Specialized Honeypots for SCADA Systems

In this chapter we examine the role of specialized honeypots in detecting and profiling cyber attacks on SCADA-based Industrial Control Systems, discuss how such honeypots should be implemented, and provide a complete example of such an appliance. The honeypot concept has been used in general-purpose intrusion detection for a long time, with well-recognized contributions to revealing and analysing cyber attacks. However, a number of specialized requirements associated with SCADA systems, and with Industrial Control Systems in general, are not addressed by typical honeypots. We discuss how the differing approaches to security in typical information systems and in industrial control systems lead to the need for specialized SCADA honeypots in process control networks. Based on that discussion, we propose a reference architecture for a SCADA network honeypot, discuss possible implementation strategies, drawing on the lessons learned from the development of a proof-of-concept Modbus honeypot, and propose two alternative deployment strategies: one based on low-cost hardware appliances physically and logically located in the automation or field networks, and the other based on virtualized field-network honeypots physically located in the datacentre and logically located in the field or automation network.
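To make the proof-of-concept Modbus honeypot described above concrete, the following added example (not the chapter's own implementation, nor code from any project it cites) sketches the core of a low-interaction Modbus/TCP honeypot: it parses the MBAP header, answers Read Holding Registers (function 0x03) from a simulated register map, returns the standard Modbus exception codes for anything else, and emits one structured log event per request so that scans and probes can be profiled. The register contents, the listening port (5020, since 502 normally needs privileges), and the event field names are assumptions made for this example.

```python
"""Minimal low-interaction Modbus/TCP honeypot (added example, not the chapter's code)."""
import json
import socketserver
import struct
import time

# Constructed register map: a pretend process with a few plausible values
# (e.g. register 0 = tank level in 0.1 %, register 1 = valve-open flag).
SIMULATED_REGISTERS = [742, 1, 0, 0, 1500, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0]

READ_HOLDING_REGISTERS = 0x03
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_DATA_ADDRESS = 0x02
EXC_ILLEGAL_DATA_VALUE = 0x03


def parse_mbap(frame):
    """Parse the 7-byte MBAP header and return transaction id, unit id and PDU.

    Raises ValueError on anything that is not a well-formed Modbus/TCP ADU;
    malformed traffic is itself worth logging, so the caller records the reason.
    """
    if len(frame) < 8:                      # header + at least a function code
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("unexpected protocol id %d" % pid)
    if length != len(frame) - 6:            # length counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame" % length)
    return {"transaction_id": tid, "unit_id": uid, "pdu": frame[7:]}


def build_response(tid, uid, pdu):
    """Wrap a response PDU in an MBAP header echoing the request's ids."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu


def exception_pdu(function, code):
    """Modbus exception response: function code with high bit set + exception code."""
    return bytes([function | 0x80, code])


def handle_request(frame, peer="unknown"):
    """Return (response_bytes, event_dict) for one request ADU.

    The event dict is the honeypot's log record; the response is empty for
    malformed input (a real device would simply not answer).
    """
    event = {"ts": time.time(), "peer": peer, "raw": frame.hex()}
    try:
        hdr = parse_mbap(frame)
    except ValueError as exc:
        event.update(kind="malformed", error=str(exc))
        return b"", event

    pdu = hdr["pdu"]
    function = pdu[0]
    event.update(transaction_id=hdr["transaction_id"],
                 unit_id=hdr["unit_id"], function=function)

    if function != READ_HOLDING_REGISTERS:
        # Every other function (writes, diagnostics, ...) gets ILLEGAL FUNCTION;
        # the attempt is still logged, which is the point of the honeypot.
        event.update(kind="unsupported_function", result="illegal_function")
        resp = exception_pdu(function, EXC_ILLEGAL_FUNCTION)
    elif len(pdu) != 5:
        event.update(kind="read_holding_registers", result="bad_pdu_length")
        resp = exception_pdu(function, EXC_ILLEGAL_DATA_VALUE)
    else:
        start, qty = struct.unpack(">HH", pdu[1:5])
        event.update(kind="read_holding_registers", start=start, quantity=qty)
        if not 1 <= qty <= 125:             # spec limit for function 0x03
            event["result"] = "illegal_data_value"
            resp = exception_pdu(function, EXC_ILLEGAL_DATA_VALUE)
        elif start + qty > len(SIMULATED_REGISTERS):
            event["result"] = "illegal_data_address"
            resp = exception_pdu(function, EXC_ILLEGAL_DATA_ADDRESS)
        else:
            regs = SIMULATED_REGISTERS[start:start + qty]
            event["result"] = "ok"
            resp = bytes([function, 2 * qty]) + struct.pack(">%dH" % qty, *regs)
    return build_response(hdr["transaction_id"], hdr["unit_id"], resp), event


def log_event(event):
    """One JSON line per request; replace with syslog/IDMEF forwarding in a deployment."""
    print(json.dumps(event))


class ModbusHoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        peer = "%s:%d" % self.client_address
        while True:
            data = self.request.recv(260)   # 260 bytes is the maximum Modbus/TCP ADU
            if not data:
                break
            response, event = handle_request(data, peer)
            log_event(event)
            if response:
                self.request.sendall(response)


def serve(host="0.0.0.0", port=5020):
    """Assumed port 5020; bind 502 (with privileges) to look like a real device."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), ModbusHoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Running the script listens on the assumed port and prints one JSON event per received ADU; in the appliance or virtualized deployments described in the chapter, `log_event` is where those events would be forwarded to the monitoring side rather than printed. Handling only reads and refusing all writes keeps the honeypot incapable of being turned into a relay into the real process network, while still recording which function codes and register ranges a probe asks for.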
