Wooyeon Jo and Irfan Ahmed, Virginia Commonwealth University
Programmable Logic Controllers (PLCs) are critical to industrial control systems (ICS), yet their memory remains a prime target for exploitation. While traditional attacks focus on network intrusions, PLC memory manipulation enables sophisticated attacks, such as malicious process control and supply chain backdoors. Existing security measures, including intrusion detection systems (IDS), fail to detect these threats, necessitating a systematic approach to analyzing and exploiting PLC memory. This paper presents a machine learning-driven framework for PLC memory exploitation, identifying critical regions vulnerable to unauthorized access and manipulation. Using extracted features such as entropy-based and structural characteristics, we classify PLC memory into exploitable segments, including metadata and control logic. Our method enables precise targeting of PLC memory for adversarial access, injection, and modification, operating independently of PLC-specific semantics. By training on an M221 PLC, we demonstrate its generalization across architectures, successfully exploiting PLCs with distinct instruction sets. We evaluate our approach on three PLCs from two vendors, actively probing memory to elicit responses such as accept, deny, halt, and compromise. The results expose inconsistencies in memory protections across PLC architectures, reinforcing the need for improved memory integrity in ICS environments. As part of our research, we identified and disclosed a critical PLC memory vulnerability (CVE-2024-11737).
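As an added illustration of the entropy-based feature the abstract mentions (this is not the paper's code or classifier), the following builds a per-window entropy profile of a memory image, labels regions with illustrative thresholds, and flags windows whose entropy has drifted from a recorded baseline, the kind of check a memory-integrity monitor could apply. The window size, the thresholds and both byte images are constructed assumptions.

```python
"""Entropy-profile segmentation of a PLC memory image, plus a baseline drift check."""
import math
from collections import Counter

WINDOW = 64  # bytes per window; an illustrative choice, not a setting from the paper

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(image: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each fixed-size window, in address order."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]

def label_window(h: float) -> str:
    """Coarse label from entropy alone; the thresholds are assumptions for illustration."""
    if h < 0.5:
        return "padding"       # zero- or constant-filled
    if h < 5.0:
        return "structured"    # where metadata and control logic typically sit
    return "high-entropy"      # compressed, encrypted or random-looking data

def segment(image: bytes, window: int = WINDOW) -> list[tuple[int, int, str]]:
    """Merge consecutive windows sharing a label into (start, end, label) regions."""
    regions: list[tuple[int, int, str]] = []
    for idx, h in enumerate(entropy_profile(image, window)):
        start, label = idx * window, label_window(h)
        end = min(start + window, len(image))
        if regions and regions[-1][2] == label:
            regions[-1] = (regions[-1][0], end, label)
        else:
            regions.append((start, end, label))
    return regions

def flag_entropy_shifts(baseline: bytes, current: bytes,
                        window: int = WINDOW, tol: float = 0.5) -> list[int]:
    """Window offsets whose entropy moved by more than tol bits since the baseline.
    Entropy misses distribution-preserving edits, so a real monitor pairs it with per-window hashes."""
    base, cur = entropy_profile(baseline, window), entropy_profile(current, window)
    return [i * window for i, (a, b) in enumerate(zip(base, cur)) if abs(a - b) > tol]

# Constructed 768-byte image: 256 B zero padding, 256 B of a repeating 4-byte record
# (stand-in for structured metadata/logic), 256 B of all-distinct bytes (high entropy).
BASELINE = bytes(256) + b"\x7e\x01\x00\x00" * 64 + bytes(range(256))
# Constructed "after" image: the structured window at 0x140 overwritten with code-like
# bytes, and the high-entropy window at 0x240 wiped to zeros.
MODIFIED = BASELINE[:320] + bytes(range(64)) + BASELINE[384:576] + bytes(64) + BASELINE[640:]
```

Running `segment(BASELINE)` yields three regions (padding, structured, high-entropy), and `flag_entropy_shifts(BASELINE, MODIFIED)` reports the two altered windows at offsets 320 and 576.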

author = {Wooyeon Jo and Irfan Ahmed},
title = {Oops, It Halted Again: Exploiting {PLC} Memory for Fun and Profit in Industrial Control Systems},
booktitle = {19th USENIX WOOT Conference on Offensive Technologies (WOOT 25)},
year = {2025},
isbn = {978-1-939133-50-2},
address = {Seattle, WA},
pages = {191--207},
url = {https://www.usenix.org/conference/woot25/presentation/jo},
publisher = {USENIX Association},
month = aug
}