Authors: Nauman Zubair, Adeen Ayub, Hyunguk Yoo, Irfan Ahmed



Programmable logic controllers (PLCs) are special-purpose embedded devices used in various industries for automatic control of physical processes. Cyberattacks on PLCs can unleash mayhem in the physical world. In case of a security breach, volatile memory acquisition is critical in investigating the attack, since it provides unique insights into runtime system activities and memory-based artifacts. However, existing memory acquisition methods for PLCs (i.e., using a hardware-level debugging port, or network protocol-based approaches) are either inapplicable in real-world forensic investigations (because they require disassembly of a suspect PLC or power cycling) or incomplete (i.e., they acquire only partial memory contents). This paper proposes PEM, a new memory acquisition framework that remotely acquires a PLC's volatile memory while the PLC is controlling a physical process. The main idea is to inject a harmless memory duplicator into the running control logic of a PLC to copy local memory contents into a protocol-mapped address space, which is then readable over the network. We also present a new control-logic attack that targets in-memory firmware to compromise a PLC's built-in system functions. Since PEM can acquire the entire PLC memory, we show that its memory dump contains evidence of this attack. Further, we present a case study on a gas pipeline testbed to demonstrate the effectiveness of the attack on a physical process and how PEM helps identify the attack and other important forensic artifacts, such as the control logic of a PLC.
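The duplicator-through-mapped-registers idea described above, as a constructed Python model added here (not the paper's code and not any real PLC protocol): the PLC's local memory is larger than the register block the network can read, so the injected routine copies one window per scan cycle, selected by a control register the remote side advances, and the reassembled image is then compared with a known-good one to locate modified bytes. Sizes, register layout, class and function names, and the sample image are all assumptions for this example.

```python
# Added model of the PEM idea above: a duplicator injected into the scan cycle
# copies local memory, one window per scan, into a protocol-mapped register
# block a remote client reads. Sizes, names and layout are assumptions only.
MEM_SIZE = 4096            # assumed size of the PLC's local memory, in bytes
REG_COUNT = 64             # assumed size of the network-readable register block
DATA_REGS = REG_COUNT - 1  # register 0 selects the window; the rest carry data
WINDOW_BYTES = DATA_REGS * 2

class SimPlc:
    """Constructed PLC: private memory plus a protocol-mapped register block."""
    def __init__(self, memory: bytes):
        assert len(memory) == MEM_SIZE
        self.memory = bytearray(memory)
        self.regs = [0] * REG_COUNT

    def scan_cycle(self):
        """One scan: the injected rung copies the window chosen by register 0
        into registers 1..DATA_REGS as big-endian 16-bit words."""
        start = (self.regs[0] * WINDOW_BYTES) % MEM_SIZE
        chunk = self.memory[start:start + WINDOW_BYTES].ljust(WINDOW_BYTES, b"\0")
        for i in range(DATA_REGS):
            self.regs[1 + i] = int.from_bytes(chunk[2 * i:2 * i + 2], "big")

def acquire_memory(plc: SimPlc) -> bytes:
    """Remote side: select a window, let a scan run, read the data registers,
    repeat, and reassemble the full image (last window's padding trimmed)."""
    dump = bytearray()
    for w in range(-(-MEM_SIZE // WINDOW_BYTES)):  # ceiling division
        plc.regs[0] = w                            # protocol write: select window
        plc.scan_cycle()                           # PLC keeps running its logic
        for word in plc.regs[1:]:                  # protocol read: data block
            dump += word.to_bytes(2, "big")
    return bytes(dump[:MEM_SIZE])

def changed_ranges(baseline: bytes, dump: bytes) -> list:
    """Forensic diff: [start, end) byte ranges where dump differs from a known-good image."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(baseline, dump)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(dump)))
    return ranges

# Constructed sample: a known-good image, and a copy with 8 bytes altered in
# the region standing in for in-memory firmware (the attack the paper evidences).
BASELINE = bytes((i * 31 + 7) & 0xFF for i in range(MEM_SIZE))
TAMPERED = bytearray(BASELINE)
TAMPERED[0x800:0x808] = b"\xEE" * 8
```

Running `changed_ranges(BASELINE, acquire_memory(SimPlc(bytes(TAMPERED))))` reports the single altered range while the PLC model keeps executing its scan cycles throughout the acquisition.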