Black Hat 2015: Honeypots gather data on gas pump monitoring system attacks

A change of pump names that could result in the wrong fuel being added to a tank, a change in pumping volume could result in an underfill, or a pump compromise to siphon off data possibly for espionage.

Black Hat 2015: Honeypots gather data on gas pump monitoring system attacks
Black Hat 2015: Honeypots gather data on gas pump monitoring system attacks

Kyle Wilhoit and Stephen Hilt, presented their findings at a Wednesday session at Black Hat USA 2015 in Las Vegas.

Intrigued by an uptick of interest in supervisory control and data acquisition (SCADA) systems, two senior researchers with Trend Micro set up several honeypots to collect data on attacks against gas pump monitoring systems.

The researchers, Kyle Wilhoit and Stephen Hilt, presented their findings at a Wednesday session at Black Hat USA 2015 in Las Vegas. The duo said they were spurred to investigate after identifying an attack against the Guardian AST Monitoring System, which is deployed at gas stations to monitor the volume, temperature, water content and more of underground tanks at gas stations.

For their research, Wilhoit and Hilt created a honeypot - dubbed Gaspot - and deployed it in the U.S., Brazil, U.K., Jordan, Germany, UAE and Russia. They classified attacks as successful commands resulting in failures, targeted malware, and denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.

Potential attack scenarios, they said, included DoS and DDoS attacks that bring inventory control and distribution to a standstill, a change of pump names that could result in the wrong fuel being added to a tank, a change in pumping volume that could result in an underfill, or a pump compromise to siphon off data possibly for espionage.

The results: from February to July, the researchers said they observed 12 pump identifications, four pump modifications and two DoS/DDoS attacks. The majority of attacks targeted the U.S., with Jordan being the runner-up and Germany sustaining no attacks.

“Attribution is only as good as the data we have,” Wilhoit said, reiterating that point several times. However, based on the data, the researchers suggested that the attacks could be the work of either hacktivist collective Syrian Electronic Army, or Iranian Dark Coder, a group operating out of Iran.

Wilhoit and Hilt said that not much is being done on these devices to prevent these types of attacks. Although certain products allow for a four digit numeric PIN code, the pair said that it is not enough. Better defense involves building security into the systems, stronger authentication and limitations on who has access, the researchers said.

This article was first published in our sister publication SC Magazine.

Sign up to our newsletters