Mariano Ceccato, Youssef Driouich, Ruggero Lanotte, Marco Lucchese, Massimo Merro

Towards Reverse Engineering of Industrial Physical Processes


In recent years, Industrial Control Systems (ICSs) have been the target of an increasing number of cyber-physical attacks, i.e., security breaches in cyberspace that adversely alter the physical process. The main challenge attackers face when developing a cyber-physical attack with a precise goal is obtaining an adequate level of process comprehension, defined as "the understanding of system characteristics and components responsible for the safe delivery of service". While a number of tools (Nmap, PLCScan, Xprobe, etc.) can be used to develop some process comprehension by targeting the controllers alone, they are limited in functionality, scope, and detectability. Thus, to support the execution of realistic cyber-physical attack scenarios with an adequate level of physical-process comprehension, we propose a black-box dynamic-analysis reverse-engineering tool that derives an approximated model of the controlled physical process from scans of the memory registers of exposed controllers. The approximated model is built by inferring statistical properties, business processes and, in particular, system invariants, whose knowledge may be crucial for building stealthy (i.e., undetectable) attacks. We test the proposed methodology on a non-trivial case study taken from the context of industrial water treatment systems.
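The abstract describes deriving invariants from register scans without showing what such an invariant looks like. The following is an added illustration, not the authors' tool or any code from the paper: it builds a constructed scan history for three assumed registers of a water tank (a level transmitter, an inlet valve and an outlet pump, with invented names and values), infers three simple invariant kinds from it (per-register value ranges, actuators never active together, and a constant level change per actuator state), and then uses those invariants the way a process monitor would, flagging a later scan that contradicts them.

```python
"""Infer simple invariants from PLC register scans and check new scans
against them. Added example; register names, values and the process
dynamics are all constructed for illustration."""
from itertools import combinations

# Constructed scan history, one dict per polling interval (assumed):
#   LIT101 - tank level (numeric)
#   MV101  - inlet valve  (0 closed / 1 open)
#   P101   - outlet pump  (0 off / 1 on)
# Six fill steps (valve open, pump off) followed by six drain steps.
SCANS = []
_level = 500
for _step in range(12):
    _valve, _pump = (1, 0) if _step < 6 else (0, 1)
    SCANS.append({"LIT101": _level, "MV101": _valve, "P101": _pump})
    _level += 10 if _valve else -10


def binary_registers(scans):
    """Registers whose observed values are only ever 0 or 1 (actuator-like)."""
    return sorted(n for n in scans[0] if all(s[n] in (0, 1) for s in scans))


def infer_ranges(scans):
    """Range invariant: (min, max) observed for every register."""
    return {n: (min(s[n] for s in scans), max(s[n] for s in scans)) for n in scans[0]}


def infer_exclusions(scans):
    """Pairs of binary registers never observed active (== 1) at the same time."""
    excl = set()
    for a, b in combinations(binary_registers(scans), 2):
        if not any(s[a] == 1 and s[b] == 1 for s in scans):
            excl.add((a, b))
    return excl


def infer_deltas(scans, target):
    """For each actuator state (tuple of binary register values, sorted by name),
    the change of `target` over one interval, kept only where it was constant."""
    bins = binary_registers(scans)
    observed = {}
    for prev, cur in zip(scans, scans[1:]):
        state = tuple(prev[b] for b in bins)
        observed.setdefault(state, set()).add(cur[target] - prev[target])
    return {state: next(iter(d)) for state, d in observed.items() if len(d) == 1}


def build_model(scans, target):
    """Approximated process model: the three invariant families together."""
    return {
        "binary": binary_registers(scans),
        "ranges": infer_ranges(scans),
        "exclusions": infer_exclusions(scans),
        "deltas": infer_deltas(scans, target),
    }


def check_transition(model, prev, cur, target):
    """Return a list of invariant violations for the step prev -> cur (empty = consistent)."""
    violations = []
    for name, (lo, hi) in model["ranges"].items():
        if not lo <= cur[name] <= hi:
            violations.append(f"{name}={cur[name]} outside [{lo}, {hi}]")
    for a, b in model["exclusions"]:
        if cur[a] == 1 and cur[b] == 1:
            violations.append(f"{a} and {b} both active")
    state = tuple(prev[b] for b in model["binary"])
    expected = model["deltas"].get(state)
    if expected is not None:
        delta = cur[target] - prev[target]
        if delta != expected:
            violations.append(f"{target} changed by {delta}, expected {expected} in state {state}")
    return violations


if __name__ == "__main__":
    model = build_model(SCANS, "LIT101")
    print("inferred model:", model)
    # Constructed anomalous scan: level out of range, valve and pump both on,
    # level jump inconsistent with the fill rate.
    bad = {"LIT101": 700, "MV101": 1, "P101": 1}
    for v in check_transition(model, SCANS[5], bad, "LIT101"):
        print("violation:", v)
```

The model is only as good as the scan history: an invariant inferred from a short or unrepresentative capture (here, a single fill/drain cycle) can be spuriously tight, so in practice a monitor would want a longer history and a tolerance on numeric deltas before raising alerts on them.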

PDF version of the paper.