DOI: 10.1145/3627106.3627179
SePanner: Analyzing Semantics of Controller Variables in Industrial Control Systems based on Network Traffic

Published: 04 December 2023

Abstract

Programmable logic controllers (PLCs), the essential components of critical infrastructure, play a crucial role in many industrial manufacturing processes. Recent attack events show that attackers have a strong interest in tampering with controller variables such as the device status and the internal program logic. A typical attack strategy is simply to send malicious network traffic of an industrial control protocol (ICP) that changes the controller variables of a PLC. To defend against this attack, many countermeasures have been proposed that detect anomalies in network traffic based on semantic analysis.
However, the proprietary nature of ICPs makes it hard to extract the semantics needed to evaluate the controller variables. In this paper, we propose a novel framework named SePanner that extracts the semantics of controller variables from proprietary ICPs based on network traffic. Specifically, SePanner first performs a multi-state comparison to locate the semantic fields directly, then removes interfering fields through a single-state comparison and filtering criteria. Our experiments demonstrate that SePanner can precisely extract the semantics of controller variables from proprietary ICPs, providing protection for PLCs while remaining compatible with various proprietary binary protocols.
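As an added illustration of the two comparisons the abstract describes (this is not the paper's code): messages captured under several known controller states are compared offset by offset; an offset whose values differ between states is a candidate semantic field, and a candidate that also varies within a single state (counters, checksums) is an interfering field and is dropped. The message layout, the state labels and the merging of adjacent offsets into fields are assumptions made here.

```python
def byte_columns(messages):
    """Transpose equal-length messages into one set of observed values per offset."""
    length = len(messages[0])
    assert all(len(m) == length for m in messages), "compare one message type only"
    return [{m[i] for m in messages} for i in range(length)]

def multi_state_candidates(by_state):
    """Multi-state comparison: offsets whose observed values differ between at
    least two controller states are candidate semantic fields."""
    cols = {s: byte_columns(msgs) for s, msgs in by_state.items()}
    length = min(len(c) for c in cols.values())
    return {i for i in range(length)
            if len({frozenset(c[i]) for c in cols.values()}) > 1}

def single_state_noise(by_state):
    """Single-state comparison: offsets that change while the state is fixed
    (sequence counters, cycle counters, checksums) are interfering fields."""
    return {i for msgs in by_state.values()
            for i, vals in enumerate(byte_columns(msgs)) if len(vals) > 1}

def semantic_fields(by_state):
    """Candidates minus interfering offsets, merged into contiguous fields and
    mapped to the single value each state produced there."""
    keep = sorted(multi_state_candidates(by_state) - single_state_noise(by_state))
    fields = []
    for off in keep:
        if fields and fields[-1][1] == off:      # extend a contiguous field
            fields[-1][1] = off + 1
        else:
            fields.append([off, off + 1])
    return {(a, b): {s: msgs[0][a:b].hex() for s, msgs in by_state.items()}
            for a, b in fields}

# Constructed captures of one response type (the layout is an assumption): 2-byte
# magic, 1-byte sequence counter, 1-byte mode, 2-byte cycle counter, XOR checksum.
def _msg(seq, mode, cycles):
    body = bytes([0x5A, 0xA5, seq, mode]) + cycles.to_bytes(2, "big")
    xor = 0
    for b in body:
        xor ^= b
    return body + bytes([xor])

CAPTURES = {
    "RUN":  [_msg(1, 0x08, 1279), _msg(2, 0x08, 1280), _msg(3, 0x08, 1281)],
    "STOP": [_msg(4, 0x04, 1281), _msg(5, 0x04, 1281), _msg(6, 0x04, 1281)],
}

if __name__ == "__main__":
    # Only offset 3 (the mode byte) survives: {(3, 4): {'RUN': '08', 'STOP': '04'}}
    print(semantic_fields(CAPTURES))
```

The sequence counter, the cycle counter and the checksum all pass the multi-state check but are removed by the single-state check, which is the role the abstract gives that step.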


    Published In

    ACSAC '23: Proceedings of the 39th Annual Computer Security Applications Conference
    December 2023
    836 pages
    ISBN:9798400708862
    DOI:10.1145/3627106

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Badges

    • Best Paper

    Author Tags

    1. Industrial Control System Security
    2. Network traffic
    3. Programmable Logic Controller
    4. Semantics of controller variables

    Qualifiers

    • Research-article
    • Research
    • Refereed limited

    Conference

    ACSAC '23

    Acceptance Rates

    Overall Acceptance Rate 104 of 497 submissions, 21%
