An experiment highlighting threats to internet-facing industrial control systems (ICS) left researchers with troubling evidence that these devices and systems are prime targets for attackers.
Security firm Trend Micro on Friday released a report, titled “Who’s Really Attacking Your ICS Equipment?,” which tracked the frequency and types of attacks made on computer system traps, known as honeypots, that are meant to entice adversaries. These honeypots mimicked real ICS devices and supervisory control and data acquisition (SCADA) networks, even down to commonly found vulnerabilities in the equipment.
SCADA systems communicate with ICS devices to help monitor and manage large-scale processes deemed critical to the nation’s infrastructure, such as power and oil production or water treatment plants.
Kyle Wilhoit, threat researcher at Trend Micro and the report’s author, discovered that the honeypot became immediate bait for attackers. Within 18 hours of being set up, the first attack attempts began.
Over the course of 28 days, 39 attacks from 11 countries occurred. The majority of the attacks were traced to China, using internet protocol (IP) addresses and other techniques, according to Wilhoit. The experiment was conducted during the last quarter of 2012.
In a Friday interview with SCMagazine.com, Wilhoit said that the devices targeted most frequently were Nano-10 programmable logic controllers and Siemens devices. He presented his findings Friday at the Black Hat Europe 2013 Conference in Amsterdam.
“The biggest [thing] I saw was unauthorized access attempts – [intruders] trying to access areas that were locked down,” Wilhoit said of attacks. “There were also instances where the attackers were trying to modify protocols themselves.”
After attacks believed to originate from China, which accounted for 35 percent of incursions, the United States accounted for the second highest amount, 19 percent. Twelve percent of intrusions originated in southeastern Asian nation of Laos.
Attackers also tried to use malware, which had password-stealing capabilities and features that permitted backdoor access, to exploit servers, Wilhoit said.
Last month, Austin-based security firm NSS Labs released a study that showed a 600 percent jump in the number of ICS system vulnerabilities disclosed between 2010 and 2012. In the study, 124 security flaws were reported during the time period.
Wilhoit said attackers have increasingly used Google searches to identify ICS devices. Then, they post data about the targeted machines on Pastebin, from which others can leverage the information for future exploits.
Trend Micro’s report highlighted that security professionals must consider a number of remediation steps to protect ICS equipment and networks.
“As things changed over time, most of these systems’ purposes have been re-established, along with the way they were configured,” the report said. “A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance.”
Wilhoit suggested a number of steps to mitigate threats to these devices, including disabling internet access wherever possible, requiring login credentials to access all systems, using two-factor authentication for user accounts, and disabling insecure remote protocols.