TY - GEN
T1 - SNIFU
T2 - 38th IEEE VLSI Test Symposium, VTS 2020
AU - Benkraouda, Hadjer
AU - Chakkantakath, Muhammad Ashif
AU - Keliris, Anastasis
AU - Maniatakos, Michail
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/4
Y1 - 2020/4
N2 - Attacks on Industrial Control Systems (ICS) are increasingly targeting field devices and the firmware that instruments their operation. Securing the firmware images and their update procedure has, therefore, become an important challenge. This is especially true for widely deployed legacy devices which are not equipped with the necessary security mechanisms/capabilities. In this paper, we address the problem by reverse engineering PLC firmware update tools to build a device that ensures the integrity and authenticity of firmware updates, before allowing them to be flashed onto a field device. Our tool is directly connected to field devices and consists of a firmware signing mechanism, a PLC emulation module, and a payload detection classifier - all integrated in a bump-in-the-wire device, SNIFU. SNIFU monitors serial traffic sent to the PLC for firmware update commands. When it identifies such commands, it emulates a PLC, capturing the entire firmware image and verifying it before relaying it to the PLC. We implement and evaluate a prototype of SNIFU using a Raspberry Pi, that secures the update process of a commercial PLC by Wago.
AB - Attacks on Industrial Control Systems (ICS) are increasingly targeting field devices and the firmware that instruments their operation. Securing the firmware images and their update procedure has, therefore, become an important challenge. This is especially true for widely deployed legacy devices which are not equipped with the necessary security mechanisms/capabilities. In this paper, we address the problem by reverse engineering PLC firmware update tools to build a device that ensures the integrity and authenticity of firmware updates, before allowing them to be flashed onto a field device. Our tool is directly connected to field devices and consists of a firmware signing mechanism, a PLC emulation module, and a payload detection classifier - all integrated in a bump-in-the-wire device, SNIFU. SNIFU monitors serial traffic sent to the PLC for firmware update commands. When it identifies such commands, it emulates a PLC, capturing the entire firmware image and verifying it before relaying it to the PLC. We implement and evaluate a prototype of SNIFU using a Raspberry Pi, that secures the update process of a commercial PLC by Wago.
KW - Industrial Control Systems
KW - Machine Learning
KW - Secure firmware updates
UR - http://www.scopus.com/inward/record.url?scp=85086502077&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85086502077&partnerID=8YFLogxK
U2 - 10.1109/VTS48691.2020.9107609
DO - 10.1109/VTS48691.2020.9107609
M3 - Conference contribution
AN - SCOPUS:85086502077
T3 - Proceedings of the IEEE VLSI Test Symposium
BT - Proceedings - 2020 IEEE 38th VLSI Test Symposium, VTS 2020
PB - IEEE Computer Society
Y2 - 5 April 2020 through 8 April 2020
ER -