Firmware modification attacks on programmable logic controllers
Zachry Basnight, Jonathan Butts*, Juan Lopez Jr., Thomas Dube
Air Force Institute of Technology, Wright-Patterson Air Force Base, Ohio 45433, USA
Article info
Article history: Received 12 January 2013; Accepted 18 April 2013; Available online 2 May 2013
Keywords: Industrial control systems; Programmable logic controllers; Firmware; Modification attacks; Reverse engineering
Abstract
Recent attacks on industrial control systems, such as the highly publicized Stuxnet malware, have intensified a “race to the bottom” where lower-level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physical outputs, can be easily modified at the user level. Efforts directed at protecting against firmware modification are hindered by the lack of foundational research about attack development and implementation. This paper examines the vulnerability of PLCs to intentional firmware modifications in order to obtain a better understanding of the threats posed by PLC firmware modification attacks and the feasibility of these attacks. A general firmware analysis methodology is presented, and a proof-of-concept experiment is used to demonstrate how legitimate firmware can be updated and uploaded to an Allen-Bradley ControlLogix L61 PLC.
Published by Elsevier B.V.
1. Introduction
Modern industrial applications employ advanced automation and management networks that are collectively referred to as industrial control systems. These systems are responsible for the precise and consistent operation of critical infrastructure assets. The reliance of industrial control systems on modern information technology solutions, including IP-based networking and embedded computing, has raised serious security concerns [19]. The inexorable amalgamation of technologies from two traditionally distinct cultures has created a schism with regard to the security capabilities of information technology and industrial control systems. Indeed, industrial control system security is well behind information technology system security in terms of the sophistication and scale of security policies, techniques and tools.
Meanwhile, cyber attacks on industrial control systems are increasing in intensity [20]. Examples such as Stuxnet provide insight into future cyber threats on industrial control systems [7]. Like traditional attacks on information technology systems, attacks on industrial control systems are targeting lower-level control to allow for more powerful and flexible system manipulation. The allure of industrial control system attacks – and the ultimate goal of malicious manipulation – is the ability to elicit physical manifestations through cyber means. As the final link between cyber and physical components of industrial control systems, programmable logic controllers (PLCs) are critical to the operation of critical infrastructure assets. PLCs are embedded devices that are programmed to manage and control physical components based on system inputs and requirements. The lowest programming abstraction layer of a PLC is the firmware. Malicious modification or counterfeiting of PLC firmware can provide an adversary with complete control over an industrial control device and any physical system components that come under its purview.
This paper examines the feasibility of firmware modification attacks on PLCs. Specifically, it investigates and assesses the
* Corresponding author. E-mail address: jonathan.butts@afit.edu (J. Butts).
International Journal of Critical Infrastructure Protection 6 (2013) 76–84
1874-5482/$ - see front matter. Published by Elsevier B.V.
http://dx.doi.org/10.1016/j.ijcip.2013.04.004