Leveraging Cyber-Physical System Honeypots to Enhance Threat Intelligence

  • Michael HaneyEmail author
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 570)


Honeypots and related deception technologies have long been used to capture and study malicious activity in networks. However, clear requirements for developing effective honeypots for active defense of cyber-physical systems have not been discussed in the literature. This chapter proposes a next generation industrial control system honeynet. Enumerated requirements and a reference framework are presented that bring together the best available honeypot technologies and new adaptations of existing tools to produce a honeynet suitable for detecting targeted attacks against cyber-physical systems. The framework supports high-fidelity simulations and high interactions with attackers while delaying the discovery of the deception. Data control, capture, collection and analysis are supported by a novel and effective honeywall system. A hybrid honeynet, using virtualized and real programmable logic controllers that interact with a physical process model, is presented. The benefits provided by the framework along with the challenges to consider during honeynet deployment and operation are also discussed.


Cyber-physical systems honeypots threat intelligence 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    F. Abbasi and R. Harris, Experiences with a Generation III virtual honeynet, Proceedings of the Australasian Telecommunications Networks and Applications Conference, 2009Google Scholar
  2. 2.
    R. Bejtlich, The Tao of Network Security Monitoring: Beyond Intrusion Detection, Addison-Wesley, Boston, Massachusetts, 2004Google Scholar
  3. 3.
    J. Briffaut, J. Lalande and C. Toinard, Security and results of a large-scale high-interaction honeypot, Journal of Computers, vol. 4(5), pp. 395–404, 2009Google Scholar
  4. 4.
    C. Bronk and E. Tikk-Ringas, The cyber attack on Saudi Aramco, Survival, vol. 55(2), pp. 81–96, 2013CrossRefGoogle Scholar
  5. 5.
    D. Buza, F. Juhasz, G. Miru, M. Felegyhazi and T. Holczer, CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot, Proceedings of the Second International Workshop on Smart Grid Security, pp. 181–192, 2014Google Scholar
  6. 6.
    E. Byres, The air gap: SCADA’s enduring security myth, Communications of the ACM, vol 56(8), pp. 29–31, 2013CrossRefGoogle Scholar
  7. 7.
    G. Chamales, The Honeywall CD-ROM, IEEE Security and Privacy, vol. 2(2), pp. 77–79, 2004Google Scholar
  8. 8.
    B. Cheswick, An evening with Berferd in which a cracker is lured, endured and studied, Proceedings of the Winter USENIX Conference, pp. 163–174, 1992Google Scholar
  9. 9.
    Conpot Development Team, Conpot ICS/SCADA Honeypot (, 2019Google Scholar
  10. 10.
    J. Coret, Kojoney – A Honeypot for the SSH Service (, 2006Google Scholar
  11. 11.
    I. Darwish, O. Igbe and T. Saadawi, Experimental and theoretical modeling of DNP3 attacks on smart grids, Proceedings of the Thirty-Sixth IEEE Sarnoff Symposium, pp. 155–160, 2015Google Scholar
  12. 12.
    P. Derler, E. Lee and A. Vincentelli, Modeling cyber-physical systems, Proceedings of the IEEE, vol. 100(1), pp. 13–28, 2012CrossRefGoogle Scholar
  13. 13.
    A. Dinaburg, P. Royal, M. Sharif and W. Lee, Ether: Malware analysis via hardware virtualization extensions, Proceedings of the Fifteenth ACM Conference on Computer and Communications Security, pp. 51–62, 2008Google Scholar
  14. 14.
    N. Falliere, L. O’Murchu and E. Chien, W32.Stuxnet Dossier, Version 1.4, Symantec, Mountain View, California, 2011Google Scholar
  15. 15.
    C. Grigg, P. Wong, P. Albrecht, R. Allan, M. Bhavaraju, R. Billinton, Q. Chen, C. Fong, S. Haddad, S. Kuruganty, W. Li, R. Mukerji, D. Patton, N. Rau, D. Reppen, A. Schneider, M. Shahidehpour and C. Singh, The IEEE reliability test system-1996, A report prepared by the reliability test system task force of the application of probability methods subcommittee, IEEE Transactions on Power Systems, vol. 14(3), pp. 1010–1020, 1999CrossRefGoogle Scholar
  16. 16.
    D. Henriksson and H. Elmqvist, Cyber-physical systems modeling and simulation with Modelica, Proceedings of the Eighth Modelica Conference, pp. 502–509, 2011Google Scholar
  17. 17.
    T. Holz and F. Raynal, Detecting honeypots and other suspicious environments, Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop, pp. 29–36, 2005Google Scholar
  18. 18.
    Honeynet Project, Know Your Enemy: Sebek – A Kernel Based Data Capture Tool (, 2003Google Scholar
  19. 19.
    Honeynet Project, Honeynet Definitions, Requirements and Standards (, 2004Google Scholar
  20. 20.
    P. Huang, C. Yang and T. Ahn, Design and implementation of a distributed early warning system combined with intrusion detection system and honeypot, Proceedings of the International Conference on Hybrid Information Technology, pp. 232–238, 2009Google Scholar
  21. 21.
    Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), Trends in Incident Response in 2013, Idaho Falls, Idaho, 2013Google Scholar
  22. 22.
    F. Knobbe, SnortSam – A firewall blocking agent for Snort (, 2001
  23. 23.
    V. Koganti, Cyber-Attack Simulation in MATLAB/Simulink, M.S. Thesis, Department of Computer Science, University of Idaho, Moscow, Idaho, 2017Google Scholar
  24. 24.
    B. Krebs, Cyber incident blamed for nuclear power plant shutdown, The Washington Post, June 5, 2008Google Scholar
  25. 25.
    S. Kuman, S. Gros and M. Mikuc, An experiment in using IMUNES and Conpot to emulate honeypot control networks, Proceedings of the Fortieth International Convention on Information and Communications Technology, Electronics and Microelectronics, pp. 1262–1268, 2017Google Scholar
  26. 26.
    T. Lengyel, J. Neumann, S. Maresca, B. Payne and A. Kiayias, Virtual machine introspection in a hybrid honeypot architecture, Proceedings of the Fifth USENIX Workshop on Cyber Security Experimentation and Test, 2012Google Scholar
  27. 27.
    J. Mahseredjian, V. Dinavahi, and J. Martinez, An overview of simulation tools for electromagnetic transients in power systems, Proceedings of the IEEE Power Engineering Society General Meeting, 2007Google Scholar
  28. 28.
    J. Mahseredjian, V. Dinavahi and J. Martinez, Simulation tools for electromagnetic transients in power systems: Overview and challenges, IEEE Transactions on Power Delivery, vol. 24(3), pp. 1657–1669, 2009CrossRefGoogle Scholar
  29. 29.
    A. Mairh, D. Barik, K. Verma and D. Jena, Honeypot in network security: A survey, Proceedings of the International Conference on Communications, Computing and Security, pp. 600–605, 2011Google Scholar
  30. 30.
    S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A. Sadeghi, M. Maniatakos and R. Karri, The cybersecurity landscape in industrial control systems, Proceedings of the IEEE, vol 104(5), pp. 1039–1057, 2016CrossRefGoogle Scholar
  31. 31.
    Modbus Organization, Modbus Application Protocol Specification, V1.1b3, Hopkinton, Massachusetts (, 2012
  32. 32.
    National Instruments, LabVIEW, Austin, Texas (, 2019
  33. 33.
    S. Nunes, Web Attack Risk Awareness with Lessons Learned from High Interaction Honeypots, M.S. Thesis, Information Networking Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, 2009Google Scholar
  34. 34.
    V. Paxson, Bro: A system for detecting network intruders in real-time, Computer Networks, vol. 31(23-24), pp. 2435–2463, 1999CrossRefGoogle Scholar
  35. 35.
    N. Perlroth, Hackers are targeting nuclear facilities, Homeland Security Dept. and FBI say, The New York Times, July 6, 2017Google Scholar
  36. 36.
    V. Pothamsetty and M. Franz, SCADA HoneyNet Project: Building Honeypots for Industrial Networks(, 2008Google Scholar
  37. 37.
    N. Provos, A virtual honeypot framework, Proceedings of the Thirteenth Annual USENIX Security Symposium, 2004Google Scholar
  38. 38.
    Z. Puljiz and M. Mikuc, IMUNES based distributed network emulator, Proceedings of the International Conference on Software in Telecommunications and Computer Networks, pp. 198–203, 2006Google Scholar
  39. 39.
    QoSient, Argus: Network Audit Record Generation and Utilization System, New York (, 2014Google Scholar
  40. 40.
    T. Rodrigues Alves, M. Buratto, F. de Souza and T. Rodrigues, OpenPLC: An open source alternative to automation, Proceedings of the IEEE Global Humanitarian Technology Conference, pp. 585–589, 2014Google Scholar
  41. 41.
    M. Roesch, Snort – Lightweight intrusion detection for networks, Proceedings of the Thirteenth USENIX Conference on System Administration, pp. 229–238, 1999Google Scholar
  42. 42.
    C. Song, B. Hay and J. Zhuge, Know Your Tools: Qebek – Conceal the monitoring, The Honeynet Project (, 2010
  43. 43.
    L. Spitzner, Honeytokens: The other honeypot, Symantec Connect (, Ju- ly 16, 2003
  44. 44.
    L. Spitzner, The Honeynet Project: Trapping the hackers, IEEE Security and Privacy, vol. 1(2), pp. 15–23, 2003CrossRefGoogle Scholar
  45. 45.
    C. Stoll, The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage, Doubleday New York, 1989Google Scholar
  46. 46.
    H. Tsai, C. Tu and Y. Su, Development of a generalized photovoltaic model using MATLAB/Simulink, Proceedings of the World Congress on Engineering and Computer Science, 2008Google Scholar
  47. 47.
    U.S. Department of Homeland Security, Common Cybersecurity Vulnerabilities in Industrial Control Systems, Washington, DC, 2011Google Scholar
  48. 48.
    U.S. Department of Homeland Security, NCCIC Year in Review 2017: Operation Cyber Guardian, Washington, DC (, 2018
  49. 49.
    C. Valli and A. Woodward, SCADA security – Slowly circling a disaster area, Proceedings of the International Conference on Security and Management, pp. 613–617, 2009Google Scholar
  50. 50.
    T. Vollmer and M. Manic, Cyber-physical system security with deceptive virtual hosts for industrial control networks, IEEE Transactions on Industrial Informatics, vol. 10(2), pp. 1337–1347, 2014CrossRefGoogle Scholar
  51. 51.
    S. Wade, SCADA Honeynets: The Attractiveness of Honeypots as Critical Infrastructure Security Tools for the Detection and Analysis of Advanced Threats, M.S. Thesis, Department of Electrical and Computer Engineering, Iowa State University, Ames, Iowa, 2011Google Scholar
  52. 52.
    D. Watson and J. Riden, The Honeynet Project: Data collection tools, infrastructure, archives and analysis, Proceedings of the WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp. 24–30, 2008Google Scholar
  53. 53.
    Western Services Corporation, Power Plant Simulation Overview, Frederick, Maryland (, 2019
  54. 54.
    K. Wilhoit, Who’s really attacking your ICS equipment, Trend Micro Security Intelligence Blog (, Mar- ch 15, 2013Google Scholar
  55. 55.
    T. Williams, Computer control technology – Past, present and probable future, Transactions of the Institute of Measurement and Control, vol 5(1), pp. 7–19, 1983MathSciNetCrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  1. 1.University of IdahoIdaho FallsUSA

Personalised recommendations