JTAG-based PLC memory acquisition framework for industrial control systems

Muhammad Haris Rais, Rima Asmar Awad, Juan Lopez, Irfan Ahmed

Research output: Contribution to journal › Article › peer-review

24 Scopus citations

Abstract

In industrial control systems (ICS), programmable logic controllers (PLCs) are the embedded devices that directly control and monitor critical industrial infrastructure processes such as nuclear plants and power grid stations. Cyberattacks often target PLCs to sabotage a physical process. A memory forensic analysis of a suspect PLC can answer questions about an attack, including whether the firmware was compromised and whether the PLC control logic code and I/O devices were manipulated. Given physical access to a PLC, collecting forensic information from the PLC memory at the hardware level is risky and challenging: it may cause the PLC to crash or hang, since PLCs have proprietary, legacy hardware with heterogeneous architectures. This paper addresses this research problem and proposes a novel JTAG (Joint Test Action Group)-based framework, Kyros, for reliable PLC memory acquisition. Kyros systematically creates a JTAG profile of a PLC through hardware assessment, JTAG pin identification, memory map creation, and optimization of acquisition parameters. It also enables the community of interest (such as ICS owners, operators, and vendors) to develop JTAG profiles of PLCs. Further, we present a case study of the Kyros implementation on an Allen-Bradley 1756-A10/B to help understand the framework's application to a real-world PLC used in industry settings. The sample PLC memory dumps are shared with the research community to facilitate further research.

Original language: English
Article number: 301196
Journal: Forensic Science International: Digital Investigation
Volume: 37
DOIs
State: Published - Jul 2021

Funding

This work was supported, in part, by the Virginia Commonwealth Cyber Initiative, an investment in the advancement of cyber R&D, innovation, and workforce development. For information, visit www.cyberinitiative.org.

Keywords

  • Critical infrastructure protection
  • Embedded devices
  • ICS
  • IoT forensics
  • JTAG
  • Memory forensics
  • PLC
  • SCADA
