Gathering Intelligence Through Realistic Industrial Control System Honeypots
Industrial control systems and critical infrastructures have become an important target for cyber-crime, cyber-terrorism and industrial espionage. In order to protect these systems from cyber-attacks it is important to obtain accurate and up-to-date intelligence on cyber security threats. Honeypots are simulated systems, deliberately exposed on the Internet to attract the attention of cyber criminals, in order to observe attacks and gain intelligence. Whilst honeypots can be a very effective way of gathering intelligence, it is not trivial to simulate a realistic industrial control system, without raising the attacker’s suspicion. In this experience report, we describe the development of a honeypot, representing a water treatment plant, from the point of view of a cyber security service provider charged with the protection of critical infrastructure. The system has been continuously exposed and has provided intelligence for more than two years, feeding intelligence used in our monitoring toolchain and managed security services. (This work was partially supported by the Spanish Ministry for Industry, Energy and Tourism under grant number TSI-100200-2014-19 and the European Horizon 2020 Programme under grant agreement number 740477).
- 1.Ukranian power supply attack: BBC News (2016). http://www.bbc.com/news/technology-38573074
- 2.WannaCry cyber attack: Symantec Security Center (2017). https://www.symantec.com/security_response/writeup.jsp?docid=2017-051310-3522-99
- 3.Wilhoit, K.: Who’s Really Attacking Your ICS Equipment?. TrendMicro (2013). https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf
- 4.Elasticsearch Kibana: https://www.elastic.co/products
- 5.Modbus Industrial Protocol Specificacion. http://www.modbus.org/specs.php