Just 18 hours after security researcher Kyle Wilhoit connected two dummy industrial control systems and one real one to the Internet, someone began attacking one of them, and things soon got worse. Over the course of the experiment, conducted during December 2012, a series of sophisticated attacks were mounted on the “honeypots,” which Wilhoit set up to find out how often malicious hackers target industrial infrastructure.
Wilhoit’s findings provide some of the best evidence yet that people are actively looking for and attempting to take unauthorized control of the type of industrial systems that are used to control everything from energy plants to office HVAC systems. Recent years have seen U.S. politicians speak of and researchers demonstrate the vulnerability of such systems, and thousands are known to be connected to the Internet with weak or nonexistent controls against unauthorized access (see “What Happened When One Man Pinged the Whole Internet”).
“Everybody talks about [industrial control systems] being attacked, but no one has any data to back that up,” says Wilhoit, who works for the computer security company Trend Micro. “I know that my ICS honeypots have definitely been ‘owned,’ and I think there’s a reasonable likelihood that it has happened in the wild.”
Last year, the then-defense secretary Leon Panetta warned that successful attacks had been made on the control systems of U.S. electricity and water plants and transportation systems. But since then, little has been disclosed publicly about such incidents. A March newsletter from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team contains one of the few public disclosures of such an attack, saying that energy management systems at a factory and a state government building in New Jersey were compromised in 2012.
Wilhoit’s work suggests that this may be just the tip of the iceberg. He used three different honeypots, each of which was carefully designed so that an attacker would believe he or she had discovered a computer that controlled physical settings on an industrial system. One of the decoys offered administration Web pages for a water pump that acted like the real thing; another was a physical server installed with software commonly used to control physical industrial equipment; Wilhoit also bought a piece of hardware used to connect a computer to control industrial equipment and installed it in his basement so that it appeared to control the HVAC and lighting of a factory.
A total of 39 attacks were mounted on Wilhoit’s honeypots, some of which involved modifying the settings of the physical system they appeared to control. Attacks appeared to originate from computers in a variety of countries, with 35 percent from China, 19 percent from the U.S., and 12 percent from Laos. Attackers often appeared to use automated tools that search out industrial systems on the Internet before investigating more thoroughly.
The most striking attacks exploited bugs to change the settings of Wilhoit’s imaginary industrial systems. “They were doing things that would change the water pressure, or temperature, or stop the flow on the water pump,” says Wilhoit. “If it is happening to a honeypot, what is happening to real devices with no protections? It is apparent that there is some expertise out there.”
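To make the mechanics concrete, here is a minimal decoy of the kind described above: a fake water-pump administration page that appears to accept setting changes (pressure, temperature, flow) while only recording who made them. This is an added illustration written for this article, not Wilhoit’s or Trend Micro’s honeypot code; the URL paths, setting names, and event format are assumptions, and the sample addresses used in the test are constructed.

```python
"""Decoy water-pump admin page: looks writable, drives nothing, logs everything.
Added example, not the honeypot from the article; paths and setting names are assumed."""
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# The decoy's "current" settings. Nothing physical is attached; the goal is to
# make a change look like it took effect so the attacker keeps interacting.
SETTINGS = {"pressure_psi": 60, "temperature_c": 18, "flow": "on"}

# Every interaction is appended here. A real deployment would ship these to a
# log file or SIEM that the attacker cannot reach from the decoy host.
EVENTS = []


def record(kind, remote, detail):
    """Append one event and return it so callers and tests can inspect it."""
    event = {"ts": time.time(), "kind": kind, "remote": remote, "detail": detail}
    EVENTS.append(event)
    return event


def handle(method, path, body, remote):
    """Core decoy logic, kept apart from the HTTP plumbing so it is unit-testable.
    Returns (status_code, response_text)."""
    url = urlparse(path)
    if url.path in ("/", "/status"):
        record("view", remote, url.path)
        return 200, json.dumps(SETTINGS)
    if url.path == "/set" and method == "POST":
        params = {k: v[0] for k, v in parse_qs(body).items()}
        changed = {}
        for key, value in params.items():
            if key not in SETTINGS:
                continue
            try:
                # Coerce to the existing type (int for pressure/temperature,
                # str for flow) so a plausible "new" value is displayed.
                SETTINGS[key] = type(SETTINGS[key])(value)
            except ValueError:
                record("malformed", remote, {key: value})
                continue
            changed[key] = value
        # An unauthenticated write to a control setting is the high-value signal.
        record("write", remote, changed)
        return 200, json.dumps({"ok": True, "settings": SETTINGS})
    # Anything else is most likely a scanner feeling for known admin pages.
    record("probe", remote, f"{method} {url.path}")
    return 404, "not found"


def write_events():
    """Return only the recorded write events, which an analyst reviews first."""
    return [e for e in EVENTS if e["kind"] == "write"]


class DecoyHandler(BaseHTTPRequestHandler):
    def _reply(self, status, text):
        data = text.encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        self._reply(*handle("GET", self.path, "", self.client_address[0]))

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode(errors="replace")
        self._reply(*handle("POST", self.path, body, self.client_address[0]))

    def log_message(self, *args):
        pass  # events are recorded by handle(); silence stdlib's stderr lines


if __name__ == "__main__":
    # Bound to loopback for demonstration; a real decoy is placed where it will be
    # found, with its event log kept off the decoy host.
    HTTPServer(("127.0.0.1", 8080), DecoyHandler).serve_forever()
```

The separation between `handle()` and the HTTP handler is deliberate: the decoy logic can be exercised offline, and the event stream (views, writes, malformed values, probes) is what distinguishes an automated scanner sweeping for admin pages from an operator who knows what a pump setting is.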
Because the attacks made use of techniques specific to industrial control systems, Wilhoit believes they were carried out by people intent on finding and messing with such systems. Some of the attacks involved sending e-mails to the administrator address he made available. Attachments to those e-mails hid previously unknown malicious software that Trend Micro is now investigating. “I can’t relate all the details,” he says. “It’s substantial as findings go.”
Wilhoit will say that the malware he received appeared to be designed to take over a commonly used controller for industrial control systems. Wilhoit and colleagues at Trend Micro are now operating more honeypots, setting them up in locations around the world to record a global picture of such activity. They are also working on new strategies that could help defend such systems.
Many relatively simple countermeasures do exist to protect industrial systems, but they are not routinely used, says Billy Rios, a security researcher who works on industrial control systems at security startup company Cylance, and who has disclosed hundreds of bugs in common industrial systems. Removing these systems from the publicly accessible Internet is the most crucial defensive measure, says Rios. However, even systems accessible only over a private connection could be reached by targeting a company’s employees for passwords, and once an attacker gains access to an industrial system there are often many security bugs to exploit. “The security of the industry in general is really poor,” says Rios.
Joel Young, chief technology officer of Digi International, which sells hardware used to connect industrial control systems to the Internet, says that the companies he sells to have traditionally thought of reliability and privacy as more important than security. Home energy management systems and smart meters, for example, have been carefully designed with features intended to guard privacy due to public concern about their leaking energy use data. “But if you look at putting a server out to monitor a substation, there’s just no security at all,” he says. “It’s like, who would want to hack into this?”
Rios says that companies that make industrial control systems have begun to pay more attention to security issues, but he’s still finding bugs in new products, and in many older products that remain in use. “These devices have a lifecycle of 20 to 30 years.”