We have been seeing a couple of reports (for
example) about organizations setting up ICS honeypots and finding that they
are attacked fairly routinely. If the honeypot results are translatable to
actual control systems, we should be seeing lots of reports about attacks on
actual systems.
We are hearing about some sort of ‘attacks’ on energy
company control systems, but very little information about those is making it
into public discussion. The public reports seem to indicate that these are more
system information gathering attempts rather than actual attacks (though they
may be preludes to attacks), so even these are not the same as being reported
from the ICS honeypot experiences.
So, are the honeypots being targeted because they are
honeypots, or are they really representative of what is happening in real world
control systems? If we assume that honeypots aren’t being specifically targeted
(and what self-respecting hacker would waste their time on such a target?), then
why are we not seeing evidence of more attacks on control systems? I think
there may be a couple of explanations.
First off, the vast majority of deployed control systems are
relatively unsophisticated and have little to no security. For most of these
facilities there are no cybersecurity professionals on staff and there may not
even be a trained control systems engineer working at the facility. Indications
of a simple hack may be nothing more than a hiccup in the control system; an
intermittent failure in a particular control. The standard response would be to
replace the ‘faulty’ control or maybe even just monitor for future failures.
Even an ICS DoS attack might not be recognized as an attack by most
organizations.
A sophisticated attack could seriously damage equipment or
shut the plant down, but there is little incentive for a sophisticated attacker
to hack most control systems; no economic or political gain to justify the
expense. The average hacker, however, is not going to have both the cyber-system
knowledge and the process knowledge necessary to cause serious harm to these
systems, except by accident. They might be able to gain that level of
sophistication by constant observation and tweaking of the system, but few
hackers will have the incentive to spend that amount of time and effort on the
average control system.
The average hacker will use these most vulnerable control
systems to refine and develop their ICS skills. They will establish backdoors
that they can use to verify to their friends and competitors that they have
hacked these systems and they may leave the hacker equivalent of Easter eggs in the
system to mark their passage, but their goal will be to remain undetected by
the system owners. Being detected by unsophisticated owners will be a
pre-requisite to their moving up the hierarchy of control system
sophistication.
The organized hackers (nation states, terrorists, criminal
gangs, hacktivists) are going to go after the big guys, the ones with at least
some computer security savvy. These are the ones that would justify the time and
knowledge necessary to have a significant, planned and controlled attack on a
control system. The other systems, however, are going to be the ones that
experience the most frequent attacks, and unfortunately, they are the ones
least likely to be able to deter, detect or delay such attacks.