Analysis of Programmable Logic Controller Firmware for Threat Assessment and Forensic Investigation

ABSTRACT

Industrial Control Systems are developing into highly networked collections of
distributed devices. The next generation of threats is likely to focus on PLC firmware. Just as traditional computer malware evolved to hide itself using operating system-level rootkits, so will ICS attacks evolve to embed themselves in the PLC equivalent: the firmware. This paper discusses the techniques and procedures required to access, inspect, and manipulate the firmware of an Allen-Bradley PLC. A detailed analysis provides details about the capabilities and methods required by an attacker, and the effectiveness of recovering PLC firmware for forensic investigation of a potential attack.


AUTHORS

Department of Electrical & Computer Engineering
Air Force Institute of Technology
Wright-Patterson Air Force Base, OH, United States

Zachary Basnight (1st Lt, USAF) 90th Information Operations Squadron San Antonio-Lackland AFB, TX. 1st Lt Zachry Basnight is a Deputy Flight Commander with the 90th Information Operations Squadron. He received an MS in Cyber Operations from the Air Force Institute of Technology in 2013, and a BS in Computer Science from the US Air Force Academy in 2009. He is currently serving on active duty at Joint Base San Antonio-Lackland Air Force Base in San Antonio, Texas.

Department of Electrical & Computer Engineering
Air Force Institute of Technology
Wright-Patterson Air Force Base, OH, United States

Jonathan Butts, PhD (Major, USAF) Center for Cyberspace Research Air Force Institute of Technology Dr. Jonathan Butts is an assistant professor of computer science and member of the Center for Cyberspace Research at the Air Force Institute of Technology. He received his PhD in Computer Science from the University of Tulsa in 2010, an MS in Information Assurance from the Air Force Institute of Technology in 2006, and a BS in Computer Science from Chapman University in 2001. Jonathan is an active duty Major in the United States Air Force with 15 years of service. He is a fellow of the National Board of Information Security Examiners and committee Chair for the International Federation for Information Processing Working Group on Critical Infrastructure Protection. He has performed research and worked extensively with the Department of Defense, Department of Homeland Security, Department of Energy, National Security Agency, Central Intelligence Agency and US Secret Service.

Department of Electrical & Computer Engineering
Air Force Institute of Technology
Wright-Patterson Air Force Base, OH, United States

Thomas Dube, PhD (Major, USAF) Center for Cyberspace Research Air Force Institute of Technology Dr. Thomas Dube is an assistant professor of computer science and member of the Center for Cyberspace Research at the Air Force Institute of Technology. He received a PhD in Computer Engineering from the Air Force Institute of Technology in 2011, an MS in Information Assurance form the Air Force Institute of Technology in 2006, and a BS in Computer Engineering from Auburn University in 2000. His research interests include reverse engineering, malware analysis, vulnerability discovery, operating systems and software engineering.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

Quick Links

View the latest issue of JIW.

Latest Edition

Purchase a subscription to JIW.

Subscribe

Keywords

C

C2
C2S
CDX
CIA
CIP
CPS

D

DNS
DoD
DoS

I

IA
ICS

S

SOA

X

XRY

Quill Logo

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.

SUBSCRIBE NOW

Get in touch

  • Journal of Information Warfare
    114 Ballard Street
    Yorktown, VA
    23690
  • 757.871.3949
  • jiw@gbpts.com