Microsoft debuts ICSpector framework to enable examining information and configurations of industrial PLCs

Tech giant Microsoft has rolled out ICSpector, an open-source framework that facilitates examining the information and configurations of industrial programmable logic controllers (PLCs). The framework simplifies the process of locating PLCs and detecting anomalous indicators that a controller has been compromised or manipulated, and can assist in safeguarding PLCs from adversaries who intend to harm or disrupt their operations.

Written in Python and available on GitHub, ICSpector is a framework with tools that enable investigators to scan their network for PLCs; extract project configuration and code from controllers; and detect any anomalous components within ICS environments. Security experts can use these forensic artifacts to identify compromised devices as part of manual verification, automated monitoring tasks, or incident response. The framework’s modular, flexible design makes it convenient for investigators to customize it to their specific needs.

Furthermore, the framework provides investigators with a convenient way to scan for PLCs and identify any suspicious artifacts within ICS environments, which can be used for manual checking, automated monitoring tasks, or incident response operations to detect compromised devices. As an open-source tool, ICS Forensics Tools allows investigators to review the output and customize it to their specific requirements.

Escalating threats and attacks have made the security of ICS installations a matter of concern for many years, driven by state-sponsored ICS-targeting malware, supply-chain attacks, and espionage concerns. The potential harm from a breach of critical infrastructure such as water treatment facilities, power plants, and nuclear reactors is significant. Unfortunately, forensics for ICS devices is not as advanced as in IT environments, which can hinder investigations into incidents.

Many operational technology (OT) security tools based on network layer monitoring provide network protection for OT/IoT environments, allowing analysts to discover their devices and respond to alerts on vulnerabilities and anomalous behavior. However, one of the biggest challenges is retrieving the code running on the PLC and scanning it as part of an incident response to understand if it was tampered with. This act requires caution because the PLCs are actively operating vital industrial processes. This is where ICSpector can help individuals or facilities perform this task with best practices.

ICSpector enables OT experts and cybersecurity analysts to enhance their reactive and proactive incident response capabilities in ICS environments. The OT cybersecurity community can participate in and benefit from security efforts in OT forensics, advancing their vision of better security practices in the OT field.  

Currently, the system supports three OT protocols including Siemens S7Comm, which is compatible with the S7-300/400 series; Rockwell RSLogix, using the Common Industrial Protocol; and Codesys V3, which is a widely used SDK for industrial control devices and is implemented by different vendors. “There are configurations that can be changed, such as the port to be used, which may vary for different environments. Detailed information about each plugin can be found in the GitHub repository, under the respective protocol plugin folder.”

The ICSpector framework is composed of several components that can be developed and executed separately. The main modules of the ICSpector framework architecture include input handling, network scanner, protocol plugin, data analyzer, and output.

“The network scanner identifies devices that communicate in the supported OT protocol and ensures they are responsive, based on a provided IP subnet,” Maayan Shaul, a senior security researcher at Microsoft, wrote in a blog post last week. “Alternatively, a user can provide a specific IP list that was exported from OT security products such as MDIoT, and the network scanner will only verify these devices are connected before beginning data extraction. After feeding the plugin the list of available devices, it extracts the PLC project metadata and logic. Then, the analyzer converts the raw data into a human-readable form and extracts different logic to highlight areas of the project artifacts that usually indicate malicious activity.” 

Shaul detailed that the framework lets each component run independently with the required input. “You can easily modify each component, adapting the operation to current needs, such as introducing protocol changes and analysis methods or altering the output. With the framework, users gain an inventory of assets based on the protocol scanning ability. In the data extraction phase, you can create snapshots of the controller projects and then compare changes over time,” she added. 

She also pointed out that the forensic analysis component of ICSpector enables diving deep into malicious modifications of controller code. “With the ICSpector framework, you can extract timestamp outliers indicating that someone changed the controller code at an unexpected time. Author information is provided as well to help detect suspicious code writers. You can extract network capabilities to surface unexpected communication ports and network libraries.” 

Shaul pointed out that tasks are the code components responsible for the entire code execution, and the framework gives you an overview of the execution flow. Tasks are data structures that trigger the execution of the PLC project, and the framework gives you an overview of existing tasks and their configuration. “Additionally, the entire call graph is exported to obtain a clear view of the execution flow.”

“Stuxnet, a sophisticated computer worm that was responsible for causing significant damage to Iran’s nuclear program in 2010, altered a cyclic task to monitor its malicious activities and added malicious logic to the main block of the program,” Shaul added. “Since the code running on the controller may differ from an engineer’s hard copy, the framework lets you compare the differences between the online and the offline code to catch malicious changes. All of these analysis capabilities could have helped detect the presence of Stuxnet in the network.”
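The analysis steps described in the three passages above (timestamp outliers and author information, network-capable blocks, task call graph, and comparing online against offline code) can be illustrated with a small, self-contained script. This is an added example written for this article, not ICSpector's own code or output format: the snapshot layout, block names, authors, timestamps, hashes and the assumed engineering window (weekdays, 07:00 to 19:00) are all constructed for the illustration.

```python
"""Simplified analysis of extracted PLC project artifacts, modelled loosely on
the analyzer stage described in the article. Added illustration, not
ICSpector's code; every value below is constructed for the example."""
from datetime import datetime
from typing import Dict, List, Set, Tuple

Snapshot = List[Dict]

# Constructed "online" snapshot as pulled from the running controller.
# 2023-10-01 is a Sunday; the two 03:xx edits model an off-hours change
# that also wires a new block (FC99) into the main block OB1.
ONLINE: Snapshot = [
    {"block": "OB1",  "author": "eng_alice", "modified": "2023-10-01T03:15:00",
     "hash": "a1x", "calls": ["FB10", "FC7", "FC99"], "net_libs": []},
    {"block": "FB10", "author": "eng_alice", "modified": "2023-09-12T10:02:00",
     "hash": "b2", "calls": [], "net_libs": []},
    {"block": "FC7",  "author": "eng_bob",   "modified": "2023-09-20T11:45:00",
     "hash": "c3x", "calls": [], "net_libs": ["TCON", "TSEND"]},
    {"block": "FC99", "author": "unknown",   "modified": "2023-10-01T03:12:00",
     "hash": "d4", "calls": [], "net_libs": ["TCON"]},
]

# Constructed "offline" copy, i.e. the engineer's project file.
OFFLINE: Snapshot = [
    {"block": "OB1",  "author": "eng_alice", "modified": "2023-09-12T09:14:00",
     "hash": "a1", "calls": ["FB10", "FC7"], "net_libs": []},
    {"block": "FB10", "author": "eng_alice", "modified": "2023-09-12T10:02:00",
     "hash": "b2", "calls": [], "net_libs": []},
    {"block": "FC7",  "author": "eng_bob",   "modified": "2023-09-13T14:30:00",
     "hash": "c3", "calls": [], "net_libs": ["TCON", "TSEND"]},
]


def timestamp_outliers(snap: Snapshot, work_hours=(7, 19)) -> List[str]:
    """Blocks modified on a weekend or outside the assumed engineering window.
    The window itself is an assumption of this example, not a tool default."""
    start, end = work_hours
    out = []
    for b in snap:
        ts = datetime.fromisoformat(b["modified"])
        if ts.weekday() >= 5 or not (start <= ts.hour < end):
            out.append(b["block"])
    return out


def unexpected_authors(snap: Snapshot, allowed: Set[str]) -> List[str]:
    """Blocks whose recorded author is not a known engineer."""
    return [b["block"] for b in snap if b["author"] not in allowed]


def network_capable_blocks(snap: Snapshot) -> List[str]:
    """Blocks that reference communication libraries (constructed names)."""
    return [b["block"] for b in snap if b["net_libs"]]


def diff_snapshots(online: Snapshot, offline: Snapshot) -> Dict[str, List[str]]:
    """Compare block hashes of the controller code against the offline copy."""
    on = {b["block"]: b["hash"] for b in online}
    off = {b["block"]: b["hash"] for b in offline}
    return {
        "added": sorted(set(on) - set(off)),
        "removed": sorted(set(off) - set(on)),
        "changed": sorted(k for k in on.keys() & off.keys() if on[k] != off[k]),
    }


def call_edges(snap: Snapshot) -> Set[Tuple[str, str]]:
    """(caller, callee) edges of the project call graph."""
    return {(b["block"], c) for b in snap for c in b["calls"]}


def reachable_from(snap: Snapshot, entry: str) -> Set[str]:
    """Blocks reachable from a task entry block, via depth-first search."""
    graph = {b["block"]: b["calls"] for b in snap}
    seen, stack = set(), [entry]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        stack.extend(graph.get(n, []))
    return seen


def analyze(online: Snapshot, offline: Snapshot, allowed_authors: Set[str],
            task_entry: str = "OB1") -> Dict:
    """Bundle the individual checks into one report for an analyst."""
    return {
        "timestamp_outliers": timestamp_outliers(online),
        "unexpected_authors": unexpected_authors(online, allowed_authors),
        "network_capable": network_capable_blocks(online),
        "diff": diff_snapshots(online, offline),
        "new_call_edges": sorted(call_edges(online) - call_edges(offline)),
        "reachable_from_task": sorted(reachable_from(online, task_entry)),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(ONLINE, OFFLINE, {"eng_alice", "eng_bob"}), indent=2))
```

Run as a script, the report flags OB1 and FC99 as off-hours edits, FC99 as having an unknown author, FC7 and FC99 as network-capable, FC99 as a block present only on the controller, OB1 and FC7 as blocks whose code differs from the offline copy, and the new OB1 to FC99 call edge. Note that OB1 keeps a plausible author, so the author check alone would have missed it; it is the combination of timestamp, hash diff and call-graph change that gives the analyst a clear signal.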

Microsoft noted that ICSpector can be used in conjunction with Microsoft Defender for IoT, the company’s solution for defending IoT and ICS/OT devices, which maps out OT networks and alerts on malicious activity. Defender for IoT, or any other OT security solution, can help with proactive and reactive OT incident response.
