LED Alert: Supply Chain Threats for Stealthy Data Exfiltration in Industrial Control Systems

Publication Type: Conference Paper
Year of Publication: 2019
Authors: Tychalas, Dimitrios; Keliris, Anastasis; Maniatakos, Michail
Conference Name: 2019 IEEE 25th International Symposium on On-Line Testing and Robust System Design (IOLTS)
ISBN Number: 978-1-7281-2490-2
Keywords: anomaly detection techniques, attack vector, computer security, CPU performance, cyber domain, Data Exfiltration, device tree, direct memory access, DMA transfer speed, Embedded systems, Embedded Systems Security, firmware, firmware modification, firmware trojan, Hardware, industrial control, industrial control systems, industrial domain, industrial Internet-of-Things, invasive software, Kernel, LED alert, light emitting diodes, Measurement, Metrics, operation technology, persistent threats, privacy, programmable controllers, programmable logic controller, pubcrawl, real-time operation, smart systems, supply chain attack, supply chain security, supply chain threats, Supply chains, threat vectors, Trojan horses

Abstract: The Industrial Internet-of-Things has been touted as the next revolution in the industrial domain, offering interconnectivity, independence, real-time operation, and self-optimization. Integration of smart systems, however, bridges the gap between information technology and operational technology, creating new avenues for attacks from the cyber domain. The dismantling of this air gap, together with the long lifespan of these devices (in the range of 20-30 years), motivates us to bring the community's attention to emerging advanced persistent threats. We demonstrate a threat that bridges the air gap by leaking data from memory to analog peripherals through Direct Memory Access (DMA), delivered as a firmware modification through the supply chain. The attack automatically adapts to a target device by leveraging the Device Tree and resides solely in the peripherals, completely transparent to the main CPU, by judiciously short-circuiting specific components. We implement this attack on a commercial Programmable Logic Controller, leaking information over the available LEDs. We evaluate the presented attack vector in terms of stealthiness and demonstrate no observable overhead on either CPU performance or DMA transfer speed. Since traditional anomaly detection techniques would fail to detect this firmware trojan, this work highlights the need for detection techniques appropriate to industrial control systems that can be applied promptly to already installed devices.

Citation Key: tychalas_led_2019