On Ladder Logic Bombs in Industrial Control Systems

  • Naman Govil
  • Anand Agrawal
  • Nils Ole Tippenhauer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10683)


In industrial control systems, devices such as Programmable Logic Controllers (PLCs) are commonly used to directly interact with sensors and actuators, and perform local automatic control. PLCs run software on two different layers: (a) firmware (i.e. the OS) and (b) control logic (processing sensor readings to determine control actions).

In this work, we discuss ladder logic bombs (LLBs), i.e. malware written in ladder logic (or one of the other IEC 61131-3-compatible languages). Such malware would be inserted by an attacker into existing control logic on a PLC, and would either persistently change the behavior or wait for specific trigger signals to activate malicious behavior. For example, the LLB could replace legitimate sensor readings with manipulated values. We see the concept of LLBs as a generalization of attacks such as the Stuxnet attack. We introduce LLBs on an abstract level, and then demonstrate several designs based on real PLC devices in our lab. In particular, we also focus on stealthy LLBs, i.e. LLBs that are hard to detect by human operators manually validating the program running in PLCs.
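The abstract notes that an LLB can substitute manipulated values for real sensor readings, and that such modifications are hard to spot by manual inspection. The following is an added example, not code from the paper or its authors, of one automated check a defender can run over the textual form of a PLC program: it flags any assignment to a tag that is declared as an input or mapped to a physical input address (a legitimate program reads such tags but never writes them), and computes a digest of the source for comparison with a known-good copy. The program text, tag names and the `%IW` address mapping are constructed for this example and assume IEC 61131-3 Structured Text; a real project would export its logic from the engineering tool and may use different naming.

```python
"""Static check for sensor-input overwrites in IEC 61131-3 Structured Text.

Added example (not from the paper): flags any assignment whose target is a
variable declared in VAR_INPUT or mapped to a physical input address (%I...),
and hashes the normalised source so it can be compared against a baseline.
"""
import hashlib
import re

# Constructed sample program (hypothetical tag names, not a real PLC project).
BASELINE_PROGRAM = """
PROGRAM Pump_Control
VAR_INPUT
    Tank_Level : REAL;           (* sensor reading, mapped to %IW0 *)
END_VAR
VAR
    Pump_On : BOOL;
    Raw_Pressure AT %IW2 : INT;
END_VAR
    IF Tank_Level < 20.0 THEN
        Pump_On := TRUE;
    ELSIF Tank_Level > 80.0 THEN
        Pump_On := FALSE;
    END_IF;
END_PROGRAM
"""

# Same program with a constructed modification: the sensor tag is overwritten
# before the control logic evaluates it, so the pump never reacts to the tank.
MODIFIED_PROGRAM = BASELINE_PROGRAM.replace(
    "    IF Tank_Level < 20.0 THEN",
    "    Tank_Level := 50.0;\n    IF Tank_Level < 20.0 THEN",
)

# VAR_INPUT ... END_VAR blocks (non-greedy, spanning lines).
_VAR_INPUT_BLOCK = re.compile(r"VAR_INPUT(.*?)END_VAR", re.S)
# Declaration: "Name : TYPE" or "Name AT %IW2 : TYPE"; ":(?!=)" excludes ":=".
_DECL = re.compile(r"^\s*(\w+)\s*(?:AT\s*(%[A-Za-z]+\d+(?:\.\d+)?))?\s*:(?!=)", re.M)
# Assignment statement: "Name := ...".
_ASSIGN = re.compile(r"^\s*(\w+)\s*:=")


def input_tags(program: str) -> set:
    """Names declared as inputs or mapped to a %I physical input address."""
    tags = set()
    for block in _VAR_INPUT_BLOCK.findall(program):
        tags.update(name for name, _ in _DECL.findall(block))
    for name, addr in _DECL.findall(program):
        if addr and addr.upper().startswith("%I"):
            tags.add(name)
    return tags


def find_input_overwrites(program: str) -> list:
    """Return (line_number, tag) for every assignment to an input tag."""
    inputs = input_tags(program)
    hits = []
    for lineno, line in enumerate(program.splitlines(), start=1):
        m = _ASSIGN.match(line)
        if m and m.group(1) in inputs:
            hits.append((lineno, m.group(1)))
    return hits


def program_digest(program: str) -> str:
    """SHA-256 of the source with trailing whitespace stripped per line,
    so a copy exported later can be compared against the known-good one."""
    normalised = "\n".join(l.rstrip() for l in program.strip().splitlines())
    return hashlib.sha256(normalised.encode()).hexdigest()


if __name__ == "__main__":
    print("baseline overwrites:", find_input_overwrites(BASELINE_PROGRAM))
    print("modified overwrites:", find_input_overwrites(MODIFIED_PROGRAM))
    print("digest changed:",
          program_digest(BASELINE_PROGRAM) != program_digest(MODIFIED_PROGRAM))
```

The overwrite check catches the specific pattern the abstract describes (a sensor value replaced inside the logic), while the digest catches any change at all but says nothing about what changed; in practice both are run together, the digest against a copy stored outside the PLC and the static check to explain a digest mismatch.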



This work was supported by SUTD’s startup grant SRIS14081.



Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. IIIT Hyderabad, Hyderabad, India
  2. Information Systems Technology and Design Pillar, Singapore University of Technology and Design, Singapore, Singapore
