Towards generic memory forensic framework for programmable logic controllers

Rima Asmar Awad, Muhammad Haris Rais, Michael Rogers, Irfan Ahmed, Vincent Paquit

Research output: Contribution to journal › Article › peer-review

7 Scopus citations

Abstract

A Programmable Logic Controller (PLC) is a microprocessor-based controller used to automate physical processes in critical infrastructure and in many other industrial and manufacturing sectors. Initially, PLCs were completely isolated from the Internet, and cybersecurity was not considered at the time of their development. The introduction of Industry 4.0 and the evolution of ICS networks to communicate over public IP addresses enhanced productivity and efficiency, but Internet connectivity exposed these systems and their vulnerabilities, which led to an increase in cyber attacks. When a system is sabotaged or compromised, security analysts need to get to the root cause of the attack as quickly as possible to recover the system. To do so, memory forensic analysis is critical: it provides unique insight into run-time memory activity and extracts a reliable source of evidence. In this paper, we analyze the memory structure of the Schneider Electric Modicon M221 PLC. To build a memory profile, we reverse engineer the communication protocol and conduct differential analysis to gain knowledge of the memory structure and the low-level representation of control logic instructions. We then identify dynamic and static memory regions by modifying different project fields and conducting differential analysis, which allows us to identify the boundaries of critical memory structures and extract important forensic artifacts found in the memory. The Python implementation of the memory profile can help reduce the time and effort required for manual analysis in the case of a cyber incident or system failure.
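The differential analysis the abstract describes, as an added example that is not the paper's own Python memory profile: one baseline dump plus one dump per modified project field, with bytes that change in every dump treated as volatile and bytes that never change as static. The 64-byte snapshots, field names and offsets are constructed for illustration, not the M221 layout the paper recovers.

```python
# Added example: differential analysis of PLC memory snapshots.
# Snapshots, offsets and field names are constructed, not the real M221 layout.
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # half-open [start, end) byte offsets

def to_ranges(offsets: List[int]) -> List[Range]:
    """Collapse a sorted list of byte offsets into contiguous ranges."""
    ranges: List[Range] = []
    for off in offsets:
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], off + 1)
        else:
            ranges.append((off, off + 1))
    return ranges

def diff_ranges(base: bytes, other: bytes) -> List[Range]:
    """Byte ranges where two equal-length snapshots differ."""
    if len(base) != len(other):
        raise ValueError("snapshots must have equal length")
    return to_ranges([i for i, (a, b) in enumerate(zip(base, other)) if a != b])

def classify(baseline: bytes, variants: Dict[str, bytes]) -> Dict[str, object]:
    """Attribute changed bytes to the field modified before each dump. Bytes that
    change in every dump are volatile (counters, timers); bytes that never change
    are static. At least two variants are needed to separate the two."""
    if len(variants) < 2:
        raise ValueError("need at least two modified-field snapshots")
    changed = {n: {i for s, e in diff_ranges(baseline, v) for i in range(s, e)}
               for n, v in variants.items()}
    volatile = set.intersection(*changed.values())
    static = set(range(len(baseline))) - set().union(*changed.values())
    return {"per_field": {n: to_ranges(sorted(s - volatile)) for n, s in changed.items()},
            "volatile": to_ranges(sorted(volatile)),
            "static": to_ranges(sorted(static))}

# Constructed dumps: a baseline plus one dump per edited field; a hypothetical
# free-running counter at bytes 60..64 changes on every capture.
BASELINE = bytes(range(64))

def _dump(edits: Dict[int, int], tick: int) -> bytes:
    buf = bytearray(BASELINE)
    for off, val in edits.items():
        buf[off] = val
    buf[60:64] = tick.to_bytes(4, "little")
    return bytes(buf)

VARIANTS = {"project_name": _dump({8: 0x41, 9: 0x42, 10: 0x43}, 1),
            "rung_count": _dump({32: 0x07, 33: 0x01}, 2)}
```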

Original language: English
Article number: 301513
Journal: Forensic Science International: Digital Investigation
Volume: 44
DOIs
State: Published - Mar 2023

Funding

This manuscript has been authored by UT-Battelle, LLC, under contract DE-AC05-00OR22725 with the US Department of Energy (DOE). The US government retains and the publisher, by accepting the article for publication, acknowledges that the US government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this manuscript, or allow others to do so, for US government purposes. DOE will provide public access to these results of federally sponsored research in accordance with the DOE Public Access Plan (http://energy.gov/downloads/doe-public-access-plan).

Keywords

  • CPS forensics
  • Embedded devices
  • ICS
  • JTAG
  • Memory forensics
  • PLC
  • SCADA
