Authors:
Gulab Kumar Mondal, Arijit Das, Moumita Pal, Biswarup Neogi, DharamPal Singh

DOI NO:
https://doi.org/10.26782/jmcms.2026.02.00003

Keywords:
SCADA Security, Industrial Control Systems (ICS), YARA, Logic, Modbus, TCP, Host-Based Intrusion Detection, Static Analysis, OT Cybersecurity

Abstract
Modern Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks face a growing class of logic-layer attacks in which adversaries silently manipulate configuration or project files instead of deploying traditional malware. Existing defences, such as network intrusion detection systems and machine-learning-based anomaly detectors, struggle to observe these pre-deployment logic changes and often incur high operational complexity. This paper presents a lightweight, host-based framework that uses YARA, a rule-based pattern-matching engine, to perform static inspection of XML configuration files generated by SCADA engineering tools. The proposed system is implemented on a Windows 10 engineering workstation using ModbusPal as a Modbus TCP simulator, Python for file monitoring and GUI development, and the YARA CLI/Python bindings for rule execution. Custom YARA rules are crafted to detect unauthorized Modbus function code 5 (Write Single Coil) operations targeting critical coil addresses, modelling malicious logic injections such as covert actuator activations. In a controlled lab environment, on a set of ModbusPal project files mixing benign (untampered) and tampered projects, the framework detected every tampered file in under 200 milliseconds, with zero false positives and zero false negatives for the defined ruleset, at negligible resource overhead. These findings indicate that static logic validation at the host level can serve as an effective pre-deployment integrity check for PLC logic, complementing current network-based and behaviour-based ICS security mechanisms, without modifying the installed PLC hardware or network protocol.
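The detection idea in the abstract, a host-side static check of an engineering project file for function code 5 (Write Single Coil) operations aimed at critical coils, as an added example that is not the paper's code. The XML layout (`<operation slave= function= address= value=/>` entries), the critical coil set `{7, 12, 40}`, the rule name and the rule text are all assumptions made for the example, not ModbusPal's real project schema or the authors' ruleset. The YARA rule is kept as a string next to a pure-Python equivalent so the block runs without yara-python; a third sample shows where a string-level rule and an XML parser disagree.

```python
"""Host-based static check of a SCADA engineering project file for covert
Modbus function code 5 (Write Single Coil) operations on critical coils.

Added example, not code from the paper. The XML layout used here
(<operation slave= function= address= value=/> entries) is a constructed
stand-in for a ModbusPal project file; the real schema may differ.
"""
import re
import xml.etree.ElementTree as ET

# Assumption: coil addresses the plant owner has flagged as safety-critical
# (actuators whose covert activation matters). Taken from the I/O list in
# practice; hard-coded here for the example.
CRITICAL_COILS = {7, 12, 40}
_ALT = "|".join(str(a) for a in sorted(CRITICAL_COILS))  # "7|12|40"

# The same check expressed as a YARA rule (hypothetical rule text). Both
# attribute orders are covered because a regex, unlike an XML parser, is
# order-sensitive. Kept next to the Python logic so the two stay in sync.
YARA_RULE = f'''
rule Modbus_FC5_Critical_Coil_Write
{{
    meta:
        description = "Write Single Coil (FC5) aimed at a critical coil address"
    strings:
        $fc5 = /<operation[^>]*(function="5"[^>]*address="({_ALT})"|address="({_ALT})"[^>]*function="5")/
    condition:
        $fc5
}}
'''

# Python equivalent of the YARA regex, usable without yara-python installed.
FC5_PATTERN = re.compile(
    rf'<operation[^>]*(?:function="5"[^>]*address="(?:{_ALT})"'
    rf'|address="(?:{_ALT})"[^>]*function="5")'
)


def regex_hits(xml_text: str) -> int:
    """String-level check, as YARA sees the file: count FC5 writes to critical coils."""
    return len(FC5_PATTERN.findall(xml_text))


def scan_project_xml(xml_text: str) -> list[dict]:
    """Structural check: parse the project and return each FC5 write to a critical coil."""
    findings = []
    for op in ET.fromstring(xml_text).iter("operation"):
        try:
            fc = int(op.get("function", "-1"))
            addr = int(op.get("address", "-1"))
        except ValueError:
            continue  # non-numeric attribute; a stricter policy would flag this too
        if fc == 5 and addr in CRITICAL_COILS:
            findings.append({"slave": op.get("slave"), "function": fc,
                             "address": addr, "value": op.get("value")})
    return findings


def verdict(xml_text: str) -> str:
    """Pre-deployment integrity verdict for one project file."""
    return "TAMPERED" if scan_project_xml(xml_text) else "CLEAN"


# Constructed sample project files (not real ModbusPal output).
BENIGN_PROJECT = """<project>
  <slave id="1">
    <operation slave="1" function="5" address="3" value="1"/>
    <operation slave="1" function="6" address="40" value="250"/>
  </slave>
</project>"""

TAMPERED_PROJECT = """<project>
  <slave id="1">
    <operation slave="1" function="5" address="3" value="1"/>
    <operation slave="1" function="5" address="12" value="1"/>
    <operation slave="1" address="40" function="5" value="1"/>
  </slave>
</project>"""

# Edge case: the only FC5 write to a critical coil sits inside an XML comment.
# The string-level rule still fires; the parser does not. Decide which
# behaviour the policy wants before trusting a zero-false-positive figure.
COMMENTED_PROJECT = """<project>
  <!-- <operation slave="1" function="5" address="7" value="1"/> -->
  <slave id="1"/>
</project>"""

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_PROJECT), ("tampered", TAMPERED_PROJECT),
                      ("commented", COMMENTED_PROJECT)]:
        print(f"{name:9s} regex_hits={regex_hits(doc)} "
              f"parser={scan_project_xml(doc)} verdict={verdict(doc)}")
```

The benign file writes a non-critical coil (address 3) and a holding register (function code 6, address 40), so neither check fires; the tampered file carries two FC5 writes to critical coils, one with the attributes in reversed order, and both checks report them. The commented sample is the caveat: a YARA-style byte pattern matches commented-out logic that an engineering tool would never deploy, so a ruleset that reports zero false positives on a given corpus should state whether comments and disabled blocks were in that corpus. Hooking `scan_project_xml` to a file-monitoring loop over the engineering tool's save directory gives the host-based workflow the abstract describes.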
