FieldFuzz: Enabling vulnerability discovery in Industrial Control Systems supply chain using stateful system-level fuzzing

by Andrei Bytes, et al.

With the advent of the fourth industrial revolution, Programmable Logic Controllers (PLCs) used as field devices have grown in sophistication, offering extensive smart features such as remote connectivity, support for standardized cryptography, and visualization. Such computational platforms incorporate components from various sources (vendor, platform provider, open source), bringing along their associated vulnerabilities. This, combined with the increased reliance on Industrial Internet of Things (IIoT) devices for automation and feedback, has opened previously isolated networks to remote attacks. Furthermore, modern PLCs often run commodity software such as Linux on ARM, further expanding the attack surface to traditional vulnerabilities. Security analysis of Operational Technology (OT) software, specifically the control runtime and IEC applications, remains relatively unexplored due to its proprietary nature. In this work, we implement FieldFuzz, a methodology for discovering supply chain vulnerabilities in every PLC component using stateful black-box fuzzing without requiring a real device. FieldFuzz is built on the Codesys v3 protocol, making it applicable to at least 80 industrial device vendors and over 400 devices. Fuzzing campaigns uncovered multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state of the art.
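The abstract's key technique is stateful black-box fuzzing: a session-oriented protocol only exposes most of its parsing code once the target has been driven through a handshake, so each test case must be preceded by the message sequence that reaches the state under test. The following is an added illustration written for this page, not FieldFuzz's own code and not the Codesys v3 protocol. It fuzzes a constructed in-process toy protocol (hypothetical opcodes HELLO, AUTH, WRITE_VAR, BYE with a 1-byte opcode and 2-byte length header) whose deliberately planted defect is only reachable after authentication, so a stateless fuzzer that sends mutated messages from a fresh connection never triggers it. Uncaught Python exceptions stand in for a crash of the real target.

```python
"""Stateful black-box fuzzing of a constructed toy session protocol (added example)."""
import random
import struct


class ProtocolError(Exception):
    """Graceful rejection by the target; not a bug."""


class ToyTarget:
    """Constructed stand-in for a device runtime. Message layout (hypothetical):
    1-byte opcode, 2-byte big-endian payload length, payload.
    0x01 HELLO, 0x02 AUTH, 0x03 WRITE_VAR, 0x04 BYE.
    WRITE_VAR is only processed in state AUTH, i.e. after HELLO then AUTH."""

    def __init__(self):
        self.state = "INIT"
        self.vars = {}

    def handle(self, msg: bytes) -> bytes:
        if len(msg) < 3:
            raise ProtocolError("short header")
        opcode = msg[0]
        length = struct.unpack(">H", msg[1:3])[0]
        payload = msg[3:3 + length]
        if self.state == "INIT" and opcode == 0x01:
            self.state = "HELLO"
            return b"OK"
        if self.state == "HELLO" and opcode == 0x02:
            if payload == b"secret":
                self.state = "AUTH"
                return b"OK"
            return b"DENIED"
        if self.state == "AUTH" and opcode == 0x03:
            # Planted defect (constructed): the attacker-controlled name length
            # is trusted and used to index the payload, so a value larger than
            # the remaining payload raises IndexError, our stand-in for a crash.
            name_len = payload[0]
            name = payload[1:1 + name_len]
            value = payload[1 + name_len]
            self.vars[name] = value
            return b"OK"
        if opcode == 0x04:
            self.state = "INIT"
            return b"BYE"
        return b"ERR"


def build(opcode: int, payload: bytes) -> bytes:
    return bytes([opcode]) + struct.pack(">H", len(payload)) + payload


# Message sequences that drive a fresh target into each state, plus one valid
# message accepted in that state to serve as the mutation seed. In a real
# campaign these come from protocol analysis or captured traffic.
STATE_PREFIXES = {
    "INIT": [],
    "HELLO": [build(0x01, b"")],
    "AUTH": [build(0x01, b""), build(0x02, b"secret")],
}
SEEDS = {
    "INIT": build(0x01, b""),
    "HELLO": build(0x02, b"secret"),
    "AUTH": build(0x03, b"\x03foo\x01"),
}


def mutate(msg: bytes, rng: random.Random) -> bytes:
    """Apply one to three byte-level mutations, keeping the 3-byte header."""
    data = bytearray(msg)
    for _ in range(rng.randint(1, 3)):
        choice = rng.randrange(3)
        if choice == 0:
            data[rng.randrange(len(data))] = rng.randrange(256)
        elif choice == 1:
            data.insert(rng.randrange(len(data) + 1), rng.randrange(256))
        elif len(data) > 3:
            del data[rng.randrange(3, len(data))]
    return bytes(data)


def fuzz(target_factory, iterations: int, seed: int = 0):
    """Return a list of (state, test_case, exception_name) crash records."""
    rng = random.Random(seed)
    crashes = []
    for _ in range(iterations):
        state = rng.choice(list(STATE_PREFIXES))
        target = target_factory()
        for prefix_msg in STATE_PREFIXES[state]:   # replay to reach the state
            target.handle(prefix_msg)
        assert target.state == state, "prefix did not reach the intended state"
        case = mutate(SEEDS[state], rng)
        try:
            target.handle(case)
        except ProtocolError:
            continue                               # rejected cleanly, not a bug
        except Exception as exc:                   # crash oracle
            crashes.append((state, case, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    for state, case, exc in fuzz(ToyTarget, 300, seed=1)[:5]:
        print(f"{state}: {case.hex()} -> {exc}")
```

Every crash the harness reports comes from state AUTH: the same mutations applied in INIT or HELLO are answered with ERR or DENIED and never reach the flawed WRITE_VAR handler, which is the reason a session-aware fuzzer finds bugs a stateless one cannot. Against a real runtime the in-process `handle` call becomes a socket exchange, the prefix replay reconnects per case, and the oracle becomes a liveness check (unanswered keep-alive, process restart) rather than a Python exception.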

