The ability to hook devices or machines up to the internet helps critical infrastructure providers speed up manual processes, increase productivity, and grow the business. However, connecting to the Internet eliminates the “air gap” that kept critical networks safe for years, placing them within reach of cyber attackers. The best protection against potential data theft or industrial sabotage is collective, actionable intelligence.
Today cyber attacks on industrial environments are a reality, as proven by malware like Stuxnet. Industrial Control Systems (ICS) attract more professional attacks because of the huge damage potential or asset value at stake.
Companies looking to secure their networks should verify and minimise the visibility of their ICS resources over the internet. Due to the growing number of advanced threats, collecting and analysing threat intelligence can play a valuable role in providing security teams with detailed information about the attack vectors across the whole threat lifecycle. Initiatives like Shodan and Conpot teach security teams a lot about their own vulnerabilities and the attackers’ methods.
Shodan – Search engine for the IoT
The Shodan search engine was developed by John Matherly in 2009, allowing users to search the web for a wide variety of systems connected to the internet. In contrast to content-focused search engines like Google, Shodan uses port scans of the available IP addresses and then collects and indexes the banners it receives. This allows it to search the internet for servers or routers of a certain type, or even for specific IP-based endpoints like security cameras, medical devices, or even internet-connected machinery in a factory.
Unfortunately, little information about how attacks on industrial facilities happen is available. The Conpot security initiative wants to change that.
Conpot – Honeypots for industry
The Conpot, short for Control System Honeypot, is an initiative created under the umbrella of the Honeynet Project by a group of experienced security professionals, including Lukas Rist of Blue Coat Systems. The concept behind Conpot is to distribute interactive, virtual systems all over the internet which behave exactly like unprotected ICS servers or industrial networks. Once they are in place, the honeypot developer simply has to wait until an attacker attacks the emulated plant, Remote Terminal Unit (RTU) or ICS and watch and analyse the attack step by step.
Any security professional can take part in Conpot. The system is available as Open Source Software under www.conpot.org. With this powerful tool, any developer has the possibility to design a realistic, virtual model of his environment and connect it with the internet. Thus, the security team gains valuable insight what to expect when connecting their systems to the internet and can plan their defense accordingly.
Companies need to implement the best security practices to thoroughly protect the publicly accessible parts of their networks. For especially sensitive environments, there are dedicated ICS security solutions available. For example, ICS Protection Scanner Station can protect industry systems from USB based malware, and Security Analytics can identify potentially malicious activity targeting Supervisory Control and Data Acquisition (SCADA) systems in real-time.
A seamlessly integrated solution for the protection of industrial environments will only become a reality when various industry standards have been unified and integrated into existing security architectures. The technologies required include IPv6-based networking, full network monitoring and thorough patch and vulnerability management. These have been available for some time now. The next step will be their comprehensive implementation, which will take some time due to the longer lifecycles of industrial equipment. But, as with all good industrial processes, all good security strategies have to start somewhere.
By Christophe Birkeland
CTO Malware Analytics
