Sushma Kalle (University of New Orleans), Nehal Ameen (University of New Orleans), Hyunguk Yoo (University of New Orleans), Irfan Ahmed (Virginia Commonwealth University)

This paper presents CLIK, a new remote attack on the control logic of a programmable logic controller (PLC) in industrial control systems. The control logic defines how a PLC controls a physical process such as a nuclear plant. A full control logic attack faces two critical challenges: 1) infecting the control logic in a PLC at a field site and, 2) hiding the infection from engineering software at a control center since the software can obtain the infected logic from the PLC and reveal it to a control engineer. The existing academic efforts only (partially) address the former. CLIK is a first practical control-logic attack that deals with both challenges successfully. It modifies the control logic running in a remote target PLC automatically to disrupt a physical process. CLIK also employs a new virtual PLC approach that hides the malicious modifications by engaging the engineering software with a captured network traffic of the original (uninfected) control logic. It is fully implemented on real hardware/software used in industrial settings and is made publicly available for academic research on control logic attacks1. CLIK consists of four phases and takes less than a minute to complete an attack cycle. As part of the implementation, we found a critical (zero-day) vulnerability in the password authentication mechanism of a target PLC, which allows the attacker to overwrite password hash in the PLC during the authentication process and gain access to the (protected) control logic. We have disclosed the vulnerability responsibly to the PLC vendor who has already patched the vulnerability2.

View More Papers

A Cross-Architecture Instruction Embedding Model for Natural Language Processing-Inspired...

Kimberly Redmond (University of South Carolina), Lannan Luo (University of South Carolina), Qiang Zeng (University of South Carolina)

Read More

FirmDiff: Improving the Configuration of Linux Kernels Geared Towards...

Ioannis Angelakopoulos (Boston University), Gianluca Stringhini (Boston University), Manuel Egele (Boston University)

Read More

JMPscare: Introspection for Binary-Only Fuzzing

Dominik Maier, Lukas Seidel (TU Berlin)

Read More

Symbolic Path Tracing to Find Android Permission-Use Triggers

Kristopher Micinski (Haverford College), Thomas Gilray (University of Alabama, Birmingham), Daniel Votipka (University of Maryland), Michelle L. Mazurek (University of Maryland), Jeffrey S. Foster (Tufts University)

Read More