Journal of Computer Science and Technology, 2021, Vol. 36, Issue 6: 1307-1324. doi: 10.1007/s11390-021-1647-7

Special Issue: Software Systems

Special Section on Software Systems 2021, Theme: Dependable Software Engineering

HRPDF: A Software-Based Heterogeneous Redundant Proactive Defense Framework for Programmable Logic Controller

Ke Liu [1], Jing-Yi Wang [2], Qiang Wei [1,*], Zhen-Yong Zhang [2,3], Jun Sun [4], Rong-Kuan Ma [1], and Rui-Long Deng [2]

  1 State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China;
  2 College of Control Science and Engineering, Zhejiang University, Hangzhou 310027, China;
  3 College of Computer Science and Technology, Guizhou University, Guiyang 550025, China;
  4 School of Information Systems, Singapore Management University, Singapore 689867, Singapore
  • Received: 2021-06-01; Revised: 2021-11-15; Online: 2021-11-30; Published: 2021-12-01
  • Contact: Qiang Wei, E-mail: 12132013@zju.edu.cn
  • Supported by:
    This work is supported by the National Key Research and Development Program of China under Grant No. 2020YFB2010900, and the Fundamental Research Funds for the Central Universities (Zhejiang University NGICS Platform) of China under Grant No. TC190A449.

Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible, software-based defense mechanism called the Heterogeneous Redundant Proactive Defense Framework (HRPDF). HRPDF introduces a heterogeneous PLC architecture consisting of multiple heterogeneous, equivalent, and synchronous runtimes, which can thwart multiple types of attacks against the PLC without the need for external devices. To preserve the availability of the PLC, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype of HRPDF and test it on a real-world PLC and on an OpenPLC-based device. The results show that HRPDF can defend against multiple types of attacks with 10.22% additional CPU overhead, 5.56% additional memory overhead, and about 0.6 ms additional time overhead.

Key words: industrial control system; programmable logic controller; proactive defense; heterogeneous redundant architecture
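The abstract describes several equivalent runtimes executing the same control logic in lock-step so that a compromised runtime can be caught without external hardware. The following sketch, added here and not the paper's own code, models that idea with a simulated scan cycle: three runtimes receive the same input image, and an arbiter cross-checks their output images by majority vote. The pump control logic, the thresholds, the tampered runtime and the majority rule are all constructed assumptions; the abstract does not state how HRPDF arbitrates between runtimes.

```python
from collections import Counter

LOW, HIGH = 20.0, 80.0  # constructed hysteresis thresholds (tank level in %)

def runtime_a(inputs, state):
    # Runtime 1: straightforward hysteresis controller for a fill pump.
    if inputs["level"] < LOW:
        state["pump"] = True
    elif inputs["level"] > HIGH:
        state["pump"] = False
    return {"pump": state.get("pump", False)}

def runtime_b(inputs, state):
    # Runtime 2: equivalent logic written differently (stands in for heterogeneity).
    on = state.get("pump", False)
    state["pump"] = True if inputs["level"] < LOW else (False if inputs["level"] > HIGH else on)
    return {"pump": state["pump"]}

def tampered_runtime(inputs, state):
    # Constructed failure case: a runtime whose control logic has been altered so
    # that it never switches the pump off, regardless of the input image.
    return {"pump": True}

def arbitrate(runtimes, inputs, states):
    """Run one synchronous scan cycle: feed every runtime the same input image,
    vote per output tag, and report runtimes whose output diverges from the majority."""
    outputs = {name: rt(inputs, states[name]) for name, rt in runtimes.items()}
    tags = set().union(*(o.keys() for o in outputs.values()))
    image, flagged = {}, set()
    for tag in tags:
        value, count = Counter(o.get(tag) for o in outputs.values()).most_common(1)[0]
        if count * 2 <= len(outputs):
            raise RuntimeError(f"no majority for output tag {tag!r}")
        image[tag] = value
        flagged.update(n for n, o in outputs.items() if o.get(tag) != value)
    return image, sorted(flagged)

def run_cycles(runtimes, levels):
    """Simulate successive scan cycles; return (level, chosen pump state, flagged runtimes) per cycle."""
    states = {name: {} for name in runtimes}
    log = []
    for level in levels:
        image, flagged = arbitrate(runtimes, {"level": level}, states)
        log.append((level, image["pump"], flagged))
    return log

if __name__ == "__main__":
    redundant = {"A": runtime_a, "B": runtime_b, "C": tampered_runtime}
    for level, pump, flagged in run_cycles(redundant, [10.0, 50.0, 90.0]):
        print(f"level={level:5.1f} pump={pump} diverging={flagged}")
```

With all three runtimes honest, no cycle is flagged; with the tampered runtime in place, the arbiter masks its output at the high-level cycle and names it as the diverging runtime.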


ISSN 1000-9000 (Print), 1860-4749 (Online); CN 11-2296/TP

Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
Tel.: 86-10-62610746
E-mail: jcst@ict.ac.cn