- Add validated mitre_attack frontmatter to all 754 skills (286 distinct
techniques), verified against MITRE ATT&CK v19.1 via the official
mitreattack-python library: 0 revoked, deprecated, or invalid IDs
- Curate precise per-skill technique IDs for forensics, malware-analysis,
threat-intel, and red-team skills (e.g. DCSync -> T1003.006,
Kerberoasting -> T1558.003, Pass-the-Ticket -> T1550.003)
- Reconcile v19.1 tactic restructuring: Defense Evasion split into
Stealth (TA0005) and Defense Impairment (TA0112); revoked T1562.*
family and T1070.001/.002 remapped to active equivalents (T1685.*)
- Normalize word-split tags across 35 skills (remove filename-derived
stopword tags, add semantic cybersecurity tags)
- Add api-reference.md for 3 skills that were missing it
- Update README ATT&CK section with accurate v19.1 tactic distribution
This skill covers analyzing Programmable Logic Controller (PLC) firmware for security vulnerabilities including hardcoded credentials, insecure update mechanisms, backdoor functions, memory corruption flaws, and undocumented debug interfaces. It addresses firmware extraction from common PLC platforms (Siemens S7, Allen-Bradley, Schneider Modicon), static analysis of firmware images, dynamic analysis in emulated environments, and comparison against known-good baselines to detect tampering.
cybersecurity
ot-ics-security
ot-security
ics
scada
industrial-control
iec62443
firmware-analysis
plc-security
1.0.0
mahipal
Apache-2.0
PR.IR-01
DE.CM-01
ID.AM-05
GV.OC-02
T1078
T1190
T1059
T1003
T1110
Performing PLC Firmware Security Analysis
When to Use
When assessing PLC security as part of an IEC 62443 component security evaluation (IEC 62443-4-2)
When validating firmware integrity after a suspected compromise or supply chain attack
When evaluating the security of a new PLC platform before deployment in critical infrastructure
When performing vulnerability research on industrial control system devices in an authorized lab
When responding to an incident where PLC logic or firmware tampering is suspected
Do not use on live production PLCs without explicit authorization and safety controls in place. Firmware extraction and analysis should be performed on lab devices or offline backups. Never upload PLC firmware to public analysis services. See performing-ics-penetration-testing for authorized live testing procedures.
Prerequisites
Isolated lab environment with the target PLC hardware or an emulated environment
PLC programming software for the target platform (Siemens TIA Portal, Rockwell Studio 5000, Schneider EcoStruxure)
Reference copy of known-good firmware for integrity comparison
Workflow
Step 1: Acquire PLC Firmware for Analysis
Extract or obtain PLC firmware through authorized methods. This can be done by downloading from the vendor, extracting from a lab device, or obtaining from a project backup.
#!/usr/bin/env python3"""PLC Firmware Acquisition and Integrity Verification.
Supports firmware extraction from project files, network downloads,
and binary image comparison against known-good baselines.
"""importhashlibimportjsonimportosimportstructimportsysimportzipfilefromdatetimeimportdatetimefrompathlibimportPathclassPLCFirmwareAcquisition:"""Handles PLC firmware acquisition from various sources."""def__init__(self,output_dir="firmware_analysis"):self.output_dir=Path(output_dir)self.output_dir.mkdir(exist_ok=True)self.manifest={"acquisition_date":datetime.now().isoformat(),"firmware_samples":[],}defextract_from_siemens_project(self,project_path):"""Extract firmware/program blocks from Siemens TIA Portal project.
TIA Portal projects (.ap16/.ap17) are ZIP archives containing
XML-encoded PLC program blocks and system configuration.
"""print(f"[*] Analyzing Siemens project: {project_path}")results={"platform":"Siemens","blocks":[]}ifzipfile.is_zipfile(project_path):withzipfile.ZipFile(project_path,"r")aszf:forinfoinzf.infolist():# Program blocks are stored as XML in specific pathsif"ProgramBlocks"ininfo.filenameor"SystemBlocks"ininfo.filename:block_data=zf.read(info.filename)block_hash=hashlib.sha256(block_data).hexdigest()block_path=self.output_dir/info.filename.replace("/","_")block_path.write_bytes(block_data)results["blocks"].append({"name":info.filename,"size":info.file_size,"sha256":block_hash,"extracted_to":str(block_path),})print(f" [+] Extracted: {info.filename} ({info.file_size} bytes)")self.manifest["firmware_samples"].append(results)returnresultsdefextract_from_rockwell_project(self,acd_path):"""Extract program data from Rockwell Studio 5000 ACD file.
ACD files contain controller program, tags, and configuration.
"""print(f"[*] Analyzing Rockwell project: {acd_path}")results={"platform":"Rockwell/Allen-Bradley","blocks":[]}withopen(acd_path,"rb")asf:header=f.read(256)# ACD files have a specific signatureifb"RSLogix"inheaderorb"Studio 5000"inheader:f.seek(0)full_data=f.read()file_hash=hashlib.sha256(full_data).hexdigest()results["blocks"].append({"name":os.path.basename(acd_path),"size":len(full_data),"sha256":file_hash,"header_signature":header[:16].hex(),})print(f" [+] Project hash: {file_hash}")self.manifest["firmware_samples"].append(results)returnresultsdefcompute_firmware_hash(self,firmware_path):"""Compute multiple hashes of a firmware image for integrity tracking."""data=Path(firmware_path).read_bytes()return{"file":str(firmware_path),"size":len(data),"md5":hashlib.md5(data).hexdigest(),"sha256":hashlib.sha256(data).hexdigest(),"sha512":hashlib.sha512(data).hexdigest(),}defcompare_firmware_integrity(self,current_fw,baseline_fw):"""Compare current firmware against known-good baseline."""current_hash=self.compute_firmware_hash(current_fw)baseline_hash=self.compute_firmware_hash(baseline_fw)match=current_hash["sha256"]==baseline_hash["sha256"]result={"comparison_date":datetime.now().isoformat(),"current_firmware":current_hash,"baseline_firmware":baseline_hash,"integrity_match":match,"verdict":"PASS - Firmware matches baseline"ifmatchelse"FAIL - Firmware modified!",}ifnotmatch:# Find the offset where files divergecurrent_data=Path(current_fw).read_bytes()baseline_data=Path(baseline_fw).read_bytes()min_len=min(len(current_data),len(baseline_data))first_diff=Nonediff_count=0foriinrange(min_len):ifcurrent_data[i]!=baseline_data[i]:iffirst_diffisNone:first_diff=idiff_count+=1result["first_difference_offset"]=f"0x{first_diff:08x}"iffirst_diffelseNoneresult["total_different_bytes"]=diff_countresult["size_difference"]=len(current_data)-len(baseline_data)returnresultdefsave_manifest(self):"""Save acquisition manifest."""manifest_path=self.output_dir/"acquisition_manifest.json"withopen(manifest_path,"w")asf:json.dump(self.manifest,f,indent=2)print(f"\n[*] Manifest saved: {manifest_path}")if__name__=="__main__":acq=PLCFirmwareAcquisition()iflen(sys.argv)<2:print("Usage:")print(" python process.py extract-siemens <project.ap17>")print(" python process.py extract-rockwell <project.acd>")print(" python process.py compare <current.bin> <baseline.bin>")sys.exit(1)cmd=sys.argv[1]ifcmd=="extract-siemens"andlen(sys.argv)>2:acq.extract_from_siemens_project(sys.argv[2])elifcmd=="extract-rockwell"andlen(sys.argv)>2:acq.extract_from_rockwell_project(sys.argv[2])elifcmd=="compare"andlen(sys.argv)>3:result=acq.compare_firmware_integrity(sys.argv[2],sys.argv[3])print(json.dumps(result,indent=2))else:print("Invalid command")sys.exit(1)acq.save_manifest()
Step 2: Perform Static Analysis of Firmware Image
Use binwalk for firmware unpacking and Ghidra for disassembly to identify security issues in the firmware binary.
# Step 2a: Unpack firmware image with binwalk
binwalk -e firmware.bin
# Output: _firmware.bin.extracted/# Identify firmware components
binwalk firmware.bin
# Look for: file system images, compressed sections, bootloader, RTOS kernel# Extract strings for credential and configuration analysis
strings -n 8 firmware.bin > firmware_strings.txt
# Search for hardcoded credentials
grep -iE "(password|passwd|pwd|secret|key|credential|login|admin|root)" firmware_strings.txt
# Search for network configuration
grep -iE "(http|ftp|telnet|ssh|snmp|modbus|192\.168|10\.|172\.)" firmware_strings.txt
# Search for debug/backdoor indicators
grep -iE "(debug|backdoor|test_mode|factory|service_port|hidden)" firmware_strings.txt
# Search for cryptographic material
grep -iE "(BEGIN RSA|BEGIN CERTIFICATE|AES|DES|private.key)" firmware_strings.txt
# Step 2b: Entropy analysis to detect encrypted/compressed sections
binwalk -E firmware.bin
# High entropy sections may contain encrypted payloads or compressed data# Step 2c: Analyze with Ghidra (headless mode)
analyzeHeadless /tmp/ghidra_project PLC_FW \
-import firmware.bin \
-processor ARM:LE:32:Cortex \
-postScript FindCryptoConstants.java \
-postScript FindHardcodedStrings.java \
-log /tmp/ghidra_analysis.log
Step 3: Analyze PLC Communication Stack Security
Examine how the PLC handles industrial protocol requests, focusing on authentication bypass, buffer overflows in packet parsing, and command injection vulnerabilities.
#!/usr/bin/env python3"""PLC Protocol Security Analyzer.
Tests PLC protocol implementation for common vulnerabilities
including authentication bypass, malformed packet handling,
and function code access control.
WARNING: Only run against lab/test PLCs, never production systems.
"""importsocketimportstructimportsysimporttimefromdataclassesimportdataclass@dataclassclassProtocolTestResult:test_name:strtarget:strprotocol:strresult:str# PASS, FAIL, ERRORseverity:strdetail:strclassModbusSecurityTester:"""Tests Modbus/TCP implementation security."""def__init__(self,target_ip,target_port=502):self.target=target_ipself.port=target_portself.results=[]def_send_modbus(self,unit_id,func_code,data=b""):"""Send a Modbus/TCP request and return response."""# MBAP Header: transaction_id(2) + protocol_id(2) + length(2) + unit_id(1)mbap=struct.pack(">HHHB",0x0001,0x0000,len(data)+2,unit_id)pdu=struct.pack("B",func_code)+datatry:sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)sock.settimeout(5)sock.connect((self.target,self.port))sock.send(mbap+pdu)response=sock.recv(1024)sock.close()returnresponseexceptExceptionase:returnNonedeftest_authentication_required(self):"""Test if PLC requires authentication for read/write operations."""# Test unauthenticated readread_data=struct.pack(">HH",0,10)# Read 10 registers from address 0response=self._send_modbus(1,3,read_data)ifresponseandlen(response)>8andresponse[7]!=0x83:self.results.append(ProtocolTestResult(test_name="Modbus Authentication - Read",target=self.target,protocol="Modbus/TCP",result="FAIL",severity="high",detail="PLC accepts unauthenticated Modbus read commands. No authentication required.",))# Test unauthenticated writewrite_data=struct.pack(">HH",100,0)# Write 0 to register 100response=self._send_modbus(1,6,write_data)ifresponseandlen(response)>8andresponse[7]!=0x86:self.results.append(ProtocolTestResult(test_name="Modbus Authentication - Write",target=self.target,protocol="Modbus/TCP",result="FAIL",severity="critical",detail="PLC accepts unauthenticated Modbus WRITE commands. Any host can modify registers.",))deftest_function_code_access_control(self):"""Test if PLC restricts dangerous function codes."""dangerous_funcs={8:"Diagnostics (can restart communications)",17:"Report Slave ID (information disclosure)",43:"Encapsulated Interface Transport (device identification)",}forfc,descindangerous_funcs.items():response=self._send_modbus(1,fc,b"\x00\x00")ifresponseandlen(response)>8:error_code=response[7]iferror_code!=(fc|0x80):# Not an exception responseself.results.append(ProtocolTestResult(test_name=f"Function Code Access - FC{fc}",target=self.target,protocol="Modbus/TCP",result="FAIL",severity="medium",detail=f"PLC responds to FC{fc} ({desc}) without access control",))deftest_invalid_unit_id(self):"""Test PLC response to broadcast and invalid unit IDs."""# Broadcast (unit ID 0) - should be carefully handledread_data=struct.pack(">HH",0,1)response=self._send_modbus(0,3,read_data)ifresponseandlen(response)>8andresponse[7]!=0x83:self.results.append(ProtocolTestResult(test_name="Broadcast Unit ID Handling",target=self.target,protocol="Modbus/TCP",result="FAIL",severity="high",detail="PLC responds to broadcast unit ID 0. This enables broadcast write attacks.",))deftest_malformed_packet_handling(self):"""Test PLC resilience against malformed Modbus packets."""# Oversized length fieldmalformed=struct.pack(">HHH",0x0001,0x0000,0xFFFF)+b"\x01\x03\x00\x00\x00\x01"try:sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)sock.settimeout(5)sock.connect((self.target,self.port))sock.send(malformed)time.sleep(1)# Verify PLC is still responsiveread_data=struct.pack(">HH",0,1)response=self._send_modbus(1,3,read_data)sock.close()ifresponseisNone:self.results.append(ProtocolTestResult(test_name="Malformed Packet - Oversized Length",target=self.target,protocol="Modbus/TCP",result="FAIL",severity="critical",detail="PLC became unresponsive after receiving oversized length field. Possible DoS vulnerability.",))else:self.results.append(ProtocolTestResult(test_name="Malformed Packet - Oversized Length",target=self.target,protocol="Modbus/TCP",result="PASS",severity="info",detail="PLC correctly handles oversized length field without crashing",))exceptExceptionase:passdefrun_all_tests(self):"""Run all Modbus security tests."""print(f"\n{'='*60}")print(f"PLC MODBUS SECURITY ANALYSIS - {self.target}:{self.port}")print(f"{'='*60}")self.test_authentication_required()self.test_function_code_access_control()self.test_invalid_unit_id()self.test_malformed_packet_handling()forrinself.results:icon="[FAIL]"ifr.result=="FAIL"else"[PASS]"print(f"\n{icon}{r.test_name}")print(f" Severity: {r.severity}")print(f" Detail: {r.detail}")returnself.resultsif__name__=="__main__":iflen(sys.argv)<2:print("Usage: python plc_protocol_tester.py <target_plc_ip> [port]")print("WARNING: Only use against lab/test PLCs!")sys.exit(1)target=sys.argv[1]port=int(sys.argv[2])iflen(sys.argv)>2else502tester=ModbusSecurityTester(target,port)tester.run_all_tests()
Key Concepts
Term
Definition
PLC Firmware
The embedded software running on a Programmable Logic Controller, including the real-time operating system, protocol stacks, and I/O drivers
Ladder Logic
Graphical programming language for PLCs that represents relay logic circuits, stored as program blocks in PLC memory
Function Block
Reusable PLC programming element that encapsulates logic with defined inputs/outputs, can be analyzed for malicious modifications
Firmware Integrity
Verification that PLC firmware has not been modified from the vendor-supplied or approved version using cryptographic hash comparison
IEC 62443-4-2
Component security requirements in the IEC 62443 standard, defining security capabilities required for IACS components including PLCs
JTAG/SWD
Hardware debug interfaces (Joint Test Action Group / Serial Wire Debug) used for firmware extraction and low-level analysis
Tools & Systems
Binwalk: Firmware analysis tool for scanning, extracting, and analyzing embedded firmware images
Ghidra: NSA-developed reverse engineering framework supporting ARM, MIPS, PowerPC architectures common in PLCs
EMUX/FIRMADYNE: Firmware emulation frameworks for dynamic analysis of embedded device firmware
PLCinject: Research tool for analyzing PLC logic injection vulnerabilities (use only in authorized lab settings)
OpenPLC: Open-source PLC platform useful as a test target for security research