Hackers Aggressively Scanning ICS, SCADA Default Credentials, Vulnerabilities

Attacks against industrial control systems and SCADA equipment are progressing beyond automated scans for vulnerabilities or default credentials hitting honeypots, and are leading to service disruptions.

Honeypots and honeynets have long been used as enticements to lure hackers into a false network in order to study attacks. While long a favorite of many high-end enterprises and security researchers studying attacks against traditional IT infrastructures, a number of industrial control system honeypots have also been deployed.

Hackers have taken the bait too, exploiting either would-be vulnerabilities in ICS or SCADA gear, or scanning Internet-facing devices for default passwords that provide hackers easy access to anything from building control systems to water pumps inside hydro utilities.

However, how many real-world attacks happen because of the same circumstances? How many times do pumping stations fail, blackouts happen, or elevators and HVAC systems shut down because a hacker is on a network flicking switches on and off?

There have been a few reported failures where the Department of Homeland Security was called in to investigate, lending credence to the occurrence of a targeted attack or one where a serious service disruption occurred. In two instances last ¬†year, hackers were able to beat weak authentication credentials to attack a New Jersey manufacturing company and a state government facility building EMS. In both attacks, Tridium’s Niagara AX was the target, and in both instances, DHS had to intervene; Niagara has since patched its framework.

“I don’t have any details, but I’m thinking, if it was simple, I doubt DHS would have been brought in to investigate,” said researcher Billy Rios, who along with his Cylance colleague Terry McCorkle found and reported the vulnerabilities to Tridium. “It probably did disrupt something. I’m not sure how widespread it was, but if it was small, I think an integrator could come in and reset everything. Instead DHS came in to investigate.”

Default credentials have been an issue for private critical infrastructure operators. With Internet-facing devices such as Human Machine Interface (HMI) panels and gear deployed online with weak credentials (admin/admin), they’ve been easy pickings for hackers with automated scanners as well as anyone capable of using the Shodan search engine. Attackers are also exploiting a dynamic where engineers working inside critical infrastructure are worried more about availability and uptime than discovering the root cause of a failure, even if that failure is directly related to malware or a hacker roaming a network.

ICS-CERT on Friday released its quarterly report and noted a serious rise in the number of brute-force attacks against critical infrastructure. In all of fiscal year 2012, ICS-CERT said it responded to 198 incidents across all critical infrastructure, a number that’s been surpassed already in this fiscal year starting in October 2012 through May. Energy continues to be the hardest hit sector with 53 percent of attacks targeting energy compared to 41 percent last year. Manufacturing is next at 17 percent.

Rios said that a honeypot his organization has set up with a systems integrator is catching a number of targeted attacks.

“We see attacks specific to a particular building management systems, not only brute-force attacks, but exploits for specific systems, not just a Nessus scan or Nmap,” Rios said, adding they saw two IP addresses running behind a Tor exit node that knew exactly what they were after. “They’re literally trying to gain access.”

Stressed ICS and SCADA operators, in the meantime, aren’t up to speed on security and don’t call for help until attackers have already infiltrated. Web and system logs are invaluable assets for operators who either aren’t trained to spot log activity as an attack, or don’t have visibility into industrial processes that could fall under the auspices of facilities managers or corporate security officers, for example.

“We’re working with a major Fortune 500 company who had their building management system segregated onto a different network and managed by facilities. It wasn’t until they decided to bring facilities onto the corporate network and VLAN them, did they realize they had been attacked,” Rios said. “They had no visibility until then because these systems are either configured or run by facilities or physical security rather than IT security and are not seeing attacks occur against these devices.”

Recently, two researchers from Norway and Denmark deployed an ICS honeypot called Conpot, which was configured to mimic a Siemens programmable logic controller (PLC) as well as an HMI. Now that it’s been online for a bit and has been crawled by search engines, the team is starting to collect more data and evidence that hackers are manually scanning and targeting ICS and SCADA gear, and that not all of these attempts originate from automated scans.

“Adversaries seem to probe for easy targets and use the help of search engines to find their victims,” said Lukas Rist, a member of the Honeynet Project and one of the builders, along with Johnny Vestergaard, of this ICS honeypot. “If their search is successful, they try to gain access with as least effort as required.”

That means exploiting any number of known default or weak username-password combinations as possible.

“We have seen (SNMP or Modbus) probes even before we started to advertise the honeypot and
on the same day we started the honeypot for the first time. This lets us assume that there is either some aggressive probing going on or we were just lucky,” Rist said. “Judging from the frequency we see this kind of probes we tend more to the first assumption.”

ICS-CERT, meanwhile, urges operators to share attack data, specifically indicators of compromise. The organization has a secure portal where it recently shared 10 IP addresses participating in an a recent attack against a gas compressor station. The alert prompted other station owners to investigate their own networks and they eventually reported another 39 IP addresses; the attacks, which began in January, subsided in March.

“The ability to detect anomalous network activity and network intrusions early in an incident greatly increases the chance of a successful mitigation and resolution,” ICS-CERT said in its newsletter on Friday. “The Control Systems Center compartment on the US-CERT portal is an excellent resource for information on current vulnerabilities in control systems as well as indicators of compromise that companies can use to check their networks for intrusions.”

Suggested articles