Utilities infrastructure like the electric grid have been the target of more sophisticated cyberattacks designed to disrupt their operation and create social unrest and economical losses. Just in 2016, a cyberattack targeted the Ukrainian power grid and successfully caused a blackout that affected 225,000 customers.
Industrial Control Systems (ICS) are a critical part of this infrastructure. Honeypots are one of the tools that help us capture attack data to better understand new and existing attack methods and strategies. Honeypots are computer systems purposefully left exposed to be broken into. They do not have any inherent value, instead, their value comes when attackers interact with them. However, state-of-the-art honeypots lack sophisticated service simulations required to obtain valuable data.
Worst, they cannot adapt while ICS malware keeps evolving and attacks patterns are increasingly more sophisticated.
This work presents HoneyPLC: A Next-Generation Honeypot for ICS. HoneyPLC is, the very first medium-interaction ICS honeypot, and includes advanced service simulation modeled after S7-300 and S7-1200 Siemens PLCs, which are widely used in real-life ICS infrastructures.
Additionally, HoneyPLC provides much needed extensibility features to prepare for new attack tactics, e.g., exploiting a new vulnerability found in a new PLC model.
HoneyPLC was deployed both in local and public environments, and tested against well-known reconnaissance tools used by attackers such as Nmap and Shodan's Honeyscore. Results show that HoneyPLC is in fact able to fool both tools with a high level of confidence. Also, HoneyPLC recorded high amounts of interesting ICS interactions from all around the globe, proving not only that attackers are in fact targeting ICS systems, but that HoneyPLC provides a higher level of interaction that effectively deceives them.