- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
Network World - An experiment in which a Trend Micro researcher set up two instances of an Internet-based simulation of an industrial-control system (ICS) for a nonexistent water-pump facility in rural Missouri found the simulated system was targeted 17 times over about four months in ways that would have been catastrophic if it had been a real waterworks operation.
The purpose of this "honeypot" ICS that mimicked a water-pump supervisory control and data acquisition (SCADA) network was to find out how frequent targeted attacks might be for those real-world SCADA systems that are reachable via the Internet, said threat researcher Kyle Wilhoit, who is presenting his findings today at the Black Hat Europe Conference (which features a host of intriguing sessions). Wilhoit -- whose background includes working at real-world energy and water companies -- says his honeypot setup closely resembles what's in actual use at companies today.
[ SECURITY NEWS: Securing SCADA systems still a piecemeal affair ]
The existence of his ICS water-pump station mock-up, set up last November, was found by online attackers within a few days and the tampering attempts began. As time went by, there included 12 serious targeted attempts to shut down the water pump and five attempts to modify the pump processes -- all of which would have been successful if it had been a real water system. About one-third of the attacks came from China, 19% from the U.S. and 12% from Laos, with a variety of other countries, such as Russia and the Palestinian territories, the source of targeted attacks.
The honeypots, which are still in operation, each consist of a SCADA system and a server with salted documents intended to give attackers something to steal in the way of fake operational documents.
The first honeypot setup is a network based on physical hardware, including the Siemens Controller Simatic S7-1200 operated out of Wilhoit's St. Louis basement. The second honeypot is a virtualized version of it running in the Amazon EC2 cloud. Via the Google and Shodan search engines, attackers quickly identified the online existence of Wilhoit's Siemens programmable-logic controller and the fake rural Missouri water-pump company he'd created.
There were plenty of scans against the honeypot system, but the main targeted attacks, which were of most interest to Wilhoit, came in through vulnerable Web front ends and computer systems that had been deliberately misconfigured -- the type of mistakes common in energy and water companies today.