Trustworthy operation of industrial control systems depends on secure and real-time code execution on the embedded programmable logic controllers (PLCs). The controllers monitor and control critical infrastructures, such as electric power grids and healthcare platforms, and continuously report the system status back to human operators. We present Zeus, a contactless embedded controller security monitor that ensures the integrity of the controller's execution control flow. Zeus leverages the electromagnetic emission of the PLC circuitry during the execution of the controller programs. Zeus's contactless execution tracking enables non-intrusive monitoring of security-critical controllers with tight real-time constraints. Those devices often cannot tolerate the cost and performance overhead that comes with additional traditional hardware or software monitoring modules. Furthermore, Zeus provides an air gap between the monitor (trusted computing base) and the target (potentially compromised) PLC. This eliminates the possibility of the monitor being infected by the same attack vectors. Zeus monitors the control flow integrity of the PLC program execution. Zeus monitors the communications between the human-machine interface and the PLC, and captures the control logic binary uploads to the PLC. Zeus exercises the binary's feasible execution paths and fingerprints their emissions using an external electromagnetic sensor. Zeus trains a neural network on legitimate PLC executions, and uses it at runtime to identify the control flow based on the PLC's electromagnetic emissions. We implemented Zeus on a commercial Allen Bradley PLC, which is widely used in industry, and evaluated it on real-world control program executions. Zeus was able to distinguish between different legitimate and malicious executions with 98.9% accuracy and with zero overhead on PLC execution by design.
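The pipeline the abstract describes (fingerprint the emissions of each feasible execution path offline, then classify runtime emissions and treat anything that matches no legitimate path as a control-flow violation) can be illustrated end to end with a toy model. The block below is an added example, not code from the Zeus paper or its authors: every "EM trace" is constructed synthetically as a few tones plus Gaussian sensor noise, the spectral-band feature extractor and the path signatures (`path_A`, `path_B`, `path_C`, `INJECTED_SIGNATURE`) are assumptions made for the illustration, and a nearest-centroid classifier with an acceptance radius stands in for the paper's neural network. What it shows is the detection logic itself: a trace from a path the monitor never fingerprinted lands outside every learned radius and is reported as `unknown` instead of being forced onto the nearest legitimate path.

```python
import math
import random

# Added illustration of the Zeus approach (not the paper's code): fingerprint each
# legitimate execution path's emissions, then decide at runtime which path an
# observed trace belongs to, or flag it as unknown. All traces are constructed
# synthetically; a real deployment captures them with an external EM probe.

SAMPLE_RATE = 1000      # Hz, assumed for the synthetic traces
TRACE_LEN = 256         # samples per captured execution window
NUM_BANDS = 8           # coarse spectral bands forming the feature vector

# Hypothetical control-flow paths of a control program, each modelled as the
# set of (frequency Hz, amplitude) tones the circuitry "emits" while running it.
PATH_SIGNATURES = {
    "path_A": [(50, 1.0), (110, 0.5)],
    "path_B": [(80, 1.0), (200, 0.7)],
    "path_C": [(40, 0.8), (160, 0.9)],
}
# Constructed emission profile of injected code that no legitimate path produces.
INJECTED_SIGNATURE = [(300, 1.0), (450, 0.6)]


def synth_trace(tones, rng, noise_sigma=0.3):
    """Constructed EM trace: sum of the path's tones plus Gaussian sensor noise."""
    return [
        sum(a * math.sin(2 * math.pi * f * n / SAMPLE_RATE) for f, a in tones)
        + rng.gauss(0.0, noise_sigma)
        for n in range(TRACE_LEN)
    ]


def band_energy_features(trace, num_bands=NUM_BANDS):
    """Naive DFT of the trace, energy summed per band, normalised to unit total.

    Normalising removes overall amplitude (probe distance) so only the spectral
    shape of the emission identifies the path.
    """
    n_samples = len(trace)
    half = n_samples // 2
    bins_per_band = half // num_bands
    energies = [0.0] * num_bands
    for k in range(half):
        re = sum(x * math.cos(2 * math.pi * k * n / n_samples) for n, x in enumerate(trace))
        im = sum(x * math.sin(2 * math.pi * k * n / n_samples) for n, x in enumerate(trace))
        energies[min(k // bins_per_band, num_bands - 1)] += re * re + im * im
    total = sum(energies) or 1.0
    return [e / total for e in energies]


def euclid(u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(u, v)))


def train_fingerprints(signatures, traces_per_path=10, seed=1, margin=3.0):
    """Offline phase: per-path centroid plus an acceptance radius from the training spread."""
    rng = random.Random(seed)
    model = {}
    for path, tones in signatures.items():
        feats = [band_energy_features(synth_trace(tones, rng)) for _ in range(traces_per_path)]
        centroid = [sum(col) / len(feats) for col in zip(*feats)]
        radius = margin * max(euclid(f, centroid) for f in feats)
        model[path] = (centroid, radius)
    return model


def classify_trace(model, trace):
    """Runtime phase: nearest legitimate path, or 'unknown' if outside every radius."""
    feats = band_energy_features(trace)
    best_path, best_dist = None, float("inf")
    for path, (centroid, _radius) in model.items():
        d = euclid(feats, centroid)
        if d < best_dist:
            best_path, best_dist = path, d
    _centroid, radius = model[best_path]
    return best_path if best_dist <= radius else "unknown"


def run_monitor(seed=2):
    """Train on the legitimate paths, then monitor fresh legitimate and injected traces."""
    model = train_fingerprints(PATH_SIGNATURES)
    rng = random.Random(seed)
    observed = [(path, synth_trace(tones, rng)) for path, tones in PATH_SIGNATURES.items()]
    observed.append(("injected", synth_trace(INJECTED_SIGNATURE, rng)))
    return [(truth, classify_trace(model, trace)) for truth, trace in observed]


if __name__ == "__main__":
    for truth, verdict in run_monitor():
        print(f"actual={truth:9s} monitor says={verdict}")
```

The acceptance radius is what turns a classifier into a monitor: a plain nearest-neighbour decision would always name some legitimate path, so an injected routine whose emissions resemble none of the fingerprinted paths would be mislabelled rather than flagged. The margin factor trades false alarms (noisy legitimate traces falling outside the radius) against missed detections, which is the same trade-off the paper's accuracy figure summarises.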