Honeypot for phony waterworks gets hammered on Internet

An experiment in which a Trend Micro researcher set up two instances of an Internet-based simulation of an industrial-control system (ICS) for a nonexistent water-pump facility in rural Missouri found the simulated system was targeted 17 times over about four months in ways that would have been catastrophic if it had been a real waterworks operation.

The purpose of this "honeypot" ICS, which mimicked a water-pump supervisory control and data acquisition (SCADA) network, was to find out how frequent targeted attacks might be against real-world SCADA systems that are reachable via the Internet, said threat researcher Kyle Wilhoit, who is presenting his findings today at the Black Hat Europe Conference. Wilhoit -- whose background includes working at real-world energy and water companies -- says his honeypot setup closely resembles what's in actual use at companies today.


The ICS water-pump station mock-up, set up last November, was found by online attackers within a few days, and the tampering attempts began. Over the following months there were 12 serious targeted attempts to shut down the water pump and five attempts to modify the pump processes -- all of which would have succeeded had it been a real water system. About one-third of the attacks came from China, 19% from the U.S. and 12% from Laos; a variety of other countries, including Russia and the Palestinian territories, were also the source of targeted attacks.

The honeypots, which are still in operation, each consist of a SCADA system and a server with planted ("salted") fake operational documents intended to give attackers something to steal.

The first honeypot is a network built on physical hardware, including a Siemens Simatic S7-1200 controller, operated out of Wilhoit's St. Louis basement. The second honeypot is a virtualized version of it running in the Amazon EC2 cloud. Via the Google and Shodan search engines, attackers quickly identified the online existence of Wilhoit's Siemens programmable-logic controller and the fake rural Missouri water-pump company he'd created.

There were plenty of scans against the honeypot system, but the targeted attacks, which were of most interest to Wilhoit, came in through vulnerable Web front ends and systems that had been deliberately misconfigured -- the type of mistakes common in energy and water companies today.
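The article separates the noise (scans) from the handful of attempts that would have stopped or altered the pump. The script below, added here as an illustration and not code from the article or from Trend Micro's honeypot, shows that triage over honeypot Web-front-end requests. The log format, the country column (assumed to come from an upstream GeoIP lookup), the control paths /pump/stop and /pump/setpoint, and every log line are constructed for the example.

```python
"""Triage ICS-honeypot front-end requests into scans vs. targeted control actions.

Added example; not the article's or Trend Micro's code. Log format, paths and
entries are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed log lines: client IP, ISO country code (assumed to be added by a
# GeoIP lookup upstream), HTTP method, request path, response status.
SAMPLE_LOG = """\
203.0.113.7 CN GET /index.html 200
203.0.113.7 CN GET /pump/status 200
203.0.113.7 CN POST /pump/stop 200
198.51.100.23 US GET /robots.txt 404
198.51.100.23 US GET /manager/html 401
192.0.2.88 LA POST /pump/setpoint?rpm=0 200
192.0.2.88 LA POST /pump/setpoint?rpm=9000 200
203.0.113.250 RU GET /wp-login.php 404
198.51.100.9 US POST /pump/stop 200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<cc>[A-Z]{2}) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Hypothetical handlers that would write to the PLC in a real front end.
# Only state-changing methods count as an attempt to act on the process.
SHUTDOWN_PATHS = {"/pump/stop"}
MODIFY_PREFIXES = ("/pump/setpoint",)
WRITE_METHODS = ("POST", "PUT")


@dataclass(frozen=True)
class Event:
    ip: str
    country: str
    category: str  # "scan", "read", "shutdown" or "modify"


def classify(line: str) -> Optional[Event]:
    """Map one log line to an Event, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparsable line: drop it rather than guess
    path = m["path"].split("?", 1)[0]
    method = m["method"]
    if method in WRITE_METHODS and path in SHUTDOWN_PATHS:
        category = "shutdown"
    elif method in WRITE_METHODS and path.startswith(MODIFY_PREFIXES):
        category = "modify"
    elif path.startswith("/pump/"):
        category = "read"  # looked at the process but did not touch it
    else:
        category = "scan"  # generic web probing, indexing, credential guessing
    return Event(m["ip"], m["cc"], category)


def triage(lines: Iterable[str]) -> dict:
    """Count events per category and attribute targeted ones by country and IP."""
    events = [e for e in (classify(line) for line in lines) if e]
    targeted = [e for e in events if e.category in ("shutdown", "modify")]
    return {
        "by_category": Counter(e.category for e in events),
        "targeted_by_country": Counter(e.country for e in targeted),
        "targeted_sources": sorted({e.ip for e in targeted}),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

The split matters because the two buckets need different responses: scans are expected background on any public address, while a single state-changing request against a process endpoint is the event worth attributing and escalating.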

Attackers returned repeatedly to exploit vulnerabilities on the devices and attempt further actions. The experiment also made use of the malware honeypot Dionaea, and Trend Micro is analyzing the samples collected there.

The point of this project, Wilhoit emphasizes, is that while attention is focused on malware such as Stuxnet and Flame designed for cyber-espionage and cyber-sabotage, the reality is that attackers are looking for whatever critical-infrastructure pieces, such as SCADA systems, might be left exposed on the Internet. He adds that no SCADA or ICS system should be reachable in this way, but many likely are, and real-world attacks on them may be more prevalent than is generally known.
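Shodan found the honeypot's PLC with nothing more than a TCP connect to a well-known port. The check an operator would want is the same thing run against their own address space before someone else does it. The script below is an added example, not code from the article or from Trend Micro; the port-to-protocol list is an assumed set of common ICS defaults, and the loopback "fake PLC" listener is a constructed stand-in so the example runs offline. Run it from outside the plant network, only against addresses you are authorised to test.

```python
"""Find ICS/SCADA service ports that accept connections from the outside.

Added example; not the article's or Trend Micro's code. The port list is an
assumption (common defaults), and fake_plc_listener() is a constructed stand-in
for an exposed controller so the script can be demonstrated on loopback.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Iterable, List, Tuple

# Assumed defaults; adjust to the protocols actually in use on your network.
ICS_PORTS = {
    102: "ISO-TSAP / Siemens S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}


def port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP handshake completes. No protocol data is sent."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def find_exposed(hosts: Iterable[str], ports: Iterable[int] = tuple(ICS_PORTS),
                 timeout: float = 1.0, workers: int = 32) -> List[Tuple[str, int]]:
    """Return (host, port) pairs that accept TCP connections, in input order."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda t: port_open(t[0], t[1], timeout), targets))
    return [t for t, is_open in zip(targets, flags) if is_open]


def fake_plc_listener() -> Tuple[socket.socket, int]:
    """Constructed stand-in for an exposed PLC: a loopback TCP listener.

    Returns the listening socket (close it when done) and its port. The kernel
    completes handshakes from the backlog, so no accept() loop is needed.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:]
    if hosts:
        for host, port in find_exposed(hosts):
            print(f"{host}:{port} open ({ICS_PORTS.get(port, 'unknown')})")
    else:
        # Offline demonstration against the constructed loopback listener.
        srv, port = fake_plc_listener()
        try:
            print("exposed:", find_exposed(["127.0.0.1"], [port]))
        finally:
            srv.close()
```

A completed handshake is all a search engine needs to index a device; the protocol banner comes later. So treat any hit from this check as already discoverable, and put the service behind a VPN or jump host rather than relying on the port staying unnoticed.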

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: emessmer@nww.com.

Tags: Trend Micro, security, ICS, SCADA security, security honeypot, Black Hat Europe