You Snooze, You Lose: Measuring PLC Cycle Times under Attacks Matthias Niedermaier 1 , Jan-Ole Malchow 2 , Florian Fischer 1 , Daniel Marzin 2 , Dominik Merli 1 , Volker Roth 2 and Alexander von Bodisco 1 1 Hochschule Augsburg, Augsburg, Germany 2 Freie Universit¨ at Berlin, Berlin, Germany Abstract In this work, we show that the electrical side of a Pro- grammable Logic Controller (PLC), that is, the controlled process, can be influenced by packet flooding. This dif- fers from already known Denial of Service (DoS) attacks as the target is the actual process and not network con- nectivity. We conducted our experiments with 16 devices from six vendors, giving a good overview of the current market. Except for one device, all are susceptible to net- work flooding attacks. In three cases, an attack even lead to a DoS on the electrical side, completely disrupting any controlled process. In addition, we show that well-known scanning tools have measurable impacts on PLCs. These findings should be taken into consideration by adminis- trators and researchers planning scanning activities. 1 Introduction Programmable Logic Controllers (PLCs) are pervasive in modern societies and form a vital part of modern infras- tructure. Nearly all aspects of automation are controlled by them in one way or another. Controlled systems in- clude air-conditioning, traffic lights, factories, and power plants. Security and safety violations in these systems can lead not only to inconveniences but also risks to human lives. When PLCs were first introduced, it was uncommon for them to be interconnected on a larger network. Mean- while, PLCs come with Ethernet interfaces and are in- creasingly connected to TCP/IP networks due to benefits related to cost and convenience. This makes PLCs vulner- able to network-based intrusion. PLCs run control programs that can be thought of as the software implementation of a switching circuit. Con- trol programs use sensor data as input and set outputs to activate actors. In the following, we refer to the sen- sor and actuator connections as the electrical side of the PLC. We focus on the question whether network traffic can influence the electrical side of PLCs. If the electrical side can be influenced, then a controlled process may be dis- turbed or even stop altogether. Obviously, such a capa- bility can be used in cyberattacks. This question is also relevant when scanning the internet for benign purposes, which is currently a trend in academic research. If scans potentially affect controlled processes, then enhanced pre- cautions are required to assure the safety and security of (largely unknown) scan targets. We are not interested in flooding attacks that seek to saturate a network or a net- work interface in order to deny service to communicating devices. To assess the risks that arise in controlled processes from network traffic, we conducted three types of exper- iments in a testbed with 16 PLCs from six different ven- dors. We explored the effects of: 1. SYN flooding, 2. four- teen high-level protocols and 3. three popular scanning tools on the electrical side of PLCs. To this end, we used a control program that switched the outputs of PLCs at the maximum supported rate (e.g. freewheeling task) and measured deviations from that rate. Various settings of lower switching frequencies can be used as a benchmark as well. We decided against this because the maximum rate is conservative and application-neutral. We found that all except one PLCs are prone to being influenced by network traffic. Most PLCs were affected by SYN packet floods. The effects of high-level protocols varied for different PLCs. Several PLCs stopped working completely, resulting in a Denial of Service (DoS) condi- tion on the electrical side. However, we also found that data rate-limiting features available on Wago PLCs can reduce the effects. The rest of the paper is organized as follows. We begin with a description of related work in § 2. We provide background information on the functions of a PLC and PLC certification in § 3. In item 3.3, we summarize our experimental methods and materials. We report the results of our experiments in § 5 and provide conclusions in § 6.
17
Embed
You Snooze, You Lose: Measuring PLC Cycle Times under Attacks · You Snooze, You Lose: Measuring PLC Cycle Times under Attacks Matthias Niedermaier1, Jan-Ole Malchow2, Florian Fischer1,
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
You Snooze, You Lose: Measuring PLC Cycle Times under Attacks
Matthias Niedermaier1, Jan-Ole Malchow2, Florian Fischer1, Daniel Marzin2,Dominik Merli1, Volker Roth2 and Alexander von Bodisco1
In this work, we show that the electrical side of a Pro-grammable Logic Controller (PLC), that is, the controlledprocess, can be influenced by packet flooding. This dif-fers from already known Denial of Service (DoS) attacksas the target is the actual process and not network con-nectivity. We conducted our experiments with 16 devicesfrom six vendors, giving a good overview of the currentmarket. Except for one device, all are susceptible to net-work flooding attacks. In three cases, an attack even leadto a DoS on the electrical side, completely disrupting anycontrolled process. In addition, we show that well-knownscanning tools have measurable impacts on PLCs. Thesefindings should be taken into consideration by adminis-trators and researchers planning scanning activities.
1 Introduction
Programmable Logic Controllers (PLCs) are pervasive inmodern societies and form a vital part of modern infras-tructure. Nearly all aspects of automation are controlledby them in one way or another. Controlled systems in-clude air-conditioning, traffic lights, factories, and powerplants. Security and safety violations in these systems canlead not only to inconveniences but also risks to humanlives.
When PLCs were first introduced, it was uncommonfor them to be interconnected on a larger network. Mean-while, PLCs come with Ethernet interfaces and are in-creasingly connected to TCP/IP networks due to benefitsrelated to cost and convenience. This makes PLCs vulner-able to network-based intrusion.
PLCs run control programs that can be thought of asthe software implementation of a switching circuit. Con-trol programs use sensor data as input and set outputsto activate actors. In the following, we refer to the sen-sor and actuator connections as the electrical side of thePLC.
We focus on the question whether network traffic caninfluence the electrical side of PLCs. If the electrical sidecan be influenced, then a controlled process may be dis-turbed or even stop altogether. Obviously, such a capa-bility can be used in cyberattacks. This question is alsorelevant when scanning the internet for benign purposes,which is currently a trend in academic research. If scanspotentially affect controlled processes, then enhanced pre-cautions are required to assure the safety and security of(largely unknown) scan targets. We are not interested inflooding attacks that seek to saturate a network or a net-work interface in order to deny service to communicatingdevices.
To assess the risks that arise in controlled processesfrom network traffic, we conducted three types of exper-iments in a testbed with 16 PLCs from six different ven-dors. We explored the effects of: 1. SYN flooding, 2. four-teen high-level protocols and 3. three popular scanningtools on the electrical side of PLCs. To this end, we useda control program that switched the outputs of PLCs atthe maximum supported rate (e.g. freewheeling task) andmeasured deviations from that rate. Various settings oflower switching frequencies can be used as a benchmarkas well. We decided against this because the maximumrate is conservative and application-neutral.
We found that all except one PLCs are prone to beinginfluenced by network traffic. Most PLCs were affectedby SYN packet floods. The effects of high-level protocolsvaried for different PLCs. Several PLCs stopped workingcompletely, resulting in a Denial of Service (DoS) condi-tion on the electrical side. However, we also found thatdata rate-limiting features available on Wago PLCs canreduce the effects.
The rest of the paper is organized as follows. We beginwith a description of related work in § 2. We providebackground information on the functions of a PLC andPLC certification in § 3. In item 3.3, we summarize ourexperimental methods and materials. We report the resultsof our experiments in § 5 and provide conclusions in § 6.
2 Related Work
DoS attacks on SCADA/PLC/ICS systems have been atopic in academic research since at least 2005 [4, 11].However, most studies only outline the potential of at-tacks and do not present evidence derived from experi-mentation or simulation. In what follows we limit ourdiscussion to the literature that provides at least partialevidence for possible DoS attacks.
Teixeira et al. [20] describe a variety of attacks on con-trol systems. They focus on the disruption of commu-nication between sensors/actuators and a PLC but over-look the effects on the electrical side. The authors of [2]present a formalization of DoS attacks on control systemsand derive an ‘optimal’ attack plan. However, they do notevaluate their attack plan against an actual PLCs. [9] con-ducted flooding experiments on an unspecified remotetelemetry unit (RTU) based on IP, SYN, and 104APCIpackets. In all cases, they measured an impact on the re-sponse time of the RTU. However, their report lacks clar-ity with respect to what exactly caused the effects theymeasured. The reasons for this may range from RTU re-source depletion to the saturation of other componentsin their test network. The authors of [12] simulated UserDatagram Protocol (UDP) flooding attacks in a Supervi-sory Control And Data Acquisition (SCADA) networkmodel. They concluded that CPU utilization, packet drop,and traffic delays increased. In [11], the impact of DoSsattacks on network-based control is simulated and twocountermeasures are proposed. The authors focus on thecommunication without analysing the behaviours of thedevices. A method of testing the communication robust-ness of industrial devices is introduced in [21]. However,their article mentions no concrete results. [16] set upa testbed with an Omron PLC CJ1M-CPU11-ETN anddemonstrated DoS attacks on the network interface of thedevice based on TCP/IP SYNs, UDP, and HTTP traffic.They did not measure effects on the electrical side, nordid they test different PLCs systematically as we did inour experiments.
3 Technical Background
Programmable Logic Controllers (PLCs) are industrialdigital computers designed to control physical processes.A PLC is electrically connected to sensors and actuators.A user-specific program running on the PLC controls theactuators based on the inputs read from the sensors. Sincethe majority of PLCs operate in a cycle-oriented fashion(see next section for details), we focus on this type ofdevice.
PLCs are usually part of a larger architecture that in-cludes Enterprise Resource Planing (ERP) and Manufac-turing Execution System (MES). The latter systems of-
Phase 1: Read Inputs
Phase 2: Program Execution
Phase 3: Diagnostic, Com-munication, ...
Phase 4: Write Outputs
CycleTime
Figure 1: Simplified sequence of a PLC cycle.
ten have a data exchange time of several hours or days.For SCADA systems, a common requirement is that datatransfer time must be in the order of seconds to minutes.This is in contrast to mostly hard real-time processes atthe control and field levels, where transmissions mustcomplete in milliseconds. These timings must be ensuredin order for the processes to run correctly.
3.1 PLC Cycle Time
The run mode of a cycle-oriented PLC consists of a loopof four phases, as illustrated in Fig. 1. In the first phase,inputs such as sensors are read into the internal registersof the PLC. In the second stage, the program execution isperformed. The third phase handles internal housekeep-ing, for example diagnostic functions and communication.At the end of the scan cycle, the outputs are written backfrom internal registers to the electrical circuits. Typicalcycle times are between one and 10 milliseconds. In morepowerful models, or small programs, cycle times may bein the order of microseconds. There are versions witheither fixed or asynchronous cycles. The user programmay include branches and conditional calls, resulting invarying execution times.
3.2 Controlled Process
Fig. 2 shows a simple example application where a PLCcontrols the filling of a container on a conveyor belt. Thesensor reports to the PLC when a container passes it. ThePLC then controls the valve that opens and fills the con-tainer. This process must have the right timing, or elsethe liquid would not end up in the container. If the cycletime is too high, the opening or closing of the valve getsdelayed and occurs at false container positions [6].
3.3 Certification Programs
There are three certification programs for Industrial In-ternet of Things (IIoT) components. In the following,we mention three such programs which were previouslydiscussed by Schierholz and McGareth [17], and Xie et
PLCEthernet
Sensor
Container
Valve
Figure 2: Example application where liquid/goods isfilled in a container
al. [23]. Certificates of these three programs communi-cate an acceptable level of stack robustness. Schierholzand McGareth argue that security-related certificates maysend incorrect signals regarding security. This is primarilybecause not all threat vectors may be covered by a certi-fication program. Our reports support this argument aswe found that nearly all PLCs we tested are vulnerable tonetwork flooding attacks. We give a short overview of thementioned programs with respect to network robustness.
(i) Achilles Certification1 – Initially developed by Wur-dtech Security Technologies, the Achilles Programwas later bought by General Electric. The programrelies on a proprietary test device called the ‘AchillesSatellite’. Applied tests include protocol fuzzing andpacket storms. We are especially interested in thepacket storm sub-test. While the Satellite is propri-etary, the requirements for a certification are publiclydocumented. For the level 2 certification of Achilles,the PLC is configured with a period cycle output of1000ms (500ms high output and 500ms low output)with an acceptable tolerance of 4%.
(ii) ISASecure EDSA Certification2 – The EDSA in-cludes CRT Test Requirements for Protocols for Eth-ernet, ARP, IPv4, ICMPv4, UDP, and TCP. With theexception of Ethernet, the requirements state that thedevice under test maintains its essential services un-der high load but can reduce or cease network com-munication during periods of high load. In all cases,the high load period (maximum supported data rate)must be long enough to allow saturation effects tomanifest.
(iii) Mu Dynamics MUSIC Certification3 – Mu Dynam-ics Inc. was acquired by Spirent Communication Inc.in 2012. The current status of the certification pro-gram is unknown. According to Xie et al. [23], MU-SIC operated similarly to Achilles.
The basic idea of a PLC cycle time attack is to in-fluence the timing of a PLC by means of network traf-fic. In other words, the attacker aims to alter the timing
output
cycle
24V
1 2 3 4 5
∆t
expected delayed
Figure 3: Electrical view of a PLC toggling an output.
of PLC outputs. Wedgbury and Jones [22], as well asCardens [5], already predicted that extra network trafficmight affect the process controlled by an Industrial Con-trol System (ICS). However, they did not present evidencefor their prediction. Our experiments lend support to theirassertion because we found that network traffic can affectuser programs running on PLCs.
The attack surface is a combination of device designand software implementation; more precisely, it is theimplementation of the network stack, PLC-specific pro-tocols, and PLC runtime. For example, sharing resourcesbetween system tasks and the actual control program canbe problematic. If an attacker is able to exhaust the re-sources available to system tasks, he also succeeds in pre-venting normal operation of the control program.
3.4 Attacker ModelWe assume that the attacker is able to send network pack-ets to the target PLC at the maximum rate supported bythe device. This may be feasible because the device isconnected to the internet, or another device on the samenetwork is compromised by the adversary. The compro-mised device may well be another PLC [10]. With regardto the types of attacks we consider, we do not assumethat the adversary has or needs specific knowledge aboutthe actual process controlled by the PLC or the programrunning on the PLC.
4 Materials and Methods
The basic idea is to measure the changes to the signalcaptured on the electrical (digital) outputs of PLCs. Weconducted three sets of experiments. In the first set (§ 5.1),we focused on the reaction of devices to different loads ofSYN packets. In the second set (§ 5.2), we measured thereaction to different protocols including device-specificcontrol protocols. In the final set of experiments (§ 5.3),we assessed the impact of scanning tools. In the remain-der of this section, we give an overview of our methodsand materials.
DuT 0
DuT 1
DuT N
Network
Power
CaptureDevice
Attack Machine
ControllerMachine
Attack traffic
Control
OutputControl
Figure 4: Test set-up for the measurement.
Regarding the electrical side, we configured the PLCsunder test to run on their maximum performance (short-est possible cycle time). This means that an output isswitched at the maximum rate. Depending on the actualdevice, this leads to a more or less periodic reference sig-nal. If an attack is successful, the reference signal will beshifted. Fig. 3 depicts the reference signal (blue, solid)and the shifted signal under attack (red, dotted). For theattack scenario proposed in this paper, the attacker doesnot need to know the details of the ICS.
We expected the impact of attacks on the cycle timeof a PLC to differ across devices. This is due to differ-ences in the system design, quality of implementation,and possible safety mechanisms. For example, some man-ufacturers indirectly tie cycle time to the cost-efficiencyof their devices, since the manufacturing process can beoperated at a higher speed if the cycle time is shorter. Anextreme example is provided by Schneider Electric [3],where a reduction in the cycle time from 30ms to 6msresulted in the gain of two million dollars per year.
In our experiments, we flooded the device under testwith packets for a specific protocol and measure the cycletime of the device. The used protocols are depicted inTab. 1. We designed and implemented a test set-up forour experiments. The set-up comprises a capture device,an attack machine, and a controller machine (see Fig. 4).The capture device can digitize the outputs of the PLCs.The attacker machine generates traffic for the respectiveprotocol under test. The controller device starts and stopsthe attack traffic, and stores the data sent by the capturedevice. It has the option to power on and off the Deviceunder Tests (DuTs).
In the following, we detail our measurement set-up andtest cases.
4.1 Capture DeviceThe influences of the different test cases are monitoredwith a capture device that measures one digital output pinof each PLC. We use a BeagleBone Black from Texas
Instruments with a custom measurement Printed CircuitBoard (PCB) to handle the 24V square wave signal. ThePCB consists of a protection circuit and a level shifterIntegrated Circuit (IC). The BeagleBone runs a DebianLinux with the BeagleLogic application 4, which makesuse of the AM335x processor’s two programmable real-time units. It is possible to analyse up to 14 channels in acontinuous mode with a maximum of 100 Mega samplesper second (Ms/s). The Ethernet interface (100 Mbps)was used to send the data to a computer for further analy-sis. We captured on a fixed rate of 1 MHz, which allowedus to calculate the timing without an additional timestamp.We were only interested in the state of the output of thedevice currently under test. Therefore, a byte per samplewas needed to transfer data over the network, leading toa feasible data rate.
To ensure the validity of our tests, we used a functiongenerator and a Picoscope 22085 oscilloscope to measurethe capabilities of the BeagleLogic. We used 1 Ms/s onthe BeagleLogic, which is also the sample rate in the testset-up. The deviation of the BeagleLogic adapter com-pared to the function-generator was always below 0.1
4.2 Controller MachineThe controller machine is a standard PC with two networkinterfaces. One interface is connected to the capture de-vice and the other to the attacker machine. The controllermachine runs a custom experimental server written in Go.The server reads the definition of an experiment definedas a JSON file. An experiment defines the tool to usespecific parameters, the target to measure, the channelto capture, and the runtime of the experiment. Based onthis definition, the controller configures the capture de-vice and attack server. In addition, the control machinestores the data produced by the capture device.
4.3 Attacker MachineThe attacker machine is a default PC with two GigabitEthernet network interfaces. One interface is connectedto the DuTs, while the other is connected to the controllermachine. The attacker machine runs a custom experimen-tal client that connects to the corresponding experimentalserver on the control machine. The purpose of the clientis to start and stop the actual load generating program.The tools used for load generation are listed in Tab. 1.
4.4 Device under Tests (DuTs)The DuTs are PLCs from different vendors. We selecteda variety of devices in order to get a representative sam-ple of the current market. A summary of the currentlydeployed PLCs in our testbed [15] is given in Tab. 2.
Table 1: Overview of programs used, corresponding protocols, and respective parameters
Table 2: Currently deployed devices in our test set-up
No. Vendor Manufacturer number Name Firmware1 Wago 750-889 Controller KNX IP 01.07.13(10)2 Wago 750-8100 Controller PFC100 02.05.23(08)3 Wago 750-880 Controller ETH. 01.07.03(10)4 Wago 750-831 Controller BACnet/IP 01.02.29(09)5 Siemens 6ES7211-1AE40-0XB0 Simatic S7-1211∗ V4.2.06 Siemens 6ES7212-1AE31-0XB0 Simatic S7-1212 V 3.0.27 Siemens 6ES7155-6AU00-0AB0 Simatic ET 200SP V 3.3.08 Siemens 6ES7314-6EH04-0AB0 Simatic S7-314∗ V 3.3.09 Siemens 6ES7516-3FN01-0AB0 Simatic S7-1516F∗ V 2.0.510 Siemens 6ED1052-1CC01-0BA8 Logo! 8∗ 1.81.0111 Phoenix 2700974 ILC 151 ETH V.4.42.0412 Phoenix 2985330 ILC 150 ETH V.3.94.0313 Phoenix 2700975 ILC 171 ETH 2TX V.4.42.0414 ABB 1SAP120600R0071 PM554-TP-ETH 2.5.4.1562615 Crouzet 88981133 em4 Ethernet 1.2.75/1.0.2716 Schneider TM221CE16T Modicon M221 1.5.1.0
∗ Achilles Level 2 Certified
We aimed to identify and measure a worst-case sce-nario. Hence, each PLC was configured to switch a digi-tal output at the maximum rate. This was configured in acyclic task and only changed if necessary (e.g. freewheel-ing task). This called for device-specific configurations,especially setting the cycle time to the device-specificminimum if applicable. We emphasize that we used thedefault settings for all controllers, wherever possible. Ofspecial interest are parameters for communication over-head. For the used Siemens devices, we kept the defaultat 20 %. Wago allows setting a data rate limit; however,this setting was disabled by default (see § 5.4 for effectsof this setting). The used control program was simple; itonly switched the value of an output from 0 to 1, and viceversa.
4.5 Protocol Implementations
In Tab. 1, we summarize the used protocols. For most ofthe protocols, we used off-the-shelf tools. If no standardtool was available, we implemented our own tool. Withthe off-the-shelf tools, we did not have much control overthe sent packets. As a result, we used custom implemen-tations for some protocols. All custom tools were imple-mented in Go and were capable of saturating the outgoingGigabit Ethernet link of the attacker machine.
syn spam – This implementation uses hard-coded SYNpackets with no additional TCP options set.arp spam – RFC 826 defines multiple variants for ARPrequests. The standard uses the following abbreviations:sender protocol address (SPA), sender hardware address(SHA), target protocol address (T PA), and target hardwareaddress (T HA). We implemented the following four ARPrequest variants: 1. Who has 2. Probe 3. Gratuitous ARPRequest T PA = SPA, T HA = 0 4. Gratuitous ARP ReplyT PA = SPA, T HA = SHA.gre spam – This implementation uses GRE-encapsulatedSYN packets. The SYN packets do not have any addi-tional TCP options. We tested with GRE packets as mod-ern DoS attacks sometimes use such packets [18].snmp spam – Our implementation uses SN-MPv1 with a hard-coded community string:302902010004067075626c6963a01c0204036a5f430
20100020100300e300c06082b060102010101000500.
4.6 Methods
Although the actual procedure differed across the threesets of experiments, the basic procedure remained thesame. Prior to each experiment, the DuTs were poweredoff and on so as to start with a clean system state.
To make the experiments more convenient, the execu-tion of individual experiments was automatized. To thisend, the individual experiments were combined in a singlelarge experiment definition for the experimental server.The gathered data was stored on the control server in asingle file per phase and experiment. After all the exper-iments had been executed, the resulting files were down-loaded for analysis.
5 Experiments, Results, and Discussion
In this sections, we present the three series of experimentswe conducted. In the first series, we measured reactionof devices under different loads of SYN packets. In thesecond series, we measured the reaction to different pro-
Figure 5: Controlled attack on PLCs with delays during packets, to achieve different network loads.
tocols. In the final series, we assessed the impact of scan-ning tools.
5.1 Increasing SYN LoadsAs a baseline for the communication robustness of thetested devices, we performed a series of tests (hping3SYN flood) with increasing inter-packet delay. Everyhping3 attack lasted 60s followed by a 30s idle phase.The delays between the flooding was created by thewait parameter of hping3 (hping3 -i u<wait for x
microseconds> <IP>). Through this, after each packet,hping3 waited x microseconds until the next packet wassent. We used the resulting mean cycle time for compari-son. The mean cycle time of each segment was calculatedas shown in Equation 1.
t =1n·
n
∑i=1
ti (1)
For better comparability, we normalized the results bydividing them by the mean idle time.
∆t =tmean
t idle(2)
An overview of the results is given in Fig. 5.We found that for some PLCs (5, 8, 9, 10, 14, and 16)
a higher network load led to higher cycle times.For some controllers (1, 3, and 4), we even observed
an ‘out-of-operation’ state under specific data rates. We
defined a device as out of operation if its cycle time wasincreased by a factor 10 or more.
Some PLCs (2 and 12) were not influenced at the max-imum packet flooding but at lower rates. This shows thatit is not always useful to execute a DoS attack at the max-imum available data rate.
During the hping3 measurement, the mean cycle timeof the Siemens ET200 (7) somewhat decreased, meaningthat the device runs fast at different packet rates.
Furthermore, four devices (6, 11, 13, and 15) in thetestbed were not influenced by the hping3 flooding at-tacks. However, most of the PLCs were affected, and fur-ther analysis showed that only the Crouzet em4 (15) wasnot influenced at all by our tests.
Conducting all the experiments summarized in Fig. 5took about a month. These experiments show that mostdevices can be influenced by sending SYN packets at a de-fined rate. Since SYN packets already have an influenceon devices, it can be expected that higher-level protocolssuch as Hypertext Transfer Protocol (HTTP), Simple Net-work Management Protocol (SNMP), and ICS-specificprotocols will be even more effective. This is due to ad-ditional resource consumption at higher levels of the net-work stack. In the following, we present a more detailedanalysis of this phenomenon.
5.2 Detailed Analysis of Protocols
Each experiment in this series consisted of four phases.First, the device to test was powered off and on to guar-antee a clean system state. The actual attack phase wasflanked by two idle phases. The idle phase prior to the at-tack served as a reference to determine the impact of theattack. The post-attack idle phase was intended to observeany possible long-term effects of the attack. Each phaselasted for 600 seconds. There was a 60-second break be-tween successive experiments.
Different impacts on the PLCs cycle time during theattacks could be observed. Due to space constraints, wecategorized the impact into six different effect classes.For each class, we only present the worst case observed.The results are detailed in the Appendix A.
The results of the measurements are shown in a boxplotwith calculated arithmetic mean (H) and median ( ). Thequantiles are respectively 25 % and 75 %, with whiskersup to factor 1.5 of the box.
5.2.1 Class 1: PLC ‘Stops’
An extreme behaviour is that the PLC ‘stops’ during theattack. This means that the outputs are not updated duringpacket injection. Fig. 6 shows this behaviour during anAddress Resolution Protocol (ARP) flood attack.
Pre idle Attack Post idle1000
1500
2000
2500
3000
Cycl
eti
me
inµ
s
Figure 6: Boxplot of a Wago 750-831 (4), where the PLCstops during ARP 3 flooding.
It is worth noticing that an ARP flooding attack canbe sent to the whole broadcast domain. Therefore, all de-vices that can be influenced in a broadcast domain can beaffected by this type of attack. However, ARP requestsdo not cross subnet boundaries, and as such only localadversaries can apply ARP flooding attacks.
In the example given in § 3.2, the valve remains open ifit is opened when the attack has started. Thus, the materialwill not be filled into the container but next to it. This canobviously lead to all sorts of trouble.
Devices in this class clearly exceed the requirementsfor a certification as described in § 3.3.
5.2.2 Class 2: High Deviation
During a flooding attack, the cycle time of some con-trollers increases by several seconds. In the measurementillustrated in Fig. 7, the cycle time increases up to 5 sec-onds. In the example, this influence is achieved throughUDP flooding. During the pre- and post-idle phase, thePLC functions as expected and toggles with about 2 ms.
Pre idle Attack Post idle102
103
104
105
106
107
Cycl
eti
me
inµ
sFigure 7: Boxplot of UDP flooding attack on a Wago 750-889 (1), resulting in a high deviation of the cycle time
Considering the example in § 3.2, the PLC will nearlystop reacting. More precisely, the outputs will remain atthe current level (on or off), only being updated everyfew seconds. This means that, if the valve is opened atthis moment, it will remain opened for several seconds,and the convey belt will still move forward, resulting in asimilar effect to the one described before.
Devices in this class break the requirements for cer-tification as described in § 3.3. Neither do the devicesmaintain essential services, nor is the deviation smallerthan 4 %.
5.2.3 Class 3: Medium Deviation
Another effect that can be observed is a ‘medium’ devi-ation of the cycle times. Devices in this class show in-creased cycle times below one second. Fig. 8 shows anexample. The device toggles in idle with about 2 ms. Dur-ing UDP flooding, the cycle time is up by a factor of about40.
The controller processes everything at a slower ratedue to this factor. It is possible that a process is still run-ning correctly, but at a much slower pace or imprecisely.Considering the example in § 3.2, the container may havealready passed the valve when the sensor input is pro-cessed. Therefore, the loading could miss the container.
As for classes 1 and 2, the criteria for certificationwould not be met.
Pre idle Attack Post idle103
104
105
Cycl
eti
me
inµ
s
Figure 8: Boxplot with medium deviation during UDPflooding with hping3 of the Schneider TM221CE16T(16).
5.2.4 Class 4: Increased Variance of Cycle Times
With regard to the results in Fig. 9, the cycle time is onlyminimally affected by packet flooding attacks. The box-plot as well as the mean value shows a delay of about25 %. However, the variance is still large under the attack.On some controllers, the boxplots and mean value repre-sentations are misleading. In fact, there may be effectswhich are only viewable in other representations.
Pre idle Attack Post idle0
100200300400500600700800900
Cycl
eti
me
inµ
s
Figure 9: Boxplot, while an attack on a Siemens S7-314(8) is generating a high network load with the S7Comimplementation of zgrab.
Fig. 10 shows the kernel density estimation in a his-togram plot. The number of bins is set to 1,000 in orderto get a good resolution of the distribution. In this, thecycle time is plotted against their probability (density).With this representation, the influenced cycles are clearlyvisible.
The density plot of the cycle time shows two peeks inidle, for the electrical low and high signals. We noticedthat the low and high signals do not have the same length.In fact, the high signal is longer than the low signal. Dur-ing the attack, the cycle time increases and new peeks areformed. The two peeks are shifted by a factor of about2, which is not obvious in the boxplot but is visible in
0 200 400 600 800 1000
Cycle time in µs
0.0000.0020.0040.0060.0080.0100.0120.0140.016
Den
sity
Pre idle
Attack
Post idle
Figure 10: Probability Density Function, to view the dis-tribution during the S7Com flooding of a Siemens S7-314(8) with zgrab.
the density representation. This in turn means that somecycle times are twice as slow. Regarding our example(§ 3.2), the result would be variable filling quantities.
For devices in this class, it is not entirely clear if theywould fulfil the requirements of the certifications. This ismainly due to the relatively broad definition of our classes.However, for the device we selected as example here, theanswer is still clear. For the Siemens S7-314 (8) under testin our study, the maximum communication load was set to20 %. As such the assurance of the device was exceeded.In addition, the Siemens S7-314 (8) is Achilles level 2-certified, but the findings indicate that the device is stillsusceptible to network-based attacks on the electrical sideof the device.
5.2.5 Class 5: Faster Cycle Time
By considering only the mean cycle time of the PLC, nochanges can be determined. However, on a closer look,the cycle time appears to be more spread and some cyclesbecome even faster during an attack. An example undera UDP flooding attack is given in Fig. 11.
Pre idle Attack Post idle101
102
103
104
Cycl
eti
me
inµ
s
Figure 11: A boxplot representing a shorter cycle timeof a Phoenix ILC151 (11) during Modbus/TCP floodingwith zgrab.
We believe that this effect is caused by a kind of bufferoverflow of the network stack and results in packet drop.Furthermore, maybe this is achieved by blocking or crash-ing the network stack, thereby allowing the Central Pro-cessing Unit (CPU) to process the control process faster.In a real-world example, this could make the process un-predictable if it gets faster than usual. In the context ofour example (§ 3.2), the container could not be positionedcorrectly, or the valve could close earlier than expected,leading insufficient filling.
To the best of our knowledge, the certification pro-grams listed in page 2 do not take into account that PLCscould work faster. As such, devices in this class wouldmeet the requirements while still being prone to attacks.
5.2.6 Class 6: No Measurable Influence
Some tests indicated no measurable influence. Fig. 12shows an example where the three phases are similar.
Pre idle Attack Post idle1985
1990
1995
2000
2005
2010
Cycl
eti
me
inµ
s
Figure 12: Example of a boxplot with no measurable in-fluence on the Crouzet em4 (15).
5.2.7 CPU Load During Attacks
In our testbed, most devices are based on Real-Time Op-erating System (RTOS) and the CPU usage cannot besupervised. However, the Wago 750-8100 is based onLinux (with root access), which allows the measurementof CPU utilization during attacks. The device has a single-core 600MHz ARM processor with 256MB of RAM. Theflooding attack started after 10 ticks and stopped after 20ticks. Fig. 13 illustrates the CPU usage during the experi-ment.
During the attack, the software Interrupt Request(IRQ), which, for example, handles the network traffic,increases to nearly 100 %. In case of an interrupt, theregular software execution is halted and the interrupt ishandled. A high interrupt load seems to affect the controlsoftware of the PLC, which influences the continuous ex-ecution, resulting in asynchronous cycle times.
0 10 20 3010−1
100
101
102
Time in Ticks
CPU
Loa
din
%
Software IRQ User Idle System
Figure 13: CPU load during SYN flooding attacks of aWago 750-8100 (2) with hping3
5.3 Effects of Active Scanning
In the literature listed in § 2, it is stated that active scansshould be avoided. However, this claim is not backedby empirical evidence. Using our testbed, we were ableto precisely assess the influences of an active scan. Forthis comparison, we used a selection of active scanners(Nmap 7.606, PLCScan version 0.17, and RiskViz SearchEngine8, which uses ZGrab [7] for application scanning)to analyse the behaviour of ICS components under an ac-tive scan. For this measurement, the default configurationof the scanners was used. For this analysis, we selecteda control system (Wago 750-880 (3)) which we alreadyknew was influenceable. Fig. 14 summarizes the mea-sured effects of these three scanners compared to the idlecycle time.
Idle Nmap PLCScan RiskViz102
103
104
105
106
Cycl
eti
me
inµ
s
Figure 14: Influences of active scanners on a Wago 750-880 (3).
Fig. 15 illustrates the influences of the cycle time ofthe three network scanners over the 30-second scan time.The data used for the plots in Fig. 14 and Fig. 15 are fromthe same scan.
Our analysis of active scanning in ICS networks showsthat there are measurable influences for some devices.
0 10 20 30
s
103
104
105C
ycl
eti
me
inµ
sNmap
PLCScan
RiskViz
Idle
Figure 15: Influences of different network scanners on aWago 750-880 (3) during network scanning
Therefore, scanning of ICS networks presents a chickenor egg problem. Specific devices should not be scanned.On the other hand, it is not known which devices are in anetwork prior to a scan. The only option, if a scan cannotbe avoided, is to keep the data rate as low as possible.
5.4 Mitigation and Future Work
In order to secure assets, systems, machines, and net-works against cyber threats, it is necessary to implementand maintain a state-of-the-art industrial security con-cept [19]. This includes validation of the communicationrobustness of single components, for example, with flood-ing tools and specialized ICS fuzzers [14]. Our resultswith these testing tools have shown that there is a lack ofsecure ICS component architectures. Furthermore, exist-ing tests are not vendor-independent or transparent to thepublic.
Data rate limitations on the network provide a possiblesoftware solution. This feature is already implementedby controllers from Wago (1,2,3,4). Our measurementsshow that this option can be an efficient mitigation (seeAppendix A). The Wago 750-8100 is not prone to flood-ing attacks for data rates of 16 MBit/s and below. Theeffect of flooding is drastically reduced for the remain-ing devices for data rates of 1 MBit/s and below. Onlythe longest measured cycle time is increased. There is nochange in the mean cycle times. For data rates of 8 MBit/sand above, the effects measured without the feature arestill evident. This possibility of rate-limiting indicatesthat there are other configuration options which couldprevent cycle time influences.
Another software-based solution would be RTOSs withhard real-time scheduling like FreeRTOS [8]. Such sched-ulers guarantee a certain task tick time. If mapped toPLCs cycle times, the expected characteristics on the elec-trical side could be guaranteed.
Besides software solutions, specific hardware config-urations provide another option [13]. A possible config-uration could be a multi-controller set-up, for example,two dedicated controllers, or a System-on-a-Chip (SoC),where one controller process the real-time task and theother controls communication. A challenge in this sce-nario is to prevent feedback effects between the con-trollers. A hardware solution is obviously only possiblefor new products, but it would increase production andintegration costs.
6 Conclusion
In this paper, we tested the communication robustness ofPLCs under network flooding attacks. Our results showthat the electrical side of PLCs is prone to network flood-ing attacks. Variances in the runtime of control programscan have disastrous effects. This differs from well-knownDoS attacks, as in this case physical processes are in-volved.
Our analysis shows that most of the PLCs are affected,irrespective of manufacturers. With the exception of onedevice (Crouzet em4 (15)), all the devices in our testbedshowed measurable changes during network flooding at-tacks. Some of the controllers even ‘stopped’ operatingand did not update their outputs for the duration of theattack. Additionally, we have shown that active networkscans have a detectable effect on the electrical side ofPLCs. These results are relevant as active networks scansare a current trend in academic research. Network scanswith high data rates may influence internet facing PLCsaccidentally. We recommend taking this possibility intoaccount for the risk assessment of a planned project.
Apart from casualties, network-based DDoS attacksare another current trend [18]. This is mainly becausenetwork flooding attacks are technically simple. In thepresented scenario, an attacker can influence an actualphysical process. This increases the thread imposed byDDoS attacks.
To summarize our research, it can be said that a securesystem configuration is of great importance. We wereglad to see that Wago offers at least a partial function mit-igation feature. However, operators need to learn aboutand use configuration features to enable a secure opera-tion.
We plan to extend our analysis with more devices toprovide a broader overview. We informed all affected ven-dors about our findings using an adapted responsible dis-closure.
Acknowledgments
The work on network traffic effects on PLC cycle time ispart of the RiskViz [1] research project. It is funded bythe Federal Ministry of Education and Research (BMBF),with the aim of creating a risk map of SCADA systemsin Germany.
References[1] RiskViz - Risk Map of the Industrial IT-Security in Germany. On-
[2] A M I N , S . , C A R D E N A S , A . A . , A N D S A S T RY, S . S . Safeand Secure Networked Control Systems under Denial-of-ServiceAttacks. In International Workshop on Hybrid Systems: Compu-tation and Control (2009), Springer, pp. 31–45.
[3] B O V I L L E , J . Productivity Secrets: Don’t Underestimate thePower of PLC Scan Time. Online: https://tinyurl.com/ybrmu3py. Accessed: 2018-05-30.
[4] B O W E N , T. C . L . , A N D T H O M A S , R . W. A Plan forSCADA Security to Deter DOS Attacks. In Proceedings of theDepartment of Homeland Security: R&D Partnering Conference(2005), Citeseer.
[5] C A R D E N A S , A . A . , A M I N , S . , A N D S A S T RY, S . Re-search Challenges for the Security of Control Systems. In HotSec(2008).
[6] C O R P O R AT I O N , E . C . Scan Times. Online: https://
tinyurl.com/yc6jr5e4. Accessed: 2018-05-30.
[7] D U R U M E R I C , Z . , W U S T R O W, E . , A N D H A L D E R M A N ,J . A . Zmap: Fast internet-wide scanning and its security applica-tions. In USENIX Security Symposium (2013), vol. 8, pp. 47–53.
[8] I N A M , R . , M A K I - T U R J A , J . , S J O D I N , M . , A N DB E H N A M , M . Hard real-time support for hierarchical schedul-ing in freertos. In 23rd Euromicro Conference on Real-TimeSystems (2011), pp. 51–60.
[9] K A L L U R I , R . , M A H E N D R A , L . , K U M A R , R . S . , A N DP R A S A D , G . G . Simulation and Impact Analysis of Denial-of-Service Attacks on Power SCADA. In Power Systems Conference(NPSC), 2016 National (2016), IEEE, pp. 1–5.
[10] K L I C K , J . , L A U , S . , M A R Z I N , D . , M A L C H O W, J . - O . ,A N D R O T H , V. Internet-facing PLCs as a Network Backdoor.In Communications and Network Security (CNS), 2015 IEEE Con-ference on (2015), IEEE, pp. 524–532.
[11] L O N G , M . , W U , C . - H . , A N D H U N G , J . Y. Denial ofService Attacks on Network-based Control Systems: Impact andMitigation. IEEE Transactions on Industrial Informatics 1, 2(2005), 85–96.
[12] M A R K O V I C - P E T R O V I C , J . D . , A N D S T O J A N O V I C ,M . D . Analysis of SCADA System Vulnerabilities to DDoSAttacks. In Telecommunication in Modern Satellite, Cable andBroadcasting Services (TELSIKS), 2013 11th International Con-ference on (2013), vol. 2, IEEE, pp. 591–594.
[13] N A O , L . , PA S S A R O , P. , G I O I A , E . , A N D P E T R A C C A ,M . Asymmetric multiprocessing techniques in smart devices:Application in a drone navigation system. In Software, Telecom-munications and Computer Networks (SoftCOM), 2017 25th In-ternational Conference on (2017), IEEE, pp. 1–5.
[14] N I E D E R M A I E R , M . , F I S C H E R , F. , A N D V O N B O D I S C O ,A . PropFuzz - An IT-Security Fuzzing Framework for ProprietaryICS Protocols. In 2017 International Conference on Applied Elec-tronics (AE), Pilsen (2017), pp. 1–4.
[15] N I E D E R M A I E R , M . , V O N B O D I S C O , A . , A N D M E R L I ,D . CoRT: A Communication Robustness Testbed for IndustrialControl System Components. In 4th International Conferenceon Event-Based Control, Communication, and Signal ProcessingEBCCSP 2018 (2018).
[16] S AY E G H , N . , C H E H A B , A . , E L H A J J , I . H . , A N DK AY S S I , A . Internal Security Attacks on SCADA Systems.In Communications and Information Technology (ICCIT), 2013Third International Conference on (2013), IEEE, pp. 22–27.
[17] S C H I E R H O L Z , R . , A N D M C G R AT H , K . SecurityCertification–A Critical Review. ABB Corporate Research (2010).
[18] S E A M A N , C . Threat Advisory: Mirai Botnet. Tech. rep., Aka-mai, 2016.
[19] S T O U F F E R , K . , FA L C O , J . , A N D S C A R F O N E , K . Guideto Industrial Control Systems (ICS) Security. NIST special publi-cation 800, 82 (2011).
[20] T E I X E I R A , A . , P E R E Z , D . , S A N D B E R G , H . , A N D J O -H A N S S O N , K . H . Attack Models and Scenarios for NetworkedControl Systems. In Proceedings of the 1st international con-ference on High Confidence Networked Systems (2012), ACM,pp. 55–64.
[21] T I L A R O , F. Assessment and Testing of Industrial Devices Ro-bustness against Cyber Security Attacks. In Conf. Proc. (2011).
[22] W E D G B U RY, A . , A N D J O N E S , K . Automated Asset Dis-covery in Industrial Control Systems - Exploring the Problem.In Proceedings of the 3rd International Symposium for ICS &SCADA Cyber Security Research (2015), British Computer Soci-ety, pp. 73–83.
[23] X I E , F. , P E N G , Y. , Z H A O , W. , G A O , Y. , A N D H A N ,X . Evaluating Industrial Control Devices Security: Standards,Technologies and Challenges. In IFIP International Conferenceon Computer Information Systems and Industrial Management(2014), Springer, pp. 624–635.
We plan to publish the scripts used for the penetrationtests and for the evaluation under GPL licence. Further-more, the collected data and the results derived from thetestbed are available on request for further research.
The Appendix lists additional measurement results for every PLC in the testbed. The attack with the most influence foreach controller is marked with a grey background.
Table 3: Cycle time in µs during attacks against Wago devices
Device Attack Mean Pre Mean Att Mean Post Median Pre Median Att Median Post Min Pre Min Att Min Post Max Pre Max Att Max Post