Industrial control systems and SCADA are under attack but from who or what?

According to a Trend Micro researcher who decided to find out by setting up an be Industrial Control Systems (ICS) SCADA honeypot that mimicked among other things an imaginary US-based water pressure control system, the answer is pretty much everyone.

In the Black Hat presentation Who’s Really Attacking Your ICS Equipment?, Trend techie Kyle Wilhoit was able to record the first attack within 18 hours of going live.

Ignoring generic probes and port scans, the would-be ICS setup received a total of 39 attacks in a 28-day period, originating in 14 different countries. Twelve of the attack he classified as ‘targeted’ while a further 13 were classified as repeat or automated attacks.

There seems to be a lot of interest in targeting these systems but it is where they originated that will attract the most attention.

China led this list, accounting for 35 percent of attacks, ahead of the US at 19 percent and Laos with 12 percent, the UK on 8 percent and Russia on 6 percent.

Wilhoit also paid attention to the determination of attackers to keep attacking the honeypot if not immediately successful, recording the greatest number of these ‘repeats’ from Laos and China.

“This shows that these particular actors were likely interested in gaining access to the devices or causing further damage/exploitation,” he said.

In case the word ‘attacks’ sounds abstract, the attackers were seen attempting to modify specific settings on the system including modifying the CPU fan speed on the pump in a way that could have caused a failure.

Given that ICS and SCADA systems are now so popular with cyberattackers, Wilhoit’s recommendation is to disconnect such system from the Internet wherever possible.

Some of this other advice is basic such as setting unique login credentials and controlling remote contractor access. He also suggests sending logs to a SIEM system for analysis.

“Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years,” said Wilhoit.

“We expect attack trends to continue in the ICS arena, with possible far-reaching consequences.”
The security lesson is clear but why it has been left to a security researcher standing up at Black Hat to say it is perhaps a bigger mystery. Nearly three years after Stuxnet, ICS and SCADA remains security’s poor relation, someone else’s worry.