CryPLH: Protecting Smart Energy Systems from Targeted Attacks with a PLC Honeypot

  • Dániel István Buza
  • Ferenc Juhász
  • György Miru
  • Márk Félegyházi
  • Tamás HolczerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8448)


Smart grids consist of suppliers, consumers, and other parts. The main suppliers are normally supervised by industrial control systems. These systems rely on programmable logic controllers (PLCs) to control industrial processes and communicate with the supervisory system. Until recently, industrial operators relied on the assumption that these PLCs are isolated from the online world and hence cannot be the target of attacks. Recent events, such as the infamous Stuxnet attack [15] directed the attention of the security and control system community to the vulnerabilities of control system elements, such as PLCs. In this paper, we design and implement the Crysys PLC honeypot (CryPLH) system to detect targeted attacks against industrial control systems. This PLC honeypot can be implemented as part of a larger security monitoring system. Our honeypot implementation improves upon existing solutions in several aspects: most importantly in level of interaction and ease of configuration. Results of an evaluation show that our honeypot is largely indistinguishable from a real device from the attacker’s perspective. As a collateral of our analysis, we were able to identify some security issues in the real PLC device we tested and implemented specific firewall rules to protect the device from targeted attacks.


Virtual Machine Target Attack Python Script Real Device Simple Network Management Protocol 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to acknowledge the help and the provided Siemens PLC device to Óbuda University and the company evopro. This work is partially funded by the EIT ICTLabs through activity ASES 13030.


  1. 1.
    The conpot project. Accessed 4 August 2013
  2. 2.
    Crash per webinterface. Accessed 16 October 2013
  3. 3.
    Introducing conpot. Accessed 4 August 2013
  4. 4.
    Miniweb project webpage. Accessed 7 October 2013
  5. 5.
    Nginx site. Accessed 16 October 2013
  6. 6.
    Openssl: The open source toolkit for ssl/tls. Accessed 16 October 2013
  7. 7.
    Scada honeynet. Accessed 17 June 2013
  8. 8.
    Shodan - expose online devices. Accessed 1 March 2014
  9. 9.
    Simatic step 7 engineering software - software for simatic controllers - siemens. Accessed 18 October 2013
  10. 10.
    Honeywall project site. (2009). Accessed 17 June 2013
  11. 11.
    Backtrack linux - penetration testing distribution (2013). Accessed 23 October 2013
  12. 12.
    Nessus vulnerability scanner. (2013). Accessed 10 October 2013
  13. 13.
    Nmap - free security scanner for network exploration & security audits. (2013). Accessed 23 October 2013
  14. 14.
  15. 15.
    Bencsáth, B., Pék, G., Buttyán, L., Felegyhazi, M.: The cousins of Stuxnet: Duqu, Flame, and Gauss. Future Internet 4(4), 971–1003 (2012)CrossRefGoogle Scholar
  16. 16.
    Gorzelak, K., Grudziecki, T., Jacewicz, P., Jaroszewski, P., Juszczyk, Ł., Belasovs, A.: Proactive detection of network security incidents (2012)Google Scholar
  17. 17.
    Koopman, P.: Embedded system security. Computer 37(7), 95–97 (2004)CrossRefMathSciNetGoogle Scholar
  18. 18.
    Provos, N.: Developments of the honeyd virtual honeypot. (2007). Accessed 16 June 2013
  19. 19.
    Provos, N.: Honeyd-a virtual honeypot daemon. In: 10th DFN-CERT Workshop, Hamburg, Germany, vol. 2 (2003)Google Scholar
  20. 20.
    Provos, N., Holz, T.: Virtual Honeypots: From Botnet Tracking to Intrusion Detection. Pearson Education, Boston (2007)Google Scholar
  21. 21.
    Pothamsetty, V., Franz, M.: Scada honeynet project: building honeypots for industrial networks (2005)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Dániel István Buza
    • 1
  • Ferenc Juhász
    • 1
  • György Miru
    • 1
  • Márk Félegyházi
    • 1
  • Tamás Holczer
    • 1
    Email author
  1. 1.Laboratory for Cryptography and System Security (CrySyS Lab), Department of Networked Systems and Services (HIT)Budapest University of Technology and Economics (BME)BudapestHungary

Personalised recommendations