If the results of Kyle Wilhoit's honeypot experiment are any indication, industrial control systems have become a top target for cyberattackers all over the world.
I think it will take some large companies releasing information that their ICS devices were compromised before many companies take notice.
threat researcher, Trend Micro
Wilhoit, a threat researcher for information security vendor Trend Micro, set out to discover what kinds of attacks and attackers are currently targeting industrial control systems (ICS) and SCADA systems, the computer systems that control many critical infrastructure facilities like power plants and water treatment facilities.
Conducted over a 28-day period, Wilhoit built a total of three honeypot architectures meant to mimic the security posture of ICS and SCADA systems, including typically weak ICS security aspects, such as using default login credentials. The results were harrowing: Wilhoit found that attackers needed just 18 hours to discover and begin attacks against the honeypots, a troubling indicator of how focused adversaries are on finding and exploiting critical infrastructure.
In a Trend Micro report released late last week, titled Who's Really Attacking Your ICS Equipment?, Wilhoit detailed the 39 separate attacks he observed, defined as "anything that may be deemed a threat to Internet-facing ICS/SCADA systems." That figure did not include automated attacks like SQL injection or port scans.
Perhaps unsurprisingly, China-based attacks led the way, counting for 35% of the recorded attack attempts, but even Wilhoit was caught off guard by the wide range of countries represented, including Japan, the Netherlands and the United Kingdom.
Attacks included malware via spear phishing
U.S.-based attacks accounted for 19% of the recorded attack attempts. Wilhoit declined to provide further details on those attacks, as he and Trend Micro are working with applicable law enforcement agencies to investigate them.
Wilhoit, who presented the research at Black Hat Europe 2013 last week, had expected the experiment to yield the typical automated attacks usually experienced by Internet-facing devices. Instead, the honeypot environments attracted a wide range of attacks, including one notable attempt at malware exploitation via spear phishing.
"While the malware contained within the phish was not particularly interesting," said Wilhoit via email, "the method in which it was sent/targeted was surprising."
The report (.pdf), available as a free download from Trend Micro, includes recommendations to help secure Internet-facing ICS and SCADA systems, including disabling Internet access to trusted resources, ensuring the latest software patches are applied and setting secure login credentials instead of leaving defaults. Though these measures won't necessarily protect ICS and SCADA systems from the most advanced attacks, they will serve as a deterrent to the most common exploitation attempts.
"Some of these measures wouldn't have necessarily helped prevent Stuxnet or the like, but it could have slowed propagation and spread of the malware itself," Wilhoit said. "The recommendations are more security best practices for ICS devices to help deal with low-hanging fruit."
Even though the report offers a sampling of the variety of real-world attacks critical infrastructure providers are likely facing, Wilhoit said more compromise disclosures may be needed before companies responsible for ICS and SCADA devices take these sorts of attacks seriously.
"I think it will take some large companies releasing information that their ICS devices were compromised before many companies take notice," he said.