Designing & Deploying ICS Honeypots
Steven C. Markey, MSIS, PMP, CISSP, CIPP/US, CISM, CISA, STS-EV, CCSK, CCSP, Cloud+
Principal, nControl, LLC; Adjunct Professor
[Figure: source Drupal]
ICS Honeypots
[Figure: source Wikipedia]
• ICS Componentry
  – Programmable Logic Controller (PLC)
  – Distributed Control Systems (DCS)
  – Embedded Control
  – Safety Instrumented Systems (SIS)
[Figures: sources Purdue, MOXA, MTS, Open, Flickr, Minded Security, Microsoft, IEEE, SAFECode & Microsoft]
• Honeypot Strategies
  – Thick Deployments
    • Small Scale: Each Entity Contains Whole Logic / Stack
  – Thin Deployments
    • Larger Scale: Traffic Reflector
• Honeypot Solution Options
  – Open-Source
    • T-Pot
      – ELK
    • HoneyDrive Framework
      – Kippo, Conpot, Dionaea, Honeyd, Glastopf, Amun, Wordpot, LaBrea
      – LAMP, ELK & Other Analytics
  – Commercial
    • Offensive & Deceptive
      – Ridgeback
    • Traditional Deception
      – Deception Tool Kit (DTK)
      – KFSensor
      – HoneyPoint Security Server
• One-Off Deception Maneuvers
  – Bastion Hosts
    • Windows Environment: Telnet / SSH (like Kippo)
    • Linux Environment: RDP / RDC
  – VLANs
    • Passive Sniffers
  – Proxies
    • Forward
    • Reverse
    • Dual (WAF-like, LaBrea / Glastopf)
[Figures: sources RSSing, Charlie Scott, Levenetep, Jason Lefkovitz, Ridgeback]
• Demo Time
[Figure: source Baseball Brains]
• Questions?
• Contact
  – Email: [email protected]
  – Twitter: @markes1
  – LI: http://www.linkedin.com/in/smarkey