North American drinking water treatment plants are far from secure from hackers intent on breaching control system security, says Kyle Wilhoit, a senior threat researcher with security company Trend Micro.
About one quarter of the company’s 5,000 employees devote their efforts to researching potential security lapses and vulnerabilities in software and control systems.
One of Wilhoit’s research projects involved setting up water system honeypots: virtual water systems created through cloud software and designed to lure potential attackers into the open.
The team established a dozen honeypots that appeared as water systems located in countries around the world, including the U.S., Ireland, Russia, Singapore, China, Japan, Australia and Brazil.
Vulnerabilities take a hit
“To an outside attacker, these honeypots look like the controls of a real water system, with a Web-based login and configuration screens for a water plant,” Wilhoit says. “Each of the control parameters was customized using regional language variances that would be authentic for that location. For example, the Chinese honeypot used Mandarin terminology.”
Potential water system attackers range from bored student hackers to more malicious intruders, including agents of foreign governments. Some of them simply conduct generic Internet scans looking for open ports that might lead to an Industrial Control System (ICS). Others use more sophisticated software to identify login screens and human-machine interfaces that resemble those of an ICS.
“During a four-month period in 2013, we watched 74 attempts from attackers who clearly thought they were doing anything from changing the temperature or pressure of the water to shutting down pumps,” Wilhoit says.
The attacks were launched from 16 countries, including Russia, the U.S., China, Germany, the U.K., France, Palestine and Japan.
“In many cases, attackers are just testing their capabilities against the vulnerabilities of the plants,” he says. “In others, they’re collecting statistical data about the plants or examining the type of technology that’s being used. In 10 of the attacks, they believed they were taking complete control of the system and shutting it down.”
In one security breach during an earlier research project, an attacker used a Word document containing malicious software to launch an offensive against an American honeypot. Wilhoit says the attack was consistent with others undertaken by APT1, a group associated with the Chinese army.
Proactive security
Wilhoit also notes that these virtual attacks have been mirrored in real life in unpublicized incidents at water plants across the globe.
While water plants aren’t likely to eliminate the functionality that allows engineers to remotely access and manage a plant in an emergency, more can be done to improve security at those plants, he says.
Potential strategies include increased use of air-gapped systems that employ measures such as cryptographic devices, and virtual private networks, in which local networks are secured through encryption and only trusted parties are granted access.
“These facilities should also make sure that they eliminate lax security policies in which they fail to terminate clearance for former employees and contractors,” says Wilhoit.
Wilhoit plans to expand his research to an actual facility in which attackers would be monitored as they harmlessly gain access to representations of all the controls across an entire ICS.
“That would give us a better understanding of what they are attempting to do and how adept they are at doing it,” he says. “Ultimately, our goal is to raise awareness about these security threats and to help industrial defenders better protect their facilities.”