TY - CHAP
T1 - HoneyPLC
T2 - A Next-Generation Honeypot for Industrial Control Systems
AU - Morales, Efrén López
AU - Rubio-Medrano, Carlos E.
AU - Doupé, Adam
AU - Wang, Ruoyu
AU - Shoshitaishvili, Yan
AU - Bao, Tiffany
AU - Ahn, Gail Joon
N1 - Funding Information:
Acknowledgments This work was supported in part by the National Science Foundation (NSF) under grant 1651661, the Department of Energy (DoE) under grant DE-OE0000780, the Army Research Office under grant W911NF-17-1-0370, the Defense Advanced Research Projects Agency (DARPA) under the agreements HR001118C0060 and FA875019C0003, the Institute for Information & Communications Technology Promotion (IITP) under grant 2017-0-00168 funded by the Korea government (MSIT), a grant from the Center for Cybersecurity and Digital Forensics (CDF) at Arizona State University, and a grant from Texas A&M University—Corpus Christi. Any opinions, findings, conclusions, or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Government or any agency thereof.
Publisher Copyright:
© 2023, This is a U.S. government work and not under copyright protection in the U.S.; foreign copyright protection may apply.
PY - 2023
Y1 - 2023
AB - Industrial Control Systems (ICSs) provide management and control capabilities for mission-critical infrastructure such as nuclear facilities and the power, water, and transportation grids. Within an ICS, Programmable Logic Controllers (PLCs) play a key role because they bridge the cyber and physical worlds, e.g., by controlling the centrifuges in a uranium enrichment facility. ICSs and PLCs have recently been the target of sophisticated cyberattacks designed to disrupt their operation. In this context, honeypots have proven to be highly valuable tools for collecting real data, e.g., malware payloads, to better understand the many strategies that attackers use. However, existing state-of-the-art honeypots for PLCs lack the sophisticated service simulations required to obtain valuable data, and they cannot adapt as malware keeps evolving. This chapter presents HoneyPLC, a high-interaction, extensible, malware-collecting honeypot that supports a broad spectrum of PLC models and vendors. Experimental results show that HoneyPLC achieves a high level of camouflage: multiple widely used reconnaissance tools identify it as a real device, and it records a large number of interesting interactions over the Internet, showing that HoneyPLC can effectively engage and deceive attackers while collecting data samples for future analysis.
UR - http://www.scopus.com/inward/record.url?scp=85149946510&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85149946510&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-16613-6_8
DO - 10.1007/978-3-031-16613-6_8
M3 - Chapter
AN - SCOPUS:85149946510
T3 - Advances in Information Security
SP - 145
EP - 181
BT - Advances in Information Security
PB - Springer
ER -