SCADA Honeywall: Use Your Own PLC As The Target

I recently gave a presentation on the SCADA Honeynet Project. During the Question and Answer session, a number of attendees requested an implementation of the Honeynet that would allow them to use a spare physical PLC as the target. Evidently many asset owners had older spare field devices available. By using a PLC commonly found on their control network, the Honeynet would provide a highly realistic look and feel. In addition to the realism of the device, the data obtained from an attack on a PLC monitored by the SCADA Honeywall would provide a more accurate representation of the attacker’s sophistication.

Our original SCADA Honeynet relies on two virtual machines. One virtual machine contains a slightly modified Honeywall implementation for monitoring purposes. The second virtual machine simulates a PLC. The PLC virtual machine provides realistic web, FTP, Telnet, SNMP and Modbus/TCP services.

We have now created a set of instructions so asset owners can use our SCADA Honeywall virtual machine and their own PLC as a target. The setup requires a slightly more advanced user than the original SCADA Honeynet. The installation document walks the user through relevant portions of the host setup, the configuration of VMware Server and the configuration of the virtual machine. The user must supply and configure their own PLC. Once the system is set up, traffic sent to the PLC can be monitored remotely via the SCADA Honeywall web interface.

The new install guide can be found here, but it is a subscriber-only document.

We also put our marketing hats on and created a two-page brochure on the SCADA Honeynet.

I look forward to hearing your feedback on this implementation, either on the site or via email.

Comments

Comment from Dale Peterson
Time: July 8, 2008, 11:29 am

I was surprised at the demand for this option, but it was the most frequent comment and request. Evidently a lot of asset owners have older or spare field devices available on the shelf and are much more comfortable and interested in the physical, highly realistic target. Glad we were able to oblige and provide a Honeywall-only version that can work with a physical PLC, RTU, IED . . . or for that matter an HMI, Engineering Workstation, Historian or whatever you have available.

Comment from Thorsten Holz
Time: July 14, 2008, 5:14 pm

Quick question: did you ever observe a real attack against a SCADA honeynet? Or were all attacks just scans and no one actually attacked your honeypots?

Comment from Dale Peterson
Time: July 14, 2008, 6:22 pm

Thorsten – We have seen actual attacks against the common services such as ftp and http, but nothing on the Modbus slave/server and nothing that was not automated.

There was a relatively long-lasting ftp password guessing attack, but it was clearly automated. All the attacker would have to do was see what the system was from the home page of the web server, google, and enter the default password.

We believe the SCADA honeynet could be a useful vehicle for determining when control system default credentials make the lists used by the hacking community.
