Water-Utility Honeynet Illuminates Real-World SCADA Threats

After a researcher constructs a fake water-utility network and puts it online, attackers quickly target the systems

4 Min Read

BLACK HAT USA -- LAS VEGAS -- For five months, online attackers have been trying to compromise a water utility's network, attempting to change the settings of pumps and stealing documents. The utility isn't real, however, but a fake put online by a security researcher attempting to gauge attackers' interest in breaching critical infrastructure.

The network, which consisted of 12 different servers in eight different countries, came under attack 74 times from Internet addresses in Russia, China, the U.S., and Palestine, Kyle Wilhoit, a threat researcher with security firm Trend Micro, said in a presentation here yesterday. While Wilhoit classified 85 percent of the attacks as noncritical, 11 of the attacks were serious, including a basic spearphishing attack that appeared to come from the Comment Crew, also known as APT-1, a Chinese espionage group.

Wilhoit, who presented his research at Black Hat Europe in March, said that he had detected more attacks during the five months he has had the systems running and had developed better profiles of the attackers.

"A lot of the attacks were opportunists, but they are out there looking for this stuff," Wilhoit said, adding that the utilities he has audited have had abysmal security that would likely not dissuade attackers. "The [utility] networks that I've been exposed to have been lacking firewalls and access control lists, and have been lacking intrusion detection systems."

As espionage groups -- many likely funded by national governments -- continue to attack global corporations and government agencies, security experts are increasingly worried that utilities and critical infrastructure will come under attack. While the government has added regulations for energy firms and financial networks to boost their ability to protect against cyberattacks, many industrial control networks are designed for reliability, not to defend against a quickly evolving attacker.

To gauge the threat, Wilhoit created the Auburn Water utility, a fake company that had very insecure systems online. He set the network up to have very little security: no firewall, no stateful packet inspection, and loads of vulnerabilities, including security issues with the SCADA software, the human-machine interface (HMI), and vulnerable implementations of the two major industrial-control system (ICS) protocols, Modbus and the distributed network protocol version 3 (DNP3).

[Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks. See SCADA Experts Simulate 'Catastrophic' Attack.]

Attackers found the systems mainly using search engines, such as Google and SHODAN, but also found some of the information that Wilhoit seeded in places such as Twitter and Pastebin.

The Trend Micro researcher did not count attacks of the automated probes of his network and systems, of which there were 32,000 from 1,200 IP addresses in the five months that he collected data.

The 63 noncritical attacks included those that could have compromised the future integrity of the network by gaining access to credentials. The 11 critical attacks included a number of compromises that could have affected a real water utility, Wilhoit said. In addition to the Chinese data exfiltration attempt, Wilhoit detected attackers' attempts to modify a CPU fan speed, modify the control traffic on the Modbus, gain HMI access, and change the operation of critical water components.

"I actually saw an attacker go in and modify the water temperature," he said. "I was also watching individuals go in and lower the pump pressure to where it would not be able to pump water to homes and businesses."

Wilhoit did not rely on Internet addresses to attribute the attack, but used a browser exploitation kit to gain information on the attackers in his network. Reasoning that any attacker who had access to his protected network was essentially agreeing to the necessary steps to defend that network, he gathered information on registry keys, their physical location, their system, and some internal information.

The counterintelligence actions identified 58 percent of the attackers were from Russia, and single-digit percentages from China, the U.S., Germany, and Palestine.

Exploiting attackers' systems is a source of controversy, and Wilhoit joked that he may have crossed a line.

"I'm probably losing my job after this presentation," he said. "If anyone is hiring, let me know."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights