Honeypot lures SCADA and PLC hackers

Most attacks traced to China.

An experiment highlighting threats to internet-facing industrial control systems (ICS) left researchers with troubling evidence that these devices and systems are prime targets for attackers.

Researchers tracked the frequency and types of attacks via honeypots that mimicked real ICS devices and supervisory control and data acquisition (SCADA) networks, and included vulnerabilities common to the equipment.

SCADA systems communicate with ICS devices to help monitor and manage large-scale processes deemed critical to national infrastructure, such as power and oil production or water treatment plants.

The first attack attempts began within 18 hours of the construction of the honeypot.

It attracted 39 attacks from 11 countries over the ensuing 28 days, most of which were traced to China using source internet protocol (IP) addresses and other attribution techniques.

Trend Micro researcher Kyle Wilhoit led the study during the last quarter of 2012.

He said Nano-10 programmable logic controllers and Siemens devices were targeted most frequently.

“The biggest [thing] I saw was unauthorised access attempts – [intruders] trying to access areas that were locked down,” Wilhoit said. “There were also instances where the attackers were trying to modify protocols themselves.”
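The honeypot described above worked by exposing services that impersonated PLCs and recording what visitors did to them. The following is an added example of the core of such a sensor; it is not Trend Micro's honeypot code and is not taken from the report. It assumes Modbus/TCP as the emulated protocol (the register contents, the fake unit and the sample frames are constructed for the example): it answers reads from a small fake register file, refuses every write while logging it as a tampering attempt (the "trying to modify" behaviour Wilhoit describes), records unsupported function codes as probing, and records traffic that is not Modbus at all.

```python
"""Minimal Modbus/TCP honeypot core (added example, not Trend Micro's code).

Parses one request frame, classifies it, logs an event and answers like a
PLC that never accepts writes.  Protocol choice, register contents and the
sample frames below are assumptions made for this example.
"""
import socket
import struct
import threading
from datetime import datetime, timezone

# Public Modbus function codes.
READ_FUNCTIONS = {1, 2, 3, 4}          # coils, discrete inputs, holding regs, input regs
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}   # single/multiple coil and register writes
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02

# Constructed register file for the fake unit: 16 holding registers.
HOLDING_REGISTERS = [0x0000] * 16
HOLDING_REGISTERS[0:4] = [0x0102, 0x0304, 0x0506, 0x0708]


def parse_mbap(frame: bytes):
    """Return (transaction_id, unit_id, function_code, pdu_body); ValueError if not Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("non-Modbus protocol id %d" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame size" % length)
    return tid, uid, frame[7], frame[8:]


def build_response(tid: int, uid: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header (length counts unit id plus PDU)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def exception_pdu(function_code: int, exc_code: int) -> bytes:
    return bytes([function_code | 0x80, exc_code])


def handle_request(frame: bytes, peer: str = "unknown"):
    """Classify one request and return (response_bytes, event_dict).

    event['kind'] is 'read', 'write_attempt', 'unsupported_function' or 'malformed'.
    Writes are never applied: they are answered with ILLEGAL FUNCTION, so the
    register file stays constant and the attacker learns nothing about whether
    the 'device' would accept a change.
    """
    ts = datetime.now(timezone.utc).isoformat()
    try:
        tid, uid, fc, body = parse_mbap(frame)
    except ValueError as err:
        return b"", {"ts": ts, "peer": peer, "kind": "malformed", "detail": str(err)}
    event = {"ts": ts, "peer": peer, "unit": uid, "function": fc}
    if fc in WRITE_FUNCTIONS:
        event["kind"] = "write_attempt"
        event["payload"] = body.hex()          # keep what they tried to write
        return build_response(tid, uid, exception_pdu(fc, EXC_ILLEGAL_FUNCTION)), event
    if fc == 3 and len(body) == 4:             # read holding registers: start, quantity
        start, qty = struct.unpack(">HH", body)
        event.update(kind="read", start=start, quantity=qty)
        if qty < 1 or qty > 125 or start + qty > len(HOLDING_REGISTERS):
            return build_response(tid, uid, exception_pdu(fc, EXC_ILLEGAL_DATA_ADDRESS)), event
        data = b"".join(struct.pack(">H", r) for r in HOLDING_REGISTERS[start:start + qty])
        return build_response(tid, uid, bytes([fc, len(data)]) + data), event
    if fc in READ_FUNCTIONS:                   # other reads: only holding registers are emulated
        event["kind"] = "read"
        return build_response(tid, uid, exception_pdu(fc, EXC_ILLEGAL_DATA_ADDRESS)), event
    event["kind"] = "unsupported_function"     # fingerprinting or unusual function codes
    return build_response(tid, uid, exception_pdu(fc, EXC_ILLEGAL_FUNCTION)), event


# Constructed sample frames (not captured traffic).
SAMPLE_READ = bytes.fromhex("0001 0000 0006 01 03 0000 0002")     # read 2 holding regs at 0
SAMPLE_WRITE = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")    # write register 1 := 0x00ff
SAMPLE_BAD_RANGE = bytes.fromhex("0003 0000 0006 01 03 000f 0002")  # runs past the register file
SAMPLE_JUNK = b"GET / HTTP/1.0\r\n\r\n"                          # not Modbus at all


def serve(host: str = "0.0.0.0", port: int = 502, log=print) -> None:
    """Listen like a PLC and log every request; binding 502 needs privileges."""
    def client(conn, addr):
        peer = "%s:%d" % addr
        with conn:
            while True:
                data = conn.recv(260)                 # max Modbus/TCP ADU size
                if not data:
                    break
                resp, event = handle_request(data, peer)
                log(event)
                if resp:
                    conn.sendall(resp)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=client, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve(port=5020)   # unprivileged port for local trials
```

Each event carries the peer address, function code and, for writes, the exact payload, which is what turns a honeypot into evidence: a `write_attempt` from an unexpected source is the "modify" behaviour the article describes, while a burst of `unsupported_function` and `malformed` events is typically scanning. The register file is deliberately never mutated, so repeated reads look consistent to the visitor.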

After attacks believed to originate from China, which accounted for 35 percent of incursions, the United States accounted for the second highest share, 19 percent. Twelve percent of intrusions originated in the southeast Asian nation of Laos.

Attackers also attempted to deploy malware with password-stealing and backdoor capabilities against the honeypot's servers, Wilhoit said.

Last month, NSS Labs released a study showing a 600 percent jump in the number of ICS vulnerabilities disclosed between 2010 and 2012; 124 security flaws were reported over that period.

Wilhoit said attackers have increasingly used Google searches to identify internet-facing ICS devices, then post details of the targeted machines on Pastebin, where others can pick up the information for later attacks.

Trend Micro's report highlighted that security professionals must consider a number of remediation steps to protect ICS equipment and networks.

“As things changed over time, most of these systems' purposes have been re-established, along with the way they were configured,” the report said.

“A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance.”

Wilhoit suggested a number of steps to mitigate threats to these devices, including disabling internet access wherever possible, requiring login credentials to access all systems, using two-factor authentication for user accounts, and disabling insecure remote protocols.

The report is available online (PDF).

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition
