SCADA Honeynet

Digital Bond released a high interaction / very realistic SCADA Honeynet a few years back. Actually a better name would be a PLC Honeynet because it appeared to be a Modicon PLC. It has a points list with realistic values from an actual PLC that can be accessed via Modbus TCP. The FTP, HTTP, Telnet and SNMP interfaces are also realistic. FYI, it is still available for free download and use.

For about 18 months we had Honeynets deployed in a substation and on the Internet. While they saw a number of attacks, they all appeared automated and none were ICS related. We saw no traffic on the Modbus TCP port, and the FTP password guessing attacks never attempted the default Modicon credentials which are easily learned via search. With the advent of Shodan, it may be worthwhile hanging a couple on the Internet and seeing if anything has changed.

In a tweet, @mtoecker was asking if this could be modified to detect Beresford or Stuxnet attacks on a Siemens S7 PLC. The answer is of course yes, but how much work would be required.

If you have a spare Siemens S7 PLC, it is very simple to modify the SCADA Honeywall, a subset of the SCADA Honeynet, to support the S7. Look at the drawing at the bottom of this page, and you will see how the Honeywall can sit in front of PLC to log activity and alert on attacks. Since this is not a valid PLC in the process, any activity would be unauthorized, but not necessarily malicious.

The other approach would be to create the simulated S7 PLC to replace the simulated Modicon PLC. The amount of work is directly related to level of interaction/realism, which is directly related to how long an attacker will be fooled by the Honeynet.

If you just want to identify if anyone is attempting an attack, the level of interaction and corresponding effort would be low. Just have the appropriate ports and somewhat appropriate response or error message to detect how intelligent the attacker is. A sophisticated attacker will quickly identify that something is wrong and move on. You will not learn much about the attack methodology, but it would provide an early warning capability.

If some enterprising grad student is looking for a project, we have a substantial number of different PLC’s that could be used to create low interaction / attack detection PLC Honeynets. Send us an email if you are interested.

Image by Siona Watson