Black Hat: ICS SCADA Honeypot Finds Threats

Thursday, August 1, 2013 @ 07:08 PM gHale


By Gregory Hale

Imagine a global water system with Internet-facing devices, which would be an open target for anyone to attack.

That is just what Kyle Wilhoit, threat researcher with Trend Micro, created in his basement, and it drew attackers into his classic honeypot scenario.


“The bad guys can see it via the Internet,” Wilhoit said during his session entitled, “The SCADA that didn’t cry wolf: Who is really attacking your ICS devices – Part Deux” at the Black Hat security conference in Las Vegas Thursday.

With a typical control system setup, which Wilhoit said is usually not chock-full of security, it is easy pickings for an intruder to get in through the usual protocols like Modbus and DNP3 and set up shop.

“It is very easy for them to get in,” he said. “The majority of the world right now is still using default passwords.”

During his honeypot experiment, which started in January this year, with numbers pulled after five months, Wilhoit said he saw the usual range of vulnerability attacks: SNMP vulnerabilities, HMI server vulnerabilities, specific ICS vendor vulnerabilities, limits on Modbus/DNP3, and VxWorks vulnerabilities.

One of the things he had to establish, just to set the groundwork a bit, was to define an attack. He defined an attack as:
• Something that was targeted
• Attempted modification of a pump system
• Attempted modification of Modbus or DNP3 protocols
• Denial of Service (DoS) or a Distributed Denial of Service (DDoS)
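As an added example, not code from the talk or from Trend Micro's honeypot, the four criteria above can be turned into classification logic run over honeypot log events. It uses the real Modbus write function codes and DNP3 control function codes; the pump register map, the DoS request threshold, the HMI path and the choice of which labels count as critical are assumptions made for the example, and the log entries are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Modbus function codes that write to a device (writes are modifications, reads are not).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}
# DNP3 application-layer function codes that actuate outputs:
# SELECT (0x03), OPERATE (0x04), DIRECT_OPERATE (0x05), DIRECT_OPERATE_NR (0x06).
DNP3_CONTROL_FUNCTIONS = {0x03, 0x04, 0x05, 0x06}
# Hypothetical holding-register references backing the simulated pump
# (assumption, not the honeypot's real register map).
PUMP_REGISTERS = {40001: "pump_pressure", 40002: "pump_temperature_setpoint"}
# Requests from one source within the log window that we treat as a DoS (assumption).
DOS_THRESHOLD = 50
# Which labels count as "critical" is this example's assumption; the talk reported counts only.
CRITICAL_LABELS = {"pump_modification", "dos"}


@dataclass
class Event:
    src_ip: str
    proto: str                      # "modbus", "dnp3" or "http"
    func: int = 0                   # protocol function code (unused for http)
    address: Optional[int] = None   # Modbus register reference, if any
    path: str = ""                  # HTTP path for HMI requests


def classify_event(ev: Event) -> Optional[str]:
    """Label one event per the talk's definition, or None for background noise."""
    if ev.proto == "modbus" and ev.func in MODBUS_WRITE_FUNCTIONS:
        # A write aimed at a pump register is a pump modification; any other
        # write is a Modbus protocol modification.
        return "pump_modification" if ev.address in PUMP_REGISTERS else "modbus_modification"
    if ev.proto == "dnp3" and ev.func in DNP3_CONTROL_FUNCTIONS:
        return "dnp3_modification"
    if ev.proto == "http" and ev.path.startswith("/hmi/"):
        # Reaching the HMI page itself (rather than a broad scan) is treated as targeted.
        return "targeted_hmi_access"
    return None


def classify_log(events: List[Event]) -> Dict[str, Set[str]]:
    """Per-event rules plus a per-source volume rule for DoS; returns src_ip -> labels."""
    findings: Dict[str, Set[str]] = {}
    for ev in events:
        label = classify_event(ev)
        if label:
            findings.setdefault(ev.src_ip, set()).add(label)
    for ip, count in Counter(ev.src_ip for ev in events).items():
        if count >= DOS_THRESHOLD:
            findings.setdefault(ip, set()).add("dos")
    return findings


def summarize(findings: Dict[str, Set[str]]) -> Dict[str, int]:
    """Split attacking sources into critical and non-critical, as the talk reported them."""
    critical = sum(1 for labels in findings.values() if labels & CRITICAL_LABELS)
    return {"attackers": len(findings), "critical": critical,
            "non_critical": len(findings) - critical}


# Constructed sample log (documentation-range IPs), not captured honeypot data.
SAMPLE_EVENTS: List[Event] = [
    Event("203.0.113.10", "modbus", 3, 40001),         # read: reconnaissance, not an attack
    Event("203.0.113.10", "modbus", 6, 40001),         # write single register -> pump modification
    Event("198.51.100.7", "dnp3", 0x05),               # DIRECT_OPERATE -> DNP3 modification
    Event("203.0.113.44", "http", path="/hmi/login"),  # HMI access
    Event("203.0.113.45", "modbus", 16, 40010),        # write multiple registers, non-pump
    Event("192.0.2.99", "modbus", 3, 40002),           # single read: noise
] + [Event("192.0.2.55", "modbus", 3, 40001)] * 60     # 60 reads from one source -> DoS


def run_demo() -> Dict[str, int]:
    return summarize(classify_log(SAMPLE_EVENTS))


if __name__ == "__main__":
    for ip, labels in sorted(classify_log(SAMPLE_EVENTS).items()):
        print(ip, sorted(labels))
    print(run_demo())
```

On the constructed log this yields five attacking sources, two of them critical; the single-read source is left out, which is the point of defining an attack before counting: mass scanner noise is what would otherwise inflate the numbers.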

With that definition of an attack established, Wilhoit recorded 74 attacks against his global water system that fit it. Of those, 63 were non-critical, with Russia the top country of origin, and 11 were deemed critical.

In the five month period, there were 32,000 external attacks from 1,200 unique IPs.

“That actually seems like a small number and I can’t really explain why there were not more attacks,” Wilhoit said.

The various attacks that took place included:
• Data exfiltration
• Modification of CPU fan speed
• HMI access
• Modbus modifications
• Modify pump pressure
• Modify temperature output
• Modify the pump system

One particular attack came from China, and it started with a spear phishing scheme, Wilhoit said.

He received a bogus email full of bad English and grammar, purportedly from an acting city administrator, asking him to fill out a document. When the document opened, it contained no data, but it dropped files full of malware that were able to communicate with a command and control (C&C) server.

It was interesting, he said, that the malware would gather information but would not send anything for five days.

The question he kept asking himself was, “Why would attackers go after a municipal water site? I was thinking it was some kind of script kiddie.” Maybe it was someone just trying to prove he could break in and do something. In the end, Wilhoit only had theories as to why his system was under attack.

“ICS engineers are smart people, but they are not thinking about security,” Wilhoit said. “They want to keep their systems up and running and if they have a problem they fix it. They don’t worry about how the problem happened.”

This kind of attack was not out of the ordinary, and attackers still have fairly easy access to most systems. Knowing that, Wilhoit offered some recommendations to secure a system:
• Disable Internet access to trusted resources
• Maintain your trusted resources at the latest patch levels
• Require two-factor authentication
• Control contractor access
• Use network segmentation
• Don’t allow ICS protocols across corporate networks or other non-control networks
• Implement a USB lockdown
• Use proactive protection
• Use whitelisting
• Classify data and assets
• Follow a standard
• Use red-team training often
• Manage your vulnerabilities
