Towards Reverse Engineering of Industrial Physical Processes
Ceccato, Mariano; Driouich, Youssef; Lucchese, Marco; Merro, Massimo
2022-01-01
Abstract
In recent years, Industrial Control Systems (ICSs) have been the target of an increasing number of cyber-physical attacks, i.e., security breaches in cyberspace that adversely alter the physical processes. The main challenge attackers face in the development of cyber-physical attacks with a precise goal is obtaining an adequate level of process comprehension. Process comprehension is defined as “the understanding of system characteristics and components responsible for the safe delivery of service” (Green et al. 2017). While there exist a number of tools (Nmap, PLCScan, Xprobe, etc.) one can use to develop a level of process comprehension through the targeting of controllers alone, they are limited in functionality, scope, and detectability. Thus, to support the execution of realistic cyber-physical attack scenarios with an adequate level of physical process comprehension, we propose a black-box dynamic analysis reverse engineering tool that derives, from scans of the memory registers of exposed controllers, an approximated model of the controlled physical process. Such an approximated model is developed by inferring statistical properties, business processes and, in particular, system invariants, whose knowledge might be crucial to building stealthy (i.e., undetectable) attacks. We test the proposed methodology on a non-trivial case study, taken from the context of industrial water treatment systems.