Who’s really attacking your ICS Equipment?

The study, titled Who’s really attacking your ICS Equipment?, was undertaken and presented by Kyle Wilhoit of Trend Micro. It describes setting up three false but realistic Industrial Control Systems, and monitoring the cyber attacks against them. In reality, the title is a misnomer. The paper states, “In sum, China accounted for the majority of the attack attempts at 35%, followed by the United States at 19% and Lao at 12%.” But the paper concludes, “The attack sources nor the attackers’ motives were not discussed.” Asked to clarify, Trend Micro told Infosecurity, “We used a Geo IP Locator, and we tracked the origin of attack by this. Of course, someone could have spoofed this and used a hub in China, while being located in US. We didn’t try to trace back and to identify the attacker for this research.”

The paper does not, therefore, answer the question in its title. That said, it is valuable evidence on how quickly and simply ICS systems can be found by hackers, and how frequently they are attacked. Wilhoit notes that potentially vulnerable ICS systems – that is, those connected to the internet – can be easily found by Google dorking (the use of some of Google’s advanced search commands), and that the location of vulnerable systems is increasingly distributed via Pastebin. He set up his honeypot sites to emulate genuine ICS systems, made sure that they could be found via search engines, and waited.

But he did not have to wait long. “It took only 18 hours to find the first signs of attack on one of the honeypots.” He ran the honeypots for 28 days, and collected data on 39 different attacks coming from 11 different countries. Of these attacks, “12 were unique and could be classified as ‘targeted’ while 13 were repeated by several of the same actors over a period of several days and could be considered ‘targeted’ and/or ‘automated’.” He didn’t bother counting “port scans, automated attack attempts like SQL injection or other automated attacks that are typically considered ‘drive-by’ attacks.”
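The triage rules described above (set aside drive-by noise such as port scans and automated SQL injection, then separate one-off attempts from actors who return over several days, with countries taken from the apparent source) can be turned into a small script. The following is an added example, not code or data from the Trend Micro study; the log format, the event type names and every log line are constructed for illustration, and the country column is only the GeoIP-style apparent origin the article warns can be spoofed.

```python
import shlex
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample honeypot log (not data from the paper).
# Columns: timestamp  source_ip  apparent_country  event_type  "detail"
SAMPLE_LOG = """\
2013-01-02T03:10:00Z 203.0.113.5 CN modbus_write "write coil 0x01 on PLC-A"
2013-01-02T03:11:00Z 203.0.113.5 CN hmi_login "admin/admin against HMI web page"
2013-01-02T09:00:00Z 198.51.100.7 US port_scan "sweep of TCP 1-1024"
2013-01-03T10:30:00Z 203.0.113.5 CN modbus_write "write holding register 40001"
2013-01-03T11:00:00Z 192.0.2.9 LA hmi_login "default credentials attempt"
2013-01-04T02:00:00Z 198.51.100.7 US sqli_auto "' OR 1=1 -- against /login"
2013-01-05T14:20:00Z 198.51.100.21 US hmi_config_change "set point altered"
2013-01-06T14:25:00Z 192.0.2.9 LA modbus_read "read all holding registers"
"""

# Hypothetical time the honeypot went online (constructed).
DEPLOYED_AT = datetime(2013, 1, 1, 9, 10, tzinfo=timezone.utc)

# Event types treated as drive-by noise and excluded from the attack count,
# mirroring the paper's exclusion of port scans and automated SQL injection.
DRIVE_BY_TYPES = {"port_scan", "sqli_auto", "web_bot_probe"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, country, kind, detail = shlex.split(line)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "country": country,   # apparent origin only; may be a relay
            "kind": kind,
            "detail": detail,
        })
    return events


def triage(events):
    """Classify events: drop drive-by noise, then label actors as one-off
    ('targeted') or repeated over several days ('targeted and/or automated')."""
    kept = [e for e in events if e["kind"] not in DRIVE_BY_TYPES]
    drive_by = len(events) - len(kept)

    days_by_actor = defaultdict(set)
    for e in kept:
        days_by_actor[e["src"]].add(e["time"].date())
    unique = sorted(a for a, d in days_by_actor.items() if len(d) == 1)
    repeated = sorted(a for a, d in days_by_actor.items() if len(d) > 1)

    by_country = Counter(e["country"] for e in kept)
    total = len(kept)
    shares = {c: round(100 * n / total, 1) for c, n in by_country.items()} if total else {}
    return {
        "attack_attempts": total,
        "drive_by_excluded": drive_by,
        "countries": sorted(by_country),
        "unique_targeted": unique,
        "repeated_actors": repeated,
        "country_share_pct": shares,
    }


def first_attack_delay_hours(events, deployed_at=DEPLOYED_AT):
    """Hours from deployment to the first non-drive-by attempt, or None."""
    kept = [e["time"] for e in events if e["kind"] not in DRIVE_BY_TYPES]
    if not kept:
        return None
    return round((min(kept) - deployed_at).total_seconds() / 3600, 1)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("first attack after hours:", first_attack_delay_hours(evs))
    for key, value in triage(evs).items():
        print(f"{key}: {value}")
```

The actor key here is the bare source address, which is the simplest choice and the one the article implies; on a real honeypot the same operator often rotates addresses, so the "repeated actor" count is a floor, and the country shares describe where traffic appears to come from rather than who is behind it.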

The basic problem goes back to the origins of many ICS systems. They first came into service some 20 years ago, when security was barely an issue and the internet was young. “Many of them,” says Wilhoit, “at that time, were not even capable of accessing the Internet or connecting to LANs. Physical isolation addressed the need for security.” But over the years, things have changed. “A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the Internet, with very little hindrance.” And that is the problem: the systems that drive critical infrastructures are frequently old in design and poorly secured.

“This is a wake-up call,” says Raimund Genes, CTO at Trend Micro, “for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the Internet/Open Networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”

But, concludes Wilhoit, “Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years. This research paper was a first foray into the attacks that are performed on Internet-facing ICS.”
