SCADA Honeypots Shed Light on Attacks Against Critical Infrastructure

Protecting critical infrastructure companies means securing the SCADA (supervisory control and data acquisition) systems that monitor and manage their operations. Unfortunately, security in the world of SCADA networks is often bolted on after the fact, leaving enterprises with holes for attackers to walk through.

But just who is attacking these systems, and why? Using honeypots, Trend Micro Threat Researcher Kyle Wilhoit took a close look at attacks targeting Internet-facing industrial control systems (ICS) and found that most of the attacks originated from three countries: China, the U.S. and Laos.

“There has been substantial talk in the security community for some time about ICS devices and the insecurity of these devices, but I have never witnessed any true data behind who is attacking ICS/SCADA implementations,” said Wilhoit, who presented his findings at Black Hat Europe. “The impetus for my research was spawned from the lack of knowledge around those attacks.”

Three honeypots were used in the project. Each was Internet-facing, on its own static public IP address in a different subnet, scattered across the United States. Two were low-interaction honeypots hosted in the cloud; the third was a high-interaction setup that included real ICS devices in Wilhoit’s basement. Custom code mimicked common ICS protocols and services so that attackers would believe they were going after real devices, he said.

“The scope of the honeypot involved several deployments throughout the USA,” he said. “One honeypot was located in California and the other was located in a small town in Missouri. The scope has subsequently been expanded to include several additional countries and towns, of which, I can’t disclose at this time. We are actively gathering more data and intel from those particular countries based on attacks attempted.”

Over the course of 28 days, he observed 39 attacks from 14 different countries. Of the 39, 12 could be classified as targeted, while 13 were repeated by the same actors over several days and were classified as targeted and/or automated. China accounted for the largest share of attack attempts (35 percent), followed by the U.S. (19 percent) and Laos (12 percent).

The country with the highest percentage of repeat offenders – attackers who came back at dedicated times on a 24-hour basis – was Laos. In addition to trying to exploit the same vulnerabilities present on the devices, those attackers also attempted additional exploitation if they did not succeed with prior attempts, illustrating that they were likely interested in causing further damage, he noted in his report.

The attacks themselves varied: unauthorized attempts to access restricted areas of the honeypot sites, attempted modifications to controllers, and attacks against ICS/SCADA-specific protocols such as Modbus.
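To make the two technical points above concrete (custom code that mimics an ICS protocol so the honeypot looks like a real device, and logging of modification attempts against controllers), here is an added example of a minimal low-interaction Modbus/TCP decoy. It is written for this page and is not Wilhoit’s or Trend Micro’s code. It assumes a constructed holding-register map (a setpoint, a reading and a run flag), answers reads and writes the way a PLC would so the attacker sees nothing unusual, records every request with the peer address, and returns a standard Modbus exception for any function it does not implement. The register values, the port 5020 default and the peer addresses used in testing are assumptions, not data from the research.

```python
import socket
import struct
from collections import Counter, defaultdict

# Modbus/TCP MBAP header: transaction id, protocol id (always 0), length, unit id.
MBAP = struct.Struct(">HHHB")

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03  # exception codes


class ModbusDecoy:
    """Low-interaction Modbus/TCP responder: answers like a PLC and logs every request."""

    def __init__(self, registers=None):
        # Decoy holding-register map (constructed values: a setpoint, a reading,
        # a run flag, then zeros). Nothing here is wired to real equipment.
        self.registers = list(registers) if registers else [1200, 55, 1] + [0] * 97
        self.events = []

    @staticmethod
    def _frame(tid, uid, pdu):
        return MBAP.pack(tid, 0, len(pdu) + 1, uid) + pdu

    def _exception(self, tid, uid, fc, code):
        return self._frame(tid, uid, bytes([fc | 0x80, code]))

    def handle(self, frame, peer):
        """Parse one request frame, record an event, return the reply bytes."""
        tid, pid, length, uid = MBAP.unpack_from(frame) if len(frame) >= MBAP.size else (0, -1, 0, 0)
        pdu = frame[MBAP.size:]
        if pid != 0 or not pdu or length != len(pdu) + 1:
            self.events.append({"peer": peer, "kind": "malformed"})
            return b""
        fc, data = pdu[0], pdu[1:]
        event = {"peer": peer, "unit": uid, "fc": fc, "kind": "unsupported"}
        self.events.append(event)

        if fc == READ_HOLDING_REGISTERS:
            event["kind"] = "read"
            if len(data) != 4:
                return self._exception(tid, uid, fc, ILLEGAL_DATA_VALUE)
            start, qty = struct.unpack(">HH", data)
            if not 1 <= qty <= 125:
                return self._exception(tid, uid, fc, ILLEGAL_DATA_VALUE)
            if start + qty > len(self.registers):
                return self._exception(tid, uid, fc, ILLEGAL_DATA_ADDRESS)
            body = bytes([fc, 2 * qty]) + struct.pack(">%dH" % qty, *self.registers[start:start + qty])
            return self._frame(tid, uid, body)

        if fc == WRITE_SINGLE_REGISTER:
            event["kind"] = "write_attempt"
            if len(data) != 4:
                return self._exception(tid, uid, fc, ILLEGAL_DATA_VALUE)
            addr, value = struct.unpack(">HH", data)
            event.update(addr=addr, values=[value])
            if addr >= len(self.registers):
                return self._exception(tid, uid, fc, ILLEGAL_DATA_ADDRESS)
            self.registers[addr] = value      # only the decoy map changes
            return self._frame(tid, uid, pdu)  # a real PLC echoes the request

        if fc == WRITE_MULTIPLE_REGISTERS:
            event["kind"] = "write_attempt"
            if len(data) < 5:
                return self._exception(tid, uid, fc, ILLEGAL_DATA_VALUE)
            addr, qty, nbytes = struct.unpack(">HHB", data[:5])
            if not 1 <= qty <= 123 or nbytes != 2 * qty or len(data) != 5 + nbytes:
                return self._exception(tid, uid, fc, ILLEGAL_DATA_VALUE)
            values = list(struct.unpack(">%dH" % qty, data[5:]))
            event.update(addr=addr, values=values)
            if addr + qty > len(self.registers):
                return self._exception(tid, uid, fc, ILLEGAL_DATA_ADDRESS)
            self.registers[addr:addr + qty] = values
            return self._frame(tid, uid, bytes([fc]) + data[:4])

        # Coils, diagnostics, device identification, vendor codes: answer like a PLC
        # that lacks the function; the probe is already recorded in self.events.
        return self._exception(tid, uid, fc, ILLEGAL_FUNCTION)

    def summary(self):
        # Per-peer tally of event kinds: who only reads, who tries to write, who probes.
        per_peer = defaultdict(Counter)
        for ev in self.events:
            per_peer[ev["peer"]][ev["kind"]] += 1
        return {peer: dict(counts) for peer, counts in per_peer.items()}


def serve(host="0.0.0.0", port=5020):
    """One request per connection (no stream reassembly). Real Modbus/TCP is port 502."""
    decoy = ModbusDecoy()
    with socket.socket() as srv:
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.sendall(decoy.handle(conn.recv(260), addr[0]))  # 260 = max ADU
                print(decoy.events[-1])
```

Two design choices matter for a decoy of this kind. Writes are applied to the fake register map rather than rejected, so an attacker who reads back a register sees the value they just wrote and has no cheap way to tell the decoy from a controller; and function codes the decoy does not implement still produce a log entry before the Illegal Function exception goes back, since scanning with unusual function codes is itself a fingerprinting signal. In `serve()` the listener takes one request per connection to keep the example short; a production honeypot would reassemble the TCP stream and loop over multiple requests per session.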


Protecting ICS devices is challenging because many have stringent uptime requirements, and bringing them down for patches can pose a business risk, he said. There is also the risk of accidental downtime when firewalls and other security devices are inserted into the network, and the added processing latency when encryption and decryption are enabled.

Among his recommendations, Wilhoit suggested that organizations disable Internet access to trusted resources where possible, keep systems at the latest patch levels, and require two-factor authentication wherever possible.

“Best practices are sometimes adopted; however, ICS devices are typically very hard to go back and fix,” he said. “The uptime requirements and difficulty in modifying often antiquated technology/architecture makes it very difficult to go back and adopt best practices.”

“When ‘baking’ security into the ICS architecture, it (the architecture) lends itself to be far more successful because of bolt-on security concerns,” he added.
