
Monday, 23 October 2017

Design and implementation of a honeynet for an ICS environment (Part 1/2)

Industrial Control Systems (ICS) are becoming attack targets more and more often, mainly because of the impact that compromising an ICS can have. At the same time, these systems have very long lifetimes and were not originally designed with security in mind.

Traditionally, ICS networks have been separate from the IT world and use their own (sometimes proprietary) protocols that differ from the IT standards. For these reasons it is not well understood how these systems get exploited or what the implications of an exploitation are. A good way to learn the attack vectors and the attackers' objectives is to deploy honeypots and collect as much information as possible about the movements attackers make during the attack phase.

Honeypots and Honeynets

A honeypot, or trap system, is a piece of software or a combination of systems whose purpose is to attract attackers by posing as a vulnerable or weak system. It is a tool for gathering information about attackers and their techniques. Honeypots can divert attackers from the most critical systems and quickly alert the system administrator to an attack attempt, as well as allowing an in-depth examination of the attack and the attackers, both during and after the attack on the honeypot system.

A honeynet is a special type of honeypot: a high-interaction honeypot that spans a whole network, designed to be attacked and therefore able to collect much more information about potential attackers. In a honeynet, real systems are used, with real operating systems running real applications. This type of honeypot is mainly used for research into new attack techniques and for studying the modus operandi of intruders.


What are honeynets for in an ICS environment?

At present it is difficult to reproduce a standard SCADA network, given the huge variety of industrial network deployments. This is due to the heterogeneous nature of industrial sectors and to the lack of standard architectures for each of these sectors. One of the main reasons control network emulation is so hard to implement is the difficulty of simulating the communication networks themselves, since there are many different and complex networks and network topologies.

Because a honeynet is a dynamic environment, its infrastructure can be quickly modified to adapt it to different environments or industrial sectors. The critical data captured from attacks received by the honeynet will allow the development of mechanisms, tools and procedures to mitigate these attacks in the near future, or to recover from them more effectively.


Honeynet development phases

To develop a honeynet, a number of phases need to be followed:

  • Phase 0: Initial project phase. In this phase a set of different systems is connected directly to the internet. These systems only collect attack attempts: ports, services, source IPs, etc.
  • Phase 1: In this phase, the different devices inside the honeynet network interact with each other. Starting from the data acquired in phase 0, a network infrastructure is built that follows the attack preferences observed in phase 0. The software applications are deployed on the different systems so that each plays its own role inside the honeynet. Information gathering becomes more thorough and focuses on the means and methods used during the attacks.
  • Phase 2: Research phase and dynamic changes to the honeynet. Starting from the data obtained in phase 1, different elements of the honeynet are modified to improve the network infrastructure and the hardening process. In this phase the first reports are produced.

Glossary

Low interaction honeypot

A low-interaction honeypot simulates some services in order to detect attacks directed at those services. Depending on the quality of the simulation, these honeypots obtain more or less information. This type of honeypot is mainly used to detect attack attempts and protect a network infrastructure.


High interaction honeypot

High-interaction honeypots are used to analyze in depth the attacks detected previously. To obtain as much information as possible and to be as close to reality as possible, real devices are used, from which all available information about the attacks they receive is extracted.


In ICS, devices such as PLCs, RTUs and IEDs generally do not have enough computing power to take part in the information-gathering process themselves. A better alternative is therefore a gateway system that relays connections to the ICS device, extracts all the attack data and sends it to a centralized server, which is responsible for the in-depth analysis.
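The gateway described above, as an added example that is not code from the original post or from any of the tools it lists. It assumes Modbus/TCP as the relayed protocol (the post does not name one); the MBAP header layout and function codes used are the public ones, and the device address is a placeholder. The gateway sits in front of the real device, relays both directions unchanged, cuts the client byte stream into frames, and emits one JSON record per request, flagging write function codes and malformed traffic so the central server can prioritise them.

```python
"""Honeynet gateway for an ICS device: relays Modbus/TCP to the real device and
emits one JSON record per client request for the central collector.
Added example (not the original post's code). Assumes Modbus/TCP; the MBAP
layout and function codes are the public ones, the device address is a placeholder.
"""
import asyncio
import json
import struct
import time

# Function codes that change process state; the gateway flags these as alerts.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def split_frames(buf: bytes):
    """Cut a TCP byte stream into complete Modbus/TCP frames.

    The MBAP length field (bytes 4-5) counts unit id + PDU, so a frame is
    6 + length bytes. Returns (frames, remainder); a partial frame waits in
    the remainder for the next read. A length above the protocol maximum
    (254) cannot be Modbus, so the whole buffer is handed on as one frame
    to be logged as malformed instead of stalling the relay.
    """
    frames = []
    while len(buf) >= 6:
        length = struct.unpack(">H", buf[4:6])[0]
        if length > 254:
            frames.append(buf)
            return frames, b""
        total = 6 + length
        if len(buf) < total:
            break
        frames.append(buf[:total])
        buf = buf[total:]
    return frames, buf


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the function code that opens the PDU. Raises ValueError
    for anything that cannot be Modbus/TCP."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("length field %d does not match frame size" % length)
    fc = frame[7]
    if fc in WRITE_FUNCTIONS:
        kind, name = "write", WRITE_FUNCTIONS[fc]
    elif fc in READ_FUNCTIONS:
        kind, name = "read", READ_FUNCTIONS[fc]
    else:
        kind, name = "other", "Function %d" % fc
    return {"transaction_id": tid, "unit_id": unit, "function_code": fc,
            "function": name, "kind": kind, "pdu_hex": frame[7:].hex()}


def make_record(src_ip: str, src_port: int, frame: bytes, ts=None) -> dict:
    """Build the event the gateway ships to the collector (one per request)."""
    rec = {"ts": time.time() if ts is None else ts, "src_ip": src_ip,
           "src_port": src_port, "raw_hex": frame.hex()}
    try:
        rec.update(parse_mbap(frame))
        rec["alert"] = rec["kind"] == "write"   # writes can change the device
    except ValueError as exc:
        rec.update({"kind": "malformed", "error": str(exc), "alert": True})
    return rec


async def _pipe(reader, writer, on_data=None):
    """Copy bytes one way; on_data sees each chunk (used on the client side)."""
    try:
        while data := await reader.read(4096):
            if on_data:
                on_data(data)
            writer.write(data)
            await writer.drain()
    finally:
        writer.close()


def make_handler(device_host, device_port, emit=print):
    """Per-connection handler: open the real device and relay both directions."""
    async def handle(client_reader, client_writer):
        peer = client_writer.get_extra_info("peername") or ("?", 0)
        dev_reader, dev_writer = await asyncio.open_connection(device_host, device_port)
        buf = b""

        def log_requests(data):
            nonlocal buf
            frames, buf = split_frames(buf + data)
            for frame in frames:
                emit(json.dumps(make_record(peer[0], peer[1], frame)))

        await asyncio.gather(_pipe(client_reader, dev_writer, log_requests),
                             _pipe(dev_reader, client_writer))
    return handle


async def serve(listen_port=502, device_host="10.0.0.10", device_port=502):
    # device_host is a placeholder for the PLC behind the gateway (assumption).
    server = await asyncio.start_server(make_handler(device_host, device_port),
                                        "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

The `emit` callback is where the record would be shipped to the central server (syslog, a message queue, or a log file picked up by a forwarder); printing is only the stand-alone default. Because the device behind the gateway is real, the `alert` flag on write function codes is also the natural place to decide whether a request is relayed at all, which this example deliberately does not do: it only observes.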

Available tools

In the next post, freely available tools such as the following will be discussed:

  • Modern Honey Network (MHN)
  • Conpot
  • Honeytokens
  • Gridpot
  • ScadaHoneynet
  • GasPot
  • HoneyComb
  • IOThoneypot
  • PlanetLab
