Detection of Unauthorized Changes in a PLC’s Logic

April 27, 2016

Deep Packet Inspection (DPI) of industrial network traffic is one of the fundamental technologies currently used to protect ICS networks. Using this technology, security products are able to accurately identify the industrial commands and parameters being sent.

In this way they can analyze the industrial commands, physical values and tags carried by industrial protocols such as Modbus, DNP3.0, IEC-104, IEC 61850 and so on.

As the number of attacks against ICS networks has increased in recent years, more and more ICS operators have begun to realize that security devices and measures designed for mainstream IT simply cannot provide an in-depth view of the industrial protocols, which limits their effectiveness against ICS network attacks. For ICS security officers, industrial DPI became the go-to technology.

That said, I can safely claim that even DPI for industrial protocols is not enough, and the reason is related to the way engineers use PLCs.

Setting up a PLC in an ICS network

In order to set up a PLC to operate inside an ICS network (or inside an ICS component), the engineer has to take a few prerequisite steps. First, design the hardware installation and the PLC's input and output wiring to match the physical device. Second, download the control program to the controller. Lastly, send a start command to the controller to make it begin operating. All of these actions are done using the PLC vendor's configuration software.

The protocols these software applications use to operate the PLCs are NOT standard (open) industrial protocols. They are management protocols, and most of them are proprietary. Even when they are built on top of a standard industrial protocol, they carry proprietary data.

Now comes the best part: an attacker capable of researching and understanding these protocols would be able to use them without the management software, and would also be able to use them in the field. Hence, the ICS attacker wouldn't really need a solid understanding of the process. Using reverse engineering, the attacker would be able to issue these management commands and simply turn off controllers (very easy) or change their control software.

How does Radiflow handle this type of threat?

To mitigate the risk of an attacker taking control of ICS controllers, we at Radiflow regularly conduct thorough research, the same way an attacker would: we research the management protocols and identify the dangerous management commands.

Then, we deploy detection code for these sensitive commands. Radiflow's advanced research helps the user to (i) gain visibility into the use of the management commands, and (ii) prevent their usage. This way, in addition to the industrial DPI, users are able to set policies for the behavior of management commands.

Radiflow’s IDS screenshot: Detection of Firmware Update and Stop Controller Commands
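As an added illustration of the policy layer described above (example code written for this page, not Radiflow's own detection code): a small Python check that takes management commands already decoded by a DPI engine and flags those sent from a host that is not an authorised engineering workstation, or sent outside a maintenance window. The host addresses, command names, protocol labels and maintenance window are constructed assumptions.

```python
"""Added example: policy evaluation over PLC management commands already
decoded by a DPI engine. Hosts, command names and the record layout are
constructed placeholders, not real protocol function codes or captures."""
from dataclasses import dataclass

# Management commands that change a controller's state or logic.
SENSITIVE = {"STOP_CPU", "START_CPU", "DOWNLOAD_PROGRAM", "FIRMWARE_UPDATE"}

# Policy: engineering workstation -> PLCs it may manage (constructed addresses).
ALLOWED = {"10.0.1.10": {"10.0.2.5", "10.0.2.6"}}
# Policy: management commands are expected only inside the maintenance window.
MAINTENANCE_HOURS = range(8, 18)  # 08:00-17:59

@dataclass(frozen=True)
class Event:
    hour: int       # hour of day from the capture timestamp
    src: str
    dst: str
    protocol: str
    command: str    # command name as decoded by the DPI engine

def classify(ev: Event) -> str:
    """Return 'ok', 'visibility' or 'alert' for one decoded command."""
    if ev.command not in SENSITIVE:
        return "ok"                # ordinary process traffic (reads/writes)
    if ev.dst not in ALLOWED.get(ev.src, set()):
        return "alert"             # not an authorised workstation/PLC pair
    if ev.hour not in MAINTENANCE_HOURS:
        return "alert"             # authorised pair, but outside the window
    return "visibility"            # permitted; still logged for the record

def alerts(events):
    """Events that violate the management-command policy."""
    return [ev for ev in events if classify(ev) == "alert"]

# Constructed sample of decoded events (not a real capture).
SAMPLE = [
    Event(10, "10.0.3.20", "10.0.2.5", "modbus", "READ_HOLDING_REGISTERS"),
    Event(10, "10.0.1.10", "10.0.2.5", "vendor-mgmt", "DOWNLOAD_PROGRAM"),
    Event(10, "10.0.3.20", "10.0.2.5", "vendor-mgmt", "STOP_CPU"),
    Event(2, "10.0.1.10", "10.0.2.6", "vendor-mgmt", "FIRMWARE_UPDATE"),
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(f"{classify(ev):10} {ev.src} -> {ev.dst} {ev.protocol} {ev.command}")
```

In a real deployment the same checks would be fed by the DPI engine's decoded records and the policy tables would come from the asset inventory rather than being hard-coded.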