The tool can be found here: https://github.com/microsoft/ics-forensics-tools
Attacks on PLCs have become more common and more complex, from the Stuxnet worm in 2010 and Triton in 2017 to Incontroller in 2022, with capabilities that include manipulating PLC behavior, injecting function blocks into ladder logic, and hiding changes in project files. These attacks can disrupt supply chains and endanger individuals and customers. In May 2022, Microsoft Defender for IoT hosted a community webinar led by senior researcher Maayan Shaul, who showed how to investigate malicious ladder logic in PLCs to identify anomalous behavior, data outliers, and misconfigurations in devices.
The ICS domain has few open-source tools that allow non-experts to investigate their PLCs. Open-source tools are becoming an important diagnostic instrument, and may prevent attackers from succeeding by providing security intelligence to response teams. Microsoft Defender for IoT's security research team, Section 52, is committed to ensuring that our customers are empowered to secure their networks down to the PLC level, and to developing open-source tools alongside our research efforts. Last month at SecurityWeek's Industrial Control Systems (ICS) Cyber Security Conference, held in Atlanta, Georgia, Maayan presented a lecture, "Deep Dive into PLC Ladder Logic Forensics", on how to use our newly released open-source tool to perform proactive incident response in a real-life environment.
Our tool helps detect the most common methods threat actors use to manipulate compromised PLCs:
Among the tool's capabilities, a comparison of the PLC program held on the engineering workstation with the program actually running on the device:
Authors who edited PLC logic blocks, highlighting those who edited the most and the fewest blocks:
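To illustrate the two checks just described (workstation-versus-device comparison and per-author block counts), here is an added example that is not part of the ics-forensics-tools code; it uses constructed block inventories, with block names, authors and bodies all invented for the illustration.

```python
import hashlib
from collections import Counter

# Constructed sample inventories: block name -> (author, block body bytes).
# In a real investigation these come from the project file and a device dump.
WORKSTATION = {
    "OB1": ("alice", b"CALL FC1\nCALL FB2"),
    "FC1": ("alice", b"L I0.0\n= Q0.0"),
    "FB2": ("bob",   b"L MW10\nT DB1.DBW0"),
    "DB1": ("bob",   b"\x00\x00\x00\x00"),
    "FC3": ("carol", b"NOP 0"),
}
DEVICE = {
    "OB1": ("alice", b"CALL FC1\nCALL FB2\nCALL FC99"),  # modified: extra call added
    "FC1": ("alice", b"L I0.0\n= Q0.0"),
    "FB2": ("bob",   b"L MW10\nT DB1.DBW0"),
    "DB1": ("bob",   b"\x00\x00\x00\x00"),
    "FC99": ("bob",  b"L 0\nT Q1.0"),                    # injected: exists only on the device
}


def digest(body):
    """Stable fingerprint of a block body so large blocks compare cheaply."""
    return hashlib.sha256(body).hexdigest()


def diff_programs(workstation, device):
    """Classify blocks as injected (device only), missing (workstation only)
    or modified (present on both sides but with different bodies)."""
    ws_names, dev_names = set(workstation), set(device)
    return {
        "injected": sorted(dev_names - ws_names),
        "missing": sorted(ws_names - dev_names),
        "modified": sorted(n for n in ws_names & dev_names
                           if digest(workstation[n][1]) != digest(device[n][1])),
    }


def author_summary(program):
    """Count blocks per author; return (counts, most_active, least_active)."""
    counts = Counter(author for author, _ in program.values())
    ranked = counts.most_common()
    return counts, ranked[0][0], ranked[-1][0]


def changed_by(device, report):
    """Attribute injected and modified blocks to the author recorded on the device."""
    return Counter(device[n][0] for n in report["injected"] + report["modified"])
```

Blocks that appear only on the device, or whose body differs from the project file, are the first candidates for manual review; the author attribution only points at where to look next, since an attacker can write any name into the block header.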
The tool currently supports Siemens SIMATIC S7-300 and S7-400 families, with support for other PLC families currently in development.
For more information, you are welcome to reach out to us via our private Defender for IoT community; register here: https://aka.ms/SecurityPrP