Honeypots Show ICS’ Under Attack

Monday, March 18, 2013 @ 06:03 PM gHale


In a demonstration of just how vulnerable SCADA systems are, it took just 18 hours for attacks to occur on a series of honeypot SCADA systems set up by Trend Micro.

On top of that, over a 28-day period, these honeypots were attacked 39 times from 11 different countries. China accounted for the majority of the attack attempts at 35 percent, followed by the U.S. at 19 percent. The UK accounted for eight percent.

For some background, Trend Micro set up three separate honeypots, designed to look like genuine industrial machines, connected to the Internet. One was on Amazon’s public cloud, another on a private Dell server, while the final one included an actual programmable logic controller (PLC) used in the industrial environment.

“The findings concerning the deployments proved disturbing,” Trend Micro said in its report, delivered during the Black Hat Europe conference in Amsterdam.

“In addition to the many attacks seen on the honeypot environment, there were also a surprising number of malware exploitation attempts on the servers.

“Utilizing the popular malware honeypot, Dionaea, four samples were collected over the testing time frame, two of which have not been seen in the wild as they had unique MD5 checksums.”

As reported over the past three years or so, SCADA systems are vulnerable. Research conducted by ICS-CERT found that in 2012, 171 unique vulnerabilities affected 55 different ICS vendors.

It is easy to determine which SCADA systems connect to the Internet. Tools such as Shodan can also help attackers figure out where vulnerable industrial controls are sitting, while Pastebin contains information such as relevant IP addresses.

Trend Micro had to contact a number of companies that had systems attached to the Internet with no security mechanisms preventing unauthorized access.

“Until proper [industrial control system] security is implemented, these types of attacks will likely become more prevalent and advanced or destructive in the coming years,” the security firm added.



