Cite this article
  • SUN Yue, YOU Jianzhou, SONG Zhanwei, HUANG Wenjun, CHEN Xi, SUN Limin. A Cyber Kill Chain Based Analysis of PLC Security [J]. Journal of Cyber Security, 2025, 10(2): 139-162.
A Cyber Kill Chain Based Analysis of PLC Security
SUN Yue1,2, YOU Jianzhou1,2, SONG Zhanwei1,2, HUANG Wenjun1,2, CHEN Xi3, SUN Limin1,2
(1. Beijing Key Laboratory of IoT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China; 2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China; 3. School of Software and Microelectronics, Peking University, Beijing 102600, China)
Abstract:
Programmable Logic Controllers (PLCs) are integral components of modern industrial control systems, and their security is crucial to the safe and continuous operation of industrial processes. However, the particular system architecture and communication protocols of PLCs make their security analysis difficult, and no standard framework or procedure for such analysis exists. The Cyber Kill Chain model is a well-established methodology for describing the tactics and techniques attackers use to exploit vulnerabilities, and it is widely adopted in the cybersecurity field. This paper surveys the PLC attack and defense techniques of recent years within the Cyber Kill Chain model, aiming to provide a technical reference for cybersecurity practitioners and to help researchers follow the latest advances. First, we introduce the basic architecture, operating principle, and communication protocols of PLCs, which are fundamental to analyzing PLC vulnerabilities and attacks. We then use the Cyber Kill Chain model to classify PLC attack techniques into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. For each stage, we analyze in detail the techniques attackers use. This analysis gives a comprehensive view of the stages of an attack and can support the development of proactive security measures. Beyond attack techniques, we also discuss PLC defense techniques, including protocol security protection, control program verification, execution process monitoring, and PLC forensics. By summarizing these methods, we hope to give cybersecurity practitioners practical guidance for better protecting PLCs against threats. Finally, we highlight current research trends in PLC security from several perspectives, such as embedded devices, industrial controllers, and industrial control network components, which can serve as a roadmap for future research and strengthen the security and resilience of critical infrastructure.
Key words: PLC security; industrial control system security; cyber kill chain model; PLC attack techniques; PLC defense techniques
DOI: 10.19363/J.cnki.cn10-1380/tn.2025.03.10
Received: 2020-09-24; Revised: 2021-01-29
Funding: This work was supported by the National Key R&D Program of China of the Ministry of Science and Technology (No. 2018YFC1201102), the Joint Funds of the National Natural Science Foundation of China (No. U1766215), and the National Natural Science Foundation of China (No. 61702506).