Ants on a jar of honey

Industrial control 'honeypots' show systems are under attack

Security experts have been warning for years that industrial control systems (ICS) are vulnerable to cyberattacks, but a recent work with ICS “honeypots” shows just how actively they’re being probed and attacked.

Kyle Wilhoit, a threat researcher at Trend Micro, demonstrated at last week’s Black Hat Briefings in Las Vegas how he set up 12 honeypots in eight countries earlier this year and recorded 74 attacks on them between March and June. He also explained to MIT Technology Review how he watched as the Chinese hacking group APT1 one staged an attack on a fake U.S. municipal water system.

The attack by APT1, aka Comment Crew, also demonstrated that the attacks weren’t automated probes that happened to hit an ICS, but were intentional. “I actually watched the attacker interface with the machine,” Wilhoit told Technology Review. “It was 100 percent clear they knew what they were doing.”

In all, the attacks came from 16 different countries. Wilhoit broke them into two groups: non-critical attacks, in which the attackers gain access and could do damage to systems in the future, and critical attacks designed to cause immediate disruption. Sixty-three of the attacks were non-critical, the majority of them (67 percent) coming from Russia. Half of the critical attacks came from China.

The vulnerability of industrial controls systems — such as water plants, power plants and oil refineries — has been of growing concern since the discovery of Stuxnet, Flame and Duqu, which reportedly were created as part of a U.S.-Israeli program targeting Iran’s nuclear program. ICS and Supervisory Control and Data Acquisition (SCADA) systems are increasingly being connected to the Internet so operators can gain remote access, but they often lack basic security because they weren’t intended to attract visitors. Even if they require passwords, they often use the easily crackable default password.

That creates a potential target, though how actively control systems have been attacked has often been speculative. But research with honeypots is finding some hard evidence.

At a Black Hat conference in Amsterdam in March, Wilhoit presented the findings of an earlier test, in which he created three honeypots that, over 28 days, were attacked 25 times from 11 countries. In that case, 35 percent of the attacks came from China, with the United States in second place at 19 percent.

Although a major attack against water or power systems hasn’t happened, the research shows that ICS and SCADA systems are being targeted in some ways. And they’re not hard to find. In his report from March, Wilhoit describes how Google dorks — advanced searches that look for security weaknesses — could easily find exposed, embedded systems. And for the purposes of his test, he made sure his honeypots would appear on Shodan, a search engine that specifically looks for industrial and other embedded devices, and collects information on about 500 million of them each month.

Protecting against attacks to industrial control systems isn’t easy, especially when they are already in place, but it could soon become necessary. The National Institute of Standards and Technology outlines steps agencies can take with their systems in its Special Publication 800-82, “Guide to Industrial Control Systems (ICS) Security.”

NIST’s recommendations include separating ICS from corporate networks (including using separate authentication for each), keeping critical communications in the most secure layer of a network and establishing security policies and training, all as part of a defense-in-depth strategy.

The Homeland Security Department’s Industrial Control Systems Cyber Emergency Response Team also offers recommended practices, along with breakdowns of typical vulnerabilities and alerts about potential threats.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above