Honeypots in ICS
Different honeypot projects and concepts have emerged in recent years that aim to protect and secure industrial control systems (ICSs). Honeypots are evolving and are now being used as honeynets: networks of honeypots that interact with the environment as one entity and thus collect even more knowledge about incoming attacks. To predict future attacks and improve the response to incidents, it is very important to obtain all relevant information on potential attackers, their methodology, and their potential targets or systems of interest.
A honeypot is a useful tool for enhancing control system security: it appears to contain information or resources of value inside the network, but is actually isolated and monitored, allowing the collection of information from which the behavior of the attackers can be analyzed. Conpot is the ICS/SCADA server honeypot run by the development team of Conpot and The Honeynet Project [RIS13]. Conpot's key advantage is that it can easily be updated, extended and deployed. A Siemens SIMATIC S7-200 PLC with basic functions, an input/output module and a Communication Processor CP 443-1 is used to simulate the basic configuration, which allows connection to SIMATIC via Ethernet [RIS13]. Conpot can also be linked to an actual HMI and enables interaction with real ICS hardware. The software supports standard protocols for industrial management such as Modbus, HTTP, S7Comm, IEC104, SNMP, CIP, Ethernet/IP, BACnet and IPMI.
ICSs consist of many types of control systems, including SCADA, Remote Terminal Units (RTUs), Human Machine Interfaces (HMIs), etc. EPES systems include industrial processes, corporate network services (web services, email, storage services, etc.), supervision systems (SCADA, etc.) and a series of industrial controlling devices such as programmable logic controllers (PLCs) and distributed control systems (DCSs). The industrial process is controllable by means of a control network, which enables information transmission to the RTU using industrial communication protocols (Modbus, IEC104, etc.) by wired or wireless means through the HMI, and enables control of industrial devices capable of opening or closing breakers and connectors.
Honeypot IEC60870-5-104 in SDN-microSENSE
The Conpot honeypot supports IEC 60870-5-104 [60870] for the monitoring, control and communication of energy systems. We use the RTU honeypot in SDN-microSENSE to imitate the actions of an RTU that controls systems in an intelligent grid substation. In the controlling direction, more system information commands, such as the counter interrogation command and the read command, were added to the Conpot honeypot. The protocol is a serial asynchronous protocol and is used for tele-control. It offers TCP/IP features and allows LAN network connectivity. An RTU device can function in real production systems as a master or as a slave. Therefore, the same behavior is imitated in the RTU honeypot.
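As an added illustration (not Conpot's or the project's own code), the sketch below shows how the logging side of an RTU honeypot could decode incoming IEC 60870-5-104 frames and label the interrogation, counter interrogation and read commands mentioned above. The function name, record fields and sample frames are assumptions constructed for this example.

```python
import struct

# Control-direction system commands (IEC 60870-5-104 type identifiers).
SYSTEM_COMMANDS = {100: "C_IC_NA_1 (interrogation)",
                   101: "C_CI_NA_1 (counter interrogation)",
                   102: "C_RD_NA_1 (read)"}
U_FUNCTIONS = {0x07: "STARTDT act", 0x0B: "STARTDT con", 0x13: "STOPDT act",
               0x23: "STOPDT con", 0x43: "TESTFR act", 0x83: "TESTFR con"}


def parse_apdu(frame: bytes) -> dict:
    """Decode one APDU received by the honeypot into a loggable record (hypothetical helper)."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (missing 0x68 start byte)")
    if frame[1] < 4 or frame[1] != len(frame) - 2:
        raise ValueError("APDU length field does not match frame size")
    cf1, cf2, cf3, cf4 = frame[2:6]
    if (cf1 & 0x03) == 0x03:                      # U-format: link control
        return {"format": "U", "function": U_FUNCTIONS.get(cf1, "unknown")}
    if (cf1 & 0x03) == 0x01:                      # S-format: acknowledgement only
        return {"format": "S", "recv_seq": (cf3 | (cf4 << 8)) >> 1}
    asdu = frame[6:]                              # I-format carries an ASDU
    if len(asdu) < 6:
        raise ValueError("I-format APDU with truncated ASDU header")
    type_id, _vsq, cot, _orig, common_addr = struct.unpack("<BBBBH", asdu[:6])
    record = {
        "format": "I",
        "send_seq": (cf1 | (cf2 << 8)) >> 1,
        "type_id": type_id,
        "command": SYSTEM_COMMANDS.get(type_id, "other"),
        "cause": cot & 0x3F,                      # 6 = activation, 5 = request
        "common_addr": common_addr,
    }
    if len(asdu) >= 9:                            # first information object address
        record["ioa"] = int.from_bytes(asdu[6:9], "little")
    return record


# Constructed sample frames for the example (not captured traffic).
SAMPLES = [
    bytes.fromhex("68 04 07 00 00 00"),                                # STARTDT act
    bytes.fromhex("68 0e 00 00 00 00 65 01 06 00 01 00 00 00 00 05"),  # counter interrogation
    bytes.fromhex("68 0d 02 00 00 00 66 01 05 00 01 00 64 00 00"),     # read of IOA 100
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_apdu(sample))
```

Records like these let an analyst see which commands a visitor issued against the imitated RTU and in what order.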
You can find more details on the project website: