Security surprise: Four zero-days spotted in attacks on researchers' fake networks

Previously unknown attacks used against fake systems show big problems remain with industrial systems security.
Written by Steve Ranger, Global News Director

Four new zero-day attacks were discovered when hackers employed them against fake systems set up by researchers studying hacking attempts on industrial systems.

Industrial control systems (ICS) are used to manage a vast range of critical devices, anything from chemical processing through to power generation or even building automation – like fire-suppression systems.

Many of these use old communications systems that assume they are connected via dedicated, secure networks. But now many are using IP-based networks, including the internet, to communicate, creating potentially huge security problems. 

SEE: How to become a cybersecurity pro: A cheat sheet (TechRepublic)    

Bugs in these systems are rarely patched by vendors or users, and few of the industrial protocols use authentication or encryption, which means they will trust most commands sent to them, regardless of who sends them.

"Together, these factors result in a vulnerable industrial environment and create unique security challenges," the researchers note.

To examine the security threats to industrial systems, the researchers used a network of 120 high-interaction honeypots – fake industrial infrastructure – in 22 countries to mimic programmable logic controllers and remote terminal units.

Over a period of 13 months, there were 80,000 interactions with the honeypots – mostly scans – and nine interactions that made malicious use of an industrial protocol.

While that might sound like a small number, four of the nine interactions also featured previously unknown attacks, or zero-days, one being the first use of a previously identified proof-of-concept attack in the wild. 

The attack types include denial-of-service and command-replay attacks. These vulnerabilities and associated exploits were disclosed to the device manufacturers.

"While the yield was small, the impact was high, as these were skilled, targeted exploits previously unknown to the ICS community," the researchers said. The research was presented at a NATO-backed cybersecurity conference.

Mikael Vingaard, industrial security researcher at Industrial Defenica, and one of the authors of the study, said the dataset is the largest used – so far – in academic research, and that the number of zero days discovered was a reflection of how believable the honeypots were.

SEE: Google removes 106 Chrome extensions for collecting sensitive user data

Michael Dodson at the Department of Computer Science and Technology at the University of Cambridge, another of the authors, told ZDNet that if used against a real device rather than a honeypot, the denial-of-service attacks would have meant the devices would have either shut down completely during the attack or been unable to communicate over the network.

For the replay attacks, the sky is the limit, he said. "If you can replay commands to change state or write to registers, then you have full control over the device's behaviour, and therefore over whatever part of the process it controls."

However, it's also a reflection of the generally dismal state of ICS security that one honeypot could turn up four zero-day attacks.

"There are so few people looking at ICS device security, the landscape is so heterogeneous, and the software is largely proprietary, so I don't think it's surprising that any attack you happen to observe might be 'new' to the community," he said.

Editorial standards