TY - CHAP
T1 - HoneyPLC
T2 - A Next-Generation Honeypot for Industrial Control Systems
AU - Morales, Efrén López
AU - Rubio-Medrano, Carlos E.
AU - Doupé, Adam
AU - Wang, Ruoyu
AU - Shoshitaishvili, Yan
AU - Bao, Tiffany
AU - Ahn, Gail Joon
N1 - Publisher Copyright: © 2023, This is a U.S. government work and not under copyright protection in the U.S.; foreign copyright protection may apply.
PY - 2023
Y1 - 2023
AB - Industrial Control Systems (ICSs) provide management and control capabilities for mission-critical utilities such as the nuclear, power, water, and transportation grids. Within ICS, Programmable Logic Controllers (PLCs) play a key role as they serve as a convenient bridge between the cyber and the physical worlds, e.g., controlling centrifuge machines in nuclear power plants. Recently, ICS and PLCs have been the target of sophisticated cyberattacks designed to disrupt their operation. In this context, honeypots have been shown to be highly valuable tools for collecting real data, e.g., malware payload, to better understand the many different strategies that attackers use. However, existing state-of-the-art honeypots for PLCs lack sophisticated service simulations that are required to obtain valuable data and cannot adapt, while malware keeps evolving. This chapter presents HoneyPLC, a high-interaction, extensible, and malware-collecting honeypot supporting a broad spectrum of PLC models and vendors. Experimental results show that HoneyPLC exhibits a high level of camouflaging: it is identified as real devices by multiple widely used reconnaissance tools, and it is also able to record a large amount of interesting interactions over the Internet, showing that HoneyPLC can effectively engage and deceive attackers while collecting data samples for future analysis.
UR - http://www.scopus.com/inward/record.url?scp=85149946510&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85149946510&partnerID=8YFLogxK
U2 - 10.1007/978-3-031-16613-6_8
DO - 10.1007/978-3-031-16613-6_8
M3 - Chapter
AN - SCOPUS:85149946510
T3 - Advances in Information Security
SP - 145
EP - 181
BT - Advances in Information Security
PB - Springer
ER -