Firmware modification attacks on programmable logic controllers

Recent attacks on industrial control systems, such as the highly publicized Stuxnet malware, have intensified a “race to the bottom” where lower-level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physical outputs, can be easily modified at the user level. Efforts directed at protecting against firmware modification are hindered by the lack of foundational research about attack development and implementation. This paper examines the vulnerability of PLCs to intentional firmware modifications in order to obtain a better understanding of the threats posed by PLC firmware modification attacks and the feasibility of these attacks. A general firmware analysis methodology is presented, and a proof-of-concept experiment is used to demonstrate how legitimate firmware can be updated and uploaded to an Allen-Bradley ControlLogix L61 PLC.