"Unprotected Supervisory Control and Data Acquisition (SCADA) systems offer promising targets to potential attackers. Field devices, such as Programmable Logic Controllers (PLCs), are of particular concern as they directly control and monitor physical industrial processes. Althought attacks targeting SCADA systems have increased, there has been little work exploring the vulnerabilities associated with exploitation of field devices. As attacks increase in sophistication, it is reasonable to expect targeted exploitation of field device firmware. This thesis examines the feasibility of modifying PLC firmware to execute a remotely triggered attack. Such a modification is referred to as a repackaging attack. A general method is used to reverse engineer the firmware to determine its structure. Once understood, the firmware is modified to add an exploitable feature that can remotely disable the PLC. The attacks utilize a variety of triggers and take advantage of already existing functions to exploit the PLC. Notable areas of the firmware are described to demonstrate how they can be used tin attack development. The performance of the repackaged firmwares are compared to known unmodified firmwares to determine if the modifications negatively impact performance. Findings demonstrate that repackaging attacks targeting PLCs are feasible and that the repackaged firmware does not impact the PLC's ability to execute programmed tasks. Finally, design recommendations are suggested to help mitigate potential weaknesses in future firmware development."
Defense Technical Information Center (DTIC): http://www.dtic.mil/dtic/