlarms05” had its status idle for 3,600,000 ms, the heartbeat bit, “Heartbeat_OK”, was disabled, as shown in Fig. 26 and Fig. 27. A dead or disabled heartbeat bit was then used to stop further logic scanning and to warn operators.
Heartbeat setup based on alarms within a group
Heartbeat setup based on groups of alarms
7.4 Method 4: a physical plausibility check to detect faked alarms attack
To detect faked alarms or unnoticed malfunctioning devices, a physical verification of all critical devices and instruments involved must be conducted. A physical plausibility check should be performed to validate whether the alarms are matching real-time status and behavior of field devices.
The following are some of the techniques that should be followed to properly validate the process of verification:
7.4.1 Validate a device operation based on a predefined duration
Validation of the operation of devices and instruments must be based on predefined duration. The operation time of a device should be compared to a predefined or to a previously computed average while physically operating or checking the device. It is not enough to check, for instance, that a locking pin is extending without comparing its operation duration to a specific predefined time. If the behavior of an instrument or a device is taking more than its predefined duration, then the operators should be alerted, and any associated alarms should be raised.
7.4.2 Validate PLC outputs
There should be a handshaking validation between a PLC and the controlled devices (such as actuators) through their statuses. A PLC should validate that an output is sent to the proper designated device by getting the proper expected feedback before running further code. In the absence of a device feedback or proper acknowledgment, associated alarms must be raised. For instance, when a PLC sends a program number to a robot, the robot must send back a matching program number. If both program numbers are not matching, then the PLC should alert the operators and stop executing the rest of related code.
7.4.3 Validate PLC inputs
Validate the inputs of sensors and other monitored devices based on their proper physical operations. For instance, a clamp should indicate an exclusive status which is either “OPEN” or “CLOSED”, neither in between nor none. If the hardware indicates that both are active “TRUE” or both are “FALSE”, an alarm should be reported.
7.4.4 Validate coils or commands
Validate there is no conflict among PLC commands (such as energized coils or outputs) that work in pairs. A conveyor, for instance, should not get a request to move forward and backward at the same time. A pin, for instance, should not be commanded to extend and retract at the same time. Such invalid conflict should be monitored, logged, and prevented.
8 Results and discussion
The main contribution of this paper are the solutions that can be applied to mitigate real attacks on PLC alarms. It was shown how the ladder logic code of alarms could be compromised even though all other field devices, including HMIs, were properly functioning, leading to serious damage. Four attack models within the PLC alarms code were introduced and exploited PLC alarms code. Each one of the attacks relied on modifying the ladder logic of the PLC alarms code by embedding instructions that adversely affected the behavior of the alarms. Real-time countermeasures were deployed and successfully detected and prevented those introduced attacks.
To analyze and verify our previously calculated scan time values, real-time trends that captured and analyzed real-time scan time values were introduced and demonstrated using an experimental test bed.
Each trend captured more than 50 real-time values of the PLC alarms code scan time, “_PLC_TimeNext[0]”. The values were captured and analyzed during a 2 ms interval.
Under normal condition, attacks free scenarios, the values of the captured scan time in our test bed were between 469 and 606 microseconds, as shown in Fig. 28. All those captured values were close to the average that was calculated previously, about 592 microseconds, see Fig. 17.
Capturing several scan-time values under normal conditions
Similarly, when the skipping code attack was introduced the scan time value was significantly reduced. The trend diagram provided in Fig. 29 showed that the real-time values of the scan time were within the range of 20 and 23 microseconds. That was close to the average scan computed earlier, see Fig. 19.
Scan-time values during the skipping code attack scenario
Regarding the slow scan time attack, the captured real-time values of the scan time was between 1361 and 2700 microseconds, as shown in Fig. 30. That was significantly more than the normal average scan and close to the abnormal average that was computed earlier, see Fig. 23. Similar scan time measurements can be extracted from any PLC alarm code and analyzed to monitor the alarms code behavior.
Capturing several scan-time values when slow code attack was introduced
9 General PLC alarms code guidelines
9.1 PLC alarms code best practices
For safer systems and better troubleshooting and recovering, it is recommended that PLC alarms code follow these code practices:
-
Alarms code must reside in dedicated and separated PLC routines to make it easier to authenticate, analyze, and troubleshoot.
-
Raised alarms bits by PLC code must stay set (latched) once they are triggered and only cleared (reset) if faults are resolved and acknowledged by operators.
-
Raised alarms must be logged into arrays within PLCs and sent instantly to designated HMIs where they would be clearly displayed and logged.
-
Validate alarms raised within PLC alarms code with those displayed on HMIs. In some scenarios, a PLC could be triggering the proper messages on its side, but an HMI messaged could be misconfigured.
-
Each alarm configured within the PLC alarms code must have a unique ID or identifier, so it can be properly initialized, set, and tracked. The identifier is a unique fault code that must be considered when implementing the alarms within the PLC code. Each alarm must be clearly displayed on any associated HMIs with its ID and proper descriptive message.
-
Alarms within PLC alarms code must have standards that define naming conventions, tags, and data types.
-
Alarms could be more useful if they are time stamped which would help in knowing the initial root cause of the problem.
-
PLC alarms code should be password protected.
-
A comparison of the PLC alarms code must be performed with a previously validated file should be performed every time the checksum of the PLC is changed.
-
Raising the same alarm (output) in more than one place within the PLC code should be avoided, especially those are OTE (Output Energize) based.
-
Empty branches must not be allowed.
-
Forcing tag values should be avoided since forced bits could be hard to track.
-
Avoid any racing scenarios within the PLC alarms code. Racing occurs when two routines or set of operands of logic are racing against each other.
9.2 Other suggested techniques
9.2.1 A mirror PLC for alarms
In some critical scenarios, adding a duplicate or a mirror PLC would be an effective use of redundancy. The redundant PLC can be used as an external backup for alarms, safety, and other critical routines. The access to a mirror PLC should be very limited and restrained. A mirror PLC can be used also as a real-time reference in checking if there are any code modifications within the primary PLC. If any discrepancies are found, then the operators must be alerted. Also, having a backup PLC would make compromising the code harder on hackers.
9.2.2 Effective usage of HMIs and logs
It would more effective if PLC alarms, abnormal scenarios, scan time values, PLC cycles, etc. are sent and displayed on HMIs. Those charts would and logged information would be used in trends and statistical charts.
9.2.3 Alarms test mode
Enhance PLC alarms code to handle an automatic alarms test mode (ATM) where operators can run it to verify all alarms. When ATM is enabled, the PLC would raise every alarm in a sequential manner and display all of them on the designated HMI. If an alarm is not raised on the HMI, then operators should be alerted.
10 Conclusion
The real-time test bed introduced in this paper exposed some vulnerabilities of the ladder logic code responsible of raising alarm messages, i.e., PLC alarms code.
Four real-time attack techniques were introduced and applied within the PLC alarms code while the PLC was in “RUN” mode. None of the attacks stopped or interrupted the PLC, other ladder logic code, or got detected. All of the attacks could be used to cause serious damage to a PLC based ICS. The attacks were based on different ladder logic scenarios and techniques.
It was proven that the PLC was defenseless in detecting or preventing any of those embedded attacks.
Several effective countermeasure solutions against the described attacks were introduced: scan time code, heartbeat code, and verification guidelines of alarms and designated physical devices.
One of the challenges we faced in this experiment was in capturing the scan time of a fast cycle. The built-in timer instruction provided by Rockwell software were not capable in capturing time intervals within microseconds. To bypass that problem a “WallClockTime” object was used.
As future work, we are working on enhancing and expanding the countermeasure solutions to cover more PLC code scenarios rather than limiting them to PLC alarms code.
References
Slay J, Miller M (2008) Lessons Learned from the Maroochy Water Breach. In: Goetz E., Shenoi S. (eds) Critical Infrastructure Protection. ICCIP 2007. IFIP International Federation for Information Processing, vol 253. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-75462-8_6
Sayfayn N, Madnick S (2017) “Cybersafety Analysis of the Maroochy Shire Sewage Spill,”. Available: https://web.mit.edu/smadnick/www/wp/2017-09.pdf. [Accessed January 22, 2022].
Ismail S, Sitnikova E, Slay J (2014). Towards Developing SCADA Systems Security Measures for Critical Infrastructures against Cyber-Terrorist Attacks.
Goel P, Datta A, Mannan M (2017) Industrial alarm systems: Challenges and opportunities. J Loss Prev Process Ind 50:23–36
Serhane A, Raad M, Raad R, Susilo W (2018) "PLC Code-Level Vulnerabilities," 2018 International Conference on Computer and Applications (ICCA), Beirut, pp. 348–352.
Serhane A, Raad M, Raad R, Susilo W (2019) “Programmable logic controllers based systems (PLC-BS): vulnerabilities and threats,” SN Appl Sci. 1, 924. Available: https://doi.org/10.1007/s42452-019-0860-2. [Accessed January 22, 2022].
Valentine SE, Jr (2013) “PLC code vulnerabilities through SCADA systems,” Ph.D. dissertation, University of South Carolina
Klick J, Lau S, Marzin D, Malchow J, Roth V (2015) “Internet-facing PLCs-a new back orifice,” Black Hat USA, pp 22–26. Available: https://www.blackhat.com/docs/us-15/materials/us-15-Klick-Internet-Facing-PLCs-A-New-Back-Orifice-wp.pdf. [Accessed January 12, 2022].
Spenneberg A, Brüggemann M, Schwartke H (2016) “PLC-blaster: a worm living solely in the PLC”, Black Hat USA, Singapore. Available: https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf. [Accessed January 22, 2022].
Govil N, Agrawal A, Tippenhauer NO (2018) On ladder logic bombs in industrial control systems. In: Computer security. Springer International Publishing, Cham, pp 110–126
Charbonnier S, Bouchair N, Gayet P (2014) "Analysis of fault diagnosability from SCADA alarms signatures using relevance indices," 2014 IEEE International Conference on Systems, Man, and Cybernetics (SMC), pp. 2739–2744. https://doi.org/10.1109/SMC.2014.6974342.
Nasr PM, Varjani AY (2014) Alarm based anomaly detection of insider attacks in SCADA system. Smart Grid Conference (SGC) 2014:1–6. https://doi.org/10.1109/SGC.2014.7090881
Rothenberg D (2018) Alarm Management for Process Control, New York:Momentum Press.
Urban P, Landryova L (2015) "Process knowledge building an optimized alarm system", Proceedings of 16th ICCC
Urban P, Landryova L (n.d.) "Identification and evaluation of alarm logs from the alarm management system", Proceedings of 17th ICCC.
Zhu J, Wang C, Li C, Gao X, Zhao J (2016) Dynamic alarm prediction for critical alarms using a probabilistic model. Chin J Chem Eng 24(7):881–885
Soares V, Pinto J, De Souza M (2016) Alarm management practices in natural gas processing plants. Control Eng Pract 55:185–196
Adnan NA, Cheng Y, Izadi I, Chen T (2013) Study of generalized delay-timers in alarm configuration. J Process Control 23(3):382–395
Mahmoudi-Nasr P (2019) Toward Modeling Alarm Handling in SCADA System: A Colored Petri Nets Approach. IEEE Trans Power Syst 34(6):4525–4532. https://doi.org/10.1109/TPWRS.2019.2916025
Hui H, Mclaughlin K (2018) "Investigating Current PLC Security Issues Regarding Siemens S7 Communications and TIA Portal" 5th International Symposium for ICS & SCADA Cyber Security Research (ICS-CSR 2018) pp. 66–72.
Yang Y, McLaughlin K, Littler T, Sezer S, Pranggono B, Wang HF (2013) "Intrusion detection system for IEC 60870–5–104 based SCADA networks", Proc. IEEE Power Energy Soc. General Meeting, pp. 1–5.
Bellettini C, Rrushi J (2007) "Vulnerability analysis of SCADA protocol binaries through detection of memory access taintedness", Proceedings of 8th IEEE SMC Information Assurance Workshop, pp. 341–348
Zhang F, Kodituwakku HADE, Hines JW, Coble J (2019) Multilayer Data-Driven Cyber-Attack Detection System for Industrial Control Systems Based on Network, System, and Process Data. IEEE Trans Industr Inf 15(7):4362–4369. https://doi.org/10.1109/TII.2019.2891261
Al-Abassi A, Karimipour H, Dehghantanha A, Parizi RM (2020) An Ensemble Deep Learning-Based Cyber-Attack Detection in Industrial Control System. IEEE Access 8:83965–83973. https://doi.org/10.1109/ACCESS.2020.2992249
P. Priyanga S, K. Krithivasan, P. S and S. Sriram V S, "Detection of Cyberattacks in Industrial Control Systems Using Enhanced Principal Component Analysis and Hypergraph-Based Convolution Neural Network (EPCA-HG-CNN)," in IEEE Transactions on Industry Applications, vol. 56, no. 4, pp. 4394–4404, July-Aug. 2020, doi: https://doi.org/10.1109/TIA.2020.2977872.
Hyunguk Y, Irfan A (2019) Control Logic Injection Attacks on Industrial Control Systems
D’Antonio S, Oliviero F, Setola R (2006) High-speed intrusion detection in support of critical infrastructure protection. Critical Information Infrastructures Security 4347:222–234
Qian J, Du X, Chen B, Qu B, Zeng K, Liu J (2020) Cyber-Physical Integrated Intrusion Detection Scheme in SCADA System of Process Manufacturing Industry. IEEE Access 8:147471–147481. https://doi.org/10.1109/ACCESS.2020.3015900
Noorizadeh M, Shakerpour M, Meskin N, Unal D, Khorasani K (2021) A cyber-security methodology for a cyber-physical industrial control system testbed. IEEE Access 9:16239–16253. https://doi.org/10.1109/ACCESS.2021.3053135
S. Kalle N. Ameen H. Yoo and I. Ahmed "Clik on plcs! attacking control logic with decompilation and virtual plc" Binary Analysis Research (BAR) Workshop Network and Distributed System Security Symposium (NDSS) 2019.
Alsabbagh W, Langendörfer P (2021) "A Stealth Program Injection Attack against S7–300 PLCs" 22nd IEEE International Conference on Industrial and Technology (ICIT 2021) March 10–12 2021.
Alsabbagh W, Langendörfer P (2020) "A Remote Attack Tool against Siemens S7–300 Controllers: A Practical Report" 11. Jahreskolloquium Kommunikation in der Automation (KommA 2020) Oct. 29 2020.
Ma., Rongkuan, W. Qiang, and W. Qingxian, "A survey of offensive security research on PLCs," Journal of Physics: Conference Series. 1976 012025, 2021. https://doi.org/10.1088/1742-6596/1976/1/012025.
Humayun M, Niazi M, Jhanjhi NZ, Alshayeb M, Mahmood S (2020) Cyber security threats and vulnerabilities: a systematic mapping study. Arab J Sci Eng 45(4):3171–3189
Funding
This work was not supported by any funding.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
On behalf of all authors, the corresponding author states that there is no conflict of interest.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Serhane, A., Raad, R., Susilo, W. et al. Applied methods to detect and prevent vulnerabilities within PLC alarms code. SN Appl. Sci. 4, 127 (2022). https://doi.org/10.1007/s42452-022-05019-7
Received:
Accepted:
Published:
DOI: https://doi.org/10.1007/s42452-022-05019-7