GitHub - zeyuid/ARES: Reverse Engineering Physical Semantics of PLC Program Variables Using Control Invariants
ARES

Unveiling Physical Semantics of PLC Variables Using Control Invariants

Prepare the PLC-Twin

  1. The software PLC is built on Awlsim, an S7-compatible software programmable logic controller.

    The modifications are:
    1). A process-mimicking module (./awlsim/Process_mimic), which must be stored at the root of the Awlsim tree.
    2). A revised debugging module (./awlsim/awlsimhw_debug) that supports acquisition of the PLC memory state and online attack detection.
    3). A PLC simulation project (./awlsim/Elevator_300project.awlpro) that allows the PLC execution to be rebooted quickly.
    4). Revisions to existing Awlsim functions (for example ./awlsim/core/hardware.py) that define the data interface of the ./awlsim/Process_mimic module.

     cd ./awlsim
     python awlsim-server Elevator_300project.awlpro
     python awlsim-client -r RUN  
     python awlsim-client -r Stop 
    
  2. The hardware PLC is accessed through the OpenOPC for Python library.

    The interface for reading and writing PLC memory is defined as an Opc class:

     from hardware_interface.Opc import Opc   # assumes the class lives in ./hardware_interface/Opc.py
    

Construct Gcode

Taking the PLC IL (STL) program as input, the parser extracts the dependencies between input and output variables; the resulting dependency graph is Gcode.

cd ./STL_Parser
python -m core.main
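To show what the parser computes, here is an added example (not the STL_Parser shipped with ARES) that extracts input-to-output dependencies from a constructed STL fragment. It tracks which operands feed the current RLO (bit logic) and the two accumulators (load/transfer/arithmetic/compare), emits "source -> sink" edges, and follows chains through memory bits and words so that only PLC inputs and physical outputs remain. The program text, instruction subset and elevator semantics are constructed for the example.

```python
"""
Added example, not the ARES STL_Parser: a minimal dependency extractor for
Siemens STL (IL).  It walks a constructed STL fragment, tracks which operands
feed the current RLO (bit logic) and the two accumulators (L/T/arithmetic),
and emits the Gcode edges "source operand -> sink operand".  Instruction
coverage is deliberately small; real STL has many more instructions.
"""
import re
from collections import defaultdict

# Constructed STL fragment for a toy elevator (not from Elevator_300project).
STL_PROGRAM = """
      A     I 0.0          // call button pressed
      AN    I 0.1          // door not blocked
      =     M 0.0          // request latch
      A     M 0.0
      A     "Door_Closed"  // symbolic input
      =     Q 0.0          // motor run
      L     MW 10          // current floor (internal state)
      L     IW 2           // floor encoder input
      +I
      T     MW 12          // next floor
      L     MW 12
      T     QW 0           // floor display
      L     4
      ==I                  // next floor == 4 ?
      =     Q 0.1          // top-floor lamp
"""

BIT_LOGIC = {"A", "AN", "O", "ON", "X", "XN"}
BIT_SINKS = {"=", "S", "R"}
ARITH = {"+I", "-I", "*I", "/I", "+D", "-D", "*D", "/D", "+R", "-R", "*R", "/R"}
COMPARE = {"==I", "<>I", ">I", "<I", ">=I", "<=I",
           "==D", "<>D", ">D", "<D", ">=D", "<=D"}

def parse_stl(program):
    """Return the set of (source, sink) dependency edges implied by the program."""
    edges = set()
    rlo = set()                 # operands that currently contribute to the RLO
    acc = [set(), set()]        # operands behind ACC1 and ACC2
    for raw in program.splitlines():
        line = raw.split("//")[0].strip()      # drop comments
        if not line:
            continue
        op, _, rest = line.partition(" ")
        operand = rest.replace(" ", "")        # "I 0.0" -> "I0.0"
        if op in BIT_LOGIC:
            rlo.add(operand)
        elif op in BIT_SINKS:
            edges.update((src, operand) for src in rlo)
            if op == "=":                      # '=' closes the logic chain; S/R do not
                rlo = set()
        elif op == "L":                        # load: ACC1 -> ACC2, operand -> ACC1
            loaded = set() if re.fullmatch(r"-?\d+(\.\d+)?", operand) else {operand}
            acc = [loaded, acc[0]]             # numeric constants carry no dependency
        elif op == "T":                        # transfer ACC1 to the operand
            edges.update((src, operand) for src in acc[0])
        elif op in ARITH:                      # ACC1 := ACC1 op ACC2
            acc = [acc[0] | acc[1], set()]
        elif op in COMPARE:                    # comparison result goes into the RLO
            rlo |= acc[0] | acc[1]
    return edges

def upstream_sources(edges):
    """For every sink, the transitive set of sources feeding it (follows M/MW chains)."""
    preds = defaultdict(set)
    for src, dst in edges:
        preds[dst].add(src)

    def walk(node, seen):
        for p in preds[node]:
            if p not in seen:
                seen.add(p)
                walk(p, seen)
        return seen

    return {node: walk(node, set()) for node in list(preds)}

def gcode_io_dependencies(program):
    """Gcode restricted to PLC inputs (I*, IW*, symbols) feeding physical outputs (Q*, QW*)."""
    closure = upstream_sources(parse_stl(program))
    return {out: {s for s in srcs if not s.startswith("M")}
            for out, srcs in closure.items() if out.startswith("Q")}
```

`gcode_io_dependencies(STL_PROGRAM)` maps Q0.0 to {I0.0, I0.1, "Door_Closed"} and both QW0 and Q0.1 to {IW2}: the memory word MW12 is an intermediate, so it disappears from the input/output view, while the comparison `==I` correctly turns an accumulator dependency into a bit-logic one.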

Construct Gdata

From historical SCADA data, the graph construction infers causal relations between sensor readings and control commands; the result is Gdata.

The construction of Gdata consists of two basic modules:

  1. Identify the node set with ./ares/node_classification.m.

    example:
    load('./data_withoutattack/elevator_data_training.mat', 'data_raw');
    threshold = 0.1;
    [sensor_set, command_set, command_delayed_set, ~, ~, ~, redundant_id, constant_id] = node_classification(data_raw, threshold)
    
  2. Identify the edge set with ./ares/EdgeSetConstruction.m.

    % identify_length, info_delta_min, occupation_min, transferdelay, autocorrelation and tau must be set beforehand
    [G_data, ~] = EdgeSetConstruction(data_raw(1:identify_length, :), sensor_set, command_set, command_delayed_set, redundant_id, info_delta_min, occupation_min, transferdelay, autocorrelation, tau)
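The following is an added Python illustration of the two Gdata steps, not a port of node_classification.m or EdgeSetConstruction.m. Step 1 sorts tags into constants, redundant copies, Boolean commands and continuous sensors; step 2 adds a command-to-sensor edge when the command level is correlated with the sensor's subsequent change at some lag up to tau. The SCADA log, the lagged-correlation test and the threshold values are all constructed for the example; ARES's own causality test is not reproduced here.

```python
"""
Added example, not ARES's node_classification.m / EdgeSetConstruction.m: a
Python re-creation of the two Gdata steps on a constructed SCADA log.
Step 1 sorts tags into constants, redundant copies, Boolean commands and
continuous sensors.  Step 2 adds a command -> sensor edge when the command
level is correlated with the sensor's subsequent change (lagged Pearson
correlation on the first difference), one simple causality test; the test
ARES's own EdgeSetConstruction.m applies is not reproduced here.
"""

def build_log(n=80, delay=2):
    """Constructed SCADA log (tag -> samples): the car position starts rising
    `delay` samples after Motor_Up is asserted; the door command is unrelated."""
    motor_up = [1 if 10 <= t < 40 else 0 for t in range(n)]
    door_open = [1 if 50 <= t < 60 else 0 for t in range(n)]
    pos = [0.0]
    for t in range(1, n):
        drive = motor_up[t - delay] if t >= delay else 0
        pos.append(pos[-1] + 0.5 * drive)
    return {
        "Motor_Up": motor_up,
        "Door_Open": door_open,
        "Car_Position": pos,
        "Car_Position_Mirror": list(pos),   # redundant copy of another tag
        "Rated_Load_kg": [1000] * n,        # constant tag
    }

def classify_nodes(log):
    """Return (command_set, sensor_set, redundant_id, constant_id)."""
    commands, sensors, redundant, constant = [], [], [], []
    seen = set()
    for tag, series in log.items():
        key = tuple(series)
        if key in seen:                     # identical to an earlier tag
            redundant.append(tag)
            continue
        seen.add(key)
        distinct = set(series)
        if len(distinct) == 1:
            constant.append(tag)
        elif distinct <= {0, 1}:            # Boolean: a control command
            commands.append(tag)
        else:                               # multi-valued: a sensor reading
            sensors.append(tag)
    return commands, sensors, redundant, constant

def pearson(x, y):
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return 0.0 if sxx == 0 or syy == 0 else sxy / (sxx * syy) ** 0.5

def lagged_effect(cmd, sensor, tau):
    """Best lag in 0..tau and the correlation between cmd[t] and
    delta[t+lag], where delta[t] = sensor[t] - sensor[t-1]."""
    delta = [0.0] + [b - a for a, b in zip(sensor, sensor[1:])]
    best_lag, best_r = 0, 0.0
    for lag in range(tau + 1):
        r = pearson(cmd[:len(cmd) - lag], delta[lag:])
        if abs(r) > abs(best_r):
            best_lag, best_r = lag, r
    return best_lag, best_r

def build_edges(log, commands, sensors, tau=5, threshold=0.8):
    """Gdata edge set: (command, sensor) -> (lag, correlation) above threshold."""
    edges = {}
    for c in commands:
        for s in sensors:
            lag, r = lagged_effect(log[c], log[s], tau)
            if abs(r) >= threshold:
                edges[(c, s)] = (lag, round(r, 3))
    return edges
```

On the constructed log, classification yields commands {Motor_Up, Door_Open}, one sensor (Car_Position), one redundant tag and one constant tag, and the edge search finds a single edge Motor_Up -> Car_Position at lag 2, recovering the delay built into the data; Door_Open correlates only weakly (about -0.3) and is rejected.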
    

Construct Gcross

With Gcode and Gdata identified, the matching algorithm enumerates and validates all feasible one-to-one mappings between PLC program variables and SCADA data variables; the validated mapping is Gcross.

The construction of Gcross has two essential modules:

  1. Schedule the feasible mappings by dynamic programming (./ares/Graph_mapping.m).

    % exemplary parameters
    mapping_threshold = 0.95;
    mapping_greedy = 1;
    savefilepath = "./data/Graphs/Graphs_length7000_occup1_info_1.000000e-01/mapping_results";
    mapping_data_period = 1:7000;
    data_for_mapping = data_raw(mapping_data_period, :);

    [Mappings, ~, ~] = Graph_mapping(G_code, G_data, data_for_mapping, redundant_id, constant_id, mapping_threshold, mapping_greedy, savefilepath);
    
  2. Validate each feasible mapping by calling the PLC-Twin (./ares/PLC_Twin_CORE.m).

    % inputs: the sensor readings used for verification
    % initialization: the first record of the SCADA log, used to initialise the PLC-Twin
    [OUTPUTS] = PLC_Twin_CORE(inputs, initialization);
    

An integrated example for constructing Gcross:

cd ./ares
mrun Mapping_Parameters_analysis_CENTOR.m 
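The two Gcross modules, as an added example rather than ARES's Graph_mapping.m or PLC_Twin_CORE.m. Step 1 enumerates one-to-one, type-respecting mappings from program variables to SCADA tags by backtracking, pruning as soon as more Gcode edges are unpreserved in Gdata than mapping_threshold allows. Step 2 replays a SCADA log through a PLC twin and scores each surviving mapping by how often the twin's commands match the logged ones. The graphs, tags, log and the four-line twin are all constructed for the example; a decoy tag ("Fan") is included to show why the structural step alone is not enough.

```python
"""
Added example, not ARES's Graph_mapping.m / PLC_Twin_CORE.m: the two Gcross
steps on constructed graphs.  Step 1 enumerates one-to-one, type-respecting
mappings from program variables to SCADA tags by backtracking, pruning as soon
as more Gcode edges are unpreserved in Gdata than mapping_threshold allows.
Step 2 validates each surviving mapping by replaying the SCADA log through a
PLC twin and scoring how often the twin's commands match the logged ones.
The twin here is a stand-in for PLC_Twin_CORE; the graphs, tags and log are
constructed for the example.
"""

# Gcode: program variables (inputs vs outputs) and their dependency edges.
CODE_VARS = {"I0.0": "in", "I0.1": "in", "Q0.0": "out", "Q0.1": "out"}
CODE_EDGES = {("I0.0", "Q0.0"), ("I0.1", "Q0.0"), ("I0.1", "Q0.1")}

# Gdata: SCADA tags (sensors vs commands) and the causal edges found in the log.
# Constant and redundant tags are assumed to have been dropped already.
# "Fan" is a decoy: it shares Alarm's only predecessor, so structure alone
# cannot tell Q0.1 -> Alarm from Q0.1 -> Fan.
DATA_VARS = {"Call_Btn": "sensor", "Door_Blocked": "sensor",
             "Motor_Run": "command", "Alarm": "command", "Fan": "command"}
DATA_EDGES = {("Call_Btn", "Motor_Run"), ("Door_Blocked", "Motor_Run"),
              ("Door_Blocked", "Alarm"), ("Door_Blocked", "Fan")}
COMPATIBLE = {"in": "sensor", "out": "command"}

# Constructed SCADA log: every input combination, three times over.
LOG = [{"Call_Btn": c, "Door_Blocked": d, "Motor_Run": int(c and not d),
        "Alarm": d, "Fan": int(c and d)} for c in (0, 1) for d in (0, 1)] * 3

def enumerate_mappings(mapping_threshold=0.95):
    """All injective var -> tag mappings preserving at least mapping_threshold
    of the Gcode edges in Gdata (input <-> sensor, output <-> command only)."""
    order = sorted(CODE_VARS)
    budget = int(round(len(CODE_EDGES) * (1 - mapping_threshold)))  # unpreserved edges allowed
    found = []

    def unpreserved(assign):
        return sum(1 for s, d in CODE_EDGES
                   if s in assign and d in assign
                   and (assign[s], assign[d]) not in DATA_EDGES)

    def extend(i, assign):
        if unpreserved(assign) > budget:        # prune: cannot be repaired later
            return
        if i == len(order):
            found.append(dict(assign))
            return
        var = order[i]
        for tag, kind in DATA_VARS.items():
            if kind == COMPATIBLE[CODE_VARS[var]] and tag not in assign.values():
                assign[var] = tag
                extend(i + 1, assign)
                del assign[var]

    extend(0, {})
    return found

def plc_twin(inputs):
    """Stand-in for PLC_Twin_CORE: the motor runs on a call unless the door is
    blocked; the alarm follows the door sensor."""
    return {"Q0.0": inputs["I0.0"] and not inputs["I0.1"],
            "Q0.1": inputs["I0.1"]}

def agreement(mapping, log, twin=plc_twin):
    """Fraction of (sample, output) pairs where the twin reproduces the log."""
    hits = total = 0
    for row in log:
        inputs = {v: bool(row[t]) for v, t in mapping.items() if CODE_VARS[v] == "in"}
        predicted = twin(inputs)
        for v, t in mapping.items():
            if CODE_VARS[v] == "out":
                total += 1
                hits += predicted[v] == bool(row[t])
    return hits / total

def best_mapping(log, mapping_threshold=0.95):
    """Step 1 then step 2: the feasible mapping the twin agrees with most."""
    scored = [(agreement(m, log), m) for m in enumerate_mappings(mapping_threshold)]
    score, mapping = max(scored, key=lambda sm: sm[0])
    return mapping, score
```

With mapping_threshold = 0.95 the structural step leaves exactly two candidates, differing only in whether Q0.1 is Alarm or Fan; replaying the log through the twin scores the Alarm mapping at 1.0 and the Fan decoy at 0.875, which is the disambiguation the PLC-Twin validation step provides.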

Defense against ARES

Detect semantic attacks

Implementing real-time detection for industrial control systems relies on detailed information about the devices and software. We showcase the deployment of the designed attack detection in our Elevator Control System (ECS), based on the PLC-Twin.

  1. Prepare the ICS detection environment.

    1). Install Siemens WinCC software in ECS.
    2). Deploy a SCADA system, supporting the data logging.

  2. Install the required packages.

    pip install -r requirements.txt
    
  3. Build the attack detection on the PLC-Twin, which comprises:

    1). A setup interface (./detection/Elevator_300project.awlpro)

     python awlsim-server Elevator_300project.awlpro
     python awlsim-client -r RUN  
     python awlsim-client -r Stop 
    

    2). The attack detection (./detection/awlsimhw_debug/main.py)

     A CUSUM-based attack detector, loaded automatically when the ".awlpro" 
     project is started. 
    

    3). A data acquisition interface based on OpenOPC (./detection/awlsimhw_debug/readOpc.py)

     Collects sensor readings and control commands from the SCADA database over OPC, 
     using the "OpenOPC" Python library (note that OpenOPC implements classic OPC DA 
     rather than OPC UA). Loaded automatically when the ".awlpro" project is started. 
    

    4). Other utilities for data acquisition and conversion (./detection/utilsConvert/utilsConvert.py)

     Converts data between Awlsim and the SCADA database. 
     Loaded automatically when the ".awlpro" project is started. 
    

Respond to semantic attacks

Once an attack is detected, the response strategy is activated automatically, based on the compromised program variables and their expected values.

  1. Localize the compromised program variables using the cross-domain mappings between SCADA data and the PLC program.
     Integrated in "./detection/awlsimhw_debug/main.py". 
  2. Generate the expected values of the compromised program variables.
     Integrated in "./detection/awlsimhw_debug/main.py". 
  3. Construct the response packets and send them to the victim PLC.
     Achieved by exploiting the "Force" function of industrial communication protocols. 

The exploitation of the "Force" function for Siemens and Rockwell PLCs will be released later.
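The detection and the first two response steps above, as an added example that is not the code in ./detection/awlsimhw_debug/main.py: a two-sided CUSUM detector on the residual between the value the PLC-Twin predicts for a variable and the value the SCADA log reports, followed by a per-tag localization that returns the sample index of the alarm and the twin's expected value there (the value a response would re-force). The twin output is stood in for by a constructed series, and the drift k and threshold h are assumed tuning values, not ARES's. The "Force" step itself is deliberately not shown, consistent with the section above.

```python
"""
Added example, not the detection code in ./detection/awlsimhw_debug/main.py:
a two-sided CUSUM detector on the residual between the value a PLC twin
predicts for a variable and the value the SCADA log reports for it, plus the
localisation step the response needs (which variable, and what the twin says
it should be).  The twin output is stood in for by a constructed series; the
drift k and threshold h are assumed tuning values, not ARES's.
"""

def cusum(observed, predicted, k=0.05, h=0.5):
    """Return the index of the first sample where either one-sided CUSUM
    statistic exceeds h, or None.  k is the per-sample drift that lets
    isolated glitches decay instead of accumulating."""
    s_plus = s_minus = 0.0
    for t, (o, p) in enumerate(zip(observed, predicted)):
        r = o - p                              # residual: log minus twin
        s_plus = max(0.0, s_plus + r - k)      # accumulates positive bias
        s_minus = max(0.0, s_minus - r - k)    # accumulates negative bias
        if s_plus > h or s_minus > h:
            return t
    return None

def constructed_series(n=100, spike_at=20, attack_start=60, bias=0.12):
    """Twin prediction for a car-position tag, and a logged copy that carries
    one glitch (must not alarm) and a small constant offset from attack_start
    on (a stealthy semantic attack that should alarm)."""
    predicted = [float(t % 10) for t in range(n)]
    observed = list(predicted)
    observed[spike_at] += 0.3
    for t in range(attack_start, n):
        observed[t] += bias
    return observed, predicted

def localise(observed_by_tag, predicted_by_tag, **cusum_kw):
    """Run one detector per tag; for each alarm report the sample index and
    the twin's expected value there, which is what the response re-forces."""
    report = {}
    for tag, observed in observed_by_tag.items():
        predicted = predicted_by_tag[tag]
        t = cusum(observed, predicted, **cusum_kw)
        if t is not None:
            report[tag] = {"alarm_at": t,
                           "expected": predicted[t],
                           "observed": observed[t]}
    return report
```

The single 0.3 glitch at sample 20 raises the positive statistic to 0.25 and then decays by k per sample, so no alarm is raised; the 0.12 offset from sample 60 on adds 0.07 per sample and crosses h = 0.5 at sample 67, where the report names the tag and its expected value 7.0. A negative offset of the same size is caught at the same sample by the other branch.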

Legal and Ethical Considerations

The response to semantic attacks is built on the "Force" function of industrial communication protocols. Since the same "Force" function can be used by adversaries against real industrial control systems, for legal and ethical reasons the exploitation of the "Force" function will be published only once the authentication weaknesses of the protocols have been fixed.

Cite

If you use ARES in your research, please cite Unveiling Physical Semantics of PLC Variables Using Control Invariants.

bibtex
@article{yang2024Unveiling,
  title={Unveiling Physical Semantics of PLC Variables Using Control Invariants},
  author={Yang, Zeyu and He, Liang and Ruan, Yucheng and Cheng, Peng and Chen, Jiming},
  journal={IEEE Transactions on Dependable and Secure Computing},
  year={2024},
  publisher={IEEE}
}
