Date post: 28-May-2020
Page 1: The OT Honeypot: Reloaded - Atkins/media/Files/A/Atkins...The need for resilience is what separates the cyber security requirements of OT from IT. An attack on an IT system may result

Dr Ian Buffey

The OT Honeypot: Reloaded

atkinsglobal.com/cyber


Operational technology (OT) controls the production and distribution of energy and water, the smooth running of our transport systems (air, road, rail and sea) and the production of chemicals and pharmaceuticals. This critical national infrastructure (CNI) that we rely on needs to be safe and resilient to accidental or malicious actions, whether that’s a physical security breach or a cyber attack.

The need for resilience is what separates the cyber security requirements of OT from IT. An attack on an IT system may result in vital information being lost or stolen, or websites and other online services may not be available for some time. However, the impact on the physical world will not usually be immediate and may not be noticed. In contrast, a cyber attack on the OT that manages and monitors essential services such as power and water would be felt immediately and it may put our safety or the environment at risk.

The threat to OT is well known and many security professionals would agree that having an OT system visible from the internet, without adequate protection, significantly increases its vulnerability. And yet search engines such as Shodan, which are used to identify devices connected to the internet, show many systems are exposed.

Atkins’ experiments

In 2014, we set up a high-interaction OT ‘honeypot’ to enable us to understand how these systems were being targeted and to learn more about the attackers’ tools, tactics and procedures (TTPs). In computing, a honeypot is a system or device designed to entice a would-be attacker. Using one is like playing a game of cat and mouse: attackers understand honeypots are used to investigate their activities and if they’re not careful they’ll reveal their TTPs for no benefit. There’s also a chance their activities will be attributed and they may be prosecuted or named publicly.

We developed an application that resembled real automated processes and used common control system components and operator interfaces to ensure the honeypot was attractive to hackers. The technologies were chosen in collaboration with selected infrastructure asset owners.

The attacks on our honeypot ranged in their degree of sophistication and in some cases, the hackers demonstrated an in-depth knowledge of OT. A full account of the experiment can be found on Atkins’ website.

Recently, we repeated a part of the project to see if the level of interest in OT, or the actions of attackers, had changed over the past five years. We found:

› There was a significant increase in interest in OT devices – activity rose by a factor of over 100.

› Scanning for other protocols and vulnerabilities increased too, which could cause issues for OT.

› There are also things we didn’t see this time but expect to in the future.

The OT honeypot: reloaded


Our operational technology is at greater risk

In the 2014 experiment, we distinguished between attackers looking for devices exposing OT communication protocols and attackers looking for more generic protocols that could be a part of an OT system, for example, the commonly used HTTP(S), which is used to transfer data over the web. We also ensured the honeypot could easily be found on Google. There was very little probing for the OT communication protocols we exposed. In fact, 100 days into the experiment the only activity was from Shodan. By contrast, scanning of common IT protocols such as HTTP started within a couple of hours and continued throughout.

In the latest test, we exposed a commonly used OT communications protocol on its own. That is, we didn’t reveal other protocols to entice a would-be attacker. Some of the key findings from our experiment included:

› Activity increased by a factor of around 100. We only had to wait two hours for the first connection (compared with around 100 days in 2014).

› The honeypot was scanned by 120+ IP addresses in 70 days.

› 60+ of those devices sent messages to our server (i.e., they didn’t just open or half-open a connection). This would have enabled them to change vital system information.

› It was clear that many people were looking specifically for OT devices.

› We saw scanning for common software and communication protocols on ports other than the standard port for that protocol. Port obfuscation is no longer a useful security technique.

› Some messages (e.g., from nmap scans) look like messages to read or write data. Therefore, there’s a chance an attacker/researcher could accidentally cause a real device to execute an action. Standard tools gave differing results when we analysed the messages we received; a poor parser in a real device might fare worse, although most reputable manufacturers will have their protocol implementations tested.

› There were connections from around the world, some easily attributed to universities and other researchers (e.g., Shodan) and others that were harder to attribute.

› Some attackers/researchers were clearly employing multiple machines to scan the internet and in some cases it appears their systems were a little clumsy, resulting in heavy and repeated scanning.

What we didn’t see

We were surprised to find none of the visitors to the honeypot deliberately read or wrote process data. When an attacker reads data from a device, for example, temperature, flow, pressure or whether or not a pump is running at a water plant, they are not doing anything which will cause harm, unless they do so at such a high rate that the normal function of a device is impacted. But if they are writing data, they could alter critical details, such as alarms that may have been set to warn operators of a problem, the level of chemicals in the water supply, or they may be able to start or stop a pump or other equipment.

In the 2014 experiment, an attacker did reconfigure a programmable logic controller (PLC) to lock us out but they didn’t do anything that would cause an impact in the real world. There are potential benefits to attackers in reading or writing process data:

› Industrial processes generally have time-based patterns. Some power stations only generate power at peak times, demand for water varies over a 24-hour period, etc. Looking at these patterns would help attackers understand if the system they were interested in was controlling a real industrial process.

› Writing to a PLC could cause disruption to the controlled process. Writing random values to random addresses in the PLC would be a hit-and-miss process but it doesn’t require much effort from the attacker.

There are checks and balances in place to stop a security breach of this kind. However, it’s still a concern because of its potential impact and because there could be people who are willing to spend their time carrying out random attacks in the hope one will have a significant effect.
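As an added example (not code from Atkins’ honeypot), the following classifier shows how a defender would sort captured honeypot traffic into the categories the findings above distinguish: connections that were only opened or half-opened, messages that were not the expected OT protocol at all, and well-formed requests that read or write process data. It assumes the exposed protocol was Modbus/TCP, which the paper does not name, and every record in it is constructed rather than captured. The parser rejects any frame whose length fields do not add up, which is the discipline a real device needs so that a malformed scanner probe is not acted upon, and it recognises the protocol from the payload rather than the port, so a scan against a non-standard port is still seen for what it is. Run inline on a real control network, the same logic is the kind of detection the paper later recommends operators deploy.

```python
"""
Classify what each visitor to a Modbus/TCP honeypot actually did.

Added example, not code from Atkins' honeypot. It assumes the exposed
protocol is Modbus/TCP (the paper does not name it) and uses constructed
records in place of captured traffic.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

# Modbus public function codes that read process data versus write it.
READ_CODES = {1, 2, 3, 4}           # coils, discrete inputs, holding/input registers
WRITE_CODES = {5, 6, 15, 16, 23}    # single/multiple coils and registers, read/write multiple
MODBUS_PORT = 502


@dataclass
class Record:
    """One TCP connection seen by the honeypot; empty payload = no data sent."""
    src: str
    dst_port: int
    payload: bytes


def parse_modbus(payload: bytes):
    """Parse a Modbus/TCP request conservatively.

    Returns {"fc", "category", "address"} for a well-formed frame and None
    otherwise. Every length is checked before a field is read: a permissive
    parser that acted on a truncated or mis-sized frame is the failure mode
    that makes scanner traffic risky for a real device.
    """
    if len(payload) < 8:                               # MBAP header (7) + function code (1)
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:       # protocol id is 0; length covers unit id + PDU
        return None
    fc = payload[7]
    if fc in READ_CODES or fc in WRITE_CODES:
        if len(payload) < 12:                          # need at least start address + quantity/value
            return None
        address = struct.unpack(">H", payload[8:10])[0]
        return {"fc": fc, "category": "read" if fc in READ_CODES else "write", "address": address}
    return {"fc": fc, "category": "other", "address": None}   # e.g. 43 = device identification


def classify(records):
    """Group records by source address and record what each source did."""
    per_src = defaultdict(lambda: {"connections": 0, "messages": 0,
                                   "categories": set(), "nonstandard_port": False})
    for rec in records:
        entry = per_src[rec.src]
        entry["connections"] += 1
        if not rec.payload:
            continue                                   # opened or half-opened a connection only
        entry["messages"] += 1
        parsed = parse_modbus(rec.payload)
        if parsed is None:
            entry["categories"].add("non-modbus")
        else:
            entry["categories"].add(parsed["category"])
            if rec.dst_port != MODBUS_PORT:            # protocol identified by payload, not port
                entry["nonstandard_port"] = True
    return dict(per_src)


def summarise(per_src):
    """Headline figures in the form the paper reports them."""
    return {
        "scanning_sources": len(per_src),
        "message_senders": sum(1 for e in per_src.values() if e["messages"] > 0),
        "write_sources": sorted(s for s, e in per_src.items() if "write" in e["categories"]),
    }


def frame(pdu: bytes, tid: int = 1, unit: int = 1) -> bytes:
    """Wrap a PDU in an MBAP header (used only to build the constructed samples)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (documentation addresses, not real sources).
SAMPLE_RECORDS = [
    Record("198.51.100.10", 502, b""),                                                  # half-open twice
    Record("198.51.100.10", 502, b""),
    Record("198.51.100.20", 502, frame(b"\x03" + struct.pack(">HH", 0, 10))),           # read 10 holding registers
    Record("198.51.100.30", 502, frame(b"\x10" + struct.pack(">HHB", 100, 1, 2) + b"\x00\x01")),  # write register 100
    Record("198.51.100.40", 502, frame(b"\x2b\x0e\x01\x00")),                           # read device identification
    Record("198.51.100.50", 5020, frame(b"\x01" + struct.pack(">HH", 0, 8))),           # Modbus on a non-standard port
    Record("198.51.100.60", 502, b"GET / HTTP/1.0\r\n\r\n"),                            # generic web probe
    Record("198.51.100.70", 502, b"\x00\x01\x00\x00\x00\x06\x01\x06\x00\x05"),          # truncated write, bad length field
]

if __name__ == "__main__":
    per_source = classify(SAMPLE_RECORDS)
    for src, entry in per_source.items():
        print(src, entry)
    print(summarise(per_source))
```

Per source, the output says whether it only opened connections, sent something other than Modbus, or issued reads, writes or other well-formed requests; the truncated write from the last sample source is reported as non-Modbus rather than as a write to register 5, which is the distinction a robust device parser must make.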



How do we explain the changes?

We expected attackers to show greater interest in industrial control systems during our most recent experiment, compared with our 2014 test. But the extraordinary 100-fold rise in activity demonstrates just how much our world has changed in the years since the first experiment.

Now, hackers are explicitly targeting our CNI. There have already been several high-profile attacks, including in Ukraine in 2015 and 2016, where the power grid and other corporate systems were compromised, and in Saudi Arabia in 2017, where a security breach at the Petro Rabigh oil refinery forced the operator to temporarily halt its operations.

But there has been good news in recent years too. Our awareness of cyber security has increased in line with the emerging threats, and taking the steps necessary to protect our vital infrastructure is no longer optional – it’s required by law. In the European Union, the Network and Information Systems Directive (NIS Directive) applies to the operators of our essential services. That is, our energy, transport, water, digital infrastructure and our healthcare services. These organisations must be able to demonstrate they understand the threat to their network and systems and have wide-reaching measures in place to protect against, detect and manage a security breach.

The introduction of legislation has focused people’s attention on cyber security. It’s now the concern of many senior executives and board members and they are openly discussing and investing in initiatives that will help them develop resilience.



The next five years

What can we expect to happen in the next five years, given the recent pace of change? As previously stated, the threat to OT is already significant so should we expect it to grow?

› As an industry, we’re just starting to embrace the Internet of Things (IoT) and the opportunities for hackers will increase as more devices are connected. Some of the weaknesses in the security of domestic products have already been exposed so we must ensure industrial devices and data are protected before we embed them within our organisations.

› We’ll become more reliant on OT as we look for ways to improve efficiency and productivity, and as we embrace automation. Having people with the technical skills and knowledge to address problems as they arise will be key to ensuring our infrastructure is resilient.

› Hackers will become better at categorising devices. That is, they’ll understand what a particular device is doing and what network or system it might be a part of. Currently, the techniques people are using tell you what the device is but not what it’s doing. That means a hacker could spend a lot of time targeting a trivial device. As their approaches become more sophisticated, they’ll be able to focus their activity.

› We expect to see an increasing number of nation-state driven cyber security incidents.

› We must change the way we do business. Hackers can trade information, devise new strategies and launch attacks swiftly so organisations need to be able to respond quickly too. We’ll have to become more agile if we’re to operate successfully in a more connected world.

How should CNI operators respond?

Our original experiment was conducted to help infrastructure owners and operators understand the threats to their organisations and assets, and it helped us learn more about potential attackers’ approaches and tools. The honeypot was visible from the internet, and OT shouldn’t be but it can happen by accident, for example, during plant pre-commissioning or commissioning. As a result, we believe operators should consider:

› Ensuring staff members and contractors are trained to maintain robust cyber security. That includes adhering to approved access methods and avoiding direct connections between OT and the internet.

› Designing systems so people can’t access them unless they pass several technical controls.

› Deploying honeypots or other detection technology in real control systems so anomalies can be detected and attackers identified before they inflict any damage or do any harm.

› There must also be a robust response procedure to ensure any alerts generated are acted upon, not ignored.



snclavalin.com

atkinsglobal.com/cyber

Or contact us at [email protected]

About the author

Dr Ian Buffey

Technical Director, ICS Security

Ian has worked with ICS (SCADA and DCS) for over 30 years, specialising in security since 2004. He has a record of successful delivery on complex systems controlling the Critical National Infrastructure in a variety of countries worldwide.

He has seen many changes in the ICS arena and a key focus area now is how the security and resilience of systems are affected by the introduction of distributed resources, including cloud.
