Honeypot lures SCADA and PLC hackers

Powered by SC Magazine
 

Most attacks traced to China.

An experiment highlighting threats to internet-facing industrial control systems (ICS) left researchers with troubling evidence that these devices and systems are prime targets for attackers.

Researchers tracked the frequency and types of attacks via honeypots that mimicked real ICS devices and supervisory control and data acquisition (SCADA) networks, and included vulnerabilities common to the equipment.

SCADA systems communicate with ICS devices to help monitor and manage large-scale processes deemed critical to national infrastructure, such as power and oil production or water treatment plants.

The first attack attempts began within 18 hours of the construction of the honeypot.

It attracted 39 attacks from 11 countries over the ensuing 28 days, most of which were traced to China using internet protocol (IP) addresses, among other techniques.

Trend Micro researcher Kyle Wilhoit led the study during the last quarter of 2012.

He said Nano-10 programmable logic controllers and Siemens devices were targeted most frequently.

“The biggest [thing] I saw was unauthorised access attempts – [intruders] trying to access areas that were locked down,” Wilhoit said. “There were also instances where the attackers were trying to modify protocols themselves.”

After attacks believed to originate from China, which accounted for 35 percent of incursions, the United States accounted for the second-highest share, 19 percent. Twelve percent of intrusions originated in the southeast Asian nation of Laos.

Attackers also tried to use malware, which had password-stealing capabilities and features that permitted backdoor access, to exploit servers, Wilhoit said.

Last month, NSS Labs released a study that showed a 600 percent jump in the number of ICS system vulnerabilities disclosed between 2010 and 2012. In the study, 124 security flaws were reported during the time period. 

Wilhoit said attackers have increasingly used Google searches to identify ICS devices. Then, they post data about the targeted machines on Pastebin, from which others can leverage the information for future exploits.

Trend Micro's report highlighted that security professionals must consider a number of remediation steps to protect ICS equipment and networks.

“As things changed over time, most of these systems' purposes have been re-established, along with the way they were configured,” the report said.

“A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance.”

Wilhoit suggested a number of steps to mitigate threats to these devices, including disabling internet access wherever possible, requiring login credentials to access all systems, using two-factor authentication for user accounts, and disabling insecure remote protocols.

The report is available online. (pdf)

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition

