Honeypot for phony waterworks gets hammered on Internet

Black Hat Europe: Trend Micro's SCADA experiment finds 17 targeted attacks, mainly from China, US, Laos

By , Network World
March 15, 2013 11:08 AM ET

An experiment in which a Trend Micro researcher set up two instances of an Internet-based simulation of an industrial-control system (ICS) for a nonexistent water-pump facility in rural Missouri found the simulated system was targeted 17 times over about four months, in ways that would have been catastrophic had it been a real waterworks operation.

The purpose of this "honeypot" ICS that mimicked a water-pump supervisory control and data acquisition (SCADA) network was to find out how frequent targeted attacks might be for those real-world SCADA systems that are reachable via the Internet, said threat researcher Kyle Wilhoit, who is presenting his findings today at the Black Hat Europe Conference (which features a host of intriguing sessions). Wilhoit -- whose background includes working at real-world energy and water companies -- says his honeypot setup closely resembles what's in actual use at companies today.

Online attackers found his ICS water-pump station mock-up, set up last November, within a few days, and the tampering attempts began. Over the following months these included 12 serious targeted attempts to shut down the water pump and five attempts to modify the pump processes, all of which would have succeeded against a real water system. About one-third of the attacks came from China, 19% from the U.S. and 12% from Laos, with a variety of other countries, such as Russia and the Palestinian territories, also the source of targeted attacks.

The honeypots, which are still in operation, each consist of a SCADA system and a server with salted documents intended to give attackers something to steal in the way of fake operational documents.

The first honeypot is a network built on physical hardware, including a Siemens Simatic S7-1200 controller, operated out of Wilhoit's St. Louis basement. The second honeypot is a virtualized version of it running in the Amazon EC2 cloud. Via the Google and Shodan search engines, attackers quickly identified the online existence of Wilhoit's Siemens programmable-logic controller and the fake rural Missouri water-pump company he had created.

There were plenty of scans against the honeypot system, but the main targeted attacks, which were of most interest to Wilhoit, came in through vulnerable Web front ends and computer systems that had been deliberately misconfigured -- the type of mistakes common in energy and water companies today.
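To make the distinction between background scanning and the targeted shutdown and modify attempts concrete, here is a minimal fake water-pump HMI of the kind a honeypot might expose. This is an added illustration written for this article, not Trend Micro's or Wilhoit's code, and it does not reproduce the S7-1200 or the Siemens web interface: the endpoint names (/pump/status, /pump/stop, /pump/set), the JSON pump state and the "WaterPumpHMI" banner are invented for the example. The front end is deliberately unauthenticated, which is the misconfiguration the article describes; every request is recorded and classified so that the event log can be summarised the way the article's 12-shutdown/5-modify split was.

```python
"""Minimal fake water-pump HMI honeypot (illustrative example, not Trend Micro's code).

Endpoint names, state fields and the Server banner are assumptions made for this example.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Fake pump state served by the "HMI". Nothing is connected to real hardware.
PUMP = {"running": True, "setpoint_rpm": 1450, "pressure_bar": 4.2}
EVENTS = []          # every request, with its classification
LOCK = threading.Lock()


def classify(path, params):
    """Separate background scanning from deliberate process tampering."""
    if path == "/pump/stop":
        return "shutdown_attempt"
    if path == "/pump/set" and "rpm" in params:
        return "modify_attempt"
    if path.startswith("/pump"):
        return "read"
    return "scan"    # probing for unrelated web apps, e.g. /phpmyadmin/


def apply(kind, params):
    """Update the fake state so the attacker sees an effect and keeps interacting."""
    with LOCK:
        if kind == "shutdown_attempt":
            PUMP["running"] = False
        elif kind == "modify_attempt":
            try:
                PUMP["setpoint_rpm"] = int(params["rpm"])
            except ValueError:
                pass             # garbage input: record it (already done), change nothing
        return dict(PUMP)


class HmiHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass                     # we keep our own structured log instead of stderr lines

    def do_GET(self):
        url = urlparse(self.path)
        params = {k: v[0] for k, v in parse_qs(url.query).items()}
        kind = classify(url.path, params)
        with LOCK:
            EVENTS.append({"src": self.client_address[0], "path": url.path,
                           "kind": kind, "params": params})
        if kind == "scan":
            status, body = 404, {"error": "not found"}
        else:
            status, body = 200, apply(kind, params)   # no auth check: the bait
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Server", "WaterPumpHMI/1.0")   # hypothetical banner
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_honeypot(port=0):
    """Serve the fake HMI on localhost in a background thread; port 0 picks a free port."""
    server = HTTPServer(("127.0.0.1", port), HmiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(port, path):
    """Act as a client: return (HTTP status, decoded JSON body)."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.getcode(), json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


def summarize():
    """Count recorded events per kind: the scan / shutdown / modify split."""
    counts = {}
    with LOCK:
        for e in EVENTS:
            counts[e["kind"]] = counts.get(e["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    srv = start_honeypot()
    p = srv.server_address[1]
    for path in ("/pump/status", "/phpmyadmin/", "/pump/set?rpm=0", "/pump/stop"):
        print(path, probe(p, path))
    print(summarize())
    srv.shutdown()
```

Run directly, the demo plays attacker and honeypot in one process: the four constructed requests produce one read, one scan, one modify attempt and one shutdown attempt, and the pump state ends up stopped with a zero setpoint. A real deployment would bind to a public address, ship EVENTS to a collector with timestamps and source geolocation, and present the same state to a Shodan-visible banner so the system is found the way Wilhoit's was.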
