Industrial Honeypots

Posted date 23/03/2017
Author
INCIBE (INCIBE)
Honeypots industriales

More and more security analysts apply honeypots to obtain information about the techniques used in attempts to violate communication networks.

A honeypot is a tool especially designed to serve as a trap against potential attackers. Honeypots are able to simulate a service or device to attract actions that will subsequently be analysed. Sometimes real devices are used as honeypots to save time in the development stage. Honeypots, both real and simulated ones, are usually created with vulnerabilities to attract attackers.

Honeypots with IT environment features are the most common ones, but given the increasing number of attacks experienced by industrial control systems, some experts believe it would be useful to incorporate them in these environments to detect attack vectors. As already noticed some time ago in countries such as Ukraine, anticipation and detection of attacks to industrial systems prevents greater problems, such as those caused by BlackEnergy or Stuxnet.

The sophistication of persistent threats or industrial malware is such that, nowadays, detecting them can be very complex. One of the options to detect said anomalies in the system may be honeypots, with permanent monitoring of their interaction and contact with the real network.

Tipos de honeypot

Traditionally, honeypots are classified into high and low interaction honeypots, although they might also be divided in more levels according to their interaction with attackers. Like you can see in the next taxonomy.

Honeypots taxonomy

Interaction between honeypots and environment

In addition to interaction, we must consider the type of device or service that is going to be simulated. If we are dealing with an industrial system of the electricity sector, using a honeypot that simulates a device used in a different sector can alarm attackers trying to access them and therefore they will easily detect it is a trap. It is also important to take care of details such as physical addresses (MAC), IP addressing, banners, browsers' fingerprinting to access web panels, etc. because there are services, such as that provided by shodan, which, by checking a specific IP, allow you to know whether that address corresponds to a honeypot or a real system.

Honeypot or Not? SHODAN

- Servicio de shodan que muestra si la IP esconde un honeypot o no -

One of the most used honeypots to simulate industrial devices is conpot.This honeypot is characterised by the serial number of module 88111222 and the module type IM151-8 PN/DP CPU. Therefore, if these values are detected, the honeypot can be identified as a false device.

banner de conpot en shodan

Other honeypots used in industrial environments are:

  • gridpot: Open source tool to simulate electricity grids.
  • GasPot: Simulator of Veeder Root Gaurdian AST, a measuring device commonly used in the oil and gas industry for tanks at petrol stations.

Honeypots are sometimes not enough and honeynets have to be used to attract attackers. Honeynets simulate a complete network. They allow generating false traffic, but this must not affect real traffic of industrial systems to avoid false readings or delays in communications. Some honeynets specific to industrial environments are:

  • SCADA-honeynet: DigitalBond honeynet that uses 2 virtual machines, and also allows using a physical device. One of the machines has the network monitoring system WallEye and QuickDraw para IDS. The second machine simulates a PLC with services exposed to attackers.
  • SCADA HoneyNet Project: Project developed by Venkat Pothamsetty and Matthew Franz to simulate virtual PLC based on the use of honeyd, a demon used for the simulation of equipment with different operating systems and services.

Issues to keep in mind

In addition to the details mentioned above, using honeypots requires taking into account the following issues:

  • The objective of honeypots is detecting attacks through the simulation or real implementation of systems or devices to subsequently analyse the data obtained. It is therefore necessary to implement responses to face attacks and monitoring data to analyse.
  • The type of honeypot we wish to implement in our system and its future location are other aspects that must be considered. In case of exposing the honeypot to the Internet, it is necessary to segment the network to prevent hops between networks and avoid that, the attacker can obtain more information than what we want.
  • There may be a legal responsibility behind the deployment of a honeypot that needs to be analysed and taken into account. For example, if our honeypot is a high interaction one, or even if we use a real device, the attacker may use this system to carry out attacks outside our network, and this might become a legal issue. It is very important that our honeypot has filtered outgoing traffic to avoid such problem.
  • It is important to perform a review and maintenance of the honeypot so that it is fully operational and fulfils the functions it was implemented for.

camino honeypot

In general, this is a practice that allows gaining and overview of attacks experienced by a system and the generation of a log record to subsequently create rules in its security devices (firewalls, IDS, IPS, etc.) without any substantial investment being needed.

Considerations before deploying a Honeypot

Some examples of guides on quick and easy deployment of a honeypot are:

Now that you know a bit more about honeypots, dare to deploy one and discover what is passing through your network!