Archive for 'SCADA Honeynet'
SCADA Honeywall: Use Your Own PLC As The Target
I recently gave a presentation on the SCADA Honeynet Project. During the Question and Answer session, a number of attendees requested an implementation of the Honeynet that would allow them to use a spare physical PLC as the target. Evidently many asset owners had older spare field devices available. By using a PLC commonly found [...]
Author: Charles Perine
Posted: July 8th, 2008 under SCADA Honeynet.
Comments: 3
Another SCADA Honeynet Update
This honeywall update includes our four latest IDS signatures, which aid in detecting points list and function code scans on DNP3 and Modbus TCP. These signatures play an important role in identifying a reconnaissance scan on PLCs, RTUs, and IEDs in a control system environment. In regard to the honeywall, roo-1.2 has been released for [...]
Author: Landon Lewis
Posted: July 27th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: 2
SCADA Honeynet Article in InfraGard Publication
The summer 2007 edition of InfraGard’s Gardian publication has an article we wrote on SCADA Honeynets. The article provides a brief overview of the topic and some of the results from the SCADA Honeynets, which appear to the attacker to be a PLC, that we have deployed in substations and on the Internet.
Author: Dale Peterson
Posted: July 24th, 2007 under SCADA Honeynet.
Comments: none
SCADA Honeynet Looking For A Home
We pulled one of our SCADA Honeynets out of an electric substation after about six months, and we are looking for another interesting place to put it. Ideally it would be an environment where 802.11 wireless would be likely to be used and somewhere that is close to people that might try to piggyback on [...]
Author: Dale Peterson
Posted: May 18th, 2007 under SCADA Honeynet.
Comments: 1
SCADA Honeynet Updates
This update includes the current version (roo 1.1) of the honeywall and a patched target which had a vulnerability in one of the service components. After a large number of bug fixes and IDS signature interface changes, the honeywall is stable and reports all SCADA alerts correctly in Walleye (as shown below).
Thanks to Neutralbit for [...]
Author: Landon Lewis
Posted: April 2nd, 2007 under SCADA Honeynet, SCADA IDS, Site Info.
Comments: none
Results from SCADA Honeynet at PCSF
We had the SCADA Honeynet attached to a wireless access point at the PCSF Annual Meeting March 6 and 7 in Atlanta, GA. PCSF attendees were encouraged to connect to it to check out the realism of this simulated PLC target and attack it as much as they desired. Of course, others connected simply looking [...]
Author: Dale Peterson
Posted: March 22nd, 2007 under PCSF, SCADA Honeynet.
Comments: none
SCADA Honeynet Online at PCSF
In his S4 comments, Ty Bodell suggested we have the SCADA Honeynet live at S4 2008 so attendees can see it, hack it or otherwise interact with it. We thought why wait until next January, so the SCADA Honeynet will be available via a wireless access point at the PCSF annual event in Atlanta next [...]
Author: Dale Peterson
Posted: February 26th, 2007 under PCSF, SCADA Honeynet.
Comments: 3
Visualization Tools
So I’ve been using Afterglow quite a bit to visualize data from a couple of our SCADA Honeynet projects. Some of the output is starting to be added to our Honeynet Stats & Reports page and some I’m still automating.
Another tool, developed/hosted by IBM, that might be useful for visualizations is “Many Eyes”. Through a [...]
Author: Landon Lewis
Posted: February 20th, 2007 under SCADA Honeynet.
Comments: none
Free Samples: Two Replays of Virtual S4 Presentations
For one week we are making two of the 13 one-hour S4 sessions available to our loyal blog readers.
SCADA Honeynets: How to Build and Analyzing Attacks by Landon Lewis, Digital Bond
and
OPC Exposed Part II: Denial of Service Attacks by Ralph Langner, Langner Communications
The password for these two presentations is 9udg#ves.
This is a good opportunity to [...]
Author: Dale Peterson
Posted: February 13th, 2007 under OPC, S4, SCADA Honeynet.
Comments: 4
Displaying Custom IDS Signature Alerts in Walleye
For those of you who have downloaded our latest release of the SCADA Honeynet, you have probably noticed that the SCADA IDS signatures display ‘unknown signature’ in the Walleye interface. I’m sure this is true for anyone who has put a custom IDS snort signature on their honeywall as well. The steps below outline what [...]
Author: Landon Lewis
Posted: February 6th, 2007 under SCADA Honeynet, SCADA IDS.
Comments: none