Dewan Chowdhury of Malcrawler gave a presentation at the 15th ICS Cyber Security Conference on ICS honeypots. Malcrawler created a honeypot that replicates the Energy Management System (EMS/SCADA) of a modern electric company and the hackers came from novices to sophisticated Advanced Persistent Threat (APT) actors sponsored by nation state. The honeypot let hackers think they were controlling key parts of the power grid, including nuclear power generators, major transmission lines, smart grid distributed automation systems, and more. According to Chowdhury, large nation state attackers would steal information pertaining to the electric grid from fake transmission diagrams to RTU configuration files, but they never performed sabotage on the grid. On the other hand actors from the Middle East would perform sabotage from disconnecting nuclear plants to triggering relays on major transmission substations.
Two years ago, Kyle Wilhoit from TrendMicro gave a presentation at the 13th ICS Cyber Security Conference on ICS honeypots http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf. From March to June 2013, TrendMicro observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet. Out of these 74 attacks, 10 were considered “critical.” Critical attacks are those without established motivations but can cause the catastrophic failure of an ICS device’s operation. 20% of the critical attacks came from Middle Eastern IP addresses. The attacks from Russia were not critical attacks. TrendMicro has continued their honeypot research with very interesting results. GasPot, a honeypot also created by Kyle Wilhoit and fellow researcher Stephen Hilt, mimicked a Guardian AST gas pump monitoring ICS device. Similar to previous findings, the pair witnessed attacks across the US from several countries- namely Iran and Syria. These attacks could have caused supply chain damage, as gas pump monitors that were hacked may stop the station from receiving gasoline.
In December 2014, Cylance issued the report “Operation Cleaver” stating this is an Iranian state-sponsored campaign. According to Cylance, this campaign’s intentions may be to damage ICS/SCADA systems and impact critical infrastructures. There is an intense focus on CI companies in South Korea, which could give Iran additional clout in their burgeoning partnership with North Korea. In September 2012, Iran signed an extensive agreement for technology cooperation agreement with North Korea, which would allow for collaboration on various efforts including IT and security. I am drawing no conclusions about the December 2014 hacking of the South Korean nuclear plants. Within Cylance’s investigation, there was no direct evidence of a successful compromise of specific ICS or SCADA networks, but Cleaver did exfiltrate extremely sensitive data from many critical infrastructure companies allowing them to directly affect the systems they run. This data could enable them, or affiliated organizations, to target and potentially sabotage ICS and SCADA environments with ease.
Another relevant presentation at the 15th ICS Cyber Security Conference was by Jason Iler of Tripwire. He stated that for less than $10,000, Gleg offers a SCADA exploit pack with about 200 new ICS cyber vulnerabilities including more than 90 “zero days”. Combine this with readily available metasploits on the web for free, critical infrastructures become an “easy” target.
I reviewed several papers from Iranian scientists and engineers on ICS cyber security. The authors were very knowledgeable in this area. Moreover, there was attendance from Iran and other Middle Eastern countries at the June 2015 International Atomic Energy Agency (IAEA) Nuclear Plant Cyber Security Conference in Vienna where a demonstration was performed on hacking the water pumps in a nuclear plant.
November 12th, I attended a High Tech Criminal Investigation Association (HTCIA) meeting. The speaker was a Digital Forensic Examiner from one of the 16 ASCLD accredited laboratories. When I asked, the Digital Forensic Examiner stated they did not have the capability for assessing ICS cyber issues (more on that in a separate blog).
Considering the vulnerabilities of our critical infrastructures as demonstrated by the red team exercise discussed at the 15th ICS Cyber Security Conference (an effectively NERC CIP-compliant utility being compromised within 30 minutes with no indication), the results of the ICS honeypots and other studies, the availability of ICS cyber exploits, and the lack of attribution, there should be more concern about the very viable cyber threat to our critical infrastructures.
Joe Weiss
