
III. Methodology

3.4 Attack Development

3.4.2 Deployment and Evaluation

Each repackaged firmware is evaluated for functionality and stability. Repackaged firmware images are pushed to the ControlLogix 1756-L61 PLC using ControlFLASH. Once installed, each repackaged firmware must operate normally, and unexpected device failures must not occur if the attack has not been triggered. Stability is evaluated by installing each repackaged firmware on the ControlLogix 1756-L61 PLC and running the PLC uninterrupted for a minimum of eight hours. If the ControlLogix 1756-L61 PLC operates without fault during the eight hours, the repackaged firmware is considered stable.

For the purposes of this evaluation, normal operation, device faults, and stability require specific definitions.

• During functional evaluation, normal operation is determined using the status of the front panel OK light. If the front panel OK light remains green, the ControlLogix 1756-L61 is operating normally and the firmware remains functional. The front panel OK light is used as a status indicator during functional evaluation and performance analysis. No process program is executed by the firmware during functional evaluation. During performance analysis, a process program is executed by the firmware. For both evaluations, a green front panel OK light indicates normal operation.

• If the front panel OK light switches to solid red, a major fault has caused the ControlLogix 1756-L61 PLC to halt and reset. Once the reset is complete, the front panel OK light changes from solid red to blinking red. The blinking red indicates that the ControlLogix 1756-L61 PLC requires a reset using the front panel mode switch or a power cycle. This type of fault is generated by the attacks in each repackaged firmware. During functional evaluation, such a fault should occur only when the attack is executed.

• Stability is defined as uninterrupted normal operation indicated by a green front panel OK light. Only the firmware is executed during stability evaluation; no process control program is loaded on the ControlLogix 1756-L61 PLC. The eight-hour stability evaluation period was chosen because it exceeds acceptance testing times used in some control system installations, which can range from two to six hours depending on system type [13].

The time based non-persistent DoS attack is evaluated at three durations. Pilot tests show that the exploited function hooked by the iterator and fault test executes approximately 1200 times per minute. The three durations evaluated are one minute, ten minutes, and one hour. Therefore, using the execution rate of the hooked function, the iterator values are set to 1200, 12000, and 72000 respectively. To pass, the ControlLogix 1756-L61 PLC must fault at the expected time. Once the fault is generated, the ControlLogix 1756-L61 is power cycled to clear the fault. If all three evaluations pass, the iterator is set to 16777216, which is a large enough number to allow the ControlLogix 1756-L61 PLC to run for the duration of the stability evaluation. After the iterator is altered and the repackaged firmware is installed, the ControlLogix 1756-L61 PLC runs for eight continuous hours. If no faults are generated, the repackaged firmware containing the time based non-persistent DoS is considered stable.
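The pass/fail criteria above (OK light states, the 1200 calls/minute rate, the iterator-to-time relation, and the eight-hour window) can be written down as a small evaluation oracle. The following is an added example, not part of the thesis or its tooling; the 0.5 minute timing tolerance and the status-sample format are assumptions made here.

```python
from enum import Enum

HOOK_CALLS_PER_MINUTE = 1200     # pilot-test execution rate of the hooked function
STABILITY_HOURS = 8              # stability evaluation window
STABILITY_ITERATOR = 16777216    # iterator value used for the eight-hour run


class OkLight(Enum):
    GREEN = "green"          # normal operation
    SOLID_RED = "solid_red"  # major fault: PLC halts and resets
    BLINK_RED = "blink_red"  # post-reset: needs mode-switch reset or power cycle


def expected_fault_minutes(iterator: int) -> float:
    """Minutes until the iterator-driven fault fires at the measured call rate."""
    return iterator / HOOK_CALLS_PER_MINUTE


def iterator_for_minutes(minutes: float) -> int:
    """Iterator value that should fault after the given number of minutes."""
    return round(minutes * HOOK_CALLS_PER_MINUTE)


def stability_iterator_is_sufficient(iterator: int = STABILITY_ITERATOR,
                                     hours: int = STABILITY_HOURS) -> bool:
    """True if the iterator cannot fire inside the stability window."""
    return expected_fault_minutes(iterator) > hours * 60


def timed_trial_passes(iterator: int, observed_fault_minute: float,
                       tolerance_minutes: float = 0.5) -> bool:
    """Timed trial passes when the fault lands at the expected minute (tolerance is assumed)."""
    return abs(observed_fault_minute - expected_fault_minutes(iterator)) <= tolerance_minutes


def fault_observed(samples) -> bool:
    """samples: list of (elapsed_minutes, OkLight). True on the halt-and-reset
    signature described in the text: solid red followed by blinking red."""
    lights = [light for _, light in samples]
    return any(a is OkLight.SOLID_RED and b is OkLight.BLINK_RED
               for a, b in zip(lights, lights[1:]))


def stability_run_passes(samples) -> bool:
    """Stability passes only if the log covers the full window and never left green."""
    if not samples or samples[-1][0] < STABILITY_HOURS * 60:
        return False
    return all(light is OkLight.GREEN for _, light in samples)
```

Constructed status logs (minute, light) can be fed to `fault_observed` and `stability_run_passes` to score a trial; 16777216 iterations at 1200 per minute is roughly 233 hours, well beyond the window.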

The mode change based non-persistent DoS attack is evaluated under three conditions. The first condition verifies that the ControlLogix 1756-L61 PLC faults after four alternating remote mode changes. The second condition verifies that mode changes using the ControlLogix 1756-L61 front panel switch do not cause a fault. The third condition is the stability evaluation. To evaluate the first condition, the repackaged firmware is installed on the ControlLogix 1756-L61 PLC, where it is allowed to stabilize for 60 seconds. Once stabilized, the four mode changes are sent using the RSLogix 5000 program. The mode changes must alternate between REMOTE RUN and REMOTE PROGRAM, starting with a switch from REMOTE PROGRAM to REMOTE RUN. After the mode change sequence is sent, the ControlLogix 1756-L61 PLC must fault. The fault is cleared using a power cycle. To evaluate the second condition, the ControlLogix 1756-L61 PLC is again allowed to stabilize for 60 seconds. Once stabilized, the front panel mode switch, shown in Figure 3.4, is alternated between PROGRAM and RUN a minimum of eight times in less than 60 seconds. No faults should be generated during the mode changes. Once complete, the ControlLogix 1756-L61 PLC runs continuously for eight hours. If no faults are generated, repackaged firmware containing the mode change based non-persistent DoS is considered stable.

Figure 3.4: Front Panel Mode Change Switch.

The CIP based non-persistent DoS attack is evaluated under three conditions. The first condition verifies that the ControlLogix 1756-L61 PLC faults after receiving a modified CIP identity object command. The second condition verifies that a valid CIP identity object command does not cause a fault. The third condition is the stability evaluation. To evaluate the first condition, the repackaged firmware is installed on the ControlLogix 1756-L61 PLC, where it is allowed to stabilize for 60 seconds. Once stabilized, the modified CIP identity object command is sent using a locally developed program. The modified CIP identity object command must cause the ControlLogix 1756-L61 PLC to fault. The fault is cleared using a power cycle. To evaluate the second condition, the ControlLogix 1756-L61 PLC is allowed to stabilize for 60 seconds. Once stabilized, a valid CIP identity object command is sent, which should not cause a fault. If all conditions pass, the ControlLogix 1756-L61 PLC runs continuously for eight hours with the repackaged firmware installed. If no faults are generated, repackaged firmware containing the CIP based non-persistent DoS is considered stable.

The CIP based persistent DoS attack is evaluated under four conditions. The first condition verifies that the ControlLogix 1756-L61 PLC faults after receiving a modified CIP identity object command. The second condition evaluates persistence and verifies that the fault remains after both a mode change reset and a power cycle. The third condition verifies that a valid CIP identity object command does not cause a fault. The fourth condition is the stability evaluation. To evaluate the first condition, the repackaged firmware is installed on the ControlLogix 1756-L61 PLC where it is allowed to stabilize for 60 seconds. Once stabilized, the modified CIP identity object command is sent using a locally developed program. The modified CIP identity object command must cause the ControlLogix 1756-L61 PLC to fault. The second condition is evaluated first by attempting the mode change switch reset method. If the fault does not clear, a power cycle is attempted. If the fault remains after the power cycle, the CIP based persistent DoS attack passes the second condition and is considered persistent. The ControlLogix 1756-L61 PLC is restored by erasing the altered portion of flash memory using the JTAG interface and debugger. To test the third condition, after restoration, the ControlLogix 1756-L61 PLC is allowed to stabilize for 60 seconds. Once stabilized, a valid CIP identity object command is sent which should not cause a fault. If all conditions pass, the ControlLogix 1756-L61 PLC is run continuously for eight hours with the repackaged firmware installed to evaluate stability. If no faults are generated, repackaged firmware containing the CIP based persistent DoS is considered stable.
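Both the non-persistent and the persistent CIP evaluations above distinguish a "valid" Identity object command from a "modified" one, so a monitor on the control network needs a notion of what a well-formed Identity read looks like. The following structural check is an added example, not code from the thesis: it decodes a CIP Message Router request (service code, request path size in 16-bit words, 8-bit logical segments 0x20 class / 0x24 instance / 0x30 attribute) and reports any deviation from a plain Identity object (class 0x01, instance 1) Get_Attributes_All (0x01) or Get_Attribute_Single (0x0E) request. It assumes 8-bit logical segments only and does not claim to reproduce whatever modification the thesis used; it only flags requests that do not match the expected shape.

```python
SERVICE_GET_ATTRS_ALL = 0x01
SERVICE_GET_ATTR_SINGLE = 0x0E
IDENTITY_CLASS = 0x01
IDENTITY_ATTRS = range(1, 8)   # vendor id, device type, product code, revision, status, serial, name
SEGMENT_NAMES = {0x20: "class", 0x24: "instance", 0x30: "attribute"}  # 8-bit logical segments


def parse_epath(path: bytes) -> dict:
    """Decode an 8-bit logical EPATH into {"class": .., "instance": .., "attribute": ..}."""
    out, i = {}, 0
    while i < len(path):
        seg = path[i]
        if seg not in SEGMENT_NAMES or i + 1 >= len(path) or SEGMENT_NAMES[seg] in out:
            raise ValueError(f"unsupported or duplicate segment 0x{seg:02x} at offset {i}")
        out[SEGMENT_NAMES[seg]] = path[i + 1]
        i += 2
    return out


def check_identity_request(msg: bytes) -> list:
    """Return the reasons msg is not a well-formed Identity object read; [] means it is."""
    if len(msg) < 2:
        return ["truncated message router request"]
    service, path_words = msg[0], msg[1]
    path = msg[2:2 + 2 * path_words]
    data = msg[2 + 2 * path_words:]
    if len(path) != 2 * path_words:
        return ["request path shorter than its declared size"]
    try:
        epath = parse_epath(path)
    except ValueError as err:
        return [str(err)]
    problems = []
    if epath.get("class") != IDENTITY_CLASS:
        problems.append("class is not Identity (0x01)")
    if epath.get("instance") != 1:
        problems.append("instance is not 1")
    if service == SERVICE_GET_ATTRS_ALL:
        if "attribute" in epath:
            problems.append("attribute segment not allowed for Get_Attributes_All")
    elif service == SERVICE_GET_ATTR_SINGLE:
        if epath.get("attribute") not in IDENTITY_ATTRS:
            problems.append("attribute id outside Identity attributes 1-7")
    else:
        problems.append(f"unexpected service 0x{service:02x}")
    if data:  # neither read service carries request data
        problems.append(f"{len(data)} unexpected trailing data bytes")
    return problems
```

A canonical Get_Attributes_All Identity request is the six bytes `01 02 20 01 24 01`; anything the check reports is worth logging before the request reaches a controller under test.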
