Cybersecurity firm Trend Micro recently released a report detailing its new OT honeypot research. Members may recall that in 2013 Trend Micro published research centered on a honeypot it had built to resemble a water system. This time, Trend Micro Research created a highly elaborate fictitious industrial prototyping company, complete with a backstory and an online presence. The honeypot consisted of real ICS hardware and a mix of physical hosts and virtual machines to run the factory, including several programmable logic controllers (PLCs), human-machine interfaces (HMIs), separate robotics and engineering workstations, and a file server.

After seven months online, Trend Micro reports that the OT honeypot attracted mostly fraud and financially motivated attacks, supporting the long-standing assessment that unsecured industrial environments are primarily victims of commodity threats from cybercriminals rather than of an abundance of highly advanced state-sponsored actors bent on sabotaging key processes. These common IT-based attacks included a malicious cryptocurrency mining campaign, two ransomware attacks, a third attack that merely posed as ransomware, and several scanners. The honeypot did not go unnoticed by actors looking for control systems, however; Trend Micro describes traffic to its PLCs that could have been malicious or could have originated from lesser-known scanners. The report details the exposed PLCs, three models and four devices in total: a Siemens S7-1200, two Allen-Bradley MicroLogix 1100s, and an Omron CP1L. Interestingly, the honeypot also drew the attention of a well-known researcher, who escalated his findings to the parties that would need to be notified if a real control system were exposed to the internet, including the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
According to Trend Micro, for the honeypot to garner this kind of attention, they practically had to do everything wrong in the faux company's general security posture. However, for many small businesses with no IT or OT security staff, such a situation is not uncommon. Members are encouraged to read this fascinating and detailed report and apply Trend Micro's findings, particularly organizations running systems similar to the ones included in the research. Read the report at Trend Micro
H2Oex: In Person 1 day event/exercise. Thurs Dec 5th. Washington DC. Join us!