Empirical Study of PLC Authentication Protocols in Industrial Control Systems



Programmable logic controllers (PLCs) run a 'control logic' program that defines how a physical process, such as a nuclear plant, a power grid station, or a gas pipeline, is controlled. Attackers target a PLC's control logic to sabotage the physical process. Most PLCs employ password-based authentication mechanisms to prevent unauthorized remote access to the control logic. This paper presents an empirical study of the proprietary authentication mechanisms in five industry-scale PLCs to understand the security-design practices of four popular ICS vendors: Allen-Bradley, Schneider Electric, AutomationDirect, and Siemens. The study determines whether the mechanisms are vulnerable by design and can be exploited. It reveals serious design issues and vulnerabilities in the authentication mechanisms, including lack of a nonce, small encryption keys, weak encryption schemes, and client-side authentication. The study further confirms these findings empirically by creating and testing proof-of-concept exploits derived from the MITRE ATT&CK knowledge base of adversary tactics and techniques. Unlike existing work, the study relies solely on network traffic examination and does not employ the usual reverse engineering of binary files (e.g., PLC firmware) to reveal the seriousness of the design problems. Moreover, the study covers PLCs from different vendors to highlight an industry-wide PLC authentication security problem that needs to be addressed.
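Two of the design flaws named in the abstract, a missing nonce and client-side authentication, are easiest to understand from a toy protocol. The following is an added illustration written for this page; it is not the paper's code and does not model any of the vendors' real PLC protocols. The HMAC-based challenge-response format, the shared password, and the class and function names are all assumptions chosen for the demonstration.

```python
"""Toy password-based PLC authentication, in three variants, to show why a
static (nonce-free) challenge is replayable and why a check performed only
in the client can be bypassed by a modified client. Constructed example;
not derived from any real PLC protocol."""
import hashlib
import hmac
import os

# Assumed shared secret provisioned on the simulated PLC (constructed value).
PASSWORD = b"correct horse"


def _response(password: bytes, challenge: bytes) -> bytes:
    """Assumed response format: HMAC-SHA256 of the challenge under the password."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class StaticChallengePLC:
    """Variant 1: the 'challenge' never changes, i.e. there is no nonce."""
    CHALLENGE = b"\x00" * 16

    def challenge(self) -> bytes:
        return self.CHALLENGE

    def verify(self, response: bytes) -> bool:
        return hmac.compare_digest(response, _response(PASSWORD, self.CHALLENGE))


class NoncedPLC:
    """Variant 2: a fresh random, single-use challenge per session."""

    def __init__(self) -> None:
        self._pending = None

    def challenge(self) -> bytes:
        self._pending = os.urandom(16)
        return self._pending

    def verify(self, response: bytes) -> bool:
        if self._pending is None:
            return False
        ok = hmac.compare_digest(response, _response(PASSWORD, self._pending))
        self._pending = None  # a challenge can only be answered once
        return ok


class ClientSideAuthPLC:
    """Variant 3: the PLC trusts the engineering software's verdict. The
    password comparison happens in the client; the device only receives
    an 'authenticated' flag."""

    def verify(self, client_says_ok: bool) -> bool:
        return client_says_ok


def legitimate_login(plc, password: bytes):
    """Honest client for variants 1 and 2; returns (response, accepted)."""
    resp = _response(password, plc.challenge())
    return resp, plc.verify(resp)


def replay_attack(plc, captured_response: bytes) -> bool:
    """Attacker who sniffed a valid response opens a new session and
    replays it without knowing the password."""
    plc.challenge()
    return plc.verify(captured_response)


def replay_demo(plc_cls):
    """Returns (legitimate login accepted, replayed response accepted)."""
    plc = plc_cls()
    resp, ok = legitimate_login(plc, PASSWORD)
    return ok, replay_attack(plc, resp)


def honest_client_login(plc: ClientSideAuthPLC, typed_password: bytes) -> bool:
    """Unmodified client: compares the password locally, reports the result."""
    return plc.verify(hmac.compare_digest(typed_password, PASSWORD))


def patched_client_login(plc: ClientSideAuthPLC) -> bool:
    """Modified client: skips the local comparison and simply claims success."""
    return plc.verify(True)


if __name__ == "__main__":
    print("static challenge (legit, replay):", replay_demo(StaticChallengePLC))
    print("nonced challenge (legit, replay):", replay_demo(NoncedPLC))
    print("client-side auth, wrong password:", honest_client_login(ClientSideAuthPLC(), b"guess"))
    print("client-side auth, patched client:", patched_client_login(ClientSideAuthPLC()))
```

With the static challenge a single captured exchange is enough to log in forever; the nonced variant rejects the same replay because the response is bound to a value the attacker cannot predict. In the client-side variant the server never sees the password at all, so no amount of server-side hardening helps: the check has to move onto the device.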

Adeen Ayub is a PhD student at Virginia Commonwealth University, Richmond, Virginia. Her research interests include device firmware and network protocol reverse engineering, digital forensics, and vulnerability discovery in industrial control systems.

Dr. Hyunguk Yoo received his Ph.D. in Computer Engineering from Ajou University, South Korea in 2017 and his B.S. degree in Information and Computer Engineering from the same university in 2011. He is currently an assistant professor in the Department of Computer Science at the University of New Orleans in Louisiana, USA. His research interests lie in systems security, digital forensics, cyber-physical systems security, and applied machine learning.


Dr. Irfan Ahmed is an Associate Professor of Computer Science at Virginia Commonwealth University (VCU). He is the Director of the Security and Forensics Engineering (SAFE) Research Lab. He is also a faculty fellow of VCU Cybersecurity Center. Before VCU, Ahmed was a Canizaro-Livingston Endowed Assistant Professor in Cybersecurity at the University of New Orleans (UNO), New Orleans, LA. His research interests are broadly in the area of cybersecurity, currently focusing on digital forensics, malware, cyber-physical systems, and cybersecurity education. Ahmed is a recipient of the ORAU Ralph E. Powe Junior Faculty Enhancement Award, an Outstanding Research Award from the American Academy of Forensic Sciences (AAFS), and the UNO’s Early Career Research Prize. His research group has received three Best Paper Awards at DFRWS'20, ISC'13, and ICRC'11, and an Outstanding Poster Award at CODASPY'16.

License: CC-2.5
Submitted by Irfan Ahmed on