DOI: 10.1145/2994487.2994493

Towards High-Interaction Virtual ICS Honeypots-in-a-Box

Published: 28 October 2016

Abstract

In this work, we address the problem of designing and implementing honeypots for Industrial Control Systems (ICS). Honeypots are vulnerable systems deliberately set up to be probed and compromised by attackers; analysis of those attacks lets the defender learn about novel attacks and the attacker's general strategy. Honeypots for ICS need to satisfy both traditional ICT requirements, such as cost and maintainability, and ICS-specific requirements, such as timing and determinism.
We propose the design of a virtual, high-interaction, server-based ICS honeypot that satisfies these requirements and allows a realistic, cost-effective and maintainable deployment. An attacker model completes the problem statement and the requirements.
Based on our design and the MiniCPS framework, we implemented a honeypot that mimics a water treatment testbed. To the best of our knowledge, the presented implementation is the first academic work targeting Ethernet/IP based ICS honeypots, the first virtual ICS honeypot that is high-interaction without relying on full virtualization (such as a network of virtual machines), and the first ICS honeypot that can be managed by a Software-Defined Networking (SDN) controller.
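The abstract claims protocol-level high interaction over Ethernet/IP without full virtualization. The following is an added example, not the paper's honeypot and not MiniCPS code, of the lowest layer such a honeypot must get right: it parses the 24-byte Ethernet/IP encapsulation header that every ENIP/TCP message starts with, answers RegisterSession with a session handle, answers ListIdentity (the probe internet scanners send to fingerprint a PLC) with a fabricated identity, validates session handles the way a real PLC does, and logs every probe with its decoded command name. The identity values (vendor, device type, product name, serial, address) and the sample requests in `sample_scan` are assumptions constructed for the example.

```python
"""Ethernet/IP (ENIP) encapsulation-layer responder for an ICS honeypot.

Added example: not the paper's honeypot and not MiniCPS code. Implements the
ENIP encapsulation layer only; the CIP requests carried inside SendRRData /
SendUnitData belong to the process-emulation layer and are refused here.
The identity values and the sample requests are assumptions.
"""
import itertools
import struct

# Encapsulation header, little-endian: command, payload length, session handle,
# status, sender context (8 bytes, echoed back unchanged), options.
ENIP_HDR = struct.Struct("<HHII8sI")
ENIP_HDR_LEN = ENIP_HDR.size  # 24
ENIP_PROTOCOL_VERSION = 1

COMMANDS = {
    0x0004: "ListServices", 0x0063: "ListIdentity", 0x0064: "ListInterfaces",
    0x0065: "RegisterSession", 0x0066: "UnRegisterSession",
    0x006F: "SendRRData", 0x0070: "SendUnitData",
}
STATUS_SUCCESS, STATUS_INVALID_COMMAND, STATUS_INCORRECT_DATA = 0x0000, 0x0001, 0x0003
STATUS_INVALID_SESSION, STATUS_UNSUPPORTED_VERSION = 0x0064, 0x0069

# Assumed identity (not from the paper). Vendor 1 and device type 0x0E are the
# ODVA codes for Rockwell/Allen-Bradley and "Programmable Logic Controller".
IDENTITY = dict(vendor=0x0001, device_type=0x000E, product_code=0x005A,
                revision=(20, 11), status=0x0030, serial=0x00C0FFEE,
                product_name=b"1756-L61/B LOGIX5561", state=0x03,
                ip="10.0.0.10", port=44818)


def parse_header(buf):
    """Decode the encapsulation header; returns (header dict, payload bytes)."""
    if len(buf) < ENIP_HDR_LEN:
        raise ValueError("truncated ENIP header (%d bytes)" % len(buf))
    cmd, length, session, status, ctx, options = ENIP_HDR.unpack_from(buf)
    hdr = dict(command=cmd, length=length, session=session,
               status=status, context=ctx, options=options)
    return hdr, buf[ENIP_HDR_LEN:ENIP_HDR_LEN + length]


def build(command, session, status, context, data=b""):
    """Encode one ENIP message; the length field always covers the payload."""
    return ENIP_HDR.pack(command, len(data), session, status, context, 0) + data


def identity_item():
    """CPF 'ListIdentity Response' item (type 0x000C) describing the fake PLC."""
    ip = bytes(int(o) for o in IDENTITY["ip"].split("."))
    # The embedded sockaddr_in is big-endian (network order), unlike the rest.
    sock = struct.pack("!hH4s8s", 2, IDENTITY["port"], ip, b"\x00" * 8)
    body = struct.pack("<H", ENIP_PROTOCOL_VERSION) + sock
    body += struct.pack("<HHHBBHI", IDENTITY["vendor"], IDENTITY["device_type"],
                        IDENTITY["product_code"], IDENTITY["revision"][0],
                        IDENTITY["revision"][1], IDENTITY["status"], IDENTITY["serial"])
    body += bytes([len(IDENTITY["product_name"])]) + IDENTITY["product_name"]
    body += bytes([IDENTITY["state"]])
    # item count (1), item type id, item length, item data
    return struct.pack("<HHH", 1, 0x000C, len(body)) + body


class EnipConnection:
    """State for one attacker TCP connection: session handle plus a probe log."""
    _handles = itertools.count(0x00010001)

    def __init__(self, peer):
        self.peer = peer
        self.session = 0
        self.log = []  # (peer, command name, session handle in request, payload hex)

    def handle(self, buf):
        hdr, data = parse_header(buf)
        cmd, ctx, sess = hdr["command"], hdr["context"], hdr["session"]
        self.log.append((self.peer, COMMANDS.get(cmd, "Unknown(0x%04x)" % cmd),
                         sess, data.hex()))
        if len(data) != hdr["length"]:  # header promises more bytes than arrived
            return build(cmd, sess, STATUS_INCORRECT_DATA, ctx)
        if cmd == 0x0065:  # RegisterSession: payload is version(2) + options(2)
            if len(data) != 4 or struct.unpack_from("<H", data)[0] != ENIP_PROTOCOL_VERSION:
                return build(cmd, 0, STATUS_UNSUPPORTED_VERSION, ctx,
                             struct.pack("<HH", ENIP_PROTOCOL_VERSION, 0))
            self.session = next(self._handles)
            return build(cmd, self.session, STATUS_SUCCESS, ctx, data)
        if cmd == 0x0066:  # UnRegisterSession: a PLC sends no reply
            self.session = 0
            return b""
        if cmd == 0x0063:  # ListIdentity needs no session; this is what scanners send
            return build(cmd, sess, STATUS_SUCCESS, ctx, identity_item())
        if cmd in (0x006F, 0x0070) and (sess == 0 or sess != self.session):
            return build(cmd, sess, STATUS_INVALID_SESSION, ctx)
        # Anything else, including CIP inside a valid session, is refused here.
        return build(cmd, sess, STATUS_INVALID_COMMAND, ctx)


def sample_scan(peer="198.51.100.7"):
    """Constructed scanner exchange: RegisterSession, then ListIdentity."""
    conn = EnipConnection(peer)
    ctx = b"\x00" * 8
    reg_reply = conn.handle(build(0x0065, 0, 0, ctx, struct.pack("<HH", 1, 0)))
    ident_reply = conn.handle(build(0x0063, 0, 0, ctx))
    return conn, reg_reply, ident_reply


if __name__ == "__main__":
    conn, reg, ident = sample_scan()
    print("session 0x%08x, ListIdentity reply %d bytes" % (conn.session, len(ident)))
    for entry in conn.log:
        print(entry)
```

The design point worth noting is that every rejection path returns the status code a real PLC would return (0x0069 for a wrong protocol version, 0x0064 for a session handle the device never issued, 0x0001 for an unknown command) and echoes the sender context, since fingerprinting tools compare exactly these details to tell a honeypot from a PLC.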

Published In

cover image ACM Conferences
CPS-SPC '16: Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy
October 2016
144 pages
ISBN:9781450345682
DOI:10.1145/2994487
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cyber-physical systems
  2. honeypots
  3. industrial control systems
  4. security

Qualifiers

  • Research-article

Conference

CCS'16

Acceptance Rates

CPS-SPC '16 Paper Acceptance Rate 12 of 26 submissions, 46%;
Overall Acceptance Rate 53 of 66 submissions, 80%

Cited By

  • (2025) PHCG: PLC Honeypoint Communication Generator for Industrial IoT. IEEE Transactions on Mobile Computing 24(1):198-209. doi:10.1109/TMC.2024.3455564. Online publication date: 1-Jan-2025.
  • (2024) Observation of Human-Operated Accesses Using Remote Management Device Honeypot. IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences E107.A(3):291-305. doi:10.1587/transfun.2023CIP0018. Online publication date: 1-Mar-2024.
  • (2024) "If You Build it, They will Come" - A Blueprint for ICS-focused Capture-The-Flag Competitions. Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy, pages 27-40. doi:10.1145/3690134.3694818. Online publication date: 19-Nov-2024.
  • (2024) ICSNet: A Hybrid-Interaction Honeynet for Industrial Control Systems. Proceedings of the Sixth Workshop on CPS&IoT Security and Privacy, pages 68-79. doi:10.1145/3690134.3694813. Online publication date: 19-Nov-2024.
  • (2024) These are Not the PLCs You are Looking for: Obfuscating PLCs to Mimic Honeypots. IEEE Transactions on Network and Service Management 21(3):3623-3635. doi:10.1109/TNSM.2024.3361915. Online publication date: Jun-2024.
  • (2024) HoneyJudge: A PLC Honeypot Identification Framework Based on Device Memory Testing. IEEE Transactions on Information Forensics and Security 19:6028-6043. doi:10.1109/TIFS.2024.3407520. Online publication date: 2024.
  • (2024) Towards Cyber-Physical Representation and Cyber-Resilience Against Attack and Failure within a Hydraulic Network Simulation Toolkit. 2024 IEEE Security and Privacy Workshops (SPW), pages 246-252. doi:10.1109/SPW63631.2024.00029. Online publication date: 23-May-2024.
  • (2024) DRACO: Production Network Deployment and Evaluation of Deceptive Defense As-a-Service. 2024 IEEE International Conference on Big Data (BigData), pages 2606-2615. doi:10.1109/BigData62323.2024.10825309. Online publication date: 15-Dec-2024.
  • (2024) Scrutinizing Security in Industrial Control Systems: An Architectural Vulnerabilities and Communication Network Perspective. IEEE Access 12:67537-67573. doi:10.1109/ACCESS.2024.3394848. Online publication date: 2024.
  • (2024) CyberDefender: an integrated intelligent defense framework for digital-twin-based industrial cyber-physical systems. Cluster Computing 27(6):7273-7306. doi:10.1007/s10586-024-04320-x. Online publication date: 1-Sep-2024.
