A Flexible Architecture for Industrial Control System Honeypots

Alexandru Vlad Serbanescu, Sebastian Obermeier, Der-Yeuan Yu

2015

Abstract

While targeted attacks on Industrial Control Systems are frequently reported in the news, the number of untargeted attacks using standardized industrial protocols is still unclear, especially where devices are mistakenly or even knowingly connected to the Internet. To lay the foundation for deeper insight into the interest of potential attackers, a large-scale honeynet system that captures all interactions using industrial protocols is proposed. The distinctive features of the honeynet architecture are its automated deployment on a cloud infrastructure and its modularisation of the industrial protocols. The centralized-but-redundant data collection allows correlating attacks that happen on multiple devices. A real-world experiment confirms the feasibility of the approach, and results of the observed interactions with the honeynet are presented.



Paper Citation


in Harvard Style

Vlad Serbanescu A., Obermeier S. and Yu D. (2015). A Flexible Architecture for Industrial Control System Honeypots. In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 16-26. DOI: 10.5220/0005522500160026


in Bibtex Style

@conference{secrypt15,
author={Alexandru Vlad Serbanescu and Sebastian Obermeier and Der-Yeuan Yu},
title={A Flexible Architecture for Industrial Control System Honeypots},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},
year={2015},
pages={16-26},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005522500160026},
isbn={978-989-758-117-5},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - A Flexible Architecture for Industrial Control System Honeypots
SN - 978-989-758-117-5
AU - Vlad Serbanescu A.
AU - Obermeier S.
AU - Yu D.
PY - 2015
SP - 16
EP - 26
DO - 10.5220/0005522500160026