An evaluation of modification attacks on programmable logic controllers

Unprotected supervisory control and data acquisition (SCADA) systems offer promising targets to potential attackers. Field devices, such as programmable logic controllers (PLCs), are of particular concern because they directly monitor and control industrial processes. Although attacks targeting SCADA systems have increased, relatively little research has focused on exploring the vulnerabilities directly associated with the exploitation of field devices. Attacks such as Stuxnet have targeted operating characteristics, but not low-level firmware code. As attacks increase in sophistication, it is reasonable to expect increased exploitation of the field device firmware.This paper examines the feasibility of modifying PLC firmware to execute remotely-triggered attacks. A general method is used to reverse engineer the firmware to determine its structure. After the structure is understood, the firmware is modified to add an exploitable feature that can remotely disable a PLC. The attacks described in this paper utilize a variety of triggers and leverage existing functions to exploit PLCs. Important segments of the firmware are described to demonstrate how they can be used in attack development. Finally, design recommendations are suggested to help mitigate potential weaknesses in future firmware development.