SCADA ‘honeypot’ mimics water station, attracts 39 attacks from 14 different countries
Most likely, the first time the person on the street ever heard of a “SCADA” system was about two years ago, when it came out that the Stuxnet virus had attacked Iranian centrifuges for processing nuclear materials. As far as everyday people go, that story has already faded into the mists.
On the other hand, “supervisory control and data acquisition” systems remain “the talk of the security community,” says Kyle Wilhoit, a researcher at security-software supplier Trend Micro Inc., in a March-published whitepaper, “Who’s really attacking your ICS [industrial control system] equipment?”
SCADA systems are today the most common means for establishing computer-based production monitoring and control. While SCADA security challenges are widely recognized, just how bad it is can be hard to say, since, for most companies, little is to be gained by talking publicly about the problem.
Wilhoit developed a “honeypot” architecture that emulated several types of ICS/SCADA devices and “mimicked those that are commonly Internet facing.” He wanted to find out who was attacking SCADA devices and why.
It took only 18 hours to find the first signs of attack on one of the honeypots, Wilhoit says. Over the course of 28 days, there were a total of 39 attacks from 14 different countries. Of the 39, 12 were unique and could be classified as “targeted,” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” or “automated.” China accounted for the majority of the attack attempts at 35%, followed by the United States at 19% and, surprisingly enough, Laos at 12%.
It’s true that Wilhoit sweetened his honeypot just a little bit to make it easier to find than most Internet connections to SCADA should be. At least that’s the hope. He also makes some recommendations as to what can be done to ward off attacks.
While IT-system security protects data and prevents service interruptions, SCADA device security, says Wilhoit, focuses on data reliability without impacting productivity. In most SCADA deployments, Wilhoit says, firewalls were a rarity. So he didn’t use one either.
He also found evidence that “Google-dorks searches” – which involve the use of clearly defined search parameters – can be used to find embedded systems on the web and that there is even a website, called Pastebin, where hackers are distributing posts containing data on SCADA devices, like IP addresses.
For the study, three honeypots were created. Each was Internet facing and used three different static Internet IP addresses in different subnets scattered throughout the U.S. The researchers made it easy to find the entry points using Google Search and they named the servers “SCADA-1,” etc., to make their purpose plain.
One “high-action” honeypot was based on a PLC running a virtual instance of Ubuntu hosted on Amazon EC2 and configured as a web page that mimics a water pressure station. Thus, the web server and web pages mimicked PLC functions.
The second was a “pure production” honeypot, a physical server created to be a mirror of a real production system — in Wilhoit’s study, the functioning of a human-machine interface.
Third, an actual PLC was set up to mimic temperature controllers in a factory and had temperature, fan speed and light settings that could be modified.
As to results, a simple port scan didn’t count as an attack. It’s just a “drive-by.” An attack includes unauthorized access to secure areas of sites, modifications on perceived controllers or any attack against a protocol specific to devices, e.g., Modbus. Any attempt to gain access or cause an incident to the server in a targeted fashion was considered an attack.
The country with the greatest number of repeat offenders was Laos, followed by China. Wilhoit says these repeat offenders often came back at dedicated times on a 24-hour basis and attempted not only to exploit the same vulnerabilities present on the devices, but also to attempt additional exploitation if they did not succeed with prior attempts. There were also a surprising number of malware exploitation attempts on the servers.
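To make the study's attack-versus-“drive-by” distinction concrete, the following is a small classifier written for this article; it is not Wilhoit's or Trend Micro's code. It applies the criteria given above (a bare port scan is a drive-by; unauthorized access to a protected area of the site, modification of an emulated controller value, or traffic on a device-specific protocol such as Modbus is an attack) to a handful of constructed honeypot events, then picks out the unique actors, the repeat actors who came back on several days, and those who returned at the same hour each day. The event fields and the `/admin` path layout of the emulated HMI are assumptions, and every sample record is made up.

```python
"""Classify constructed honeypot events as 'attack' or 'drive-by' and
summarize actors by country and by return pattern (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

ICS_PROTOCOLS = {"modbus"}            # device-specific protocols: a honeypot has no legitimate clients
PROTECTED_PREFIXES = ("/admin",)      # assumed "secure area" of the emulated HMI web site
MODIFYING_METHODS = {"POST", "PUT"}   # writes against the perceived controller

# Constructed sample events (not data from the Trend Micro study).
# "detail" holds "tcp/<port>" for scans, a Modbus function name, or "METHOD /path [body]".
SAMPLE_EVENTS = [
    {"ts": "2013-03-01T02:10:00", "src": "203.0.113.5",  "country": "CN", "kind": "port_scan", "detail": "tcp/502"},
    {"ts": "2013-03-01T02:11:30", "src": "203.0.113.5",  "country": "CN", "kind": "modbus",    "detail": "write_single_register"},
    {"ts": "2013-03-02T02:10:10", "src": "203.0.113.5",  "country": "CN", "kind": "http",      "detail": "POST /admin/setpoint pressure=0"},
    {"ts": "2013-03-03T02:09:50", "src": "203.0.113.5",  "country": "CN", "kind": "modbus",    "detail": "write_single_register"},
    {"ts": "2013-03-04T11:00:00", "src": "198.51.100.7", "country": "US", "kind": "port_scan", "detail": "tcp/80"},
    {"ts": "2013-03-04T11:05:00", "src": "198.51.100.8", "country": "US", "kind": "modbus",    "detail": "read_holding_registers"},
    {"ts": "2013-03-05T09:30:00", "src": "192.0.2.9",    "country": "LA", "kind": "http",      "detail": "GET /admin/"},
    {"ts": "2013-03-06T14:31:00", "src": "192.0.2.9",    "country": "LA", "kind": "http",      "detail": "GET /admin/"},
    {"ts": "2013-03-06T12:00:00", "src": "192.0.2.10",   "country": "LA", "kind": "http",      "detail": "GET /index.html"},
]


def classify(event):
    """Return 'attack' or 'drive-by' for one event, following the study's definition."""
    kind = event["kind"]
    if kind == "port_scan":
        return "drive-by"                      # a simple port scan does not count
    if kind in ICS_PROTOCOLS:
        return "attack"                        # any traffic on a device protocol
    if kind == "http":
        parts = event["detail"].split()
        method, path = parts[0], parts[1]
        if path.startswith(PROTECTED_PREFIXES) or method in MODIFYING_METHODS:
            return "attack"                    # protected area, or a write to the controller
    return "drive-by"                          # plain browsing of public pages


def summarize(events):
    """Count attacks per country and split actors into unique vs. repeat offenders."""
    attacks = [e for e in events if classify(e) == "attack"]
    src_country = {e["src"]: e["country"] for e in attacks}
    days_by_src = defaultdict(set)
    hours_by_src = defaultdict(set)
    for e in attacks:
        ts = datetime.fromisoformat(e["ts"])
        days_by_src[e["src"]].add(ts.date())
        hours_by_src[e["src"]].add(ts.hour)
    # Repeat actors attacked on two or more distinct days; the rest are unique.
    repeat = {src for src, days in days_by_src.items() if len(days) >= 2}
    unique = set(days_by_src) - repeat
    # "Came back at dedicated times on a 24-hour basis": same hour of day on every visit.
    clockwork = {src for src in repeat if len(hours_by_src[src]) == 1}
    return {
        "total_attacks": len(attacks),
        "drive_bys": len(events) - len(attacks),
        "attacks_by_country": dict(Counter(e["country"] for e in attacks)),
        "unique_actors": sorted(unique),
        "repeat_actors": sorted(repeat),
        "clockwork_actors": sorted(clockwork),
        "repeat_actors_by_country": dict(Counter(src_country[s] for s in repeat)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The point of separating `classify` from `summarize` is that the attack definition is the policy a defender will argue about (is a Modbus read an attack? is `/admin` really protected?), while the per-actor bookkeeping stays the same whatever definition is chosen; swapping in a different `classify` leaves the country and repeat-offender statistics comparable.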
Wilhoit’s recommendations for improved SCADA security are too numerous to list here. Security can be “baked in” or “bolted on” to devices. The basics include: don’t have devices connected to the Internet if they don’t need to be. Install the latest patches. Don’t cheat on log-in credentials or two-factor authentication. After that, it’s a matter of diving into the details, which can’t in this case be avoided.