Attacks on SCADA, ICS Honeypots Modified Critical Operations

With antiquated gear running the country’s industrial control systems that oversee critical infrastructure, it’s no shock attackers targeting SCADA networks do their fair share of reconnaissance looking for weak spots in that equipment.

A researcher decided to put that theory to a practical test recently when he deployed three dummy websites, honeypots essentially, that accurately mimicked Internet-facing management interfaces for a real-world water pressure station, a server hosting a human machine interface (HMI) system and another machine hosting a real programmable logic controller (PLC).

What threat researcher Kyle Wilhoit of Trend Micro found during a 28-day trial was that attackers are determined to access SCADA networks and ICS devices and come armed not only with working knowledge of devices and their default configurations, but with purpose-built malware, and the desire to modify industrial processes if they’re able to successfully access a system.

“I didn’t expect the attack scenarios I saw happen,” Wilhoit told Threatpost. “I didn’t expect attackers to look at the site admin stuff and deeper into the company behind the gear. I can now draw a parallel to the reconnaissance attackers do on companies and infrastructure; we see a lot of those parallels on devices now.”

During the trial, 39 attacks were carried out against the honeypots, originating in 14 countries, most of them coming from China, Laos and the United States. For the purposes of his research, which was presented at Black Hat EU last week, Wilhoit did not consider automated port scans and SQL injection attempts as attacks. The only attempts considered attacks were those that were a threat to a secure area of the websites, attempts to modify a controller, attacks on specific SCADA protocols such as Modbus, and attempts to gain access to cause damage.

The sites were left exposed online with default configurations, including default credentials such as admin/admin or SA/SA. Text on the sites was optimized for search engines so that Google and others would easily find them, and the server names, for example, were fairly attractive names such as SCADA-1.

The result was a disturbing view into the activities around these critical systems. One incursion was able to gain access to a supposed water pumping station and shut it down or modify water output temperatures, in one case to 170 degrees Fahrenheit.

“They logged in, made a modification and logged out,” Wilhoit said. “These were repeat attacks based on default credentials for specific ICS and SCADA equipment. They were able to modify it directly and perform what was perceived to be catastrophic damage. They definitely thought they were successful.”

Wilhoit said 12 of the attacks were unique and targeted the specific equipment in use; 13 were repeated by the same attackers, indicating some sort of automation and targeting. Some attackers would come back at the same times twice a day and try to exploit the same vulnerabilities over and over, or move on to new attacks once they were unable to exploit one.

Most of the attacks logged by the honeypots were unauthorized access attempts to diagnostics pages, or attempts to modify Modbus traffic; Modbus is a communications protocol specific to ICS and SCADA equipment. One of the malware attacks originated with a spear phishing email carrying a malicious Word document exploiting CVE-2012-0158, a vulnerability that enables remote code execution used in many targeted attacks. Another attack attempted to use an unauthorized Modbus client to gain read/write access to the PLC honeypot, a sign reconnaissance is occurring, Wilhoit said.
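The distinction the study draws between reconnaissance reads and controller-modifying writes over Modbus can be checked mechanically at a honeypot or on a PLC's network segment. The following is an added example written for this article, not code from Wilhoit's research or from Trend Micro; it assumes a hypothetical allowlist holding the one authorized HMI address and runs over constructed Modbus/TCP frames, not real captures.

```python
import struct
from collections import Counter

# Modbus function codes: writes change PLC state (the "modify a controller" category
# the study counted as an attack); reads from a stranger are reconnaissance.
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single/multiple coil(s) and register(s)
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils, discrete inputs, holding/input registers
# Hypothetical allowlist: the one HMI host permitted to speak Modbus to the PLC.
AUTHORIZED_CLIENTS = {"10.0.5.20"}

def build_request(tid, unit, function, data):
    """Assemble a Modbus/TCP request (MBAP header + PDU); used only to construct samples."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([function]) + data

def parse_modbus_tcp(frame):
    """Decode the MBAP header and function code; reject frames that are not Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or length field is not Modbus/TCP")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def classify(src_ip, frame):
    """Return 'authorized', 'recon' (unauthorized read) or 'attack' (unauthorized write)."""
    fc = parse_modbus_tcp(frame)["function"]
    if src_ip in AUTHORIZED_CLIENTS:
        return "authorized"
    if fc in WRITE_FUNCTIONS:
        return "attack"
    if fc in READ_FUNCTIONS:
        return "recon"
    return "other"

def summarize(events):
    """Count verdicts and list sources that came back with more than one write attempt."""
    verdicts = Counter(classify(ip, frame) for ip, frame in events)
    writers = Counter(ip for ip, frame in events if classify(ip, frame) == "attack")
    repeat = sorted(ip for ip, n in writers.items() if n > 1)
    return verdicts, repeat

# Constructed sample traffic: the HMI reads a register, an outside host reads it, then
# twice writes 170 to it (a setpoint change), and a second outside host writes a coil OFF.
SAMPLE_EVENTS = [
    ("10.0.5.20", build_request(1, 1, 3, struct.pack(">HH", 0x0001, 1))),
    ("203.0.113.7", build_request(2, 1, 3, struct.pack(">HH", 0x0001, 1))),
    ("203.0.113.7", build_request(3, 1, 6, struct.pack(">HH", 0x0001, 170))),
    ("203.0.113.7", build_request(4, 1, 6, struct.pack(">HH", 0x0001, 170))),
    ("198.51.100.9", build_request(5, 1, 5, struct.pack(">HH", 0x0000, 0x0000))),
]
```

Run `summarize(SAMPLE_EVENTS)` to get the verdict counts and the repeat writer, which mirrors how the study separated one-off probes from attackers who returned to the same target.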

The bigger question, however, is why. Why is this gear online with default credentials and configurations, and how many attacks that shut down pumping stations or modify water temperatures actually occur?

“The primary reason this is occurring is that these systems were deployed 20 to 30 years ago, prior to security architecture being the way it is today,” Wilhoit said. “The technology gap has gotten a lot larger, and ICS hasn’t caught up to where security infrastructure is at right now. It’s difficult for devices to be turned down; that will halt business in that sector for some time. If you reboot a server, coal is not coming out of the ground. That affects the bottom line.

“It also begs the question: Are companies disclosing it, or are they even aware it’s occurring,” Wilhoit said. “There’s quite a big separation from the security guy and the ICS engineer whose main responsibility is to ensure devices stay up and are operational. Would they even be aware? I don’t know, but I’d be comfortable in saying these types of attacks are occurring.”