Honeynet Project Researchers Build Publicly Available ICS Honeypot

Two industrial control system researchers have built an ICS honeypot they hope others will deploy on critical infrastructure networks.

Industrial control system and SCADA honeypots have been tried before with relative success. While those systems were enticing to hackers who hammered away on them, they were also complicated, required real ICS and SCADA gear, and weren’t publicly available.

Two researchers from Norway and Denmark hope to change that dynamic with Conpot, short for Control Honeypot. Their project is a simple configuration for now, with a relatively small attack surface. They’re hoping to collect data from those who take what they started, deploy it on their own critical infrastructure networks and share the findings.

“The main goal is to make this kind of technology available for a general audience,” said Lukas Rist, a member of The Honeynet Project.  “Not just for security researchers, but also people who are sysadmins setting up ICS systems who have no clue what could happen and want to see malware attacks against their systems and not put them in any danger,”

Rist and his fellow Honeynet Project partner Johnny Vestergaard have deployed one ICS honeypot already in a default configuration that simulates a basic Siemens SIMATIC S7-200 programmable logic controller (PLC). The configuration includes an input/output module and a Siemens communications processor CP 443-1 needed for network connectivity. Conpot supports two major ICS protocols, Modbus and SNMP, standard interfaces connecting industrial control systems and controllers.

“We formatted Conpot in such a way that it’s easy to customize and adjust it as a proof of concept,” Vestergaard said. “One of the main points is how easy it is to configure this honeypot.  All of the configurations, everything from Modbus to the values of the internals and memory is all contained in a single XML file. We hope at one point, people will begin to customize this XML file and send it to us.”

Unlike other experiments with ICS honeypots that had access to real control systems, such as one conducted by Trend Micro’s Kyle Wilhoit and presented this spring at Black Hat EU, Conpot is strictly a copycat with some values of real gear making it look realistic enough for hackers to test.

“You want to emulate the fingerprint of a machine,” Rist said. “What Kyle deployed was one real machine in a honeypot. To achieve the same result, we need to emulate the realistic values of acertain kind of controller. Siemens has some special addresses it uses. If your  honeypot runs on the SNMP protocol used by Siemens, the attacker can confirm this. It’s a look-alike competition.”

Rist and Vestergaard found documentation online for the Siemens gear they’re emulating, finding the values they were looking for in screenshots from real PLC gear. They have deployed one instance of their honeypot with a relatively small attack surface and have already been attacked three times. For example, there is no HMI or human machine interface, a visualization of SCADA or industrial control equipment, connected to their PLC. Doing so would make their honeypot much easier to find via a special Google or SHODAN search, they said.

Rist said it was Wilhoit’s project that sparked his interest in building Conpot. Wilhoit’s honeypot ran for 28 days and mimicked an Internet management interface for a water pressure station, a server hosting an HMI system and another server hosting a PLC. Wilhoit told Threatpost that attackers had purpose-built malware for the particular gear he was using and tried to modify industrial processes once they accessed a system. Wilhoit’s honeypot was attacked 39 times, most of those attacks originating in China, Laos and the U.S. His dummy sites were ripe targets: default configurations and credentials were left in place, and the system names were optimized for Google searches.

Wilhoit said he observed attackers logging in, making changes to processes such as raising water temperatures or shutting down pumps, and logging out. A dozen of the 39 attacks targeted the specific gear in the honeypot and 13 were repeated by the same attackers.

Once others make use of Conpot, the data collected could be invaluable, Rist and Vestergaard said. The duo said they’ve already been contacted by a number of national CERTs as well as different academic institutions.

“One university guy contacted us who is created an IPS for industrial control systems,” Rist said. “This data will be helpful to train systems that attackers are looking for. There are a lot of different applications for this data.”

Rist said they hope to support more protocols in the future such as DNP3, as well as general protocols such as HTTP, FTP and SSH in order to simplify HMI integration.

“This is such an interesting topic because most of those systems never expected to show up on the Internet,” Rist said. “It’s quite a critical topic. No matter if it’s a big power plant or a small water pump, it’s easy to find those systems and play around with them. This stuff is so critical to national infrastructures and our needs; that’s what makes this so important.”

Suggested articles