SCADA honeypots attract swarm of international hackers

Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro. The security weaknesses of SCADA (supervisory control and …

COMMENTS

This topic is closed for new posts.
  1. TeeCee Gold badge
    Coat

    Laos?

    Obviously this is because it's a honeypot system and it's attracted attention from the Plain of Jars.......

  2. Gordon 10
    WTF?

    Relationship between SCADA and Smart Grids

    Are these 2 things being lumped together simply because they both are deployed by Utility industries or do they share a common code lineage?

    If the latter - that's another reason to refuse a Smart Meter.

  3. Alan Brown Silver badge

    just because...

    ...the attacks originate from a particular country's netspace doesn't mean that the perpetrators are there.

    See previous articles about the number of systems with stupid default passwords. Why on earth would an attacker leave a trail directly back to their home netspace?

    (Previous experience shows that Chinese netspace is riddled with vulnerable systems and a response to "headsup" warnings consisting mainly of fingers in the ears, yelling "I can't hear you!")

    1. This post has been deleted by its author

  4. Anonymous Coward
    Happy

    What journal ....

    ... was the 12 peer cent published in?

  5. John Smith 19 Gold badge
    Unhappy

    So there are people out there looking for these systems with the tools to do damage.

    That on its own should be a big wake-up call to people who run SCADA systems.

    People have taken the time and effort to develop exploits for those vulns.

    Will it change anything?

    Probably not. I fear it's only when Board level staff do time that maybe some of them will decide "Gee perhaps we ought to do something about this."

    1. Destroy All Monsters Silver badge
      Holmes

      Re: So there are people out there looking for these systems with the tools to do damage.

      While I conceive that protecting these systems is just good business practice (aka. "Striving for Excellence" in a Total Quality Management program), please do explain why "board level staff" should "do time" when the recommended quality assurance processes are not in place or handled well.

      If your arse depends on these systems being locked down, why -- you know how to order up audits, dontcha?

      And then we have the "gov't owned" stuff letting it all hang out. What you gonna do about it? Probably wait until horse bolted, then slap on the wrist, then more money injections.

    2. koolholio
      Facepalm

      Re: So there are people out there looking for these systems with the tools to do damage.

      jumping to a conclusion that it MUST be ex-employees springs to mind... just like the origin of everything bad in the world?

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: So there are people out there looking for these systems with the tools to do damage.

        Ex-employees haxxoring out of the Occupied Palestinian Territories?

    3. Charles Manning

      Board level? Why?

      Why the hell should board members be doing time on this? It is unrealistic to expect board members to know all the technical ins and outs.

      Do you expect the board members to recommend what programming languages to use? Perhaps they should give recommendations on using CAT6 vs fibre?

      What board members should be doing is ensuring the corporate culture is tuned to take care of these matters properly and that there is sufficient budget to do the right thing rather than just hope...

  6. Shasta McNasty
    Happy

    This just in

    If you want a system to be secure from internet attacks, don't connect it to the internet. Just because you CAN connect it to the internet, doesn't mean you HAVE to.

    From the Ministry of Common Sense.

    1. Chris Miller

      Re: This just in

      If you're talking about a power plant, or some other facility that's staffed 24x7, I'd agree. But SCADA also covers a lot of small stuff, perhaps a power transformer for a remote village that would need an engineer to drive for 2 hours to reach it or could be reset remotely. I imagine that simply translating to a non-standard port would be sufficient to hide non-critical facilities from automated attacks.

      1. JimC

        Re: This just in

        Not to mention outsourced systems and all the rest of it... All makes me wonder if in the medium term the anonymous internet is doomed. I can't see the world being prepared to go back to private lines for everything, but if the level of threats becomes unacceptable then it's going to end up with everything and everyone being identifiable and responsible... Look at S. Korea this morning...

      2. Psyx
        Pint

        Re: This just in

        "If you're talking about a power plant, or some other facility that's staffed 24x7, I'd agree. But SCADA also covers a lot of small stuff, perhaps a power transformer for a remote village that would need an engineer to drive for 2 hours to reach it or could be reset remotely."

        That approach is no longer viable and should be abandoned in the face of overwhelming evidence. Times change. 70 years ago bombers used to evade flak by flying really high. It was really convenient and easy on the navigator and pilot compared to flying really low. Then someone invented SAMs and that tactic no longer worked. But they didn't carry on flying really high even though it was dangerous, just because it was still convenient.

        We shouldn't cling onto things which are easy but inherently dangerous.

      3. Anonymous Coward
        Anonymous Coward

        Re: This just in

        "If you're talking about a power plant, or some other facility that's staffed 24x7, I'd agree. But SCADA also covers a lot of small stuff, perhaps a power transformer for a remote village that would need an engineer to drive for 2 hours to reach it or could be reset remotely. I imagine that simply translating to a non-standard port would be sufficient to hide non-critical facilities from automated attacks."

        or use a dedicated/secure circuit instead of the public internets. Even a simple, bog standard phone/ISDN line is enough to give you the basic telemetry/control connections you'd need and they're a tad more secure.

        1. Alan Brown Silver badge

          Re: This just in

          Or just use a VPN. Stuff "on the internets" doesn't have to be actually accessible "from the internets"

        2. Charles Manning

          Re: This just in

          "or use a dedicated/secure circuit instead of the public internets"

          In the case of a remote village power transformer a dedicated circuit would quite likely be prohibitive.

          At the minimum, remote SCADA connections should be secured with VPN, ssh or similar. Having anything less is completely insane.

          1. Anonymous Coward
            Anonymous Coward

            Re: This just in

            "'or use a dedicated/secure circuit instead of the public internets'

            In the case of a remote village power transformer a dedicated circuit would quite likely be prohibitive."

            Leased line/EFM: Yes. POTS/ISDN line? No.

            My old man works for a water supply firm in the UK, and from what I've seen most of their remote sites are phone line/ISDN supplied. You're only really transferring telemetry data and control commands over them, not gigabytes of data.

      4. Alan Brown Silver badge

        Re: This just in

        "I imagine that simply translating to a non-standard port would be sufficient to hide non-critical facilities from automated attacks."

        Given we see as many attacks on SSH ports listening on non-standard ports as those on the standard one, I'd be willing to take your wager and would be confident of collecting.

        Security-by-obscurity never works for terribly long and it's no substitute for locking things down.

        (OTOH Security-by-misdirection is useful. Honeypots are an example. They enable evidence gathering and showing the perpetrator's intent without putting real systems at risk)

        1. Destroy All Monsters Silver badge
          Angel

          Re: This just in

          > Given we see as many attacks on SSH ports listening on non-standard ports as those on the standard one

          Interesting as I don't see that at all. I specifically moved the port to get rid of all the stupid login scans in the log...

          1. Chemist

            Re: This just in

            "Interesting as I don't see that at all. I specifically moved the port to get rid of all the stupid login scans in the log..."

            Same here. Although I see attempts all the time on the standard port I've never seen ANY on my (very) non-standard port. Mind of course it's just one of the mitigation measures and I certainly wouldn't rely on it alone.

            1. Anonymous Coward
              Anonymous Coward

              Re: This just in

              I have my SSH on a non-standard port, AND I have my firewall configured so that any attempt to access the standard port immediately adds the offending IP to a blacklist for a period of time. And of course, I have SSH set for keypair-only (no tunneled passwords), as well as several other measures to increase security.
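The tripwire the poster above describes (real service on a non-standard port, any touch of the standard port bans the source for a while) modelled as a small filter so the policy can be replayed against connection events. This is an added example, not the poster's configuration; the ports, ban duration and the event list are all constructed.

```python
"""Model of a 'honeyport' blacklist: a SYN to the decoy standard port (22)
bans the source address for a period, while the real sshd listens elsewhere.
Constructed example; in production the same policy is usually expressed with
the iptables 'recent' module or fail2ban rather than in Python."""
from dataclasses import dataclass, field

DECOY_PORT = 22       # standard SSH port, kept open only as a tripwire
REAL_PORT = 2222      # assumed non-standard port where sshd actually listens
BAN_SECONDS = 3600    # assumed ban duration


@dataclass
class HoneyportFilter:
    decoy_port: int = DECOY_PORT
    real_port: int = REAL_PORT
    ban_seconds: int = BAN_SECONDS
    # src_ip -> time (seconds) at which the ban expires
    banned_until: dict = field(default_factory=dict)

    def is_banned(self, src: str, now: float) -> bool:
        """Check the ban list, expiring stale entries as they are seen."""
        expiry = self.banned_until.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned_until[src]   # ban has lapsed
            return False
        return True

    def handle(self, src: str, dst_port: int, now: float) -> str:
        """Decide 'accept' or 'drop' for one inbound SYN from src to dst_port."""
        if self.is_banned(src, now):
            return "drop"                 # banned hosts get nothing, real port included
        if dst_port == self.decoy_port:
            # Touching the decoy is the tell of a scanner: ban and drop.
            self.banned_until[src] = now + self.ban_seconds
            return "drop"
        if dst_port == self.real_port:
            return "accept"               # sshd still enforces key-only auth
        return "drop"                     # default deny for everything else


# Constructed connection events: (time_s, source_ip, destination_port)
EVENTS = [
    (0, "198.51.100.7", 22),       # scanner probes the standard port -> banned
    (5, "198.51.100.7", 2222),     # same host then finds the real port -> still dropped
    (10, "203.0.113.9", 2222),     # admin goes straight to the real port -> accepted
    (3700, "198.51.100.7", 2222),  # ban expired after 3600 s -> accepted
]


def replay(events, flt=None):
    """Run the events through one filter instance and return the decisions."""
    if flt is None:
        flt = HoneyportFilter()
    return [(t, src, port, flt.handle(src, port, t)) for t, src, port in events]


if __name__ == "__main__":
    for t, src, port, decision in replay(EVENTS):
        print(f"t={t:>5}s {src:>14} -> :{port:<5} {decision}")
```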

        2. Chris Miller

          @Alan 11:58

          Is your SSH on a public web server? I can't see people scanning 1-65535 across the Internet trying to find the tiny proportion of SCADA ports, but if I know an active IP address, I might well try a full port scan and see what falls out.

          I'm not arguing that port camouflage should be the only line of defence, but it remains surprisingly effective in some areas.

        3. Stuart Castle Silver badge

          Re: This just in

          Indeed. While I am no expert on hacking (although I did do a CCNA a few years back, so have a fair idea of how networks work at the packet level), if you know what sort of response a given system will give, it's possible to use a script to try a few ports looking for that response.

          Going on to the main topic of the article, I think the root of the problem is twofold. First, technology is moving faster than most people can cope with. SCADA systems will stay in place for years. It can cost a lot of money to replace a mid to large size one, and they need as near to 100% uptime as they can get. Even the likes of Npower and other similarly sized companies aren't going to spend potentially millions upgrading their control systems every couple of years. This is a problem because the length of time the control systems are in place gives hackers plenty of time to find vulnerabilities, and it also means the hackers will have had time to develop quicker or more advanced techniques for finding and exploiting those vulnerabilities. It also means that even assuming the SCADA system manufacturer admits there is a problem (and it's not a given that they will), the system owners are less likely to actually patch it.

          The second problem is cost cutting. It's far easier (and cheaper) to stick a SCADA system on a publicly accessible IP, then have one or two staff monitoring (and adjusting or repairing, if necessary) several SCADA systems from a central control centre (which can be in a different country). This can be a secure way of doing things, but the connection needs to be on a dedicated line (even a phone line will sometimes do), or you need a VPN connecting the two buildings.

          OK, while VPNs are technically still hackable, a well configured one can be a hell of an obstacle to most hackers.

          I think the other part of the second problem is that SCADA systems are increasingly being run by what are essentially standard PCs with special hardware so they can interface with whatever machinery they control. This means that not only can the system be attacked using flaws in the SCADA hardware/software, but it can also be attacked using flaws in the PC Architecture and PC OS (usually Windows). Both of which are considerably better known to hackers than specialist SCADA hardware/software.

        4. amanfromMars 1 Silver badge
          Devil

          Every Cloud has a Solid Gold Lining although Never on its Smoke and Mirrored Side.

          (OTOH Security-by-misdirection is useful. Honeypots are an example. They enable evidence gathering and showing the perpetrator's intent without putting real systems at risk)

          That sort of entrapment catches dumb monkeys and ignorant donkeys and does nothing at all to stop exploitation of zeroday vulnerabilities and systemic problems, which are both real and virtual opportunities for others, some of whom may be novel key players in the Great Game and wwwider scheme of things, invariably remaining, and decidedly designedly so, relatively anonymous as per Scarlet Pimpernels

        5. Roland6 Silver badge

          Re: This just in

          "I imagine that simply translating to a non-standard port would be sufficient to hide non-critical facilities from automated attacks."

          I expect Chris Miller wrote this before he had read the Internet Census 2012 [ http://www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/ ]

          However, there are good reasons for using non-standard ports (and other settings):

          1. It reduces the noise in security event monitoring systems logs, making abnormal events easier to spot.

          2. It can help to minimise the execution of relevant packet inspection rules, which will help reduce system load and network delays.

          The use of honeypots or zombie systems as camouflage, overseen by a security monitoring system is an interesting idea, particularly with the rise of VMs they could be deployed relatively cheaply.

          1. Chris Miller

            Re: This just in

            I did indeed read it, Roland, perhaps you should too. From the report: "These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans." So, no, this scan could not have found systems listening on non-standard ports.

            I suppose it would be possible to extend the concept to a full 1-65535 scan of the Internet, but it would take 600x as long and be so noisy that it would surely be detected.

    2. koolholio
      Thumb Up

      Re: This just in

      and be careful to avoid contamination between the two... ;-)

    3. Wize

      Re: This just in

      "Just because you CAN connect it to the internet, doesn't mean you HAVE to."

      But sometimes you have to.

      Customer wants to gather statistical data from the plant (eg production uptime, production rate per hour, etc) and wants that emailed round a department via email.

      Someone needs a PC that is connected to both the control system and the internet.

      Yes, you can firewall the hell out of it, but there is always a way.

      Even separating two systems with an air gap and transferring data via USB isn't foolproof.

      1. Psyx
        Stop

        Re: This just in

        "Customer wants to gather statistical data from the plant (eg production uptime, production rate per hour, etc) and wants that emailed round a department via email."

        That's not a 'have to' situation though. You simply explain that connecting said plant to internet means that it can be hacked, and that not connecting it to the internet makes it impossible to hack from off-site. If that doesn't work, write up a lurid and blunt risk assessment and ask them to sign off on the risk, taking responsibility for any electronic intrusion and outages caused by such. It'll get bumped up to a level where someone will either see sense and put THEIR job on the line, instead of yours.

        Metrics and performance figures on up-time aren't worth risking a plant for.

        There's no point having up-time figures at the cost of down-time! If it's crucial enough to monitor, it's crucial enough to secure.

  7. amanfromMars 1 Silver badge

    The Colossal Enigma Enjoyed by Dual and MultiUse Project Programmers and SMARTR Systems Analysts?

    Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems.

    Whenever the motives are the collapse and destruction of corrupted and inequitable systems of vulnerable control for a perverse power grid, are such actions as result in such actions being pimped as attacks on SCADA not to be reclassified and regarded as quite something else to be highly regarded and protected ….. by the Mainstream and Main Street.

    Don't worry about the Alternatively Invested Market Place and the SMARTR Virtual Spaces, for its IT Command and Control of Information with Intelligence will do all that is necessary to ensure its own security requirements are met and exceeded.

    And that has particular and peculiar reference and resonance whenever the targeted SCADA Systems be Man Management, for they are also powered by Supervisory Control and Data Acquisition and/or Supervisory Controlled Acquisition to Data Accessed, which is similar but quite something completely different and much more powerful and constructive and potentially disruptive and destructive.

    Some things you just can't ever win against, and it be utterly useless and worthless and cripplingly expensive fighting against the progressive flow of novel information. Embrace Extend Enjoy is a Better Beta Meme to Accept for Virtual Reality Drive in SMARTR IntelAIgent Systems for Creative CyberSpace Command and Control Of Computers and Communications and Virtual Machine Human Beings. ....... Really QuITe Smart and Quiet IntelAIgent Bots.

    Adopt anything else, and one will always be led and encouraged naturally to adapt and comply with that which always provides the Best of the Best to the Best for the Rest to Test and Enjoy and Enjoy as a Tested Quest in a Program which Presents the Future to replace a Corrupted Past ....... which is what Media and IT are Intelligently Designed and used for, is it not/are they not? Or is that something which is currently being serially abused and misused by the powers that be in a crazy state of conflict and madness, sadness and badness?

    1. Anonymous Coward
      Anonymous Coward

      amanfromMars home movie ..

      Real footage ...

      1. amanfromMars 1 Silver badge

        Re: amanfromMars home movie ..

        Methinks, AC, that is a wanton abuse of El Reg's generosity in support of free speech and edutainment. But hey, whatever floats your boat ...... there's certainly more crazies out there than are confined securely in institutions for everyone's protection, that's for sure. :-)

      2. John Smith 19 Gold badge
        Unhappy

        Re: amanfromMars home movie ..

        Err not to spoil your fun but consensus for AMFM is that they are (mostly) a bot, as in an NPC.

        Suggested explanations for their posts are mostly:

        a) A simulation of mental illness like the "parry" program (sort of the flip side of Eliza)

        b) A sort of textual "numbers station," issuing instructions to assorted (human) agents around the world for unknown purposes.

        Historically mental hospitals ran guided tours of their patients (look up the history of Bedlam asylum for example). Another way to make money out of the mentally ill, perhaps (they'll probably call it "therapy" this time round).

  8. JaitcH
    FAIL

    America's so called Bogeyman is supposed to be a source of risk

    So I guess GE-USA SCADA Division hasn't heard of this as all their SCADA work is being done in ... China!

    Go figure!

    1. Destroy All Monsters Silver badge
      Devil

      Re: America's so called Bogeyman is supposed to be a source of risk

      Obligatory DOOM CHART

      1. amanfromMars 1 Silver badge
        Pirate

        Re: Re: America's so called Bogeyman is supposed to be a source of risk

        Obligatory DOOM CHART .... Destroy All Monsters Posted Wednesday 20th March 2013 10:57 GMT

        I think the colour to represent present conditions and ongoing operations/remote current program adjustments, is BIKINI Black, Destroy All Monsters.

        And can you imagine how far ahead of opposition/competition/defence systems, attacking players are in any technology/methodology/cyberology, with at least a sixteen year/generation head start? Do you think they be uncatchable and untouchable because they be virtually invisible and practically non-existent ....... Real Spooky MkUltraSensitive Great Game Players ....... in AI SMARTR Program Delivering Reality Providing Alternative Virtual Realities ....... Future Colossal and/or Cataclysmic Events? ....... http://cryptome.org/2013/03/nsa-think-cyberspace.htm

        Or would a delusional state of denial kick in to protect units from damaging self-destructive information and intelligence overloads/buffer overflows/descents into insane madness, which in Magic Circles of Intelligence Circuses are Transformed for Morphs/Remote Teleports with Enlightening Ascents into Virtual Team Terrain Realms which are the quite simply complex result of pure genius?

        Are you a Virtual Team Terrain Player, El Reg, or just Another Silent Spectator of the Great Game in Live Operational Virtual Environments and NEUKlearer HyperRadioProActive IT? Super Advanced Intelligence Services in SMARTR InterNetworking Systems ….. with Sublime and Surreal EMPowerdD Control of the Novel Invisible Power in HyperRadioProActive Intellectual Property Shares and CyberIntelAIgent Dumps/Caches/Stores/Banks are clearly asking.

        1. Uffish

          Re: amanfromMars 1

          Upvoted because I liked these posts.

  9. Ru
    Facepalm

    "This is a wake-up call for operators of these infrastructures"

    Ha ha! No.

    This might be a wake up call if security researchers hadn't been banging the "SCADA connected to the internet is stupid" gong for years. This might be a wakeup call if it weren't for that little Natanz incident involving vulnerable SCADA systems.

    Maybe a powerplant going offline or a factory burning down might be considered a wake-up call... and even then, what are the chances that job number one will be to allocate blame and cover arses, and fixing the underlying issues will be secondary?

    I suspect it'll take aggressive and concerted government intervention with hefty penalties to wake up any of the folk responsible for these systems.

    1. Destroy All Monsters Silver badge
      Holmes

      Re: "This is a wake-up call for operators of these infrastructures"

      Natanz was a USB stickjob IIRC, so no Internet involved, at least directly.

    2. John Smith 19 Gold badge
      Unhappy

      Re: "This is a wake-up call for operators of these infrastructures"

      "Ha ha! No."

      I wrote should not "will" for a reason.

      "I suspect it'll take aggressive and concerted government intervention with hefty penalties to wake up any of the folk responsible for these systems."

      Perhaps loss of rights to any bonuses might focus their minds as well.

      "Natanz was a USB stickjob IIRC, so no Internet involved, at least directly."

      I think that's sort of his point.

      If SCADA systems are vulnerable even when not connected to the internet PHBs can say "well it got infected anyway so why give up on linking them to the net and using that fixed (and expensive) leased line tech instead."

  10. Alan Brown Silver badge

    Let's hope...

    ... that someone doesn't get the bright idea of switching off the oil pumps to the bearings of a 600MW hydro turbine.

    This happened in Germany a long time ago. "Thankfully" the rotor left the building on the downstream side (the upstream side was the dam wall). The rotor was found 5 miles down the relatively flat valley, having trashed everything in its path - and that was a tiny 2MW generator. 600MW ones are a hell of a lot larger - and 600MW is only average tech these days.

    Lest you think this kind of thing is impossible - the oil pumps _were_ accidentally switched off on one such beast in the 1980s thanks to a SCADA failure. Within a couple of minutes the turbine shaft was glowing red hot and the generator had to be written off. (FWIW these things take the best part of a day to spin up or down.)

    1. Roland6 Silver badge

      Re: Let's hope...

      > FWIW these things take the best part of a day to spin up or down.

      Must be something to do with the design; Dinorwig's turbines spin up in under 12 seconds and take slightly longer to spin down...

      1. Anonymous Coward
        Anonymous Coward

        Re: Let's hope...

        The day to spin up or down sounds much more characteristic of a thermal delay somewhere (boilers/reactors warming up from cold) than it does of the actual turbine.

        Dinorwig's 'under twenty seconds' applies when notice has been given in advance, so the turbines can be rotating at speed but without actually generating. From stationary ie without advance notice, eg in response to unplanned outage elsewhere, takes a little while (but not much) longer.

        Sources: Wikipedia and www.fhc.co.uk and visitor tours via Electric Mountain.

  11. ecofeco Silver badge
    Facepalm

    Keys in car, door unlocked, just popping in...

    To make ANY critical process exposed to the Internet is beyond stupid.

    It's criminal.

  12. Neoc

    WTF?

    "... Steps were taken to make sure the honeypots were easily discovered. The sites were optimised for searches and published on Google...."

    "It took only 18 hours to find the first signs of attack on one of the honeypots"

    No shit, Sherlock. The only thing you didn't do was stand on top of a tall building and scream out the IP addresses. "Hey, let's make them easy to find and act surprised when they are found in record time!"

  13. Anonymous Coward
    Anonymous Coward

    Re: why "board level staff" should "do time"

    [For Charles, D A M, etc]

    It's about a better balance of risk and reward than we currently see at senior levels in the corporate world.

    In any business sector, board level folk may not design systems or write code, but when things go well, they pay themselves huge sums of money, as though the organisation's success is down to their actions and their input.

    But if/when things go badly, suddenly the smooth working of the organisation is rarely their responsibility, let alone their fault.

    On the rare occasions that things go so badly that there is an external financial penalty, the business (ie its customers) typically pay it in due course, not the individuals whose responsibility it was to oversee that the business was run properly.

    Often when things go badly, the responsible member may move on with a nice golden handshake. You don't have to look hard to see plenty of examples of this.

    That's why.

    TL;DR? "Pour encourager les autres".
