LAS VEGAS – BLACK HAT USA 2015 – Researchers have set up a honeypot to see just how tempting vulnerable gas tank monitoring systems are to attackers.
In January, researchers at Kachoolie and Rapid7 warned that the automatic tank gauges (ATGs) used to monitor fuel tanks at more than 5,300 gas stations in the United States were easily accessible via the Internet.
ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank, and alert operators when a problem is detected. Experts warned in January that hackers could remotely access vulnerable devices and spoof reported fuel levels, generate false alarms, and perform other actions that could lead to a gas station being shut down.
Trend Micro researchers also analyzed these monitoring systems and even discovered evidence of attacks. Since they wanted to see just how tempting these noncritical industrial control systems (ICS) are, experts set up GasPot, a honeypot designed to mimic Guardian AST gas tank monitoring systems.
The GasPot instances have been designed to look as real as possible, allowing potential attackers not only to view information, but also to change values. The honeypots were deployed in the United States, Brazil, the United Kingdom, Jordan, Germany, the United Arab Emirates, and Russia. Some of them were visible to the Shodan search engine while others were not.
Trend Micro researchers Kyle Wilhoit and Stephen Hilt presented the results of the experiment on Wednesday at the Black Hat security conference in Las Vegas.
According to the experts, most of the activity they observed was a result of automated scanners performing basic connection attempts. However, valid commands were also entered.
The most common command, entered 33 times during Trend Micro’s experiment, allows users to list basic tank information. A command that allows users to make changes to the system was entered nine times to modify the name of the gas tank.
The names of two of the gas tanks, both located in Jordan, were changed apparently by an Iranian hacktivist group known as “Iranian Dark Coders Team” or “IDC-TEAM.” In the real-world attack spotted by researchers earlier this year, the name of the pump was changed from “DIESEL” to “WE_ARE_LEGION,” a slogan of the Anonymous hacktivist movement.
A distributed denial-of-service (DDoS) attack that seemed to be launched by the Syrian Electronic Army, the notorious pro-Syrian hacktivist group, was also detected against one of the GasPot instances. However, since the group didn’t take credit for the attack and since it doesn’t usually launch DDoS attacks, experts believe someone might have just wanted to put the blame on the Syrian Electronic Army.
The most targeted gas tanks were the ones in the United States (44 percent), followed by the ones in Jordan (17%). Interestingly, no attacks were recorded against the honeypot in Germany. The attacks aimed at GasPot instances were traced back to Canada, the United States, Romania, Mexico, Iran, Syria and China. However, researchers have pointed out that the attackers might have used proxies or VPNs to hide their true location.
There are several reasons why someone would target gas tank monitoring systems. The devices could be attacked by pranksters and hackers who simply want to test their skills, threat actors that might be looking for information that they can use in targeted attack campaigns, and extortionists hoping to make some money by changing the password on the device and asking the owner for a ransom to restore access.
Small-scale sabotage is also a possible scenario. While in the GasPot experiment attackers only changed the names of the gas tanks, similar commands can be used to modify other parameters, such as tank levels and overflow limits, tank tilt and diameter values, and temperature compensation values.
Tampering with these parameters can have serious consequences. For example, the failure of a gas tank monitoring system led to a massive fire at a Puerto Rico storage facility in 2009. The incident occurred because gasoline levels in the tank were not shown correctly to employees, which led to a gas overflow.
“As shown, attacks against Internet-facing gas-tank-monitoring systems are no longer hypothetical. In the course of doing research, we found existing attacks on Guardian AST gas-tank-monitoring systems, and not only against our GasPot deployments,” researchers noted in their report.
“On a broader scale, the implications of this research highlight the lack of security awareness surrounding Internet-connected devices. We would like the conversation to revolve around unsecured SCADA devices, of which ATG systems comprise only one example. Vendors of these devices should become accountable for the security weaknesses of both the devices they offer and the OSs used to manage them. Security should be built from the ground up,” the experts added.
Related: Learn More at the ICS Cyber Security Conference