Detecting Ladder Logic Bombs in IEC 61131-3 PLC Programs using ESBMC-PLC+: A Formal Verification Approach with Trigger Synthesis

arXiv:2607.08417v1 Announce Type: new Abstract: A Ladder Logic Bomb (LLB) is malicious control logic in a Programmable Logic Controller (PLC) program that lies dormant until a trigger activates a payload to manipulate actuators, forge sensor readings, or deny operator control. We observe that real malicious logic hides inside function-block bodies, which existing ladder-diagram verifiers drop from their intermediate representation (IR), making bombs invisible to provers. We present ESBMC-LLB, which uses ESBMC-PLC+ as its verification engine and adds a modeling layer that exposes function-block
The increasing sophistication of cyber threats targeting industrial control systems, coupled with advancements in formal verification techniques, makes the detection of 'logic bombs' a pressing concern.
This development highlights the growing vulnerability of critical infrastructure to sophisticated, stealthy cyberattacks embedded within operational technology (OT) and the urgent need for robust defensive measures.
The ability to formally verify PLC programs for hidden malicious logic changes the cybersecurity posture for industrial systems, moving towards proactive detection rather than reactive incident response.
- · Industrial cybersecurity firms
- · Critical infrastructure operators
- · Governments focused on national security
- · State-sponsored hacking groups
- · Industrial systems integrators with poor security practices
- · Organizations with legacy, unverified control systems
Improved detection capabilities for hidden malicious code in industrial control systems will reduce the attack surface for critical infrastructure.
The cost and complexity of developing and deploying advanced industrial cyberattacks will increase, potentially shifting threat actor tactics.
Formal verification tools may become a mandatory component of PLC development and deployment, driving new standards and compliance requirements in industrial automation.
This signal links to a primary source. Continuum Brief monitors and indexes it as part of the live intelligence stream — we do not republish source content.
Read at arXiv cs.CL