CPS-SPC 16 @ Vienna AU
Towards High-Interaction Virtual ICS Honeypots-in-a-Box
DANIELE ANTONIOLI, ANAND AGRAWAL, N. O. TIPPENHAUER
[email protected] Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1
Overview
In this work we:
• Present the design of a realistic ICS honeypot
  – Satisfying traditional and ICS requirements
  – That is high-interaction, virtualized and low-cost
• Show an implementation of such a design
  – Targeting ICS based on Ethernet/IP
  – High-interaction without full virtualization
  – Compatible with Software-Defined Networking
• Discuss its evaluation
  – S3's Capture-The-Flag (CTF) for ICS
Industrial Control Systems (ICS)
• Industrial Control Systems (ICS)
  – Connected devices managing an industrial process
  – Control and monitor: PLC, SCADA, HMI
  – Physical: sensors, actuators
  – Cyber: switches, routers, gateways
• ICS security is a major challenge
  – Internet-facing control networks
  – Cyber and physical attack surface
  – Legacy code, uncertified devices
Real Water Treatment ICS
[Figure: network diagram of the real water treatment ICS. An L1 network connects the HMI, SCADA, Historian, a switch and a VPN/Gateway to the Internet; below it, one L0 network per process (Process 1 ... Process n) connects a redundant PLC pair (PLC1a/PLC1b, PLC2a/PLC2b, ..., PLCna/PLCnb) to Remote IO (RIO) and to the process sensors (reading e.g. 42.42) and actuators. A second build of the slide adds an Attacker to the diagram, next to the Historian.]
Our Idea: ICS Honeypots
[Figure: the same water treatment ICS diagram, with an Attacker on the Internet reaching the system through its VPN/Gateway; this is the system the honeypot is meant to impersonate.]
ICS Honeypots: Introduction
• Systems intended to be probed, attacked, and compromised
  – Lure the attacker by impersonating an ICS
  – Stop, or slow down, the attack
  – Study the attacker's behaviour
• Classifications
  – Infrastructure: real vs. virtual (vs. hybrid)
  – Realism: low-interaction vs. high-interaction
  – Role: client vs. server
  – Usage: research vs. production
Our Honeypot: Attacker Model
• Assumptions
  – Honeypot reached over the Internet
  – Vulnerable interface determines the attack surface
• Capabilities
  – Fingerprinting: addresses, ports, protocols
  – Protocols: knowledge of all protocols used in the system
  – Physical system: limited knowledge of process and devices
• Interactions
  – Denial-of-Service: flood the network
  – Man-in-the-Middle: passive and active
  – Device impersonation: valid and malformed packets
  – Sabotage: trigger actions through malicious commands
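The attacker model above lists device impersonation (valid and malformed packets) and Man-in-the-Middle among the interactions the honeypot must absorb. Because the honeypot owns every simulated device, it knows the complete IP-to-MAC inventory of its emulated network, which makes impersonation easy to spot. The following is an added example, not code from the talk or from MiniCPS: a small monitor that parses raw Ethernet/ARP frames and checks the sender's claimed IP/MAC pair against that inventory. The IP addresses are those on the implementation slide; the MAC addresses, the sample frames and the verdict names are constructed for illustration, and the frames are only built in memory to feed the monitor.

```python
"""Added example (not the talk's or MiniCPS's code): ARP inventory check for a
honeypot's emulated network. IPs follow the implementation slide; MACs and the
sample frames below are constructed."""
import struct

# Honeypot inventory, IP -> MAC. IPs from the slides; MACs are constructed placeholders.
INVENTORY = {
    "192.168.1.10": "02:00:00:00:00:10",   # PLC1
    "192.168.1.20": "02:00:00:00:00:20",   # PLC2
    "192.168.1.30": "02:00:00:00:00:30",   # PLC3
    "192.168.1.40": "02:00:00:00:00:40",   # PLC4
    "192.168.1.76": "02:00:00:00:00:76",   # Device
    "192.168.1.77": "02:00:00:00:00:77",   # Gateway
    "192.168.1.100": "02:00:00:00:01:00",  # HMI
}

ETH = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806

def mac_to_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_to_str(b): return ".".join(str(x) for x in b)
def mac_to_bytes(s): return bytes.fromhex(s.replace(":", ""))
def ip_to_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Return the ARP fields of a well-formed Ethernet/ARP frame, or None."""
    if len(frame) < ETH.size + ARP.size:
        return None  # truncated: shorter than the two fixed headers
    _dst, src, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None  # not Ethernet/IPv4 ARP, or neither request nor reply
    return {"eth_src": mac_to_str(src), "op": op,
            "sha": mac_to_str(sha), "spa": ip_to_str(spa),
            "tha": mac_to_str(tha), "tpa": ip_to_str(tpa)}

def classify(frame, inventory=INVENTORY):
    """Verdict for one frame: ok, malformed, unknown-sender or impersonation."""
    arp = parse_arp(frame)
    if arp is None:
        return "malformed"
    expected = inventory.get(arp["spa"])
    if expected is None:
        return "unknown-sender"          # an IP the honeypot never assigned
    if arp["sha"] != expected or arp["eth_src"] != expected:
        return "impersonation"           # a MAC claiming an IP it does not own
    return "ok"

def alerts(frames, inventory=INVENTORY):
    """(index, verdict, parsed fields) for every frame that is not ok."""
    return [(i, classify(f, inventory), parse_arp(f))
            for i, f in enumerate(frames) if classify(f, inventory) != "ok"]

def make_arp_frame(eth_src, sha, spa, tha, tpa, op=2):
    """Constructed test fixture: build an Ethernet/ARP frame in memory."""
    eth = ETH.pack(mac_to_bytes(tha), mac_to_bytes(eth_src), ETHERTYPE_ARP)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac_to_bytes(sha), ip_to_bytes(spa),
                   mac_to_bytes(tha), ip_to_bytes(tpa))
    return eth + arp

PLC2, PLC3 = INVENTORY["192.168.1.20"], INVENTORY["192.168.1.30"]
SAMPLE_FRAMES = [  # constructed
    make_arp_frame(PLC2, PLC2, "192.168.1.20", PLC3, "192.168.1.30"),                  # genuine PLC2 reply
    make_arp_frame("02:00:00:00:00:99", "02:00:00:00:00:99", "192.168.1.20", PLC3, "192.168.1.30"),   # PLC2's IP, foreign MAC
    make_arp_frame("02:00:00:00:00:99", "02:00:00:00:00:99", "192.168.1.200", PLC3, "192.168.1.30"),  # IP not in inventory
    b"\x00" * 20,                                                                      # truncated frame
]

if __name__ == "__main__":
    for index, verdict, fields in alerts(SAMPLE_FRAMES):
        print(index, verdict, fields)
```

A real honeypot would attach this check to the switch's mirror port or to the SDN controller, where every frame on the emulated network is visible; the verdicts are the kind of event an operator wants in the honeypot's log next to the attacker's shell session.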
Our Honeypot: Requirements
• High-interaction ICS honeypot
  – Simulate the physical process
  – Simulate the ICS devices: control logic, services
  – Emulate the network infrastructure
• Low-cost
  – Reconfigurable
  – Scales
• ICS requirements
  – Time: completion of tasks, and delivery of packets
  – Determinism: schedule of tasks, and order of packets
Simple Design Approach
• How about an OpenPLC (1) indexed on shodan.io?
  – Classification: real, low-interaction, server
  – Pros: low-cost, configuration
  – Cons: realism, scale
[Figure: Attacker → Internet → the OpenPLC.]
(1) http://www.openplcproject.com/
Our Honeypot: Design Choices
• Virtual and high-interaction:
  – Simulation of physical process and ICS devices
  – Lightweight network emulation
  – Runs in-a-Box (with SDN support)
• ICS requirements
  – Time: real-time emulation and simulation
  – Determinism: scriptable environment
[Figure: the water treatment ICS diagram again, with the Attacker on the Internet; this is the system the virtual honeypot reproduces.]
Our Honeypot: Architecture
[Figure: Proposed Honeypot (top) vs. Real ICS (bottom). Top, the high-interaction virtual honeypot: Attacker → Internet → VPN → Gateway (SSH, Telnet) → emulated network with simulated PLCs, a simulated HMI and a Physical Process Simulation. Bottom, the real ICS/SCADA system: Attacker → Internet → VPN → Gateway device (SSH, Telnet) → ICS network with PLCs, HMI, SIS and the Physical Process.]
MiniCPS Framework [CPS-SPC 15]
[Figure: MiniCPS layers: Physical Layer Simulation, Physical Layer API, one Component Logic per device, Network.]
"MiniCPS: A toolkit for security research on CPS Networks." https://github.com/scy-phy/minicps
(C)yber → Network Emulator
(P)hysical → Physical Layer Simulation and API
(S)ystem → Devices Simulation
Honeypot Implementation
[Figure: the honeypot as implemented. The attacker reaches the emulated network from the Internet through a VPN into the Gateway (192.168.1.77, SSH and Telnet). An SDN Controller drives the switch connecting a Device (192.168.1.76), PLC1 (192.168.1.10), PLC2 (192.168.1.20), PLC3 (192.168.1.30), PLC4 (192.168.1.40) and the HMI (192.168.1.100), all speaking EtherNet/IP. Each device's Component Logic reads and writes the Physical Process Simulation through the Physical Layer API; the MiniCPS layers (Physical Layer Simulation, Physical Layer API, Component Logic, Network) are shown alongside.]
Realistic Attack Propagation
[Figure: the same implementation diagram without the Gateway, highlighting that the attacker's traffic reaches PLC1-PLC4 (192.168.1.10-40) and the HMI (192.168.1.100) over EtherNet/IP and, through the Physical Layer API, the Physical Process Simulation.]
Attack propagates over the simulated components
PLC Implementation
• Allen-Bradley ControlLogix
  – Same IP, MAC, and netmask
  – Simulated control logic (modifiable in real-time)
  – Ethernet/IP server on port 44818, and client
  – Same monitoring webserver
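The PLC slide above says the simulated control logic is modifiable at run time, and the preceding slide says an attack propagates over the simulated components: a write that reaches a simulated PLC changes what the PLC commands, and the Physical Process Simulation then shows the consequence. The following is an added example, not code from the talk or from MiniCPS, of the three pieces chained together in a toy form: a shared tag store standing in for the Physical Layer API, a one-tank process simulation, and a PLC scan loop with hysteresis control whose setpoints live in tags. Every write is audited with its origin, so an operator can see an external setpoint change lead to an overflow and list the writes that came from a party not entitled to the tag. Tag names (LIT101, P101, LIT101_HH, LIT101_LL), thresholds, rates, the ownership table and the origin labels are constructed; in the honeypot the origin would be derived from the source address of the network request. Real-time pacing of the scan loop is left out.

```python
"""Added example (not the talk's or MiniCPS's code): toy physical-layer API,
process simulation and simulated PLC with an audit log. All tag names,
thresholds, rates and origin labels are constructed."""
from dataclasses import dataclass, field

TANK_MAX = 1.0        # constructed: level above which the tank overflows
INFLOW_RATE = 0.05    # constructed: level added per step while the inlet pump runs
OUTFLOW_RATE = 0.02   # constructed: level drained per step by the downstream process

# Constructed ownership table: which origin may legitimately write each tag.
TAG_OWNERS = {
    "LIT101": {"PROCESS"},    # tank level, written only by the process simulation
    "P101": {"PLC1"},         # inlet pump command, written only by PLC1's logic
    "LIT101_HH": {"HMI"},     # high setpoint, an operator change from the HMI
    "LIT101_LL": {"HMI"},     # low setpoint
}

@dataclass
class PhysicalLayerAPI:
    """Shared tag store used by the process simulation and the simulated devices.
    Every write is recorded as (step, origin, tag, value)."""
    tags: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def read(self, tag):
        return self.tags[tag]

    def write(self, tag, value, origin, step):
        self.tags[tag] = value
        self.audit.append((step, origin, tag, value))

def plc1_scan(api, step):
    """Simulated PLC1 logic: hysteresis control of inlet pump P101. The setpoints
    are read from tags, so the logic's behaviour can be changed at run time."""
    level = api.read("LIT101")
    pump = api.read("P101")
    if level >= api.read("LIT101_HH"):
        pump = 0
    elif level <= api.read("LIT101_LL"):
        pump = 1
    api.write("P101", pump, "PLC1", step)

def process_step(api, step):
    """Physical process simulation: one tank with an inlet pump and a constant drain."""
    level = api.read("LIT101")
    if api.read("P101"):
        level += INFLOW_RATE
    level = max(0.0, level - OUTFLOW_RATE)
    api.write("LIT101", round(level, 4), "PROCESS", step)

def run(steps, external_writes=None):
    """Run the honeypot loop for a number of discrete scan steps.
    external_writes maps a step to a (tag, value) pair that arrives over the
    emulated network and lands through the same API the devices use.
    Returns (step at which the tank overflowed, or None; audit log)."""
    api = PhysicalLayerAPI(tags={"LIT101": 0.5, "P101": 0,
                                 "LIT101_HH": 0.8, "LIT101_LL": 0.2})
    external_writes = external_writes or {}
    for step in range(steps):
        plc1_scan(api, step)
        if step in external_writes:
            tag, value = external_writes[step]
            api.write(tag, value, "ATTACKER", step)   # origin label is an assumption
        process_step(api, step)
        if api.read("LIT101") > TANK_MAX:
            return step, api.audit
    return None, api.audit

def unauthorised_writes(audit):
    """Honeypot-side check: every write whose origin does not own the tag."""
    return [e for e in audit if e[1] not in TAG_OWNERS.get(e[2], set())]

if __name__ == "__main__":
    baseline, _ = run(200)
    attacked, audit = run(200, {0: ("LIT101_HH", 1.5)})
    print("baseline overflow step:", baseline)   # None: PLC1 keeps the level in range
    print("attacked overflow step:", attacked)   # 41 with these constructed rates
    for entry in unauthorised_writes(audit):
        print("unauthorised write:", entry)      # (0, 'ATTACKER', 'LIT101_HH', 1.5)
```

The baseline run never overflows because PLC1 stops the pump at the high setpoint; a single external write that raises that setpoint makes the same logic drive the tank past its maximum, which is exactly what a high-interaction honeypot wants to let happen and record, with the offending write visible in the audit log rather than in a damaged plant.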
Network Gateway Device Implementation
• Moxa OnCell IP gateway
  – E.g. provides IP over a 3G connection
  – SSH server with default credentials
  – Telnet server with default credentials (plaintext authentication)
• Virtual implementation
  – Same IP, MAC, and netmask
  – sshd on port 22 with default credentials
  – telnetd on port 23 with default credentials
  – Attacker gets a (chrooted) shell
Evaluation: S3 Capture-The-Flag (CTF)
• Capture-The-Flag (CTF)
  – Cybersecurity competition (online and offline)
  – Two types: attack-defense, and jeopardy-style
• S3 CTF was online and jeopardy-style
  – Tasks divided into categories (cyber, physical)
  – A task has a description, some clues, and reward points
  – A task is solved by finding and submitting the correct flag
  – The team that captures the most flags (scores the most points) wins
Evaluation: S3 CTF Honeypot Setup
• Honeypots running on AWS EC2 instances (2)
  – Linux, m3-medium: 1 vCPU, 3.75 GB RAM, 1 GB SSD
  – Set up a single instance (tricky)
  – Replicate it (easy, press a button)
• Vulnerable gateway interface
  – SSH credentials given (CTF)
  – Attacker has a (chrooted) shell
• Replicated part of a water treatment ICS
  – Two tanks, sensors, and actuators
  – Four PLCs and a HMI
  – Ethernet/IP protocol, star topology
(2) https://aws.amazon.com/ec2/
Evaluation: S3 CTF Challenges
1 Network warm up
  – Task: eavesdrop what PLC2 sends to PLC3
  – Required: testbed's topology, MitM attack skills
  – Solution: passive MitM attack between PLC2 and PLC3
2 Ethernet/IP warm up
  – Task: can you use cpppo (3) to access the README:2 tag?
  – Required: Ethernet/IP industrial protocol
  – Solution: Ethernet/IP request (read)
3 Overflow the Raw water tank
  – Task: overflow the Raw water tank controlled by PLC1
  – Required: physical process setup
  – Solution: Ethernet/IP packets to overflow the tank
(3) https://github.com/pjkundert/
Evaluation: S3 CTF Challenges II
4 Denial of Service HMI
  – Task: change the keep-alive value sent from the HMI to PLC3?
  – Required: active MitM, brute-force attacks
  – Solution: active MitM with packet dropping
5 Overflow the Ultra-filtration tank
  – Task: control PLC4 to overflow the Ultra-filtration tank
  – Required: all the previous challenges
  – Solution: active MitM with selective filter
Evaluation: S3 CTF Results
Conclusions
In this work, we:
• Address the problem of designing a realistic honeypot for ICS
• Present the design of a high-interaction, virtual, low-cost ICS honeypot that runs in-a-Box
• Show an implementation of such a design based on the MiniCPS framework [CPS-SPC 15]
• Discuss its evaluation in the context of an ICS CTF [paper draft]
Acknowledgments: Anand, Nils, and the S3 participants.
Thank you for your time!