A Novel and Interactive Industrial Control System Honeypot for Critical Smart Grid Infrastructure

Industrial Control Systems (ICS) are the underlying monitoring and control components of critical infrastructures. They consist of a number of distributed field devices, such as Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs) and Human Machine Interfaces (HMIs). As modern ICS are connected to the Internet, in the context of their digitalization as part of the Internet of Things (IoT) domain, a number of security threats are introduced, whose exploitation can lead to severe consequences. Honeypots and honeynets are promising countermeasures that attract attackers and divert them from the real infrastructure, while gathering valuable information about the attack patterns as well as the source of the attack. In this work, we implement an interactive, proof-of-concept ICS honeypot, based on Conpot, that is able to emulate a physical ICS device by replicating realistic traffic from the real device. As the honeypot runs inside a Virtual Machine, it is possible to emulate the entire organization's ICS infrastructure, a fact that is very important for the security of modern critical infrastructure. In order to assess the proposed honeypot, a real-life demonstration scenario involving a hydro power plant was designed. The honeypot architecture is provided, and its structural components are presented in detail.
