Honeypots for industrial control systems (ICS) are still at an early stage. While there are a number of implementations, to the team’s knowledge none of them offers a high-interaction, cyber-physical integrated experience that deceives attackers, and therefore none is suitable for retaining attackers inside for longitudinal attack analysis. In addition, logging on honeypot systems that supports analysis of attack vectors and threat intelligence has not yet been well studied or implemented.
This project tackles these challenges, working towards a practical, high-fidelity ICS honeypot in the smart grid domain that offers better realism from an attacker’s perspective and effective logging features for security and threat analysis. In particular, the project draws on ADSC’s experience in smart grid security (e.g., a cyber-physical integrated smart grid honeypot prototype) and Custodio Technologies’ expertise in cyber threat detection. By the end of the project, the team aims to develop the honeypot system to TRL 6.
The team has developed a comprehensive honeypot system with mechanisms such as high-fidelity virtual IEDs and PLCs as well as dummy SCADA traffic generators, which greatly improve realism over previous honeypot versions. The realism offered by the honeypot and its logging mechanisms have been evaluated and improved iteratively from a cyber attacker’s perspective, in collaboration with cybersecurity experts from Custodio Technologies. This enables the honeypot not only to lure attackers but also to retain them inside, collecting intelligence about their behaviour and activities after they penetrate the infrastructure instead of collecting network traffic only at the entry point.
The team demonstrated the deployment of the smart grid honeypot on the National Cybersecurity R&D Lab (NCL), so that other researchers and engineers can easily reproduce the environment for research, training and educational purposes. The virtual machine images and user guide to reproduce the honeypot setup on NCL are available at: