Shared Physical SCADA Honeypots
Second in a series of SCADA Honeynet posts
We wanted to expose and test both physical and simulated honeypots in our SCADA Honeynet project. Physical honeypots are real equipment and offer the highest level of interaction and the most realistic responses to an attacker. The downside is that real SCADA devices are expensive and hard to deploy. That cost in time and money could be shared, though, if multiple honeynets could use one common honeypot.
Terminology Check: A honeynet consists of (1) a honeywall, which captures the attack data, controls the attacker and manages the honeynet, and (2) a honeypot, which can be physical (real equipment) or simulated.
One of our project goals was to determine whether a shared physical SCADA honeypot is feasible. Our partner in this project, BCIT, had a Modicon Quantum PLC connected to realistic input/output, and this served as the physical honeypot. Honeynets were exposed at various locations and IP addresses in the US, and their attack traffic was transported to the PLC in Vancouver (see diagram below).

The results and performance were very positive. Early on we had some trouble with the connections going dormant and response times slowing, but a ping every five minutes kept them alive and resolved it. Response times were comparable to those of any other Internet-reachable device. They could still be noticeable to an attacker on the same WAN, who would expect a local PLC to answer faster than one reached over a long backhaul.
The honeynets receive no authorized traffic, and there are significant gaps between serious attacks, so one physical honeypot serving many honeynets should not be a problem. It certainly is not a problem with fewer than five honeynets and can likely support many more. The one situation to watch is two honeynets forwarding sessions at the same moment, since both attackers would then be acting on the same PLC state.
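To make the forwarding arrangement concrete, here is a small added example of the honeywall side; it is illustrative code written for this post, not code from the SCADA Honeynet project, Digital Bond or BCIT. An asyncio relay accepts attacker connections on the exposed address, forwards each session to the remote PLC and records per-session byte counts, while a keepalive task reconnects to the PLC port at a fixed interval so an idle backhaul never goes dormant and the connect time doubles as a response-time sample. It assumes a TCP connect probe in place of the ICMP ping we used (ping needs raw sockets), the PLC is stood in for by an echo server, and the Modbus/TCP-shaped request bytes, the 127.0.0.1 addresses and the 50 ms probe interval are constructed for the demo.

```python
import asyncio
import time
from dataclasses import dataclass, field


@dataclass
class RelayStats:
    sessions: list = field(default_factory=list)       # (peer, bytes_to_plc, bytes_from_plc)
    probe_rtts_ms: list = field(default_factory=list)  # None where a probe failed


async def pump(reader, writer, counts, key):
    """Copy bytes one way, counting them; close the far side when this side ends."""
    try:
        while data := await reader.read(4096):
            counts[key] += len(data)
            writer.write(data)
            await writer.drain()
    except OSError:
        pass  # reset by either end: the session is simply over
    finally:
        writer.close()


async def handle_attacker(client_reader, client_writer, plc_host, plc_port, stats):
    """One attacker session on the exposed honeywall address, forwarded to the remote PLC."""
    peer = client_writer.get_extra_info("peername")
    counts = {"to_plc": 0, "from_plc": 0}
    try:
        plc_reader, plc_writer = await asyncio.open_connection(plc_host, plc_port)
    except OSError:
        client_writer.close()  # backhaul down: drop the attacker rather than hang
        return
    await asyncio.gather(pump(client_reader, plc_writer, counts, "to_plc"),
                         pump(plc_reader, client_writer, counts, "from_plc"))
    stats.sessions.append((peer, counts["to_plc"], counts["from_plc"]))


async def keepalive(plc_host, plc_port, interval, stats, stop):
    """Connect to the PLC port every `interval` seconds so the backhaul never idles.
    A TCP connect stands in for the ICMP ping used in practice (assumption: ping
    needs raw sockets); the connect time is kept as a crude response-time sample."""
    while not stop.is_set():
        t0 = time.perf_counter()
        try:
            _, w = await asyncio.open_connection(plc_host, plc_port)
            stats.probe_rtts_ms.append((time.perf_counter() - t0) * 1000.0)
            w.close()
            await w.wait_closed()
        except OSError:
            stats.probe_rtts_ms.append(None)
        try:
            await asyncio.wait_for(stop.wait(), interval)
        except asyncio.TimeoutError:
            pass


# Constructed stand-in for the PLC: echoes one request, then hangs up. A real
# Modicon Quantum would answer Modbus/TCP here; this only exercises the relay.
async def fake_plc(reader, writer):
    writer.write(await reader.read(4096))
    await writer.drain()
    writer.close()


# Constructed sample: a Modbus/TCP-shaped Read Holding Registers request
# (transaction 1, unit 1, function 3, 10 registers from address 0).
SAMPLE_REQUEST = bytes.fromhex("00010000000601030000000a")


async def _demo(probe_interval=0.05):
    stats, stop = RelayStats(), asyncio.Event()
    plc = await asyncio.start_server(fake_plc, "127.0.0.1", 0)
    plc_port = plc.sockets[0].getsockname()[1]
    relay = await asyncio.start_server(
        lambda r, w: handle_attacker(r, w, "127.0.0.1", plc_port, stats), "127.0.0.1", 0)
    relay_port = relay.sockets[0].getsockname()[1]
    probe = asyncio.create_task(keepalive("127.0.0.1", plc_port, probe_interval, stats, stop))

    # The "attacker" only ever sees the relay port, never the PLC's real address.
    r, w = await asyncio.open_connection("127.0.0.1", relay_port)
    w.write(SAMPLE_REQUEST)
    await w.drain()
    reply = await r.read(4096)
    w.close()
    await w.wait_closed()

    await asyncio.sleep(probe_interval * 3)  # let the session finish and a few probes run
    stop.set()
    await probe
    for server in (relay, plc):
        server.close()
        await server.wait_closed()
    return reply, stats


def run_demo():
    """Run the whole exchange on localhost; returns (reply bytes, RelayStats)."""
    return asyncio.run(_demo())


if __name__ == "__main__":
    reply, stats = run_demo()
    print("reply via relay:", reply.hex())
    for peer, to_plc, from_plc in stats.sessions:
        print(f"session {peer}: {to_plc} B to PLC, {from_plc} B back")
    print("probe RTT ms:", [None if x is None else round(x, 2) for x in stats.probe_rtts_ms])
```

In a real deployment the relay's listening address is the exposed US IP and `plc_host` is the tunnel endpoint in Vancouver; the session records are what the honeywall would log, and a run of `None` entries in `probe_rtts_ms` is the early sign that the backhaul has gone dormant again.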
There are many potentially interesting deployments of shared physical honeypots.
- Thanks to significant grant money from I3P, NSF and the USG, many universities have SCADA equipment in the lab. We get at least an email a week from a grad student asking what they should study: here is an idea.
- Vendors could expose their systems to the Internet, gather practical attack data and see how the devices hold up against automated tools. This might be particularly interesting for vendors that took shortcuts with their TCP/IP stacks or web server applications. Probably unlikely, but they certainly have the equipment available.
- Asset owners with multiple locations could share a realistic physical honeypot that matches their environment. Honeynets at multiple plants or other locations would then serve as early attack warning devices.
Previous SCADA Honeynet Posts
SCADA Honeynet Overview
Author: Dale Peterson
Posted: August 30th, 2006 under SCADA Honeynet.