PLCPrint: fingerprinting memory attacks in programmable logic controllers

Cook, M. M. , Marnerides, A. K. and Pezaros, D. P. (2023) PLCPrint: fingerprinting memory attacks in programmable logic controllers. IEEE Transactions on Information Forensics and Security, (doi: 10.1109/TIFS.2023.3277688) (Early Online Publication)

[img] Text
297746.pdf - Accepted Version

19MB

Abstract

Programmable Logic Controllers (PLCs) constitute the functioning basis of Industrial Control Systems (ICS) and hence are often a focal point for attackers to exploit. Previous attacks have seen PLC memory maliciously altered in order to disrupt the underlying physical process. Different types of memory attack can cause a similar impact on the PLC’s operation and result in indistinguishable physical manifestations. Consequently, delays in triaging attacks through digital forensic practices can induce significant financial loss, physical damage to the infrastructure, and degradation of safety. In this work, we propose PLCPrint, a novel vendor-independent fingerprinting approach that utilises PLC memory artefacts to perform detection and classification of memory attacks. PLCPrint uses PLC memory register mapping, a novel method exploiting the relationship between PLC registers and memory artefacts including the PLC application code. Through this, registers are assigned a Mapping Condition (MC) to indicate how they exist within the PLC memory artefacts. We evaluate the performance of PLCPrint over realistic emulations conducted at a real testbed emulating water filtration and distribution. Through PLCPrint we depict how MC deviations are utilised within supervised learning schemes such as to adequately classify PLC memory attacks with high accuracy performance. In general, we demonstrate that PLCPrint fills the gap in the context of attack technique triaging since this has been a missing element within current ICS forensics schemes.

Item Type:Articles
Status:Early Online Publication
Refereed:Yes
Glasgow Author(s) Enlighten ID:Cook, Mr Marco and Marnerides, Dr Angelos and Pezaros, Professor Dimitrios
Authors: Cook, M. M., Marnerides, A. K., and Pezaros, D. P.
College/School:College of Science and Engineering > School of Computing Science
Journal Name:IEEE Transactions on Information Forensics and Security
Publisher:IEEE
ISSN:1556-6013
ISSN (Online):1556-6021
Published Online:22 May 2023
Copyright Holders:Copyright © 2023 IEEE
First Published:First published in IEEE Transactions on Information Forensics and Security 2023
Publisher Policy:Reproduced in accordance with the publisher copyright policy

University Staff: Request a correction | Enlighten Editors: Update this record