SCADA Honeynet
From SCADApedia
Honeynets are a useful research tool for understanding attacks and attackers, and a useful early-warning tool for network owners. The SCADA Honeynet mimics many of the services of a popular PLC and helps SCADA researchers better understand the potential risks of exposed control system devices.
History
The first SCADA Honeynet was released in March 2004 by Matthew Franz and Venkat Pothamsetty of the Cisco Critical Infrastructure Assurance Group (CIAG). The design used Honeyd to simulate a limited set of services from a popular PLC. The project is no longer maintained, but it is still available from SourceForge.
Current
The current SCADA Honeynet, managed by Digital Bond, uses two virtual machines. The first virtual machine concentrates on monitoring all network activity and statistics using a Generation III Honeywall. The Honeywall virtual machine image contains Digital Bond's SCADA IDS Signatures to detect malicious activity directed at the second virtual machine, a simulated PLC. The second virtual machine, the target, simulates a popular PLC that exposes a number of services to an attacker. The virtual machine images are available for download from the Digital Bond subscriber site.
In response to popular demand, Digital Bond has also released installation instructions for using the SCADA Honeywall virtual machine with a physical field device. Many asset owners wanted to use a spare field device as the target to maximize realism for their environment.
Target Services
Modbus TCP
The SCADA Honeynet exposes the Modbus TCP protocol and contains a points list from a US electric substation. Points represent measured values, such as voltage and current, and status indications, such as whether a protective relay has tripped or a circuit breaker is open. An attacker with an easily available Modbus client could read the points and even write changes to the simulated PLC; against a real device, such writes would affect the integrity of the substation.
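To make the Modbus TCP target and the Honeywall's monitoring role concrete, here is a small low-interaction Modbus TCP responder written for this article; it is an added example, not Digital Bond's honeynet code. It parses the MBAP header and PDU of a request, serves reads from a constructed points list (the register names and values are invented, not the substation data the honeynet ships with), accepts single and multiple register writes, and records every request in an event list so that writes, which nothing legitimate should ever send to a honeypot, surface as alerts. The class and helper names (`ModbusHoneypot`, `read_request`, `write_single_request`) are this example's own.

```python
"""Low-interaction Modbus TCP honeypot responder (added example, not the SCADA Honeynet's code)."""
import struct

# Modbus function and exception codes used below (standard values).
READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10
EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02

# Constructed points list: register address -> (name, value). Not real substation data.
SAMPLE_POINTS = {
    0: ("BusVoltage_kV", 138),
    1: ("LineCurrent_A", 412),
    2: ("Breaker52_Closed", 1),   # 1 = breaker closed, 0 = open
    3: ("Relay51_Tripped", 0),    # 1 = protective relay has tripped
}


class ModbusHoneypot:
    """Answers Modbus TCP requests from a points list and logs every request as an event."""

    def __init__(self, points):
        # Copy the points so each honeypot instance has independent state.
        self.points = {addr: [name, value] for addr, (name, value) in points.items()}
        self.events = []  # what a Honeywall-style monitor would forward to the IDS

    @staticmethod
    def parse_adu(data):
        """Split a Modbus TCP ADU into (transaction id, unit id, function code, payload)."""
        if len(data) < 8:
            raise ValueError("frame too short for MBAP header plus function code")
        tid, pid, length, uid = struct.unpack(">HHHB", data[:7])
        if pid != 0:
            raise ValueError("protocol id %d is not Modbus" % pid)
        if length != len(data) - 6:
            raise ValueError("MBAP length field does not match frame size")
        return tid, uid, data[7], data[8:]

    @staticmethod
    def build_adu(tid, uid, pdu):
        """Wrap a PDU in an MBAP header; length counts the unit id plus the PDU."""
        return struct.pack(">HHHB", tid, 0, len(pdu) + 1, uid) + pdu

    def handle(self, data):
        """Return the response ADU for one request ADU, recording an event on the way."""
        tid, uid, func, payload = self.parse_adu(data)
        if func == READ_HOLDING_REGISTERS:
            if len(payload) < 4:
                raise ValueError("truncated read request")
            start, count = struct.unpack(">HH", payload[:4])
            addrs = range(start, start + count)
            if not 1 <= count <= 125 or any(a not in self.points for a in addrs):
                self.events.append(("read_illegal_address", start, count))
                return self.build_adu(tid, uid, bytes([func | 0x80, EXC_ILLEGAL_ADDRESS]))
            self.events.append(("read", start, count))
            regs = b"".join(struct.pack(">H", self.points[a][1]) for a in addrs)
            return self.build_adu(tid, uid, bytes([func, len(regs)]) + regs)
        if func == WRITE_SINGLE_REGISTER:
            if len(payload) < 4:
                raise ValueError("truncated write request")
            addr, value = struct.unpack(">HH", payload[:4])
            return self._write(tid, uid, func, payload[:4], {addr: value})
        if func == WRITE_MULTIPLE_REGISTERS:
            if len(payload) < 5:
                raise ValueError("truncated write request")
            start, count, nbytes = struct.unpack(">HHB", payload[:5])
            if nbytes != 2 * count or len(payload) < 5 + nbytes:
                raise ValueError("malformed write multiple registers request")
            values = struct.unpack(">%dH" % count, payload[5:5 + nbytes])
            writes = dict(zip(range(start, start + count), values))
            return self._write(tid, uid, func, payload[:4], writes)
        self.events.append(("illegal_function", func))
        return self.build_adu(tid, uid, bytes([func | 0x80, EXC_ILLEGAL_FUNCTION]))

    def _write(self, tid, uid, func, echo, writes):
        # Any write to a honeypot is worth an alert: nothing legitimate should change its points.
        for addr, value in writes.items():
            name = self.points[addr][0] if addr in self.points else None
            self.events.append(("ALERT_write", addr, name, value))
        if any(a not in self.points for a in writes):
            return self.build_adu(tid, uid, bytes([func | 0x80, EXC_ILLEGAL_ADDRESS]))
        for addr, value in writes.items():
            self.points[addr][1] = value
        return self.build_adu(tid, uid, bytes([func]) + echo)


def read_request(tid, uid, start, count):
    """Build a Read Holding Registers request ADU (what a Modbus client would send)."""
    pdu = bytes([READ_HOLDING_REGISTERS]) + struct.pack(">HH", start, count)
    return ModbusHoneypot.build_adu(tid, uid, pdu)


def write_single_request(tid, uid, addr, value):
    """Build a Write Single Register request ADU."""
    pdu = bytes([WRITE_SINGLE_REGISTER]) + struct.pack(">HH", addr, value)
    return ModbusHoneypot.build_adu(tid, uid, pdu)


if __name__ == "__main__":
    hp = ModbusHoneypot(SAMPLE_POINTS)
    hp.handle(read_request(1, 1, 0, 4))
    hp.handle(write_single_request(2, 1, 2, 0))   # "open" the breaker: flagged as an alert
    for event in hp.events:
        print(event)
```

Wiring `handle()` to a TCP socket listening on tcp/502 turns this into a service like the honeynet's Modbus target; the `events` list is the part a Honeywall would watch, and the `ALERT_write` entries are the equivalent of a signature firing on a write function code.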
FTP
The SCADA Honeynet exposes a VxWorks FTP service mimicking that of a real PLC. Banners, default logins and default passwords have all been duplicated to entice attackers into logging into the device. Since FTP is a clear-text protocol, the full content of the network communications is inspected by the Honeywall's Snort and the SCADA IDS Signatures.
Telnet
The Telnet service and its banners are exposed on the SCADA Honeynet. No interaction is available; however, a VxWorks login banner is presented to attackers.
HTTP
The mimicked PLC hosts a custom embedded HTTP server for easy device management. An open source web server is exposed to attackers, and key components such as the content (images, Java applets, etc.) and the HTTP server type have been duplicated.
SNMP
The SCADA Honeynet supports the full SNMP MIB of the mimicked PLC.
| Service | Port | Purpose |
|---|---|---|
| FTP | tcp/21 | Firmware/Device Management |
| Telnet | tcp/23 | Device Configuration/Management |
| HTTP | tcp/80 | Device Configuration/Management |
| SNMP | udp/161 | Device/Service Health/Statistics |
| Modbus TCP | tcp/502 | Control |
External Links
Download the SCADA Honeynet Images
