A security researcher has shown that hackers, including an infamous group from China, are trying to break into the control systems tied to water supplies in the U.S. and other countries.
Last December, a decoy water control system disguised as belonging to a U.S. municipality attracted the attention of a hacking group tied to the Chinese military, according to Trend Micro researcher Kyle Wilhoit. A dozen similar traps set up in eight countries lured a total of 74 attacks between March and June of this year.
Wilhoit's work, presented last week at the Black Hat conference in Las Vegas, is important because it helps build awareness that the threat of a cyberattack against critical infrastructure is real, security experts said Tuesday.
"What Kyle is saying is really neat and important," said Joe Weiss, a security expert and consultant in industrial control systems (ICS). "What he's saying is that when people see what they think is a real control system, they're going to try and go after it. That's a scary thought."
Indeed, the people behind four of the attacks went past the login pages and manipulated the communication protocol used to command the industrial hardware. Their motivation is unknown, but the path they took is the same one that could be used to destroy pumps, filtration systems or an entire facility.
To sabotage a specific system deliberately, attackers would need its design documents. Wilhoit's research showed that there are hackers willing to cause damage without knowing the exact consequences, according to Andrew Ginter, vice president of industrial security at Waterfall Security, who studied the research. "If you just start throwing random numbers into (control systems), the world is going to change," Ginter said. "Things are going to happen. You don't know what. It's a random type of sabotage."
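The two paragraphs above describe the behaviour a honeypot operator most wants to catch: a client that stops browsing the decoy's web pages and starts issuing write commands over the control protocol. The article does not name the protocol; the example below assumes Modbus/TCP, the most common one on water and wastewater PLCs, and that assumption is mine, not the article's or Trend Micro's. The code is an added illustration, not Wilhoit's honeypot code: it parses Modbus/TCP frames, decodes the write requests (coil and register writes, the "random numbers" Ginter refers to), and raises an alert for any write that does not come from an allow-listed engineering workstation or that does not parse at all. The IP addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change process state. Addresses are the 0-based
# protocol addresses carried on the wire, not vendor "40001"-style names.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src: str              # source IP of the TCP client (constructed for this example)
    transaction_id: int
    unit_id: int
    function: int
    data: bytes           # PDU bytes that follow the function code


def parse_modbus_tcp(src, frame):
    """Parse one Modbus/TCP ADU: a 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The MBAP length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, tid, unit, frame[7], bytes(frame[8:]))


def describe_write(req):
    """Render the target and value of a write request for an analyst."""
    d = req.data
    if req.function == 5:
        addr, val = struct.unpack(">HH", d[:4])
        return f"coil {addr} := {'ON' if val == 0xFF00 else 'OFF'}"
    if req.function == 6:
        addr, val = struct.unpack(">HH", d[:4])
        return f"register {addr} := {val}"
    if req.function == 16:
        addr, count, nbytes = struct.unpack(">HHB", d[:5])
        if nbytes != 2 * count or len(d) < 5 + nbytes:
            return f"registers from {addr}: malformed payload"
        vals = struct.unpack(f">{count}H", d[5:5 + nbytes])
        return f"registers {addr}..{addr + count - 1} := {list(vals)}"
    if req.function == 15:
        addr, count = struct.unpack(">HH", d[:4])
        return f"coils {addr}..{addr + count - 1} := {d[5:].hex()}"
    return f"function {req.function}, raw {d.hex()}"


def triage(events, trusted_sources):
    """Return (src, function, name, detail) for every write from an untrusted
    host; frames that fail to parse are reported with function -1."""
    alerts = []
    for src, frame in events:
        try:
            req = parse_modbus_tcp(src, frame)
        except ValueError as exc:
            alerts.append((src, -1, "Malformed frame", str(exc)))
            continue
        if req.function in WRITE_FUNCTIONS and src not in trusted_sources:
            alerts.append((src, req.function, WRITE_FUNCTIONS[req.function],
                           describe_write(req)))
    return alerts


# Constructed sample traffic: hosts and frames are made up for this example.
TRUSTED_SOURCES = {"192.0.2.10"}   # the plant's engineering workstation (assumed)
SAMPLE_EVENTS = [
    # trusted host polling 10 holding registers: normal, no alert
    ("192.0.2.10", bytes.fromhex("000100000006" "0103" "0000000a")),
    # unknown host writing 0xFFFF into register 16
    ("203.0.113.5", bytes.fromhex("000200000006" "0106" "0010ffff")),
    # same host writing two registers starting at address 0
    ("203.0.113.5", bytes.fromhex("00030000000b" "0110" "00000002" "04" "12340000")),
    # another host forcing coil 1 ON
    ("198.51.100.7", bytes.fromhex("000400000006" "0105" "0001ff00")),
    # truncated frame: MBAP claims 6 bytes follow the header but only 3 do
    ("198.51.100.7", bytes.fromhex("000500000006" "0106" "00")),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, TRUSTED_SOURCES):
        print(alert)
```

On a real network the same logic sits on a span port or in the honeypot's own listener; the point of decoding the write rather than just counting function codes is that the decoded address and value tell an analyst whether the client was exploring or actually trying to change a setpoint.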
The Chinese hacking group, known as APT1, is the same team that security vendor Mandiant had tied to China's People's Liberation Army. The group, also called the Comment Crew, is focused on stealing design information, not sabotage, experts said.
Because sabotage would invite retaliation and possibly war, China is unlikely to mount that type of attack. No such restraint applies to terrorists, however.
While Wilhoit did not identify any terrorist groups, his research did show that attackers are interested in small utilities. Each honeypot was masked by Web-based login and configuration screens built to look as if they belonged to a local water plant. The decoys were set up in Australia, Brazil, China, Ireland, Japan, Russia, Singapore and the U.S.
Attackers will often start with smaller targets to test software tools and prepare for assaults on larger facilities, Weiss said. "The perception is that they'll have less monitoring, less experience and less of everything else (in security) than the big guys," he said.
While Wilhoit's honeypots showed that a threat exists, they did not fully reflect a real-world target: control systems are typically not as easy to reach from the Internet, particularly at larger utilities.
Buried within a company's infrastructure, a control system could not be reached without first penetrating the company's defensive perimeter and then locating the IP address of the host running it, said Eric Cosman, vice president of standards and practices for the International Society of Automation.
None of the attackers in Wilhoit's research showed a high level of sophistication, which wasn't surprising: attackers typically use only as much capability as they need to succeed, and nothing more.
"(Advanced attackers) are known to have many cards in their pockets, and they pull out the cheapest card first," Ginter said. "If they can win the game with a two of hearts, then that's the card they'll play."
Wilhoit's research is seen as one more step toward building public awareness of the threats to critical infrastructure. In addition, such reports are expected to have an impact on regulators.
"You're going to have public utilities commissions reading this report and asking the utilities questions," Ginter said. "In a sense, this is a good thing. The awareness level needs to go up."