POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems

Title: POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems
Publication Type: Conference Paper
Year of Publication: 2016
Authors: Lau, Stephan; Klick, Johannes; Arndt, Stephan; Roth, Volker
Conference Name: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4139-4
Keywords: compositionality, honeypot, Human Behavior, industrial control systems (ICS), programmable logic controller (PLC), pubcrawl, Resiliency, SCADA, SCADA Systems Security
Abstract: Honeypots are a common tool to set intrusion alarms and to study attacks against computer systems. In order to be convincing, honeypots attempt to resemble actual systems that are in active use. Recently, researchers have begun to develop honeypots for programmable logic controllers (PLCs). The tools of which we are aware have limited functionality compared to genuine devices. Particularly, they do not support running actual PLC programs. In order to improve upon the interactive capabilities of PLC honeypots we set out to develop a simulator for Siemens S7-300 series PLCs. Our current prototype XPOT supports PLC program compilation and interpretation, the proprietary S7comm protocol and SNMP. While the supported feature set is not yet comprehensive, it is possible to program it using standard IDEs such as Siemens' TIA portal. Additionally, we emulate the characteristics of the network stack of our reference PLC in order to resist OS fingerprinting attempts using tools such as Nmap. Initial experiments with students whom we trained in PLC programming indicate that XPOT may resist cursory inspection but still fails against knowledgeable and suspicious adversaries. We conclude that high-interactive PLC honeypots need to support a fairly complete feature set of the genuine, simulated PLC.
Citation Key: lau_poster:_2016