Attackers are actively targeting Internet-connected industrial control systems (ICS) according to data collected from a global network of honeypots that simulate water pumps.
Kyle Wilhoit, Threat Researcher at Trend Micro, shared some findings earlier this year based on his ICS honeypots deployed in the US, and he shared more data at the BlackHat Security Conference last Thursday – The SCADA that Didn’t Cry Wolf – Who’s Really Attacking your ICS Devices – Part Deux!
Since March, Wilhoit made several changes to his honeypots’ architecture. He’d also deployed it in many more countries – Australia, Brazil, China, Ireland, Japan, and Singapore.
Wilhoit’s new honeypot design now uses Browser Exploitation Framework (BeEF) to inject JavaScript into attackers’ browsers when they break into ad access his honeypots. The JavaScript allows the honeypot operator to obtain information about the attackers by performing triangulation to determine the attacker’s location and gathering information about the attacker’s machine and network (e.g. operating system, computer name, and IP address).
Of all 74 attacks against the ICS honeypots, ten of which can be considered critical and could have compromised the integrity of the water pump. In one case, the attacker tried to change the water temperature to 54.44 degree Celsius, and in two cases, the attackers issued commands to shut down the water pump.
References
Industrial Control Systems Targeted by Malicious Attackers, Research Show,. Lucian Constantin. Aug 01, 2013.
The SCADA That Didn’t Cry Wolf – Who’s Really Attacking Your ICS Devices – Part Deux!, Kyle Wilhoit
Water-Utility Honeynet Illuminates Real-World SCADA Threats, Robert Lemos. Aug 02, 2013.
Hacking Industrial Systems Turns Out to be Easy, Tom Simonite. Aug 01, 2013.
Shared by Emil Tan, Chapter Lead, The Honeynet Project, Singapore Chapter