

# Attacks on Industrial Control Logic and Formal Verification-Based Defenses

**Ruimin Sun**, Alejandro Mera, Long Lu, David Choffnes Northeastern University <u>r.sun@notheastern.edu</u>

# **Motivation**



## **Motivation**



Figure 1: The reported common weaknesses and the affected industrial sectors. The notation denotes the number of CVEs.

# Background of PLC



### **Attacks and Defenses**

#### Control Logic Modification

- attacks that can change the behavior of PLC control logic.
  - program payload/code modification
  - program input manipulation.
- Formal Verification
  - unique and practical to the PLC industry.
  - PLCs have limited memory and are less tolerant to false positives
    - the controlled physical processes are safety-critical.
  - used in the industry
- Existing research tend to be ad-hoc



```
1 TYPE Light : (Green, Yellow, Red); END_TYPE;
2 PROGRAM TrafficLight
    VAR_INPUT
3
     SensorNS : BOOL; SensorEW : BOOL;
4
     ButtonNS : BOOL; ButtonEW : BOOL;
5
    END VAR
6
7
8
    VAR OUTPUT
9
    LightNS : Light := Green;
10
    LightEW : Light := Red;
11
    END_VAR
12
13
    IF LightNS = RED AND LightEW = RED AND NOT (ButtonNS)
         AND NOT (SensorEW) THEN
14
     (* turn green when light is red, button is reset,
          and no emergency detected *)
15
     LightNS := Green;
    ELSIF LightNS = GREEN AND LightEW = RED AND SensorEW
16
         THEN
17
     (* light must change when emergency approaches in
          EW direction *)
18
     LightNS := Yellow;
19
    ELSIF LightNS = GREEN THEN
20
     LightNS := Green;
21
    ELSE THEN
22
    LightNS := Red;
23
    END_IF;
24
25
    (* The EW light status changes in a similar way *)
    (* Omitted *)
26
27 END PROGRAM
```

Normally

when the NS light is red, and an emergency vehicle is sensed in the NS direction, the sensor will be ON *until the NS light is switched to green*.

#### Attacks

- switch the emergency sensor ON (e.g. SensorNS := TRUE) when the NS light is red and the EW light is green
- 2. switch it OFF (e.g. SensorNS := FALSE) when the NS light is red and the EW light is yellow

#### Green lights ON simultaneously for NS, EW

```
1 MODULE main
 2
      IVAR
 3
         button_NS: boolean;
 4
         button_EW: boolean;
 5
         sensor_NS: boolean;
 6
         sensor_EW: boolean;
      VAR
 8
         light_NS: {RED, YELLOW, GREEN};
 9
         light EW: {RED, YELLOW, GREEN};
10
      ASSIGN
11
         init(light_NS) := GREEN;
12
         init(light_EW) := RED;
13
14
         next(light_NS) := case
15
            light_NS = RED & light_EW = RED & button_NS =
                 FALSE & sensor EW = FALSE: GREEN;
16
            light_NS = GREEN & light_EW = RED & sensor_EW
                 = TRUE: YELLOW;
17
            light_NS = GREEN: GREEN;
18
            TRUE: {RED};
19
         esac;
20
21
         next(light_EW) := case
22
            light_EW = RED & light_NS = RED & button_EW =
                 FALSE & sensor NS= FALSE: GREEN;
23
            light_EW = GREEN & light_NS = RED & sensor_NS
                 = TRUE: YELLOW;
24
            light_EW = GREEN: GREEN;
25
            TRUE: {RED};
26
         esac;
27
28
      SPEC AG ! (light NS = GREEN & light EW = GREEN)
```

- Formal Verification model the program using SMV NuSMV
  - verify the property
  - obtain the counterexamples

Specifies the property to verify e.g. the green lights of NS and EW can never be ON simultaneously

```
1 MODULE main
 2
      IVAR
 3
         button_NS: boolean;
 4
         button_EW: boolean;
 5
         sensor_NS: boolean;
 6
         sensor_EW: boolean;
     VAR
 8
         light_NS: {RED, YELLOW, GREEN};
 9
         light EW: {RED, YELLOW, GREEN};
10
      ASSIGN
11
         init(light_NS) := GREEN;
12
         init(light_EW) := RED;
13
14
         next(light_NS) := case
15
            light_NS = RED & light_EW = RED & button_NS =
                 FALSE & sensor_EW = FALSE: GREEN;
16
            light_NS = GREEN & light_EW = RED & sensor_EW
                 = TRUE: YELLOW;
17
            light_NS = GREEN: GREEN;
18
            TRUE: {RED};
19
         esac;
20
21
         next(light_EW) := case
22
            light_EW = RED & light_NS = RED & button_EW =
                 FALSE & sensor_NS= FALSE: GREEN;
23
            light_EW = GREEN & light_NS = RED & sensor_NS
                 = TRUE: YELLOW;
24
            light_EW = GREEN: GREEN;
25
            TRUE: {RED};
26
         esac;
27
28
      SPEC AG ! (light_NS = GREEN & light_EW = GREEN)
```

- Formal Verification
   NuSMV
  - verify the property
  - obtain the counterexamples

-> State: 1.1 < $light_NS = GREEN$  $light_EW = RED$ -> Input: 1.2 <button NS = FALSEbutton EW = FALSE $sensor_NS = FALSE$ sensor EW = TRUE-> State: 1.2 <light\_NS = YELLOW -> Input: 1.3 <sensor EW = FALSE-> State: 1.3 <light NS = RED-> Input: 1.4 <--> State: 1.4 < $light_NS = GREEN$ light EW = GREEN

# Systematization Methodology

- Threat model
  - assumptions on source code, bytecode/binary, runtime.
- Security goal
  - Confidentiality, Integrity, and Availability
- Weakness
  - the flaws triggered to perform the attacks.
- Detection to evade
  - the detection that fails to capture the attacks
- Challenges in *defending* the attacks
  - the advance of attacks, and the insufficiency of defenses.
- Defense focus
  - the specific research topic in formal verification
  - e.g. behavior modeling, state reduction, specification generation, and verification.

# Attack papers

| Threat<br>Model | Paper                      | Weakness | Security<br>Goal | Attack<br>Type | Detection<br>to Evade | Network<br>Access | PLC<br>Language/Type | Tools                       |
|-----------------|----------------------------|----------|------------------|----------------|-----------------------|-------------------|----------------------|-----------------------------|
| T1              | Serhane'18 [84]            | W1,2,3   | GI1,GC,GA        | both           | Programmer            | ES                | LD, RSLogix          | N/A                         |
| source          | Valentine'13 [88]          | W1,2,3,6 | GI1,GC           | passive        | Programmer            | N/A               | LD                   | PLC-SF, vul. assessment     |
| code            | McLaughlin'11 [70]         | W4       | GI3              | both           | State verif.          | ES                | generic              | N/A                         |
| T2              | ICSREF [55]                | W4       | GI3              | passive        | NA                    | ES, PLC           | Codesys-based        | angr, ICSREF                |
| bytecode        | SABOT [68]                 | W4       | GI3              | passive        | N/A                   | ES, PLC           | IL                   | NuSMV                       |
| /binary         | McLaughlin'11 [70]         | W4       | GI3              | both           | State verif.          | ES, PLC           | generic              | N/A                         |
|                 | PLCInject [58]             | W5       | GC               | both           | N/A                   | ES, PLC           | IL, Siemens          | PLCInject malware           |
|                 | PLC-Blaster [85]           | W5       | GC,GA            | active         | N/A                   | ES, Sensor, PLC   | Siemens              | PLC-Blaster worm            |
|                 | Senthivel'18 [83]          | W4       | GI1              | active         | ES                    | ES, PLC           | LD, AB/RsLogix       | PyShark, decompiler Laddis  |
|                 | CLIK [54]                  | W4       | GI1              | both           | ES                    | PLC               | IL, Schneider        | Eupheus decompilation       |
|                 | Beresford'11 [11]          | W4,5     | GI2              | both           | N/A                   | ES, PLC           | Siemens S7           | Wireshark, Metasploit       |
| T3              | Lim'17 [ <mark>64</mark> ] | W4,5     | GI4,GA           | active         | ES                    | ES, PLC           | Tricon PLC           | LabView, PXI Chassis, Scapy |
| runtime         | Xiao'16 [92]               | W4       | GI4              | both           | State verif.          | Sensor, PLC       | generic              | N/A                         |
|                 | Abbasi'16 [3]              | W4       | GI2              | both           | Others                | N/A               | Codesys-based        | Codesys platform            |
|                 | Yoo'19 [94]                | W5       | GI1              | both           | Others                | ES, PLC           | Schneider/AB         | DPI and detection tools     |
|                 | LLB [43]                   | W4,6     | GI1,GI2          | both           | Programmer            | ES, PLC           | LD, AB               | Studio 5000, RSLinx, LLB    |
|                 | CaFDI [69]                 | W4       | GI4              | both           | State verif.          | N/A               | generic              | CaFDI                       |
|                 | HARVEY [37]                | W4,5     | GI4,GC           | both           | ES                    | ES, PLC           | AB                   | Hex, dis-assembler, EMS     |

#### TABLE 1: The studies investigating control logic modification attacks.

Engineering Station (ES), Allen-Bradley (AB). Tools: vulnerability (vul.). Detection to evade: verification (verif.).

## Formal Verification papers (a truncated list)

| Threat<br>Model      | Paper              | Security<br>Goal | Defense<br>Focus | Verification<br>Techniques | Property        | PLC<br>Language | Tools                          |
|----------------------|--------------------|------------------|------------------|----------------------------|-----------------|-----------------|--------------------------------|
|                      | Adiego'15 [4]      | GI1              | BM, SG           | MC                         | CTL, LTL        | ST,SFC          | nuXmv, PLCVerif, Xtext, UNICOS |
|                      | Bauer'04 [9]       | GI1,GI3          | FV               | MC                         | CTL             | SFC             | Cadence SMV, Uppaal            |
|                      | Bender'08 [10]     | GI3              | SG, FV           | MC                         | seLTL           | LD              | Tina Toolkit                   |
|                      | Biallas'12 [12]    | GI1,GI3          | SG, FV           | MC                         | ∀CTL, ptLTL     | generic         | PLCopen, Arcade.PLC*, CEGAR    |
|                      | Biha'11 [13]       | GI1              | SG               | TP                         | N/A             | IL              | SSReflect in Coq, CompCert     |
|                      | Kim'17 [56]        | GI1,GI3          | FV               | MC, EC                     | CTL             | FBD,LD          | CASE tools (Nude 2.0), NuSCR   |
|                      | Moon'94 [74]       | GI1              | SG               | MC                         | CTL             | LD              | N/A                            |
| <b>T</b> 1           | Newell'18 [76]     | GI1,GI3          | BM, SR           | TP                         | N/A             | FBD             | PVS Theorem prover             |
| T1<br>source<br>code | Niang'17 [77]      | GI3              | FV               | MC                         | N/A             | generic         | Uppaal, program translators    |
|                      | Pavlovic'10 [79]   | GI1,GI3          | SR               | MC                         | CTL             | FBD             | NuSMV                          |
|                      | Rawlings'18 [81]   | GI1              | SG, FV           | MC                         | CTL, ACTL       | ST              | st2smv, SynthSMV*              |
|                      |                    |                  |                  | •••                        |                 | . H             |                                |
| T2                   | Chang'18 [21]      | GI1              | ALL              | MC                         | LTL, CTL        | IL              | DotNetSiemensPLCToolBoxLibrary |
| bytecode             | McLaughlin'14 [71] | GI1,GI3          | ALL              | MC                         | LTL             | IL              | TSV, Z3, NuSMV                 |
| /binary              | Xie'20 [93]        | GI1,GC,GA        | BM, SG, FV       | MC                         | LTL             | IL              | SMT, NuXMV                     |
|                      | Zonouz'14 [100]    | GI1,GI3          | BM, SG, FV       | MC                         | LTL             | IL              | Z3, NuSMV                      |
|                      | Carlsson'12 [18]   | GI               | FV               | MC                         | CTL, LTL        | N/A             | NuSMV                          |
|                      | Cengic'06 [19]     | GI2              | BM               | MC                         | CTL             | FBD             | Supremica                      |
|                      | Galvao'18 [36]     | GI3,GI4          | SG               | MC                         | CTL             | FBD             | ViVe/SESA                      |
|                      | Garcia'16 [40]     | GI3              | FV               | MC                         | DFA             | LD,ST           | N/A                            |
|                      | Janicke'15 [53]    | GI1,GI2          | BM, SR           | MC                         | ITL             | LD              | Tempura                        |
| T3<br>runtime        | Luccarini'10 [65]  | GI3,GI4          | BM, SR, SG       | TP                         | CLIMB           | N/A             | SCIFF checker                  |
|                      | Mesli'16 [72]      | GI               | BM, SG, FV       | MC                         | TCTL            | LD,FBD          | Uppaal                         |
|                      | Wang'13 [91]       | GI1,GI2          | BM, SR, SG       | MC                         | LTL, MTL        | IL              | BIP                            |
|                      | Zhang'19 [98]      | GI,GC            | ALL              | MC                         | TPTL            | ST              | BUILDTSEQS algorithm           |
|                      | Zhou'09 [99]       | GI               | BM, SR           | MC                         | TCTL            | IL              | Uppaal                         |
|                      | Wan'09 [90]        | GI1,GI2          | BM, FV           | TP                         | Gallina         | LD              | Coq, Vernacular                |
|                      | Garcia'19 [38]     | GI               | BM               | TP                         | differential dL | ST              | KeYmaera X                     |
|                      | Mokadem'10 [73]    | GI3              | BM               | MC                         | TCTL            | LD              | Uppaal                         |
|                      | Cheng'17 [23]      | GI2,GC           | BM               | N/A                        | eFSA            | N/A             | LLVM DG                        |
|                      | Ait'98 [5]         | GI2              | SG               | TP                         | FOL             | N/A             | Atelier B                      |

TABLE 3: Existing studies using formal verification to detect control logic attacks

Defense Focus: Behavior modeling (BM), State Reduction (SR), Specification Generation (SG), and Formal Verification (FV). Verification tehcniques: model checking (MC), equivalence checking (EC), and theorem proving (TP). In tools: items in bold are self-developed, bold italics are open-source and \* represent tools no longer mantained.

# Challenges



#### Due to the advances of attacks

- Expanded attack input surfaces.
- Predefined hierarchical memory layout.
- Confidentiality and integrity of the program I/O.
- Stealthy attack detection.
- Implicit or incomplete specifications.

# Challenges



#### Due to the insufficiency of defenses

Behavior Modeling

- Lack of plant modeling.
- Lack of modeling evaluation.
- State explosion.

### State Reduction

- Lack of "ground truth" for continuous behavior.
- Implicitness and stealthy attacks from reduction

### Specification Generation

- Lack of specification-refined programming.
- Ad-hoc and unverified specification translations.
- automated domain-specific property generation.
- Specification with evolved system design.

#### **Q** Verification

- Lack of benchmarks for formal verification
- Open-source automated verification frameworks.
- High demand for runtime verification.



- Plant Modeling
  - formalize more accurate and complete program behaviors.
    - granularity and level of abstraction for the plant models and the properties
  - consider the avoidance of state explosion
    - conditions of the plant that can trigger property violations.
- Input manipulation verification
  - input manipulation is widely adopted by the attackers.
  - Orpheus prototype in a PLC setting
    - event consistency checking between the program and the plant model
    - instrumentation on the input and output variables



- the relationship between the "unrelated" states and the original program.
  - "unrelated" states are trimmed to avoid state explosion problems.
  - security validation of "unrelated" code
    - unnoticeable unsafe behaviors?
    - e.g. a stealthy logger to leak program critical information.
  - automatic program cleaning for the stealthy code.



#### **Specification Generation**

- Domain-specific property definition.
  - consider domain-specific properties as a *hybrid program* consisted of continuous plant models as well as discrete control algorithms.
  - aim at security verification
  - support arithmetic operations, multitask programs, in various domains.
- Incremental specification generation.
  - aim at the fast-evolving system design
  - a full chain of behaviors, and update in a dynamic spectrum.
  - behaviors from new interactions should be compatible with existing properties.



#### Verification

- Real-time attack detection.
  - Depend on the engineering station, which have been exposed to various vulnerabilities
  - Consider a dedicated security monitor, e.g. TSV
  - Meet the scan cycle requirement
- Open-source tools and benchmarks.
  - have led to adhoc studies without evaluations on models and verification techniques.
  - vendor-independent, industrial complexities, and a set of security metrics
- Multitasks Verification.
  - use one task to spy or spread malicious code to the other co-located tasks,
    - E.g. PLCInject, PLC-Blaster
  - verify task intervals and priorities at various granularities.

### Questions