S7commTrace: A High Interactive Honeypot for Industrial Control System Based on S7 Protocol

Conference paper
First Online:
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10631)

Abstract

Intensively happened cyber-attacks against industrial control system pose a serious threat to the critical national infrastructure. It is significant to capture the detection and the attacking data for industrial control system by means of honeypot technology, as it provides the ability of situation awareness to reveal potential attackers and their motivations before a fatal attack happens. We develop a high interactive honeypot for industrial control system-S7commTrace, based on Siemens’ S7 protocol. S7commTrace supports more function codes and sub-function codes in protocol simulation, and improves the depth of interaction with the attacker to induce more high-level attacks effectively. A series of comparative experiments is carried out between S7commTrace and Conpot, by deploying these two kinds of honeypots under the same circumstance in four countries. Data captured by these two kinds of honeypots is analyzed respectively in four dimensions, which are query results in Shodan, count of data and valid data, coverage of function code and diversity of source IP address. Experiment results show that S7commTrace has better performance over Conpot.

Keywords

Industrial control system Honeypot S7 Conpot 
This is a preview of subscription content, log in to check access

Notes

Acknowledgment

This study is supported by National Natural Science Foundation of China (U1605251).

References

  1. 1.
    Chen, T.M., Abu-Nimeh, S.: Lessons from Stuxnet. Comput. 44(4), 91–93 (2011)CrossRefGoogle Scholar
  2. 2.
    Kushner, D.: The real story of stuxnet. IEEE Spectrum 50(3), 48–53 (2013)CrossRefGoogle Scholar
  3. 3.
    Zetter, K.: A cyberattack has caused confirmed physical damage for the second time ever. http://www.wired.com//2015//01//german-steel-mill-hack-destruction. Accessed 8 July 2017
  4. 4.
    Zetter, K.: Inside the cunning, unprecedented hack of Ukraine’s power grid. https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/. Accessed 8 July 2017
  5. 5.
  6. 6.
    Stouffer, K., et al.: Guide to industrial control systems (ICS) security. NIST special publication vol. 800, no. 82, p. 16 (2011)Google Scholar
  7. 7.
    Hink, R.C.B., Goseva-Popstojanova, K.: Characterization of cyberattacks aimed at integrated industrial control and enterprise systems: a case study. In: IEEE International Symposium on High Assurance Systems Engineering, pp. 149–156 (2016)Google Scholar
  8. 8.
    Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co. Inc., Boston (2002)Google Scholar
  9. 9.
    Zhuge, J.-W., et al.: Honeypot technology research and application. Ruanjian Xuebao/J. Softw. 24(4), 825–842 (2013)Google Scholar
  10. 10.
    Jicha, A., et al.: SCADA honeypots: an in-depth analysis of Conpot. In: 2016 IEEE Conference on Intelligence and Security Informatics (ISI)Google Scholar
  11. 11.
    Pothamsetty, V., Franz, M.: SCADA Honeynet Project: Building Honeypots for Industrial Networks. SCADA Honeynet Project, 15 July 2005Google Scholar
  12. 12.
    CONPOT ICS/SCADA Honeypot. http://conpot.org/. Accessed 16 July 2017
  13. 13.
    Serbanescu, A.V., et al.: ICS threat analysis using a large-scale honeynet. In: Proceedings of the 3rd International Symposium for ICS & SCADA Cyber Security Research. British Computer Society (2015)Google Scholar
  14. 14.
    Buza, D.I., Juhász, F., Miru, G., Félegyházi, M., Holczer, T.: CryPLH: protecting smart energy systems from targeted attacks with a PLC honeypot. In: Cuellar, J. (ed.) SmartGridSec 2014. LNCS, vol. 8448, pp. 181–192. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-10329-7_12CrossRefGoogle Scholar
  15. 15.
    Shodan. https://www.shodan.io/. Accessed 15 July 2017
  16. 16.
    Censys. https://censys.io/. Accessed 15 July 2017
  17. 17.
    Durumeric, Z., et al.: A search engine backed by internet-wide scanning. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security. ACM (2015)Google Scholar
  18. 18.
    Zoomeye. https://www.zoomeye.org/. Accessed 16 July 2017
  19. 19.
    Ics-radar. https://ics-radar.shodan.io/. Accessed 15 July 2017
  20. 20.
    Bodenheim, R., et al.: Evaluation of the ability of the Shodan search engine to identify Internet-facing industrial control devices. Int. J. Crit. Infrastruct. Protect. 7(2), 114–123 (2014)CrossRefGoogle Scholar
  21. 21.
    https://wiki.wireshark.org/S7comm. Accessed 15 July 2017
  22. 22.
    http://plcscan.org/blog/. Accessed 16 July 2017

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Anhui Province Key Laboratory of Big Data Analysis and Application, School of Computer Science and TechnologyUniversity of Science and Technology of ChinaHefeiChina
  2. 2.Electronic Engineering Institute of HefeiHefeiChina

Personalised recommendations