Protecting industrial control systems (ICS) has been a major focus in the software security community recently, as concerns have grown over vulnerabilities in the appliances that run power plants, water treatment facilities and other critical infrastructure. Reports have shown dramatic spikes in the number of known ICS and supervisory control and data acquisition (SCADA) system vulnerabilities, and the issue has entered into the national conversation on cybersecurity, with experts claiming that ICS security lags years behind that of standard IT systems.
A recent experiment from researchers at security firm Trend Micro sought to understand how likely an attack on an exposed, internet-facing system might be. The research team created three honeypots, two of which were servers configured to resemble programmable logic controller (PLC) systems and one of which was an actual PLC device set with default login credentials. The first attacks began within 18 hours of the systems being set live.
After 28 days of deployment, the honeypots had sustained a total of 39 attacks from 14 different countries. Of these, 12 were unique, while 13 were repeated by some of the same perpetrators over the course of several days or with different tactics. These attacks could all be considered targeted attempts. Researchers also found four types of malware used to target systems, including two that had not previously been found in the wild. The countries responsible for the most attacks were, in order, China, the United States and Laos.
“The biggest [thing] I saw was unauthorized access attempts – [intruders] trying to access areas that were locked down,” Kyle Wilhoit, a Trend Micro threat researcher who presented the findings at the recent Black Hat Europe 2013 Conference in Amsterdam, told SCMagazine.com. “There were also instances where the attackers were trying to modify protocols themselves.”
Protecting against attacks
The report noted that ICS/SCADA software security is “often considered ‘bolt-on’ or thought of ‘after the fact.’” Many of the systems date back 20 years or longer, and they were often rolled out at a time when they were not capable of being connected to the internet or local area networks. With modernization, these configurations have changed, exposing systems that were designed to be protected primarily by physical isolation.
Trend Micro recommended that operators take precautions such as disabling internet access to these resources when possible, replacing default username/password configurations with two-factor authentication, and adopting real-time anti-malware and network scanning tools. Additionally, device and system manufacturers can reduce the risk of an attack by mitigating vulnerabilities in the development process. Using tools such as source code analysis software, manufacturers can catch errors that could enable unauthorized access or remote code execution. With the proven existence of these attacks in the wild, prevention remains essential.
“As you can see, Internet-facing ICS are readily targeted,” Trend Micro researchers wrote. “Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years.”