There is an interesting
article over at TechnologyReview.com about a honeypot research project
reported at the Black Hat conference in Las Vegas. This research was a
continuation of the earlier honeypot work reported by Kyle Wilhoit at
TrendMicro. The article reports that:
“Between March and June this year,
12 honeypots deployed across eight different countries attracted 74 intentional
attacks, 10 of which were sophisticated enough to wrest complete control of the
dummy control system.”
It would be interesting to see a formal paper written on the
work done to date. It would be a very informative look at how actual
vulnerabilities are being exploited in the wild. It would also allow independent
experts to look at Kyle’s honeypots to make sure that there wasn’t something
done with them that made them more vulnerable or more attractive to attack than
actual water control systems. If these honeypots were properly constructed (and
I have no reason to suspect they were not) then I think that any reasonable
person would have to count these as confirmed attacks on control systems.
The Bigger Question
This brings to mind a bigger question: if your local water
system was hacked, would anyone know? Depending on the sophistication of the
attack (and if, as reported, APT1, the Comment Crew, is involved, I would
expect a fairly sophisticated attack), I doubt that most water system operators
would know unless a really serious process upset were caused. Even then, most of
the time system operators are not going to question the actual system behavior if
they can blame the upset on a piece of malfunctioning equipment, a bad sensor, human
error or something else easy to fix. Process upset diagnosis now relies so heavily
on data from the control system that most people do not question the data from
that system, even though a compromised control system is exactly where the
misleading data would be coming from.
There are thousands of water control systems of varying sizes and designs
scattered across the US. If 12 honeypots experienced 10 high-level attacks
(“sophisticated enough to wrest complete control of the dummy control system”)
in four months, then I think it is safe to assume that a large percentage of
those water systems have experienced similar attacks. This is potentially a
serious public health issue.
Official Response?
I would like to think that Kyle has shared his information
with ICS-CERT. Even if he hasn’t, now that it has been made public, ICS-CERT
should be starting an investigation of the issues, and I would expect to see a
public alert published by that organization, hopefully this week. Since the EPA
has regulatory responsibility for water system security, it should also be initiating
an investigation of the problem identified by Kyle.