Computer Engineering and Applications ›› 2016, Vol. 52 ›› Issue (12): 101-107.


Research on key technology of programmable logic controllers’ vulnerability analysis

XIE Yaobin, SHU Hui, CHANG Rui, JIANG Liehui, ZHANG Yuanyuan

  1. College of Computer, Information Engineering University, Zhengzhou 450000, China
  • Online: 2016-06-15  Published: 2016-06-14


Abstract: Industrial Control Systems (ICS) are key national infrastructure, and their core device is the Programmable Logic Controller (PLC). Stuxnet attacked PLCs and destroyed physical devices, demonstrating the threat posed by PLC vulnerabilities. First, the role of the PLC within ICS and the structure of a PLC are described. Then, following the definition of an attack surface, the attack surface of a PLC is proposed and used to guide the vulnerability analysis of PLC protocols, programs and data. In addition, analysis techniques for proprietary PLC protocols and program bytecode are presented and implemented. Finally, the exploitation and attack process against a PLC is given. This paper provides a basis for the analysis and research of security assessment and protection of PLCs and ICS.

Key words: industrial control system, programmable logic controller, attack surface, analysis of vulnerability

Abstract (translated from the Chinese version): Industrial control systems are important national infrastructure, and the programmable logic controller (PLC) is their core. The Stuxnet worm destroyed physical equipment through attacks on PLCs, showing the threat posed by PLC vulnerabilities. This paper describes the position of PLCs in industrial control systems and the structure of a PLC, proposes the PLC attack surface based on the definition of an attack surface, and under its guidance analyses the vulnerabilities present in PLC protocols, programs and data. It also proposes and implements analysis techniques for undisclosed PLC protocols and program bytecode, and gives the PLC vulnerability exploitation and attack process. This provides a basis for analysis and research into the security assessment and protection of PLCs and industrial control systems.

Key words (translated from the Chinese version): industrial control system, programmable logic controller, attack surface, vulnerability analysis