Industrial Control System Honeypot Illustrates Bad Security Practices

Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

The ICS honeypot deliberately used bad security practices to attract attackers and show the kinds of methods they use. The honeypot consisted of a fake ICS company constructed by Trend Micro, with its network going live in May. Within a few months, it attracted attackers who installed coin miner software and ransomware.

A cryptocurrency miner was installed in July, and Crysis ransomware was added in September. In November, another attack hit the network, this one disguised as ransomware. As time passed, the number of attacks grew.

To encourage these attacks, Trend Micro mimicked an ICS network, creating a fictitious company called MeTech with fake personnel. The company supposedly worked in the industrial design sector and had big clients in the "military, avionic and manufacturing sectors." Trend Micro also spread the notion that MeTech had been attacked, to attract attention.

Trend Micro also did "everything wrong" in terms of security to draw the attacks. MeTech's virtual network was open with no password control for remote access. Least-privilege network access practices were not followed. Trust between routers wasn't enforced. Trend Micro even reused the same password across the network, although the attackers didn't appear to exploit that lapse.

The report noted that those sorts of bad IT practices are "not uncommon" with small businesses that have few or no IT personnel.

Trend Micro took care to make MeTech seem real, so it used AI-generated photos of nonexistent company officials on MeTech's Web site. The effort apparently fooled the attackers. At one point, Trend Micro was involved in negotiating the price of decrypting its files following a ransomware attack.

"Organizations should ensure that their equipment and the components of their ICSs are not exposed online, as we purposely did with our various 'misconfigurations,'" Trend Micro commented in the report.

Another recommendation is to avoid using the same admin passwords across the network. In addition, "strict authentication policies" in the network should be used to deter intruders, Trend Micro advised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

