Towards PLC-Specific Binary Analysis Tools: An Investigation of Codesys-Compiled PLC Software Applications

Proceedings of the 5th Workshop on CPS & IoT Security and Privacy, CPSIoTSec 2023 (2023)

Abstract
Critical infrastructures are controlled by industrial control systems. Such systems are primarily operated by Programmable Logic Controllers (PLCs). In recent years, PLC vendors have been moving towards commercial-off-the-shelf components and operating systems, a trend that has decreased development and maintenance costs. It has also had the side effect of exposing these devices to a wider range of attacks. Previous research has focused on securing the network and monitoring its traffic. However, PLC software applications, the programs that run on PLCs, have not been subject to diligent security analysis. This can be attributed to the proprietary nature of PLC compilers and the unique format of the PLC software binaries. Therefore, in this work we aim to closely study a PLC compiler (Codesys) that is used by more than 250 devices, including Siemens, Mitsubishi, and Schneider Electric devices. To this end, we created a varied dataset of 600 in-house programs composed of basic operations developed in different PLC languages and spanning different architectures, Codesys compiler versions, and PLC hardware vendors.
Keywords
Industrial control systems security