Critical Infrastructure: You Get What You Pay For
Abstract:
Programmable Logic Controllers (PLCs) have proliferated into multiple commercial sectors, including critical infrastructure applications. PLCs often manage resources that offer high-impact targets but with a lackadaisical treatment of security—a recipe for trouble. This paper proposes a misuser-driven approach for PLC assessment. The technique is a negativist spin on the user-story-driven software engineering approach of agile development. The paper presents a case study approach by examining a commercially available low-cost PLC; it also highlights the investigational process and describes the specific vulnerabilities uncovered by the process.
AUTHORS
School of Interdisciplinary Informatics (Cybersecurity), University of Nebraska at Omaha, Nebraska, U.S.
Gary A. Roth is a security analyst at NTT Security and a graduate student in the School of Interdisciplinary Informatics at the University of Nebraska at Omaha. He is pursuing an M.S. in Cybersecurity. He received his B.A. in Music from the University of Nebraska at Lincoln in 2008 and his B.S. in Cybersecurity from the University of Nebraska at Omaha in 2017. He holds membership in (ISC)² as an Associate of (ISC)² working towards CISSP certification and holds the CompTIA Security+ and Splunk Certified User certifications. His research has focused on investigating the security weaknesses of programmable logic controllers through reverse engineering their proprietary networking protocols. Gary is an avid clarinettist who often performs with concert bands and musical theatre pit orchestras.
School of Interdisciplinary Informatics, University of Nebraska-Omaha, Omaha, NE, United States
William R. Mahoney, Ph.D. is a professor in the College of Information Science and Technology at the University of Nebraska at Omaha. Dr. Mahoney is also a principal investigator for the Scholarship for Service program, a student aid program for cybersecurity students managed by the National Science Foundation. His research areas include code obfuscation, reverse engineering and anti-reverse engineering techniques, as well as vulnerability analysis, particularly with respect to critical infrastructure equipment. He regularly teaches in both the Cybersecurity and Computer Science areas and is a reviewer for several information warfare and cybersecurity publications and conferences.
School of Interdisciplinary Informatics (Cybersecurity), University of Nebraska at Omaha, Nebraska, U.S.
Dr. Matthew L. Hale is an Assistant Professor of Cybersecurity in the School of Interdisciplinary Informatics at the University of Nebraska at Omaha. He received his PhD in Computer Science from the University of Tulsa in 2014. His dissertation created a framework and interlingua for web service security certification in the cloud. His research interests lie at the intersection of software engineering and security with foci in the areas of building secure web services, evaluating internet of things devices and services, and investigating security problems in the context of human psychology. In his spare time, Dr. Hale enjoys cooking, which he thinks isn't all that different from software engineering (components, connectors, and patterns), disc golfing, and tabletop games.
Published In
Journal of Information Warfare