SecurityWeek

ICS/OT

SCADA Honeypots Shed Light on Attacks Against Critical Infrastructure

Protecting critical infrastructure companies means securing the SCADA (supervisory control and data acquisition) systems that monitor and manage their activities. Unfortunately, security in the world of SCADA networks is often bolted on, leaving enterprises with security holes for hackers to walk through.

But just who is attacking these systems and why? Using honeypots, Trend Micro Threat Researcher Kyle Wilhoit took a close look at attacks targeting Internet-facing industrial control systems (ICS) and discovered that the majority of the attacks are coming from three places: China, the U.S. and Laos.

“There has been substantial talk in the security community for some time about ICS devices and the insecurity of these devices, but I have never witnessed any true data behind who is attacking ICS/SCADA implementations,” said Wilhoit, who presented his findings at Black Hat Europe. “The impetus for my research was spawned from the lack of knowledge around those attacks.”

A total of three honeypots were used in the project. Each of them was Internet facing and used a different static Internet IP address in a different subnet, scattered throughout the United States. Two were low-interaction honeypots hosted in the cloud, while the third was a high-interaction architecture that included ICS devices in Wilhoit’s basement. Custom code was used to mimic common ICS protocols and ICS services so that attackers would believe they were actively going after real devices, he said.

“The scope of the honeypot involved several deployments throughout the USA,” he said. “One honeypot was located in California and the other was located in a small town in Missouri. The scope has subsequently been expanded to include several additional countries and towns, of which, I can’t disclose at this time. We are actively gathering more data and intel from those particular countries based on attacks attempted.”

What he found was that over the course of 28 days, there were 39 attacks from 14 different countries. Out of these 39, 12 could be classified as ‘targeted’, while 13 were repeated by several of the same actors during a period of several days and were classified as ‘targeted’ and/or ‘automated.’ China accounted for the largest percentage of attack attempts (35 percent), followed by the U.S. (19 percent) and Laos (12 percent).

The country with the highest percentage of repeat offenders – attackers who came back at dedicated times on a 24-hour basis – was Laos. In addition to trying to exploit the same vulnerabilities present on the devices, those attackers also attempted additional exploitation if they did not succeed with prior attempts, illustrating that they were likely interested in causing further damage, he noted in his report.

The attacks themselves were varied and included unauthorized attempts to access secure areas of sites, attempted modifications on controllers, and attacks against protocols specific to ICS/SCADA devices, such as Modbus.
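As an added example (not Wilhoit’s code or Trend Micro’s honeypot), this is the kind of check a Modbus-mimicking honeypot like the one described above might run on incoming Modbus/TCP requests: parse the MBAP header and PDU, and flag write function codes, which correspond to the “attempted modifications on controllers” mentioned here. The sample frames are constructed for illustration.

```python
import struct

# Public Modbus function codes; the honeypot only needs to tell reads from
# writes to flag attempted modifications on the (fake) controller.
READ_FC = {1: "Read Coils", 2: "Read Discrete Inputs",
           3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:  # length field covers unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    fc, pdu = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc,
           "name": READ_FC.get(fc) or WRITE_FC.get(fc) or "unknown",
           "write": fc in WRITE_FC}
    if fc in (1, 2, 3, 4, 5, 6, 15, 16) and len(pdu) >= 4:
        # these PDUs all begin with a 16-bit address and a 16-bit count/value
        rec["address"], rec["arg"] = struct.unpack(">HH", pdu[:4])
    return rec

def triage(frames: list) -> list:
    """Turn raw frames into honeypot events; writes and malformed frames alert."""
    events = []
    for raw in frames:
        try:
            rec = parse_modbus_tcp(raw)
        except ValueError as err:
            events.append({"level": "ALERT", "reason": "malformed: %s" % err})
            continue
        rec["level"] = ("ALERT" if rec["write"]
                        else "WARN" if rec["name"] == "unknown" else "INFO")
        events.append(rec)
    return events

# Constructed sample traffic (not captured data): a register read, a single
# register write, a multi-register write, and a frame with a non-Modbus id.
SAMPLE_FRAMES = [
    bytes.fromhex("00010000000601030000000a"),
    bytes.fromhex("00020000000601060010ffff"),
    bytes.fromhex("00030000000b0110000000020400010002"),
    bytes.fromhex("00040001000601030000000a"),
]

if __name__ == "__main__":
    for event in triage(SAMPLE_FRAMES):
        print(event)
```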

Protecting ICS devices is challenging because many have a stringent uptime requirement, and bringing them down for patches can pose a business risk, he said. There is also the risk of introducing accidental downtime by adding firewalls and other security devices, as well as the increase in processing time when encryption and decryption are enabled.

Among his recommendations, Wilhoit suggested organizations disable Internet access to their trusted resources when possible, maintain the latest patch levels and ensure that systems require two-factor authentication whenever possible.

“Best practices are sometimes adopted; however, ICS devices are typically very hard to go back and fix,” he said. “The uptime requirements and difficulty in modifying often antiquated technology/architecture makes it very difficult to go back and adopt best practices.”

“When “baking” security into the ICS architecture, it (the architecture) lends itself to be far more successful because of bolt-on security concerns,” he added.

Written By

Marketing professional with a background in journalism and a focus on IT security.
