PLC Guard: A Practical Defense Against Attacks on Cyber-Physical Systems
Jan-Ole Malchow, Daniel Marzin, Johannes Klick, Robert Kovacs, and Volker Roth

In Communications and Network Security (CNS), 2015 IEEE Conference on
full paper: IEEE Xplore, PDF

Freie Universität Berlin / Secure Identity Research Group / SCADACS

Equipped with the right tools to find and access ICS, adversaries can download and analyze the code on a programmable logic controller (PLC). They can then modify the code and load it back onto the PLC in order to perform sabotage. This process can be performed online, or it can be automated by malware that infects engineering workstations, similar to Stuxnet.

In order to arrive at realistic PLC code examples, we implemented a miniature packaging plant as well as attacks on it.



The objective of the plant is to sort smarties and fill them into round metal boxes with a snap lid. The color and the number of smarties are configurable through a Human Machine Interface (HMI).


A PLC Guard intercepts traffic between a potentially compromised engineering workstation and a PLC. Whenever code is transferred to the PLC, the guard holds the transfer and gives the engineer an opportunity to compare that code with the previously approved version. The guard supports the comparison through several levels of graphical abstraction and summarization.
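The intercept-compare-approve step described above, as an added example that is not the paper's implementation: a pending download is compared block by block against the known-good version, changed blocks are summarized as a diff for the engineer, and the transfer is forwarded only if nothing changed or the engineer approves. Block names and instruction-list snippets are constructed for illustration.

```python
import difflib
import hashlib
from dataclasses import dataclass, field

# Hypothetical program representation: block name -> instruction-list source.
# Both versions below are constructed samples, not the plant's real PLC code.
BASELINE = {
    "OB1": "CALL FC1\nCALL FC2\nBE",
    "FC1": "L MW10\nL 20\n>=I\n= Q0.0\nBE",   # stop filling at 20 smarties
    "FC2": "A I0.3\n= Q0.5\nBE",              # hand sensor -> release box
}
PENDING = {
    "OB1": "CALL FC1\nCALL FC2\nBE",
    "FC1": "L MW10\nL 200\n>=I\n= Q0.0\nBE",  # constructed tampered constant
    "FC2": "A I0.3\n= Q0.5\nBE",
}


@dataclass
class Review:
    unchanged: list = field(default_factory=list)
    changed: dict = field(default_factory=dict)  # block -> unified diff lines
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)


def block_digest(src: str) -> str:
    """Digest a block so the guard can store and compare versions cheaply."""
    return hashlib.sha256(src.encode()).hexdigest()


def compare_programs(old: dict, new: dict) -> Review:
    """Summarize what a pending download would change relative to the baseline."""
    r = Review()
    for name in sorted(set(old) | set(new)):
        if name not in old:
            r.added.append(name)
        elif name not in new:
            r.removed.append(name)
        elif block_digest(old[name]) == block_digest(new[name]):
            r.unchanged.append(name)
        else:  # textual diff is the lowest abstraction level shown to the engineer
            r.changed[name] = list(difflib.unified_diff(
                old[name].splitlines(), new[name].splitlines(),
                fromfile=f"{name}@baseline", tofile=f"{name}@pending",
                lineterm="", n=0))
    return r


def guard_decision(review: Review, approved_by_engineer: bool) -> str:
    """Forward only if nothing changed or the engineer explicitly approved the diff."""
    if not (review.changed or review.added or review.removed):
        return "forward"
    return "forward" if approved_by_engineer else "hold"
```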





The smarties sorting and packaging plant


Lining the smarties up in a row is handled by a vibration bowl: a stepper motor makes the bowl vibrate at a frequency that moves the smarties from the inside up along a spiral slide until they drop onto a conveyor belt.


After the box is filled, a vacuum gripper places the lid on it, then two pneumatic cylinders close the box.


At the final station, a five-servo robotic arm removes the box. When a human hand is placed under the box, the robotic arm drops the box into the hand.



hardware

The control unit consists of a Simatic S7-313C PLC, a KTP 400 touch-sensitive color HMI, a CP 343 Lean Ethernet module, a CP 341 RS-485 communication module and a PS 307 5 A 24 V DC power supply, mounted upright on a top-hat rail.

IEEE publication
Malchow, Jan-Ole, Daniel Marzin, Johannes Klick, Robert Kovacs, and Volker Roth. "PLC Guard: A practical defense against attacks on cyber-physical systems." In Communications and Network Security (CNS), 2015 IEEE Conference on, pp. 326-334. IEEE, 2015.


2023 robert kovacs