Data2Damage: Using Large Language Models to Reverse-Engineer PLC Logic in Industrial Control Systems and Discover Potential Vulnerabilities

Title: Data2Damage: Using Large Language Models to Reverse-Engineer PLC Logic in Industrial Control Systems and Discover Potential Vulnerabilities Abstract: The Data2Damage framework leverages large language models to reconstruct PLC control logic from operational data, identify critical logic-layer vulnerabilities in industrial control systems, and provide new insights for industrial control security audits. Keywords: Industrial Control Systems, PLC, Large Language Models, Vulnerability Detection, Reverse Engineering, Industrial Control Security, ICS Security Original Author/Maintainer: mujeebch Source Platform: GitHub Original Title: Data2Damage Original Link: https://github.com/mujeebch/Data2Damage Publication Date: 2026-06-05

Industrial Control Systems (ICS) are the nerve center of modern manufacturing, energy, transportation, and other critical infrastructure. Programmable Logic Controllers (PLCs), as core components of ICS, are responsible for executing control logic to manage physical processes. However, these systems face severe security challenges. Traditional security audit methods often rely on source code review or binary analysis, but in industrial environments, PLC programs usually exist in compiled binary form, and source code may be lost or unavailable. Worse still, many old systems lack complete documentation, making security assessment extremely difficult. Additionally, the特殊性 of ICS systems lies in that their failures can lead to physical damage, not just data leaks, which makes vulnerability discovery even more critical.

Data2Damage is an innovative research framework that cleverly uses the capabilities of Large Language Models (LLMs) to solve the above problems. The core idea of the framework is to reverse-engineer the control logic by analyzing the PLC's runtime data and identify potential security vulnerabilities based on this. The unique aspect of this method is that it does not require access to source code or binary files; instead, it is entirely based on data generated during system operation. This provides a feasible path for security audits of old industrial systems that lack documentation.

The workflow of Data2Damage can be divided into several key stages. First, the framework collects the PLC's runtime data, including input signals, output signals, and changes in internal states. These data reflect the PLC's behavior patterns in real working environments. Next, large language models are involved in processing these operational data. The task of the LLM is to identify patterns from these seemingly messy data and reconstruct the PLC's control logic. This includes identifying typical PLC programming elements such as conditional judgments, loop structures, timers, and counters. Once the logic is reconstructed, the framework performs vulnerability analysis. The vulnerabilities here include not only traditional software vulnerabilities (such as buffer overflows) but more importantly, logic-layer vulnerabilities—for example, whether a sensor failure will lead to a dangerous state, or whether there are race conditions that may cause unexpected behavior.

Unlike vulnerabilities in traditional IT systems, logic-layer vulnerabilities in ICS are often more hidden but more harmful. A typical example: if the reading of a temperature sensor is maliciously tampered with, the PLC may make decisions based on incorrect data, leading to equipment overheating or even explosion. Data2Damage focuses on identifying such logic-layer issues. By understanding the true intent of the control logic, the framework can detect problems such as "lack of safety interlocks", "inadequate exception handling", and "insufficient state transition conditions". These issues may seem completely legitimate at the code level, but they can lead to catastrophic consequences in actual operation.

Data2Damage has a wide range of application scenarios. For factory operators, it can be used for regular security audits to ensure that control logic complies with safety standards. For equipment manufacturers, it can serve as an auxiliary tool for quality control to find potential problems before product delivery. In the field of security research, Data2Damage opens up new directions for ICS security analysis. Traditional ICS security research is often limited by proprietary protocols and closed systems, but this framework demonstrates how to use AI technology to break through these limitations. Additionally, with the advancement of Industry 4.0 and smart manufacturing, more and more traditional devices need to be connected to the network, which expands the attack surface. The method provided by Data2Damage can help enterprises better understand and protect their critical assets while undergoing digital transformation.

Although Data2Damage shows exciting potential, this technology is still in the research stage. One main challenge is the accuracy of the reconstructed logic—large language models may produce seemingly reasonable but actually incorrect logical inferences. Therefore, the reconstructed results still need expert verification. Another challenge is data quality. If the runtime data is not rich enough or representative, the reconstructed logic may be incomplete. This requires sufficient data collection planning in practical applications. Looking to the future, as the capabilities of large language models continue to improve and industrial IoT data becomes increasingly abundant, methods like Data2Damage are expected to play a greater role in the industrial security field. Combined with formal verification technology, a complete chain from data to logic to strict security proof may be realized in the future.

Data2Damage represents an innovative application of AI technology in the industrial security field. It reminds us that when facing the dilemma of old systems and data scarcity, large language models may provide unexpected solutions. For practitioners concerned with industrial control security, this framework is worth paying close attention to—it is not only a tool but also a paradigm shift from relying on source code to embracing data-driven security analysis.