S7commTrace: A High Interactive Honeypot for Industrial Control System Based on S7 Protocol
Abstract
Cyber-attacks against industrial control systems (ICS) are happening with increasing frequency and pose a serious threat to critical national infrastructure. Capturing the reconnaissance (detection) and attack data aimed at ICS by means of honeypot technology is significant, because it provides situation awareness that reveals potential attackers and their motivations before a fatal attack happens. We develop S7commTrace, a high-interaction honeypot for industrial control systems based on Siemens' S7 protocol. S7commTrace supports more function codes and sub-function codes in its protocol simulation and deepens the interaction with the attacker, so that it induces more high-level attacks effectively. A series of comparative experiments between S7commTrace and Conpot is carried out by deploying both kinds of honeypot under the same circumstances in four countries. The data captured by the two kinds of honeypot is analysed in four dimensions: query results in Shodan, count of captured data and of valid data, coverage of function codes, and diversity of source IP addresses. The experimental results show that S7commTrace performs better than Conpot.
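The protocol-simulation and measurement ideas in the abstract, as an added example that is not part of the paper and is not S7commTrace's or Conpot's code: a minimal parser for S7comm requests carried over TPKT/COTP, plus the bookkeeping a honeypot operator needs to report three of the four analysis dimensions (count of captured vs. valid data, function-code coverage, distinct source IPs; the Shodan dimension needs an external query and is not shown). The header layout follows the public Wireshark S7comm dissector; the sample PDUs, source addresses and the `build_pdu` helper that assembles them are constructed for this example.

```python
"""Added example: parse captured S7comm request PDUs and compute honeypot
metrics (total vs. valid PDUs, function-code coverage, distinct sources).
Not code from the S7commTrace paper or from Conpot; samples are constructed."""
import struct
from collections import Counter

# S7comm Job function codes, named as in the Wireshark S7comm dissector.
JOB_FUNCTIONS = {
    0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request Download", 0x1B: "Download Block", 0x1C: "Download Ended",
    0x1D: "Start Upload", 0x1E: "Upload", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup Communication",
}
ROSCTR_JOB, ROSCTR_ACK_DATA, ROSCTR_USERDATA = 0x01, 0x03, 0x07


def parse_s7comm(pdu: bytes):
    """Return a dict describing a Job or Userdata request, or None when the
    bytes are not a well-formed TPKT/COTP/S7comm request (counted as invalid)."""
    # TPKT: version 3, reserved, 16-bit total length covering the whole PDU.
    if len(pdu) < 7 or pdu[0] != 0x03:
        return None
    if struct.unpack(">H", pdu[2:4])[0] != len(pdu):
        return None
    # COTP: length indicator, then PDU type; 0xF0 is a Data TPDU.
    cotp_len = pdu[4]
    if pdu[5] != 0xF0:
        return None
    s7 = pdu[5 + cotp_len:]
    # S7 header: proto id 0x32, ROSCTR, reserved(2), pdu ref(2), param len(2), data len(2).
    if len(s7) < 10 or s7[0] != 0x32:
        return None
    rosctr = s7[1]
    pdu_ref, param_len, data_len = struct.unpack(">HHH", s7[4:10])
    hdr_len = 12 if rosctr == ROSCTR_ACK_DATA else 10  # Ack_Data adds 2 error bytes
    if len(s7) < hdr_len + param_len + data_len:
        return None
    params = s7[hdr_len:hdr_len + param_len]
    if rosctr == ROSCTR_JOB and param_len >= 1:
        code = params[0]
        return {"rosctr": "Job", "function": code,
                "name": JOB_FUNCTIONS.get(code, "unknown"), "pdu_ref": pdu_ref}
    if rosctr == ROSCTR_USERDATA and param_len >= 8 and params[:3] == b"\x00\x01\x12":
        # Userdata parameter: head(3) len(1) method(1) type|group(1) subfunction(1) seq(1).
        return {"rosctr": "Userdata", "function": params[5] & 0x0F,
                "subfunction": params[6], "pdu_ref": pdu_ref}
    return None


def summarize(captures):
    """captures: iterable of (source_ip, pdu_bytes) as a honeypot would log them.
    Returns total/valid counts, per-function coverage and distinct source count."""
    total = valid = 0
    functions, sources = Counter(), set()
    for src, pdu in captures:
        total += 1
        parsed = parse_s7comm(pdu)
        if parsed is None:
            continue  # malformed or non-S7 traffic: counted, but not "valid data"
        valid += 1
        sources.add(src)
        label = f"{parsed['rosctr']}:0x{parsed['function']:02x}"
        if parsed["rosctr"] == "Userdata":
            label += f"/0x{parsed['subfunction']:02x}"
        functions[label] += 1
    return {"total": total, "valid": valid,
            "function_coverage": dict(functions), "distinct_sources": len(sources)}


def build_pdu(rosctr, pdu_ref, params, data=b""):
    """Constructed-sample helper: wrap an S7 parameter/data block in S7, COTP and TPKT headers."""
    s7_hdr = struct.pack(">BBHHHH", 0x32, rosctr, 0, pdu_ref, len(params), len(data))
    body = b"\x02\xf0\x80" + s7_hdr + params + data  # COTP DT TPDU, LI=2, EOT set
    return struct.pack(">BBH", 3, 0, 4 + len(body)) + body


# Constructed captures (documentation addresses, not real sources).
SAMPLES = [
    ("203.0.113.10", build_pdu(ROSCTR_JOB, 1, bytes.fromhex("f0000001000101e0"))),
    ("203.0.113.10", build_pdu(ROSCTR_JOB, 2, bytes.fromhex("0401120a10020001000084000000"))),
    ("198.51.100.7", build_pdu(ROSCTR_USERDATA, 3, bytes.fromhex("0001120411440100"),
                               bytes.fromhex("ff09000400110000"))),  # CPU functions / Read SZL
    ("192.0.2.44", build_pdu(ROSCTR_JOB, 4, bytes.fromhex("290000000000") + b"\x09P_PROGRAM")),
    ("192.0.2.99", b"GET / HTTP/1.1\r\n"),  # a web scanner hitting port 102: invalid
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

The PLC Stop sample is included because a request of that kind is exactly the high-level event a high-interaction honeypot must recognise and log; a simulator that only answers Setup Communication and Read Var never sees it, which is the coverage gap the abstract's "function code coverage" dimension measures.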
Keywords
Industrial control system, Honeypot, S7, Conpot
Acknowledgment
This study is supported by the National Natural Science Foundation of China (U1605251).