How tempting a target are companies with industrial control systems to online threat actors? A lot, according to a fake manufacturing firm set up by security vendor Trend Micro to gather intelligence.
In seven months the honeypot attracted two ransomware infections, the use of its online infrastructure for possible fraud, the installation of a malware linked to a Monero cryptocurrency mining scam and an attacker who got into the system and pretended to have installed ransomware.
Details of the test were outlined in a report from the security company released this month.
Admittedly, researchers did things to help attackers, including leaving some ports open, misconfiguring servers and using a common password to servers. In their defence, the researchers said they created openings that could realistically be found in actual smart factories.
Still, the report concludes that successful penetrations wouldn’t have happened had there been adequate security, including protection for industrial control systems.
“Too often, discussion of cyber threats to industrial control systems (ICS) has been confined to highly sophisticated, nation-state level attacks designed to sabotage key processes,” commented Greg Young, Trend Micro’s vice-president of cybersecurity. “While these do present a risk to Industry 4.0, our research proves that more commonplace threats are more likely.
Manufacturing spending billions on IoT, but still can’t patch Windows or remember passwords
“Owners of smaller factories and industrial plants should therefore not assume that criminals will leave them alone. A lack of basic protections can open the door to relatively straightforward ransomware or cryptojacking attack that could have serious consequences for the bottom line.”
The internet-connected “factory” was made to look like the infrastructure of a small industrial prototyping company with real programmable logic controllers hooked to what seemed online to be equipment on a production line, physical hosts including a file server and hardened virtual machines. The phony company, dubbed MeTech, included a website with imaginary executives and AI-generated photos, working phone numbers and email addresses.
It was not the first time Trend Micro has set up a honeypot like this. In 2013 it created a fake water treatment system, and two years later simulated an internet-connected gas tank monitoring system.
Although MeTech was successfully penetrated, there was at least one piece of good news: None of the attackers were able to leverage the four programmable logic controllers although each was from a different manufacturer. Attackers only got in through vulnerabilities in Windows or other means. Apparently the controllers were hardened enough to resist the attacks they faced.
“That shows vendors are listening,” Myla Pilao, Trend Micro’s director of technical marketing said in an interview.
The test was created to learn lessons about the kinds of ICS-related attacks organizations may face, she said. While such attacks aren’t common yet, most experts believe they will be.
Last fall Kaspersky said “a concerning percentage of industrial control system (ICS) computers in the energy sector globally were targeted by cyberattacks in the first six months of 2019.”
Using data of companies that use Kaspersky solutions on ICS computers, 41.6 per cent experienced and blocked cyber threats including worms, spyware and cryptocurrency miners. Trend Micro notes a survey by the Ponemon Institute found half of the respondents with ICS networks said they have seen attacks on their critical infrastructure in the last two years.
Successful attacks on industrial controllers could cripple a major critical infrastructure provider like a power or water treatment plant. However, in an interview with the ZDNet news service early last year a Kaspersky official said the main threat so far to industrial computers is not a targeted attack, but mass-distributed malware that gets into industrial systems by accident through email attachments or removable media such as USB sticks.
Arguably the best known successful attack was the 2015 incident which knocked out Ukraine’s power grid for six hours. Hackers remotely logged into workstations and, clicking through commands in the operator control system, shut off breakers one by one.
The Trend Micro honeypot, Pilao said, saw the typical activity of cyber attackers: Initial surveillance, port scanning for vulnerabilities, evasion and, finally, deployment of malware. That’s one lesson: Many attacks on ICS systems will start out looking like attacks on the IT network.
Terry Ingoldsby, who heads a Calgary-based threat modelling company called Amenaza Technologies, said the Trend Micro honeypot “gave a very good indication of what a moderate-capability actor seeking mostly financial gain would do against an ICS target. Due to the intrinsic limitations of the problem, the honeypot was not able to accurately reflect what a state-sponsored (or other high-capability) actor with a specific goal might do.”
Most of the risk most ICS operators face today will be from what he calls a moderately-skilled attacker, but he said don’t underestimate the potential for more serious attacks.
“It would be a mistake for ICS operators to think these types of attacks are the worst that they will face. Clearly, understanding how this mid-level attacker operates and preparing defenses for those sorts of attacks is very valuable. Nonetheless, being able to deal with this level of attacker is not likely sufficient protection for ICS operators in very critical industries,” said Ingoldsby.
Senior management at most companies believe it is the government’s responsibility to protect against nation-state actors, he said. On the other hand governments hope that private industry is taking care of the high capability threats.
“We shouldn’t be telling operators how to do security. We should be telling them that we expect them to be able to deal with threats of specific levels. If their system fails in a way that has a societal impact due to an attack from a threat lower than the level they are responsible for, they should be liable for the damages. That would transfer the societal risk on to the corporations and give them a reason to build security adequate against higher-level threats.”