Attacking the IEC 61131 Logic Engine in Programmable Logic Controllers

• Published in: Critical Infrastructure Protection XV pp. 73 - 95
• Main Authors: Qasim, Syed Ali, Ayub, Adeen, Johnson, Jordan, Ahmed, Irfan
• Format: Book Chapter
• Language: English
• Published: Cham Springer International Publishing 2022
• Series: IFIP Advances in Information and Communication Technology
• Subjects: attacks; IEC 61131 logic engine; Programmable logic controllers
• ISBN: 3030935108; 9783030935108
• ISSN: 1868-4238; 1868-422X
• DOI: 10.1007/978-3-030-93511-5_4

Programmable logic controllers monitor and control physical processes in critical infrastructure assets, including nuclear power plants, gas pipelines and water treatment plants. They are equipped with control logic written in IEC 61131 languages such as ladder diagrams and structured text that define how the physical processes are monitored and controlled. Cyber attacks that seek to sabotage physical processes typically target the control logic of programmable logic controllers. Most of the attacks described in the literature inject malicious control logic into programmable logic controllers. This chapter presents a new type of attack that targets the control logic engine that is responsible for executing the control logic. It demonstrates that a control logic engine can be disabled by exploiting inherent features such as the program mode and starting/stopping the engine. Case studies involving control logic engine attacks on real programmable logic controllers are presented. The case studies present internal details of the logic engine attacks to enable industry and the research community to understand the control logic engine attack vector. Additionally, control engine attacks on power substation, conveyor belt and elevator testbeds are presented to demonstrate their impacts on physical systems.