Honeypot lures SCADA and PLC hackers

Powered by SC Magazine
 

Most attacks traced to China.

An experiment highlighting threats to internet-facing industrial control systems (ICS) left researchers with troubling evidence that these devices and systems are prime targets for attackers.

Researchers tracked the frequency and types of attacks via honeypots that mimicked real ICS devices and supervisory control and data acquisition (SCADA) networks, and included vulnerabilities common to the equipment.

SCADA systems communicate with ICS devices to help monitor and manage large-scale processes deemed critical to national infrastructure, such as power and oil production or water treatment plants.

The first attack attempts began within 18 hours of the construction of the honeypot.

It attracted 39 attacks from 11 countries over the ensuing 28 days, most of which were traced to China via using internet protocol (IP) addresses among and other techniques.

Trend Micro researcher Kyle Wilhoit led the study during the last quarter of 2012.

He said Nano-10 programmable logic controllers and Siemens devices were targeted most frequently.

“The biggest [thing] I saw was unauthorised access attempts – [intruders] trying to access areas that were locked down,” Wilhoit said. “There were also instances where the attackers were trying to modify protocols themselves.”

After attacks believed to originate from China, which accounted for 35 percent of incursions, the United States accounted for the second highest amount, 19 percent. Twelve percent of intrusions originated in southeastern Asian nation of Laos.  

Attackers also tried to use malware, which had password-stealing capabilities and features that permitted backdoor access, to exploit servers, Wilhoit said.

Last month, NSS Labs released a study that showed a 600 percent jump in the number of ICS system vulnerabilities disclosed between 2010 and 2012. In the study, 124 security flaws were reported during the time period. 

Wilhoit said attackers have increasingly used Google searches to identify ICS devices. Then, they post data about the targeted machines on Pastebin, from which others can leverage the information for future exploits.

Trend Micro's report highlighted that security professionals must consider a number of remediation steps to protect ICS equipment and networks.

“As things changed over time, most of these systems' purposes have been re-established, along with the way they were configured,” the report said.

“A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance.”

Wilhoit suggested a number of steps to mitigate threats to these devices, including disabling internet access wherever possible, requiring login credentials to access all systems, using two-factor authentication for user accounts, and disabling insecure remote protocols.

The report is available online. (pdf)

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


Honeypot lures SCADA and PLC hackers
 
 
 
Top Stories
Earning the right to innovate
Breaking down the barriers to innovation is a long, but rewarding process, says Bank of Queensland Group CIO, Julie Bale.
 
A call for timely reporting
[Blog post] Businesses need incentives to keep customer data secure.
 
Doubts cast on Queensland's ICT Dashboard
Opposition, former Govt CIO say it can't be trusted.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
What is delaying adoption of public cloud in your organisation?







   |   View results
Lock-in concerns
  26%
 
Application integration concerns
  3%
 
Security and compliance concerns
  29%
 
Unreliable network infrastructure
  9%
 
Data sovereignty concerns
  22%
 
Lack of stakeholder support
  3%
 
Protecting on-premise IT jobs
  5%
 
Difficulty transitioning CapEx budget into OpEx
  3%
TOTAL VOTES: 853

Vote