Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend Micro, has spent the last year building fake water plant control systems that mimic the online control systems used by real American utilities. Dubbed “honeypots,” these sorts of decoys are deployed to draw in the ill-mannered beasts of the internet—malicious hackers.
Wilhoit’s traps appear to be working. Hackers employing a software tool used by the Chinese army—as well as hackers that appear to originate from Russia, Palestine, Germany, and other countries—have been breaking into Trend Micro’s phony US water systems. In some cases, they have gone so far as to steal files so they can access the systems again. They also have gained access to imaginary pumps, which in a real scenario would allow them to modify water pressure, temperature, purification level, and even shut off the flow entirely.
“Everyone has talked of [these systems] getting attacked, but I wanted true numbers to prove the attacks were occurring,” says Wilhoit, who presented the report of his company’s findings at the Black Hat conference in Las Vegas last week. “I was expecting typical drive-by automated attacks, but never dreamed of having a true targeted attack.”
Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman National Security Project, told Mother Jones that he’s “not totally surprised” by the report, given the past allegations of foreign entities attempting to infiltrate America’s critical infrastructure. (In May, for example, the Wall Street Journal reported that Iran was hacking into our oil, gas, and power firms.) “The question is,” Rhoades says, “what would the Chinese army want? Do they want to contaminate US water plants? Are they mapping it out as a contingency for some sort of future conflict? The latter seems like it’s a potential, and that wouldn’t surprise me either.”
Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries, mimicking servers that control water pumps. (Earlier this year, a study supported by the Department of Homeland Security found that more than 7,000 industrial control systems—a broad term encompassing water, gas, and electrical systems—were connected to the internet in the United States.) The traps feature control toggles for temperature, on/off functionality, and other password-protected settings. Water systems are easy to imitate since their cybersecurity is “typically very lax,” Wilhoit explains. “Attempting to mimic a nuclear plant would be very difficult.”
Trend Micro set up the decoys to draw attention to the state of critical infrastructure cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours for the first hacker to visit. In December, using HACKSFASE—the same tool used by the Chinese army to attack US government agencies, according to the New York Times and a security company called Mandiant—a Chinese-based hacker infiltrated one of the US honeypots and tried to access multiple pages. The person also made a successful spearphishing attempt, sending a fake email to the owner’s account in order to automatically collect login information. Richard Bejtlich, chief security officer for Mandiant, says that claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE is “weak attribution.” However, he wasn’t aware of other countries using the tool.
Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France, the United Kingdom, and Palestine—and attacks originating in the United States that targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese attack, were deemed “critical”—meaning that, in a real-life scenario, a hacker could have altered or turned off a city’s water supply. (None of the attacks originating from the United States fell into that category.)
Trend Micro also reported that some American water control systems could be found online using a simple Google search. The cities I contacted were cagey about whether their systems had online controls and what steps they took to defend them against hackers. But they all promised that their supplies were secure. For instance, Pamela Mooring, a spokeswoman for the DC Water and Sewer Authority, writes in an email: “DC Water staff attend briefings on cyberattacks and other threats to utilities, and the Authority has a Cyber Response Plan.”
Alan Roberson, director of federal relations at the American Water Works Association, says most American utility companies “are aware that they need to separate their control systems from the internet…but we still don’t know how many have done that, and how many vulnerabilities are left.” He adds however, that if a utility company knew it was under cyberattack, it could manually take control of the system and easily block intruders.
Last week, the Senate Committee on Commerce, Science & Transportation cleared the Cybersecurity Act of 2013 (introduced in the wake of President Obama’s corresponding executive order), which addresses vulnerabilities in American infrastructure by encouraging companies to follow set cybersecurity standards. If it passes, Roberson says, it will help safeguard water supplies by giving utility companies a way to justify the added cost of security to their boards and customers.
Wilhoit also supports the bill, although he’d like to see the federal government test the specific software and hardware that utility companies are using. “If my system is a realistic depiction of a real water pumping system,” he says, then “compromising a real water system would be very easy.”