Regular Paper

HRPDF: A Software-Based Heterogeneous Redundant Proactive Defense Framework for Programmable Logic Controller

State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou, 450001, China
College of Control Science and Engineering, Zhejiang University, Hangzhou, 310027, China
College of Computer Science and Technology, Guizhou University, Guiyang, 550025, China
School of Information Systems, Singapore Management University, Singapore, 689867, Singapore

Abstract

Programmable logic controllers (PLCs) play a critical role in many industrial control systems, yet they face increasingly serious cyber threats. In this paper, we propose a novel PLC-compatible, software-based defense mechanism called the Heterogeneous Redundant Proactive Defense Framework (HRPDF). HRPDF introduces a heterogeneous PLC architecture consisting of multiple heterogeneous, functionally equivalent, and synchronous runtimes, which can thwart multiple types of attacks against the PLC without the need for external devices. To preserve PLC availability, we also design an inter-process communication algorithm that minimizes the overhead of HRPDF. We implement a prototype of HRPDF and evaluate it on a real-world PLC and on an OpenPLC-based device. The results show that HRPDF defends against multiple types of attacks at a cost of 10.22% additional CPU usage, 5.56% additional memory usage, and about 0.6 ms of additional time overhead.
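The following is an added illustration, not code from the HRPDF paper or its prototype. It models the idea the abstract describes: one PLC scan cycle executed by several heterogeneous but functionally equivalent runtimes, with the outputs compared every scan. The abstract does not say how HRPDF arbitrates between its runtimes; the majority vote, the "disagreement indicates tampering" rule, the tank-level control task, the three runtime implementations, and the injected logic modification below are all assumptions constructed for this example.

```python
"""Added example (not the paper's code): heterogeneous redundant PLC runtimes
with a synchronous scan cycle and a majority-vote arbiter.

Assumptions made here, not stated in the abstract: outputs are arbitrated by
majority vote, and any runtime that disagrees with the majority is flagged.
"""
from typing import Callable, Dict, List, Tuple

Inputs = Dict[str, int]
Outputs = Dict[str, bool]
Runtime = Callable[[Inputs, dict], Outputs]

LOW, HIGH = 20, 80  # constructed tank-level set points (percent)


def _alarm(inp: Inputs) -> bool:
    return bool(inp["estop"]) or inp["level"] > HIGH + 10


def runtime_ladder(inp: Inputs, st: dict) -> Outputs:
    """Ladder-style: a single rung with a seal-in (latch) contact."""
    latch = st.get("pump", False)
    start = inp["level"] < LOW
    stop = inp["level"] > HIGH or bool(inp["estop"])
    pump = (start or latch) and not stop
    st["pump"] = pump
    return {"pump_on": pump, "alarm": _alarm(inp)}


def runtime_statemachine(inp: Inputs, st: dict) -> Outputs:
    """Structured-text style: explicit FILL/IDLE modes."""
    mode = st.get("mode", "IDLE")
    if inp["estop"]:
        mode = "IDLE"
    elif mode == "IDLE" and inp["level"] < LOW:
        mode = "FILL"
    elif mode == "FILL" and inp["level"] > HIGH:
        mode = "IDLE"
    st["mode"] = mode
    return {"pump_on": mode == "FILL", "alarm": _alarm(inp)}


def runtime_schmitt(inp: Inputs, st: dict) -> Outputs:
    """Comparator style: the threshold depends on the previous output (hysteresis)."""
    prev = st.get("on", False)
    on = (inp["level"] <= HIGH) if prev else (inp["level"] < LOW)
    on = bool(on and not inp["estop"])
    st["on"] = on
    return {"pump_on": on, "alarm": _alarm(inp)}


class RedundantPLC:
    """Runs every runtime on the same inputs each scan and votes per output."""

    def __init__(self, runtimes: List[Runtime]):
        self.runtimes = runtimes
        self.states = [dict() for _ in runtimes]
        # (scan number, output name, index of the disagreeing runtime)
        self.divergences: List[Tuple[int, str, int]] = []
        self.scan = 0

    def step(self, inp: Inputs) -> Outputs:
        self.scan += 1
        results = [rt(inp, st) for rt, st in zip(self.runtimes, self.states)]
        voted: Outputs = {}
        for key in results[0]:
            votes = [r[key] for r in results]
            majority = votes.count(True) > len(votes) // 2
            voted[key] = majority
            for idx, v in enumerate(votes):
                if v != majority:
                    self.divergences.append((self.scan, key, idx))
        return voted


def inject_logic_bomb(rt: Runtime, trigger_level: int) -> Runtime:
    """Constructed attacker: a modified runtime that forces the pump off
    whenever the level drops below trigger_level (would starve the tank)."""
    def tampered(inp: Inputs, st: dict) -> Outputs:
        out = rt(inp, st)
        if inp["level"] < trigger_level:
            out = dict(out, pump_on=False)
        return out
    return tampered


def run_scenario(tamper: bool) -> Tuple[List[bool], List[Tuple[int, str, int]]]:
    """Drive the redundant PLC through a constructed level trace; returns the
    voted pump output per scan and the list of detected divergences."""
    rts: List[Runtime] = [runtime_ladder, runtime_statemachine, runtime_schmitt]
    if tamper:
        rts[1] = inject_logic_bomb(runtime_statemachine, trigger_level=15)
    plc = RedundantPLC(rts)
    # constructed trace: tank drains to 10, pump refills to 85, then an e-stop
    levels = [50, 30, 10, 15, 40, 70, 85, 60, 60]
    estops = [0, 0, 0, 0, 0, 0, 0, 1, 0]
    pump = [plc.step({"level": l, "estop": e})["pump_on"] for l, e in zip(levels, estops)]
    return pump, plc.divergences


if __name__ == "__main__":
    print("clean   :", run_scenario(tamper=False))
    print("tampered:", run_scenario(tamper=True))
```

The three runtimes compute the same control function through different code paths, so a payload that patches one runtime's logic (the wrapped `runtime_statemachine` above) produces an output the other two do not, and the arbiter both masks it in the voted output and records which runtime diverged. Two caveats a practitioner would want: voting only helps while an attacker cannot compromise a majority of the runtimes in the same scan, and the runtimes must be kept in lockstep on the same inputs, which is exactly why the abstract emphasizes synchronous execution and a low-overhead inter-process communication path.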

Electronic Supplementary Material: jcst-36-6-1307-Highlights.pdf (145.6 KB)

Journal of Computer Science and Technology
Pages 1307-1324
Cite this article:
Liu K, Wang J-Y, Wei Q, et al. HRPDF: A Software-Based Heterogeneous Redundant Proactive Defense Framework for Programmable Logic Controller. Journal of Computer Science and Technology, 2021, 36(6): 1307-1324. https://doi.org/10.1007/s11390-021-1647-7
Received: 01 June 2021
Accepted: 15 November 2021
Published: 30 November 2021
© Institute of Computing Technology, Chinese Academy of Sciences 2021