Who is attacking industrial control systems?
Since the discovery of Stuxnet, industrial control systems (ICS) and supervisory control and data acquisition (SCADA) networks have received a fair share of attention from researchers and attackers alike.
Introduced decades ago when security was not that great a concern and when most of them weren’t connected to the Internet or to a LAN, these systems are now getting bolt-on security. Realistically, problems related to this are only starting.
If you don’t believe that these systems make such great targets, consider the results of a recent report by a Trend Micro researcher who set up honeypot architecture emulating a number of of SCADA and ICS devices and featuring typical vulnerabilities found on similar systems.
Accessible from the Internet through simple Google searches (as many of these systems are), his honeypots were targeted both by automated and targeted attacks, and it took only 18 hours for the first one to be detected.
“Out of these 39 attacks, 12 were unique and could be classified as ‘targeted’ while 13 were repeated by several of the same actors over a period of several days and could be considered ‘targeted’ and/or ‘automated.’ All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same /27 netblock,” says Threat Researcher Kyle Wilhoit.
Unsurprisingly, 35 percent of these attacks originated in China, and 19 percent in the United States. All other “players” didn’t surpass the one digit limit, except for a unexpected “third place” occupied by hits from Laos:
Wilhoit also made a list of different types of attacks that were attempted (including spearphishing a site administrator) and covered good advice for preventing them. He also included a lot of details concerning the setup of such honeypots.