SCADA water station ‘honeypot’ attracts 39 attacks from 14 countries
SCADA hit the front pages about two years ago when it came out that the Stuxnet virus had attacked Iranian centrifuges for processing nuclear materials.
Supervisory control and data acquisition systems remain “the talk of the security community,” says Kyle Wilhoit, a researcher at security-software supplier Trend Micro Inc., in a March-published whitepaper, “Who’s really attacking your ICS [industrial control system] equipment?”
While the SCADA security challenge is widely recognized, just how bad it is can be hard to say, since, for most companies, little is to be gained by talking publicly about the problem.
Wilhoit developed a “honeypot” architecture that emulated several types of ICS/SCADA devices and “mimicked those that are commonly Internet facing.” It took only 18 hours to find the first signs of attack on one of the honeypots, Wilhoit says.
Over the course of 28 days, there were a total of 39 attacks from 14 different countries. Of the 39, 12 were unique and could be classified as “targeted,” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” or “automated.” China accounted for the majority of the attack attempts at 35%, followed by the United States at 19% and, surprisingly enough, Laos at 12%.
In most SCADA deployments, Wilhoit says, firewalls are a rarity. So he didn’t use one either. He also found evidence that “Google-dorks searches” — which involve the use of clearly defined search parameters — can be used to find embedded systems on the Web. Hackers use a website called Pastebin to share information about SCADA devices.
For the study, three honeypots were created. Each was Internet facing, with three different static Internet IP addresses in different subnets scattered throughout the U.S. The researchers made it easy to find the entry points using Google Search and they named the servers “SCADA-1,” etc., to make their purpose plain. As to results, a simple port scan didn’t count as an attack. It’s just a “drive-by.”
Wilhoit says repeat offenders often came back at dedicated times on a 24-hour basis and tried again to exploit the same vulnerabilities, as well as others. There were also a surprising number of malware exploitation attempts on the servers.
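The triage rules described above (bare port scans are “drive-bys” rather than attacks, one-off versus repeated actors, share per source country, repeat visits at fixed hours) as an added example that is not from the Trend Micro paper; the event list is constructed with documentation-reserved IP addresses, and the event names and country codes are assumed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed honeypot events, not data from the study:
# (ISO timestamp, source IP, source country, observed event)
EVENTS = [
    ("2013-03-01T02:10:00", "198.51.100.7", "CN", "port_scan"),
    ("2013-03-01T02:11:00", "198.51.100.7", "CN", "modbus_write"),
    ("2013-03-02T02:12:00", "198.51.100.7", "CN", "modbus_write"),
    ("2013-03-03T02:09:00", "198.51.100.7", "CN", "http_login_bruteforce"),
    ("2013-03-01T14:00:00", "203.0.113.5", "US", "port_scan"),
    ("2013-03-02T09:30:00", "203.0.113.9", "US", "web_admin_probe"),
    ("2013-03-04T11:45:00", "192.0.2.44", "LA", "malware_upload"),
    ("2013-03-05T11:47:00", "192.0.2.44", "LA", "malware_upload"),
]

# Events that are only reconnaissance noise; the study did not count these.
DRIVE_BY = {"port_scan"}


def attacks(events):
    """Drop drive-by scans; every remaining event counts as an attack."""
    return [e for e in events if e[3] not in DRIVE_BY]


def classify(events):
    """Split attacking sources into one-off actors and actors seen on several days."""
    days_by_src = defaultdict(set)
    for ts, ip, _, _ in attacks(events):
        days_by_src[ip].add(ts[:10])          # calendar day of the attempt
    unique = sorted(ip for ip, d in days_by_src.items() if len(d) == 1)
    repeated = sorted(ip for ip, d in days_by_src.items() if len(d) > 1)
    return unique, repeated


def country_share(events):
    """Percentage of attack attempts per source country, rounded to whole percent."""
    counts = Counter(country for _, _, country, _ in attacks(events))
    total = sum(counts.values())
    return {c: round(100 * n / total) for c, n in counts.items()}


def return_hours(events, ip):
    """Hours of day at which one actor attacked; a single hour means it came back on a schedule."""
    return sorted({datetime.fromisoformat(ts).hour
                   for ts, src, _, _ in attacks(events) if src == ip})
```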
Wilhoit’s recommendations for improved SCADA security are too numerous to list here. Security can be “baked in” or “bolted on” to devices. The basics include: don’t have devices connected to the Internet if they don’t need to be. Install the latest patches. Don’t cheat on log-in credentials or two-factor authentication. After that, it’s a matter of diving into the details, which can’t in this case be avoided.