On Practicality of Using ARM TrustZone Trusted Execution Environment for Securing Programmable Logic Controllers (2403.05448v1)
Abstract: Programmable logic controllers (PLCs) are crucial devices for implementing automated control in various industrial control systems (ICS), such as smart power grids, water treatment systems, manufacturing, and transportation systems. Owing to their importance, PLCs are often targeted by cyber attackers aiming to disrupt the operation of ICS, including the nation's critical infrastructure, by compromising the integrity of control logic execution. While a wide range of cybersecurity solutions for ICS have been proposed, they cannot counter strong adversaries with a foothold on the PLC device, who could manipulate memory, the I/O interface, or the PLC logic itself. Many ICS devices on the market today, including PLCs, run on ARM-based processors, and ARM TrustZone is a promising security technology that offers a Trusted Execution Environment (TEE) on embedded devices. Envisioning that such a hardware-assisted security feature becomes available for ICS devices in the near future, this paper investigates the application of the ARM TrustZone TEE technology to enhancing the security of PLCs. Our aim is to evaluate the feasibility and practicality of TEE-based PLCs through a proof-of-concept design and implementation using open-source software such as OP-TEE and OpenPLC. Our evaluation assesses performance and resource consumption in real-world ICS configurations, and based on the results, we discuss bottlenecks in the OP-TEE secure OS with respect to large-scale ICS and the changes desired for its application on ICS devices. Our implementation is made available to the public for further study and research.