I recently gave a presentation on the SCADA Honeynet Project. During the Question and Answer session, a number of attendees requested an implementation of the Honeynet that would allow them to use a spare physical PLC as the target. Evidently many asset owners had older spare field devices available. By using a PLC commonly found on their control network, the Honeynet would provide a highly realistic look and feel. In addition to the realism of the device, the data obtained from an attack on a PLC monitored by the SCADA Honeywall would provide a more accurate representation of the attacker’s sophistication.
Our original SCADA Honeynet relies on two virtual machines. One virtual machine contains a slightly modified Honeywall implementation for monitoring purposes. The second virtual machine simulates a PLC. The PLC virtual machine provides realistic web, FTP, Telnet, SNMP and Modbus/TCP services.
We have now created a set of instructions so asset owners can use our SCADA Honeywall virtual machine and their own PLC as a target. The setup requires a slightly more advanced user than the original SCADA Honeynet. The installation document walks the user through relevant portions of the host setup, the configuration of VMware Server and the configuration of the virtual machine. The user must supply and configure their own PLC. Once the system is set up, traffic sent to the PLC can be monitored remotely via the SCADA Honeywall web interface.
The new install guide can be found here, but it is a subscriber-only document.
We also put our marketing hats on and created a two-page brochure on the SCADA Honeynet.
I look forward to hearing your feedback on this implementation, either on the site or via email.