Improved ICS Honeypot Techniques

Abstract

As work continues to advance the security posture of ICS systems across the UKNDA estate, opportunities arise to consider the deployment of deception technologies. With high-profile attacks on ICS occurring more frequently, and increasing numbers of adversaries developing ever more sophisticated techniques, strategies to try and stay ahead of the curve become increasingly necessary. Honeypots are an important research tool for discovering both new threat actors and any new techniques they are developing before they can cause harm. Outside of research, Honeypots are deployed internally as a tool to be used during defensively where they act as a distraction or early warning. This paper will examine current state of ICS Honeypots, and propose a new high-interaction honeypot technique using common industry tools. It is this new honeypot is made cheap and simple to deploy by making use of Siemens PLCSIM software, already in wide use in the nuclear industry. Offline validation testing and live internet deployment will be used to test and compare directly with other existing low and high interactivity honeypots. The results from the honeypots will be compared to examine scanning activity, reconnaissance activity and attacks to look for differences in both type and amount of activity seen.