Industrial Control System Honeypot Illustrates Bad Security Practices -- Redmondmag.com

Industrial Control System Honeypot Illustrates Bad Security Practices

By Kurt Mackie
01/21/2020

Security solutions provider Trend Micro has published results (PDF) from running an industrial control system (ICS) "honeypot."

The ICS honeypot used bad security practices to attract attackers, showing the kinds of methods that get used. The honeypot consisted of a fake ICS company constructed by Trend Micro, with its network going live in May. It attracted attackers that installed coin miner software and ransomware within a few months' time.

A cryptocurrency miner was installed in July, and Crysis ransomware was added in September. In November, another attack on the network occurred, disguising itself as ransomware. As time passed, the number of attacks grew.

To encourage these attacks, Trend Micro mimicked an ICS network, creating a fictitious company called MeTech with fake personnel. The company supposedly worked in the industrial design sector and had big clients in the "military, avionic and manufacturing sectors." The notion that MeTech had been attacked was also spread by Trend Micro to attract attention.

Trend Micro also did "everything wrong" in terms of security to draw the attacks. MeTech's virtual network was open with no password control for remote access. Least-privilege network access practices were not followed. Trust between routers wasn't enforced. Trend Micro even reused the same password across the network, although the attackers didn't appear to exploit that lapse.

The report noted that those sorts of bad IT practices are "not uncommon" with small businesses that have few or no IT personnel.

Trend Micro took care to make MeTech seem real, so it used AI-generated photos of nonexistent company officials on MeTech's Web site. The effort apparently fooled the attackers. At one point, Trend Micro was involved in negotiating the price of decrypting its files following a ransomware attack.

"Organizations should ensure that their equipment and the components of their ICSs are not exposed online, as we purposely did with our various 'misconfigurations,'" Trend Micro commented in the report.

Another recommendation is to avoid using the same admin passwords across the network. In addition, "strict authentication policies" in the network should be used to deter intruders, Trend Micro advised.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Multi-Tenant Organization Hooks Released for Microsoft 365

Microsoft Entra ID's new multi-tenant organization capabilities have reached general availability (GA).
Real-World Ransomware Recovery

Here's how I was (mostly) successful in recovering a family PC infected with malware.
Microsoft Launches Small AI Models Family Phi-3

Recognizing that bigger isn't always better, Microsoft has released its smallest open AI models to date, Phi-3.
Microsoft and OpenAI Continue Global AI Expansions

Microsoft and OpenAI each continued their global expansion this month, with the announcements of new infrastructure investments and service rollouts in new regions, like Asia and the Middle East.
Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.