SCADA Honeywall
From SCADApedia
Honeynets are a useful research tool to better understand attacks and attackers, and a useful early attack warning tool for asset owners. Digital Bond developed a SCADA Honeynet that included a SCADA Honeywall and simulated PLC target. Many asset owners requested the ability to replace the simulated PLC target with a physical field device of their own. Digital Bond's SCADA Honeywall is a modified version of the SCADA Honeynet that can be placed in front of a real PLC or other control system device.
The SCADA Honeywall is based on roo from the Honeynet Project and runs on Linux. The Honeywall is used to track and manage the attacker. It includes the Snort IDS in packet capture mode, and Digital Bond has added their SCADA IDS signatures. The SCADA Honeywall image also includes:
- Sebek - a white hat rootkit
- Argus - to collect network statistics
- Walleye - web-based management interface
- MySQL - to store data
The SCADA Honeywall can create periodic activity reports or be configured to alarm when attacks are identified. Since there is no reason for any activity to pass through the SCADA Honeywall, any attack activity is likely to warrant immediate investigation.
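The reporting idea above, as an added example (not Digital Bond's code and not part of the Honeywall image): it parses Snort fast-format alert lines and flags every source that touched the honeynet target, since no traffic is expected there. The sample lines, the target address 192.0.2.10, the SIDs and the messages are constructed, and the use of the fast alert format is an assumption about how Snort is configured.

```python
import re
from collections import defaultdict

# Snort "fast" alert: timestamp [**] [gid:sid:rev] msg [**] [...] {PROTO} src:port -> dst:port
FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample data: documentation-range addresses, made-up SIDs and messages.
TARGET_PLC = "192.0.2.10"
SAMPLE_ALERTS = """\
03/14-02:11:07.120001  [**] [1:9000001:1] EXAMPLE Modbus TCP read request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.23:40112 -> 192.0.2.10:502
03/14-02:11:09.450310  [**] [1:9000002:1] EXAMPLE Modbus TCP write request [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.23:40113 -> 192.0.2.10:502
03/14-03:40:51.000872  [**] [1:9000003:1] EXAMPLE ICMP echo to honeynet target [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.77 -> 192.0.2.10
03/14-03:41:02 truncated line from a rotated log
"""

def parse_alerts(text):
    """Return (alerts, unparsed): parsed dicts plus lines that did not match."""
    alerts, unparsed = [], []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = FAST_ALERT.match(line)
        if m:
            alerts.append(m.groupdict())
        else:
            unparsed.append(line)  # keep for manual review, never drop silently
    return alerts, unparsed

def activity_report(alerts, target):
    """Summarise per source; any source that touched the target is flagged."""
    report = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "ports": set(), "sids": set()})
    for a in (a for a in alerts if a["dst"] == target):
        row = report[a["src"]]
        row["count"] += 1
        row["first"] = row["first"] or a["ts"]
        row["last"] = a["ts"]
        row["ports"].add(f'{a["proto"]}/{a["dport"] or "-"}')
        row["sids"].add(int(a["sid"]))
    return dict(report)

if __name__ == "__main__":
    alerts, unparsed = parse_alerts(SAMPLE_ALERTS)
    for src, row in activity_report(alerts, TARGET_PLC).items():
        print("ALARM", src, row["count"], row["first"], row["last"], sorted(row["ports"]))
    print(len(unparsed), "unparsed line(s) to review by hand")
```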
Using a PLC or control system device commonly found on an asset owner's control network as the Honeynet target provides a highly realistic look and feel. In addition to the realism of the device, the data obtained from an attack on a PLC monitored by the SCADA Honeywall would provide a more accurate representation of the attacker's sophistication.

