SNIFU: Secure Network Interception for Firmware Updates in legacy PLCs

Attacks on Industrial Control Systems (ICS) are increasingly targeting field devices and the firmware that instruments their operation. Securing the firmware images and their update procedure has, therefore, become an important challenge. This is especially true for widely deployed legacy devices which are not equipped with the necessary security mechanisms/capabilities. In this paper, we address the problem by reverse engineering PLC firmware update tools to build a device that ensures the integrity and authenticity of firmware updates, before allowing them to be flashed onto a field device. Our tool is directly connected to field devices and consists of a firmware signing mechanism, a PLC emulation module, and a payload detection classifier – all integrated in a bump-in-the-wire device, SNIFU. SNIFU monitors serial traffic sent to the PLC for firmware update commands. When it identifies such commands, it emulates a PLC, capturing the entire firmware image and verifying it before relaying it to the PLC. We implement and evaluate a prototype of SNIFU using a Raspberry Pi, that secures the update process of a commercial PLC by Wago.