FieldFuzz: Enabling vulnerability discovery in Industrial Control Systems supply chain using stateful system-level fuzzing

With the advent of the fourth industrial revolution, Programmable Logic Controllers (PLCs) used as field devices, have been growing in their sophistication, offering extensive smart features, such as remote connectivity, support for standardized cryptography, and visualization. Such computational platforms incorporate components from various sources (vendor, platform provider, open-source), bringing along their associated vulnerabilities. This, combined with the increase in reliance on the Industrial Internet of Things (IIoT) devices for automation and feedback, has opened previously airtight networks to remote attacks. Furthermore, modern PLCs often employ commodity software such as Linux on ARM, further expanding the threat surface towards traditional vulnerabilities. Security analysis of Operational Technology (OT) software, specifically, the control runtime and IEC applications, remains relatively unexplored due to its proprietary nature. In this work, we implement FieldFuzz, a methodology for discovering supply chain vulnerabilities in every PLC component using stateful black-box fuzzing without the requirement of a real device. FieldFuzz has been built using the Codesys v3 protocol, making it applicable to at least 80 industrial device vendors ranging from over 400 devices. Fuzzing campaigns uncovered multiple vulnerabilities, leading to three reported CVE IDs. To study the cross-platform applicability of FieldFuzz, we reproduce the findings on a diverse set of Industrial Control System (ICS) devices, showing a significant improvement over the state-of-the-art.