Bridging the PLC Binary Analysis Gap: A Cross-Compiler Dataset and Neural Framework for Industrial Control Systems

Achamyeleh, Yonatan Gizachew, Yu, Shih-Yuan, Araya, Gustavo Quirós, Faruque, Mohammad Abdullah Al

arXiv.org Artificial Intelligence 

Industrial Control Systems (ICS) rely heavily on Programmable Logic Controllers (PLCs) to manage critical infrastructure, yet analyzing PLC executables remains challenging due to diverse proprietary compilers and limited access to source code. To bridge this gap, we introduce PLC-BEAD, a comprehensive dataset containing 2431 compiled binaries from 700+ PLC programs across four major industrial compilers (CoDeSys, GEB, OpenPLC-V2, OpenPLC-V3). We demonstrate the dataset's utility through PLCEmbed, a transformer-based framework for binary code analysis that achieves 93% accuracy in compiler provenance identification and 42% accuracy in fine-grained functionality classification across 22 industrial control categories. Through comprehensive ablation studies, we analyze how compiler optimization levels, code patterns, and class distributions influence model performance. We provide detailed documentation of the dataset creation process, labeling taxonomy, and benchmark protocols to ensure reproducibility. Both PLC-BEAD and PLCEmbed are released as open-source resources to foster research in PLC security, reverse engineering, and ICS forensics, establishing new baselines for data-driven approaches to industrial cybersecurity.

Industrial Control Systems (ICS) rely heavily on Programmable Logic Controllers (PLCs) to manage critical infrastructure such as manufacturing, power generation, and transportation [1], [2]. Despite the advent of newer systems, many industrial sites continue to operate legacy PLCs that lack up-to-date documentation and source code [3]. This creates significant challenges for security analysis and maintenance, particularly in facilities that must remain operational around the clock [4], [5], [6]. High-profile incidents like Stuxnet and Triton demonstrate how attackers can target the PLC layer to disrupt physical processes with severe real-world consequences [7], [8]. In these cases, threat actors exploited vulnerabilities in the toolchain or the deployed PLC program. Such attacks underscore the urgent need for methods to inspect and analyze PLC executables even when source code is unavailable [7], [8], [5], [3].
