Trend Micro analyses attacks on industrial control systems
Complex malware such as Stuxnet, Duqu or Flame has focused security experts' attention on how vulnerable industrial systems are to attacks. To better understand the current threat scenario, Trend Micro conducted a practical test and presented its findings at the Black Hat Europe conference.
Trend Micro's experts created a honeypot architecture with various emulated ICS/SCADA devices that tend to have internet connections in "real life". The honeypots contained these systems' typical vulnerabilities. The installation framework was a pressure control system for a (fictitious) water pumping station in a small town in the US. The researchers set up this installation to find out who will attack which parts of the connected ICS/SCADA devices for what purpose, and whether the attackers use a targeted approach.
Only 18 hours after going live, Trend Micro registered the first attacks. Rather than focusing on port scans or automated SQL injection and "drive-by" attacks, the researchers looked at anything that can actually threaten ICS/SCADA devices with an internet connection, for example unauthorised access to protected website areas, modifications to the detected controllers, and attacks on these devices' typical protocols (Modbus), as well as targeted attempts to access servers and provoke server security incidents.
Within one month, the honeypot data produced 39 attacks from 14 countries. The largest number of attacks (35%) originated in China. 19% originated in the US, 12% in Laos, 8% in the UK, and 6% in Russia. The rest was distributed almost evenly (2%) across various Asian, South American and European countries. The researchers identified 12 of the attacks as "targeted", and 13 were repeatedly carried out over several days. Apart from these "targeted" and/or "automated" attacks, the researchers are currently still investigating 14 further attacks. However, they say that it is already clear that these attacks can also be considered "targeted" attacks. Trend Micro noted that, while the attackers' motivation is unclear, it is very obvious that there is global interest even in components as harmless as water pumps.
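To illustrate how a honeypot can sort incoming Modbus/TCP requests into the "modification" category described above and tally them per origin country as the report does, here is an added example (not Trend Micro's code); the frames and country codes are constructed sample data.

```python
import struct
from collections import Counter

# Modbus function codes that change controller state (coil/register writes).
# Seeing these against a device that should only be read is a modification attempt.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse a Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def classify(frame: bytes) -> str:
    """Label a request as 'read', 'modification' or 'other' by its function code."""
    fc = parse_modbus_tcp(frame)["function"]
    if fc in WRITE_FUNCTIONS:
        return "modification"
    if fc in READ_FUNCTIONS:
        return "read"
    return "other"

# Constructed honeypot captures: (source country, raw Modbus/TCP frame).
CAPTURES = [
    ("CN", bytes.fromhex("0001000000060103000A0002")),  # read 2 holding registers
    ("CN", bytes.fromhex("00020000000601060010FF00")),  # write single register
    ("US", bytes.fromhex("0003000000060105001AFF00")),  # write single coil ON
    ("LA", bytes.fromhex("000400000006010400000001")),  # read 1 input register
    ("RU", bytes.fromhex("000500000005012B0E0100")),    # read device identification
]

def summarize(captures) -> Counter:
    """Count modification attempts per source country."""
    per_country = Counter()
    for country, frame in captures:
        if classify(frame) == "modification":
            per_country[country] += 1
    return per_country

if __name__ == "__main__":
    print(summarize(CAPTURES))
```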
- Who’s Really Attacking Your ICS Equipment?, a research paper from Trend Micro.