Login attack detection

Control Engineering just posted an article on a study performed by Trend Micro where they set up virtual SCADA systems on the Internet and then observed attempts to attack and break into them. One finding from the study was that many of the more serious attacks were prefaced by multiple login attempts.

This made us start looking at how we would know if we had a run of failed login attempts on one of our Ignition systems. We need a way to generate an alarm when a system is under attack.

You should be able to accomplish this by running a gateway timer script that queries your audit log for failed login attempts. You could set up your own metric, like more than 1 per minute = intrusion alert, etc.

1 Like
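A sketch of the check the reply describes, added here as an example and not code from the thread or from Ignition itself. It assumes an audit table named `AUDIT_EVENTS` with the columns shown and that `STATUS_CODE` 0 means success; an in-memory SQLite table with constructed rows stands in for the gateway's audit database so the logic runs offline.

```python
import sqlite3
from datetime import datetime, timedelta

WINDOW_MINUTES = 1   # how far back each timer run looks
MAX_FAILURES = 1     # the reply's metric: more than 1 failure per minute

# Assumed audit table and column names; check them against your audit profile.
# Assumption: STATUS_CODE 0 means the login succeeded, anything else failed.
QUERY = """
SELECT ACTOR_HOST, COUNT(*), COUNT(DISTINCT ACTOR)
FROM AUDIT_EVENTS
WHERE ACTION = 'login' AND STATUS_CODE <> 0
  AND EVENT_TIMESTAMP >= ? AND EVENT_TIMESTAMP <= ?
GROUP BY ACTOR_HOST
ORDER BY COUNT(*) DESC
"""

def check_failed_logins(conn, now):
    """Return alarm state plus per-host failure counts for the last window."""
    fmt = "%Y-%m-%d %H:%M:%S"
    since = now - timedelta(minutes=WINDOW_MINUTES)
    # On a gateway this query would go through system.db.runPrepQuery instead.
    rows = conn.execute(QUERY, (since.strftime(fmt), now.strftime(fmt))).fetchall()
    total = sum(fails for _host, fails, _users in rows)
    # Grouping by host rather than user also catches one host trying many names.
    return {"alarm": total > MAX_FAILURES, "total": total, "by_host": rows}

def sample_db():
    """Constructed audit rows (not real data) in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AUDIT_EVENTS (EVENT_TIMESTAMP TEXT, ACTOR TEXT, "
                 "ACTOR_HOST TEXT, ACTION TEXT, STATUS_CODE INTEGER)")
    conn.executemany("INSERT INTO AUDIT_EVENTS VALUES (?, ?, ?, ?, ?)", [
        ("2024-01-01 11:40:00", "jsmith", "10.0.0.15", "login", 1),
        ("2024-01-01 12:00:05", "admin", "203.0.113.7", "login", 1),
        ("2024-01-01 12:00:20", "admin", "203.0.113.7", "login", 1),
        ("2024-01-01 12:00:41", "operator", "203.0.113.7", "login", 1),
        ("2024-01-01 12:00:50", "jsmith", "10.0.0.15", "login", 0),
    ])
    return conn

if __name__ == "__main__":
    result = check_failed_logins(sample_db(), datetime(2024, 1, 1, 12, 1, 0))
    # The alarm flag would be written to a tag that has an alarm configured on it.
    print(result)
```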