Power Transmission Substation Honeypot Yields Unexpected Results

We’ve discussed the security of critical infrastructure many times on this blog: the hijacking of the Dallas, TX tornado warning system, the discussions at Davos, selfies revealing sensitive information, and even a video showing a white hat hacker team physically compromising a substation security system.

The security of the nation’s critical infrastructure is, well, critical, so we were quite intrigued by a recent honeypot experiment conducted by researchers at Cybereason.

Honeypot Yields Unexpected Results

Looking to further understand the threats facing critical infrastructure, Cybereason set up a honeypot late in Q2 2018 that emulated the network of a major electric provider’s power transmission substation. All significant network systems, including an IT environment, an OT environment and an HMI (human machine interface) management system, were included in the honeypot to make it appear as legitimate a network as possible.


Cybereason expected the honeypot to reveal attack vectors that targeted individuals with network access. Instead, what they found was that the honeypot was compromised by a set of actors who sourced their access tools from a dark web forum!

According to Cybereason CISO Israel Barak, the honeypot infrastructure was first discovered by a black-market seller conducting broad internet reconnaissance. “The seller was able to compromise a single machine in the honeypot and posted it for sale in a black market called xDedic – along with the network identifiers of the compromised environment, which disclosed its probable affiliation with a large utility provider.”

Dark Web = Lights Out?

While the genesis of the threat, purchasing access off the dark web, was unexpected, Cybereason believes that those using the purchased access are very familiar with ICS environments. They moved quickly from the honeypot’s IT environment into the OT (operational technology) environment, the system environment that actually controls the equipment used to deliver the utility in question, whether it be electricity, natural gas or water. The attackers appear to have been singularly focused on getting to the OT network. And while some of their techniques were sloppy and raised red flags that would likely have elicited a security team’s response, had they been left unchallenged for some reason it appears possible they would have achieved their goal.

Can We Help You Achieve Your Goals?

When it comes to security, having an end goal in mind makes sense. Let us help you discover what goals make sense for your organization. It’s simple to get started; we’re just a phone call away.

Loudest Cyberattack in History Leaves Dallas Citizens Wailing

The sirens started at 11:42 p.m. Friday 4/7/17 and weren’t silenced until 1:20 a.m. Saturday 4/8/17. During that time, millions of Dallas residents repeatedly had their dreams interrupted by no fewer than 156 tornado emergency sirens.

The alarms have a duration of 90 seconds per cycle and were activated 15 times during the cyberattack.

Hackers Were Local

What was at first described as a “malfunction” by officials was later deemed to be a hack of the emergency system. According to the Washington Post:

“Officials have ruled out a remote hack — telling reporters someone gained physical access to a hub connecting all the sirens, which may not be turned on again until Monday as the city tries to figure out who, how and why.”

Critical Infrastructure Attacks Remain a Global Concern

Last January we reported that critical infrastructure vulnerability was a hot topic at the annual Davos conference, and 15 months later the Dallas incident has literally and figuratively sounded the critical infrastructure alarm.

According to federal data, critical infrastructure attacks are on the rise. In 2012, fewer than 200 attacks were documented. By 2015 that number had risen to nearly 300.

Regardless of the hackers’ intent, and regardless of the fact that the “hack” appears to have required physical access, it serves as another example of how critical infrastructure can be compromised with apparent ease.

As Texas and federal officials continue their investigation, it will be interesting to learn the motives, the details surrounding the vulnerabilities that were exploited and exactly how the hack was orchestrated.

Konsultek Knows Security

Our customized security solutions don’t stop with technology. A comprehensive Konsultek security assessment looks at all aspects of information and network security, including human factors and physical security procedures. Is your information vulnerable? Let us help you find out. Call today to learn more about our comprehensive security assessments.


© Copyright 2018 Konsultek