Stealth Low-Level Manipulation of Programmable Logic Controllers I/O by Pin Control Exploitation

  • Ali Abbasi
  • Majid Hashemi
  • Emmanuele Zambon
  • Sandro Etalle
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10242)


Input/Output is the mechanism through which Programmable Logic Controllers (PLCs) interact with and control the outside world. Particularly when employed in critical infrastructures, the I/O of PLCs has to be both reliable and secure. Like the I/O of other embedded devices, PLC I/O is controlled by a pin-based approach: the SoC exposes pin control operations, such as pin multiplexing and pin configuration, that decide which function each physical pin serves. In this paper, we investigate the security implications of the PLC pin control system. In particular, we show how an attacker can tamper with the integrity and availability of PLC I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.
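The following C program is an added example, not code from the paper, that models the attack the abstract describes. The register layout (one mux word and one direction word per pin plus a GPIO data latch), the function names and the pin-3 scenario are assumptions chosen for illustration; a real SoC exposes equivalent memory-mapped registers at fixed physical addresses. It shows why the PLC runtime cannot notice the tampering: the runtime only reads back its own data latch, the hardware raises no interrupt when a pin's mux or direction changes, and the physical wire silently stops following the latch. The `pinctrl_audit` function is the software check a practitioner would add in the absence of such an interrupt.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPINS 8

/* Pin multiplexing functions of the hypothetical SoC (assumed values). */
enum { MUX_GPIO = 0, MUX_UART = 1, MUX_I2C = 2 };
/* GPIO direction values (assumed). */
enum { DIR_INPUT = 0, DIR_OUTPUT = 1 };

/* Constructed model of a memory-mapped pin-control block. Kept in plain
 * memory so the example runs anywhere; the behaviour is what matters. */
typedef struct {
    uint8_t mux[NPINS];   /* per-pin function select */
    uint8_t dir[NPINS];   /* per-pin direction when muxed to GPIO */
    uint8_t data;         /* GPIO output latch, one bit per pin */
} pinctrl_regs_t;

static pinctrl_regs_t regs;
/* Interrupts raised by configuration changes: never incremented, because
 * the modelled hardware (like the real one) does not signal them. */
static int config_change_irqs;

/* Assumed PLC boot state: every pin is a GPIO output driving low. */
void pinctrl_init_all_gpio_output(void)
{
    memset(&regs, 0, sizeof regs);
    for (int p = 0; p < NPINS; p++) {
        regs.mux[p] = MUX_GPIO;
        regs.dir[p] = DIR_OUTPUT;
    }
    config_change_irqs = 0;
}

/* Copy the current mux/direction configuration out (used as the golden
 * reference for the audit below). */
void pinctrl_snapshot(uint8_t *mux_out, uint8_t *dir_out)
{
    memcpy(mux_out, regs.mux, NPINS);
    memcpy(dir_out, regs.dir, NPINS);
}

/* PLC runtime side: control logic only ever touches the data latch. */
void plc_set_output(int pin, bool level)
{
    if (level) regs.data |= (uint8_t)(1u << pin);
    else       regs.data &= (uint8_t)~(1u << pin);
}

/* The runtime's "is the output on?" check reads the latch back, so it
 * cannot observe a mux or direction change. */
bool plc_readback(int pin)
{
    return (regs.data >> pin) & 1u;
}

/* Physical wire: driven by the latch only while the pin is a GPIO output.
 * Any other configuration leaves it undriven (modelled as low). */
bool physical_pin_level(int pin)
{
    if (regs.mux[pin] != MUX_GPIO || regs.dir[pin] != DIR_OUTPUT)
        return false;
    return (regs.data >> pin) & 1u;
}

/* Attacker primitives: a single register write each. No interrupt fires,
 * so neither the runtime nor the kernel learns that the pin changed role. */
void attacker_remux(int pin, uint8_t function)     { regs.mux[pin] = function;  }
void attacker_set_direction(int pin, uint8_t dir)  { regs.dir[pin] = dir;       }

int config_change_irq_count(void) { return config_change_irqs; }

/* Software mitigation: since hardware will not signal the change, a
 * watchdog task must re-read the configuration registers and compare them
 * with the golden configuration. Returns the number of mismatching pins. */
int pinctrl_audit(const uint8_t *golden_mux, const uint8_t *golden_dir)
{
    int mismatches = 0;
    for (int p = 0; p < NPINS; p++)
        if (regs.mux[p] != golden_mux[p] || regs.dir[p] != golden_dir[p])
            mismatches++;
    return mismatches;
}

/* Walk through the attack once and print what each side observes. */
int main(void)
{
    uint8_t golden_mux[NPINS], golden_dir[NPINS];
    pinctrl_init_all_gpio_output();
    pinctrl_snapshot(golden_mux, golden_dir);

    plc_set_output(3, true);
    printf("before attack: readback=%d physical=%d\n",
           plc_readback(3), physical_pin_level(3));

    attacker_remux(3, MUX_UART);       /* pin 3 now belongs to the UART */
    plc_set_output(3, true);           /* runtime keeps asserting the output */
    printf("after remux:   readback=%d physical=%d config irqs=%d\n",
           plc_readback(3), physical_pin_level(3), config_change_irq_count());
    printf("audit finds %d misconfigured pin(s)\n",
           pinctrl_audit(golden_mux, golden_dir));
    return 0;
}
```

Compile with `cc -o pinctrl pinctrl.c && ./pinctrl`. After the remux the runtime still reads its output as asserted while the wire is no longer driven, which is the availability and integrity loss the abstract refers to; only the explicit audit of the configuration registers reveals it, because the model, like the hardware, produces no interrupt on the change.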


Keywords: PLC, Exploiting, SoC, ICS



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Ali Abbasi (1), corresponding author
  • Majid Hashemi (2)
  • Emmanuele Zambon (1, 4)
  • Sandro Etalle (1, 3)
  1. Services, Cyber Security and Safety Group, University of Twente, Enschede, The Netherlands
  2. Quarkslab, Paris, France
  3. Eindhoven University of Technology, Eindhoven, The Netherlands
  4. SecurityMatters BV, Eindhoven, The Netherlands
