Authors: Syed Ali Qasim, Wooyeon Jo, Irfan Ahmed



Industrial control systems (ICS) play a critical role in the operation of our vital infrastructures. They consist of field sites and a control center, with programmable logic controllers (PLCs) used at field sites to control physical processes directly. These systems communicate with the control center using proprietary protocols for remote monitoring, control, and configuration. The ability to reverse engineer these protocols can improve digital forensics techniques for investigating ICS attacks. The existing methods for reversing ICS protocols are manual forensics, binary analysis, probabilistic methods, or predefined network traffic analysis tools. ICS protocols, designed to operate in industrial environments, exhibit overlapping functionality, such as uploading/downloading control logic to a PLC, which results in shared standard fields, such as function code and PLC memory address. Our hypothesis is that knowledge of one ICS protocol can aid in reverse engineering other proprietary ICS protocols. The paper introduces a heuristic builder, PREE, which enables control engineers with ICS protocol knowledge to create heuristics for identifying fields in other ICS protocols. We test our hypothesis by creating seven heuristic variants using the rolling window, vertical window, and frequency table techniques. We evaluate our heuristics on six ICS protocols, i.e., Modbus TCP, UMAS, ENIP, Omron FINS, CLICK, and PCCC. The evaluation involves five PLCs from four vendors: Modicon M221, Allen Bradley 1400 and 1100, Omron CP1L, and AutomationDirect CLICK Koyo. Results show that PREE can effectively identify common fields in multiple protocols, such as function code, message type, message length, PLC memory address, data size, and session/transaction IDs. PREE outperforms existing reverse engineering tools like NetPlier, Netzob, and Discoverer in terms of accuracy, conciseness, completeness, and consistency. We also demonstrate PREE's applications in a vulnerability study on CLICK Koyo PLC and present SNORT rules for investigating various attacks on it.
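To make the vertical window and frequency table ideas concrete, the following added example (not PREE's code, and not from the paper) lines up a constructed set of Modbus TCP request frames column by column and labels offsets whose values behave like a constant, a counter (transaction ID), a length field, or a low-cardinality enumeration (function code). The labelling rules, the window widths and the sample frames are assumptions made for illustration.

```python
"""Vertical-window / frequency-table field heuristics over constructed Modbus TCP frames."""
from collections import Counter

# Constructed sample traffic (MBAP header + PDU, big-endian): read holding
# registers (0x03), write single (0x06) and write multiple (0x10) registers, unit 1.
FRAMES = [bytes.fromhex(h) for h in (
    "00010000000601030000000A",
    "0002000000060103000A0005",
    "000300000006010600010011",
    "000400000006010300140002",
    "00050000000B01100001000204000A000B",
    "000600000006010600020022",
)]

def vertical_window(frames, offset, width):
    """Big-endian value of bytes [offset, offset+width) in every frame long enough."""
    return [int.from_bytes(f[offset:offset + width], "big")
            for f in frames if len(f) >= offset + width]

def classify_field(frames, offset, width):
    """Label one column: constant, counter (transaction ID), length, enumerated."""
    vals = vertical_window(frames, offset, width)
    if len(vals) != len(frames):  # window falls outside a short frame
        return None
    freq = Counter(vals)  # frequency table for this column
    if len(freq) == 1:
        return "constant"
    if all(b - a == 1 for a, b in zip(vals, vals[1:])):
        return "counter"
    if all(v == len(f) - (offset + width) for v, f in zip(vals, frames)):
        return "length"  # value == number of bytes following the field
    # Enumerated fields (e.g. function code) are judged one byte wide so a
    # constant byte (unit ID) is not merged with the varying byte next to it.
    if width == 1 and len(freq) <= len(frames) // 2:
        return "enumerated"
    return None

def scan_fields(frames, widths=(2, 1)):
    """Widest window first; bytes explained by a wider field are not re-labelled."""
    labels, covered = {}, set()
    shortest = min(len(f) for f in frames)
    for width in widths:
        for offset in range(shortest - width + 1):
            if any(o in covered for o in range(offset, offset + width)):
                continue
            label = classify_field(frames, offset, width)
            if label:
                labels[(offset, width)] = label
                covered.update(range(offset, offset + width))
    return labels
```

On the sample frames the scan recovers the MBAP layout: a transaction counter at offset 0, the constant protocol ID at 2, the length field at 4, the constant unit ID at 6 and an enumerated function code at 7, with the address and quantity bytes left unlabelled because no rule explains them.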