Security analysis of programmable logic controllers

  • Henry Hui

Student thesis: Doctoral Thesis, Doctor of Philosophy


Industrial Control Systems (ICSs) are increasingly being digitalised to harness the benefits of digitalisation. However, this also exposes the systems and processes that depend on ICSs to greater cyber security threats. Critical infrastructure, including public utilities such as energy generation and distribution, is one application of ICS. In previous cyber-attacks targeting ICSs, such as the Stuxnet malware and the Ukraine power grid attacks, devices such as Programmable Logic Controllers (PLCs) have been the prime target, since PLCs are the points where digital logic is translated into physical actuation. A compromised PLC may therefore give adversaries a way to manipulate or disrupt critical processes. This thesis investigates the means to protect these industrial devices in two major ways: by understanding the effectiveness of the state-of-the-art security mechanisms built into these devices; and by providing additional security measures for PLCs to ensure process integrity and availability.

In terms of understanding the effectiveness of the security mechanisms built into PLCs, this thesis presents a vulnerability analysis of one of the most prominent PLC ecosystems, that used by Siemens devices. With particular emphasis on understanding the security mechanism of the communication protocol known as S7CommPlus, novel exploits, including the manipulation of cryptographic keys, are identified based on experimental analysis. S7CommPlus carries the communication between Siemens endpoints such as TIA Portal (the vendor's engineering software) and PLCs such as the S7-1211C, which is the device used for the experiments in this work. Although a number of potential mitigation strategies are proposed for defending against the exploits presented, the analysis shows that the closed and proprietary nature of PLC ecosystems can be a weak link in the security of ICS networks. This calls for additional protections for these systems.

This thesis contributes to the need for additional security of PLCs through power analysis of the devices. Power analysis is a form of side-channel analysis that originated in cryptanalysis, where it is used to recover the secret keys of a device by measuring information leaked through a side-channel. Beyond power consumption, examples of side-channels include electromagnetic emanations from processors, processor timing information and acoustic emissions from the device. This thesis establishes the feasibility of using the power side-channel to detect anomalies in PLC operation that may be caused by a successful cyber-attack, demonstrating a signature-based approach to protect processes whose behaviour is constant every scan cycle. Further contributions are made by demonstrating that process information can be extracted using only the power side-channel. This makes it possible to monitor for process anomalies that modify the sequence of process states or change the behaviour of individual states. With the experimental evidence presented, this thesis achieves its goal of enhancing the security of PLC processes by providing a means of monitoring process integrity.
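The signature-based idea sketched above can be illustrated with a small added example. This is not code from the thesis: the power traces are constructed synthetically (three assumed phases per scan cycle with Gaussian noise, 200 samples per cycle), a per-sample mean/std template is learned from known-good cycles, a detection threshold is calibrated on held-out clean cycles, and a cycle with extra logic inserted mid-cycle is then scored against the template. The sample counts, phase levels and noise figures are assumptions chosen only to make the example run offline.

```python
"""Signature-based anomaly detection on per-cycle PLC power traces.

Added illustration, not the thesis's code: a template of the clean per-cycle
power profile is learned for a process with constant behaviour every cycle,
and each new cycle is scored by its normalised distance from that template.
All traces below are constructed, not measured.
"""
import math
import random
import statistics

CYCLE_SAMPLES = 200  # assumed samples per scan cycle (hypothetical ADC rate)

# Assumed power profile of one scan cycle: input read, logic, output write.
# (start, end, level): the level is a stand-in for measured supply current.
PHASES = [(0, 40, 1.0), (40, 150, 1.6), (150, 200, 1.2)]


def clean_cycle(rng, noise=0.03):
    """Constructed 'good' trace: fixed phase levels plus Gaussian noise."""
    trace = [0.0] * CYCLE_SAMPLES
    for start, end, level in PHASES:
        for i in range(start, end):
            trace[i] = level + rng.gauss(0, noise)
    return trace


def tampered_cycle(rng, extra_from=100, extra_to=130, bump=0.4):
    """Constructed 'bad' trace: extra logic inserted mid-cycle raises draw."""
    trace = clean_cycle(rng)
    for i in range(extra_from, extra_to):
        trace[i] += bump
    return trace


def build_signature(traces):
    """Per-sample mean/std template learned from known-good cycles."""
    n = len(traces[0])
    columns = [[t[i] for t in traces] for i in range(n)]
    mean = [statistics.fmean(col) for col in columns]
    # Floor the std so a perfectly flat sample cannot divide by zero.
    std = [max(statistics.pstdev(col), 1e-6) for col in columns]
    return {"mean": mean, "std": std}


def score(trace, sig):
    """RMS of per-sample z-scores: ~1.0 for a clean cycle, larger if tampered."""
    z2 = [((x - m) / s) ** 2 for x, m, s in zip(trace, sig["mean"], sig["std"])]
    return math.sqrt(sum(z2) / len(z2))


def calibrate_threshold(clean_traces, sig, k=3.0):
    """Threshold = mean + k*std of scores over held-out clean cycles."""
    scores = [score(t, sig) for t in clean_traces]
    return statistics.fmean(scores) + k * statistics.pstdev(scores)


def is_anomalous(trace, sig, threshold):
    """Flag a cycle whose distance from the signature exceeds the threshold."""
    return score(trace, sig) > threshold


def demo(seed=1):
    """Train on 50 clean cycles, calibrate on 20 more, then test one of each."""
    rng = random.Random(seed)
    train = [clean_cycle(rng) for _ in range(50)]
    holdout = [clean_cycle(rng) for _ in range(20)]
    sig = build_signature(train)
    thr = calibrate_threshold(holdout, sig)
    return {
        "threshold": thr,
        "good_flagged": is_anomalous(clean_cycle(rng), sig, thr),
        "bad_flagged": is_anomalous(tampered_cycle(rng), sig, thr),
    }


if __name__ == "__main__":
    print(demo())
```

The z-score normalisation matters in practice: phases with naturally noisy current draw get a wider tolerance than quiet ones, so the detector reacts to behaviour that is unusual for that point in the cycle rather than to raw amplitude. The approach only works for processes whose per-cycle behaviour is constant, which is exactly the restriction the abstract states; state-dependent processes need the sequence-aware monitoring it goes on to describe.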

Thesis embargoed until 31 July 2024
Date of Award: Jul 2023
Original language: English
Awarding Institution:
  • Queen's University Belfast
Supervisors: Kieran McLaughlin (Supervisor) & Sakir Sezer (Supervisor)


  • Programmable logic controllers
  • security
  • vulnerability analysis
  • side-channel analysis
