
Attacking the IEC-61131 Logic Engine in Programmable Logic Controllers in Industrial Control Systems...

by Syed Ali Qasim, Adeen Ayub, Jordan A Johnson, Irfan Ahmed
Publication Type
Conference Paper
Book Title
Fifteenth IFIP Working Group 11.10 International Conference on Critical Infrastructure Protection
Conference Name
Fifteenth Annual IFIP WG 11.10 International Conference on Critical Infrastructure Protection (ICCIP)
Conference Location
Arlington, Virginia, United States of America
Conference Sponsor
International Federation for Information Processing Working Group 11.10

In industrial control systems (ICS), programmable logic controllers (PLCs) directly monitor and control physical processes such as those in nuclear power plants, gas pipelines, and water treatment facilities. They are equipped with control logic written in IEC-61131 languages (e.g., ladder logic and structured text) that defines how a PLC should control a physical process. A PLC's control logic is a common target of cyberattacks aiming to sabotage a physical process; for instance, Stuxnet targeted the control logic of Siemens S7-300 PLCs to damage a nuclear facility's centrifuges. Existing attacks in the literature generally focus only on injecting malicious control logic into a PLC. This paper presents a new dimension of control logic attacks that targets the control logic engine of a PLC, the component responsible for running the control logic. It demonstrates that a cyberattack can successfully disable the control logic engine by exploiting inherent PLC features such as program mode and starting/stopping the engine. We develop two novel case studies of control logic engine attacks, guided by the MITRE ATT&CK knowledge base, on real-world PLCs used in industry settings: 1) Schweitzer Engineering Laboratories' (SEL) Real-Time Automation Controller (SEL-3505 RTAC), which is equipped with security features such as encrypted traffic and device-level access control, and 2) traditional PLCs, i.e., Schneider Electric's Modicon M221 and Allen-Bradley's MicroLogix 1400 and 1100, which have no such security features. The case studies present the internals of the logic engine attacks and help the ICS research community and industry understand the attack vectors on the control logic engine. We evaluate the effectiveness of the control engine attacks on a power substation, a 4-floor elevator, and a conveyor belt to demonstrate their real-world impact: halting a physical process.
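As an added illustration from the defender's side (not code from the paper or its authors): every engine-halting attack the abstract describes, whether through program mode or a stop command, leaves the PLC in a non-RUN state, so a monitor can flag RUN to STOP/PROGRAM transitions that were not issued by an approved engineering host inside a maintenance window. The event schema, host addresses, PLC names and timestamps below are constructed assumptions, not a vendor or SIEM format.

```python
"""Flag PLC logic-engine halts (RUN -> STOP/PROGRAM) that look unplanned.

All field names and sample values are constructed for illustration.
"""
from dataclasses import dataclass

# Engine states in which the control logic is no longer executing.
ENGINE_HALTED = {"STOP", "PROGRAM"}


@dataclass(frozen=True)
class Event:
    ts: int     # seconds since epoch (constructed)
    plc: str    # PLC identifier
    src: str    # host that issued the mode-change command
    mode: str   # resulting engine state: RUN, STOP or PROGRAM


def find_engine_halts(events, engineering_hosts, maintenance_windows=()):
    """Return one alert per RUN -> halted transition that was not issued by an
    approved engineering host during a maintenance window (start, end)."""
    state = {}          # last known engine state per PLC; assume RUN if unseen
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        prev = state.get(ev.plc, "RUN")
        state[ev.plc] = ev.mode
        if prev in ENGINE_HALTED or ev.mode not in ENGINE_HALTED:
            continue    # only the moment the engine stops matters here
        in_window = any(a <= ev.ts <= b for a, b in maintenance_windows)
        if ev.src in engineering_hosts and in_window:
            continue    # expected engineering activity
        reason = ("unexpected source" if ev.src not in engineering_hosts
                  else "outside maintenance window")
        alerts.append({"ts": ev.ts, "plc": ev.plc, "src": ev.src,
                       "mode": ev.mode, "reason": reason})
    return alerts


# Constructed sample log: one planned program-mode session and two suspicious halts.
SAMPLE_EVENTS = [
    Event(100, "m221-conveyor", "10.0.0.5", "RUN"),
    Event(200, "m221-conveyor", "10.0.0.5", "PROGRAM"),    # engineering host, in window
    Event(300, "m221-conveyor", "10.0.0.5", "RUN"),
    Event(400, "ml1400-elevator", "10.0.0.99", "STOP"),    # unknown host
    Event(500, "rtac-substation", "10.0.0.5", "STOP"),     # engineering host, no window
    Event(600, "rtac-substation", "10.0.0.5", "PROGRAM"),  # already halted, no new alert
]
ENGINEERING_HOSTS = {"10.0.0.5"}
MAINTENANCE_WINDOWS = [(150, 350)]

if __name__ == "__main__":
    for alert in find_engine_halts(SAMPLE_EVENTS, ENGINEERING_HOSTS, MAINTENANCE_WINDOWS):
        print(alert)
```

On the sample log this reports the elevator PLC halt from an unknown host and the substation RTAC halt outside the window, while the planned program-mode session on the M221 is ignored.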