Containerized Cozenage: Exploring the Effectiveness of High Interaction ICS Honeypot Containers

Abstract

Industrial control systems (ICS) provide critical functionality and are responsible for ensuring water treatment and electrical grid operation, among other vital services. Therefore, they are prime targets for cyber attackers. As attackers employ techniques such as living-off-the-land to remain undetected, defenders need to adapt their tools to protect ICS networks. We present a high interaction honeypot which runs the Sedona Framework within a Docker container. Containerized honeypots could mitigate costs associated with deployment and maintenance. Fingerprint evasion methods are implemented in our honeypot's design. These methods include creating a physics-aware simulated centrifuge device, and ensuring compatibility with human machine interface (HMI) software. The honeypot's behavior was compared against a physical system: the Contemporary Controls BASC-20T. The honeypot was found to fully interoperate with two HMI control applications. Network traffic analysis reveals that the honeypot's network response time signature can be made to closely resemble the BASC-20T.