
The GasPot Experiment: Hackers Target Gas Tanks

  • Posted on: August 5, 2015 at 5:32 pm
  • Posted in: Internet of Things, Targeted Attacks
  • Author: Trend Micro

Physically tampering with gasoline tanks is dangerous enough, given how volatile gas can be. Altering a fuel gauge can cause a tank to overflow, and a simple spark can set everything ablaze. But imagine how much riskier it is if a hacker can do all this remotely, especially now that a number of fuel companies worldwide use Internet-connected systems to monitor their tanks.

As we shared in our presentation at Black Hat today, we wanted to test the security of these automated gas tank systems. Using a custom honeypot we call GasPot, we got an idea of how several attackers are abusing the system and which targets they prefer. The GasPots in the United States, for example, were very popular with attackers. This result was in line with the expectations we set at the beginning of the research. Some evidence suggests links to the Iranian Dark Coders (IDC) Team as well as the Syrian Electronic Army.

You can find the full details of the study in our paper, The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems.

What can attackers do?

The types of attacks depend entirely on the sophistication of the tank monitoring systems installed. Simple ones can only enable attackers to monitor the status of the system, while more sophisticated systems allow attackers to take control of and manipulate their targets’ tanks.

The possible attacks and the motivations behind them vary significantly. They can either be simple acts of vandalism (modifying the gas tank’s product label is very popular), or be far more malicious attacks (changing the behavior of the tanks, turning them into public safety hazards).

How Hard Will Patching Be?

Patching has always been a key challenge when it comes to online attacks that affect Internet-connected devices or infrastructure. We always have to ask how these gadgets or systems can be updated. Whether they’re cars, million-dollar SCADA systems, or gasoline tanks, updating their software poses several questions. Who will be responsible for applying the patch; will it be the vendor or the user? What kinds of expertise or tools are needed? What are the costs? Will all of the vulnerable devices get patched?

The available information from the world of SCADA systems suggests that organizations are simply unprepared to deal with patching devices. A 2013 European Union Agency for Network and Information Security (ENISA) report cited two numbers that are accepted within the SCADA security community: patches fixing problems in ICS software had a 60% failure rate, and less than half of vulnerabilities had a patch in the first place. Overall, it is estimated that only 10-20% of organizations bother to install the ICS/SCADA patches that their vendors do provide.

In the world of consumer software, such statistics would be unacceptable. However, because of the multiple challenges facing ICS patching (technical, operational, and financial), this is not considered out of the ordinary. Simply put, these systems are in situations where patching is expensive, impractical, or not feasible.

Device security is a priority

Security has simply not been a priority for device manufacturers up to this point. Why would it be? The rough-and-tumble online world, where anything can be attacked from anywhere, is not exactly a part of their corporate experience. They may not completely understand the risks of making their devices Internet-ready; the benefits may be evident to them, but the downsides are not.

Manufacturers and security vendors should work together to help secure these devices from these new threats. Physical security has been understood to be important for some time. It’s about time for online threats to reach this level of significance as well.

 

Tags: black hat, gas tanks, gaspot, internet of things
