Abstract
Industrial control systems connected to the Internet represent attractive targets for remote attacks. While targeted attacks are often publicly reported, there is no clear information regarding non-targeted attacks. In order to analyse potentially malicious behaviour, we develop a large-scale honeynet system to capture and investigate network activities that use industrial protocols. The honeynet is composed of multiple honeypots that can be automatically deployed to cloud infrastructures as well as on-premises networks, and employs a modular design to support a multitude of industrial protocols. The collected data is aggregated at a series of centralised yet redundant nodes to resist single points of failure or adversarial compromise. We deploy the honeynet to demonstrate the feasibility of our approach and present our observations.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Serbanescu, A.V., Obermeier, S., Yu, DY. (2016). A Scalable Honeynet Architecture for Industrial Control Systems. In: Obaidat, M., Lorenz, P. (eds) E-Business and Telecommunications. ICETE 2015. Communications in Computer and Information Science, vol 585. Springer, Cham. https://doi.org/10.1007/978-3-319-30222-5_9
DOI: https://doi.org/10.1007/978-3-319-30222-5_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-30221-8
Online ISBN: 978-3-319-30222-5
eBook Packages: Computer Science (R0)