Abstract
Honeypots and related deception technologies have long been used to capture and study malicious activity in networks. However, clear requirements for developing effective honeypots for active defense of cyber-physical systems have not been discussed in the literature. This chapter proposes a next generation industrial control system honeynet. Enumerated requirements and a reference framework are presented that bring together the best available honeypot technologies and new adaptations of existing tools to produce a honeynet suitable for detecting targeted attacks against cyber-physical systems. The framework supports high-fidelity simulations and high interactions with attackers while delaying the discovery of the deception. Data control, capture, collection and analysis are supported by a novel and effective honeywall system. A hybrid honeynet, using virtualized and real programmable logic controllers that interact with a physical process model, is presented. The benefits provided by the framework along with the challenges to consider during honeynet deployment and operation are also discussed.
Copyright information
© 2019 IFIP International Federation for Information Processing
About this paper
Cite this paper
Haney, M. (2019). Leveraging Cyber-Physical System Honeypots to Enhance Threat Intelligence. In: Staggs, J., Shenoi, S. (eds) Critical Infrastructure Protection XIII. ICCIP 2019. IFIP Advances in Information and Communication Technology, vol 570. Springer, Cham. https://doi.org/10.1007/978-3-030-34647-8_11
DOI: https://doi.org/10.1007/978-3-030-34647-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34646-1
Online ISBN: 978-3-030-34647-8
eBook Packages: Computer Science (R0)