Hardening Honeypots for Industrial Control Systems

Abstract

Honeypots are computers that collect intelligence about new cyberattacks and malware behavior. To be successful, these decoys must allow attackers to probe a system without compromising data collection. Previously, we developed an industrial control system (ICS) honeypot simulating a small electric-distribution system, but this honeypot was attacked, and its log data was deleted. The current work analyzed the attacks and developed methods to harden the main weaknesses of the public user interface. The hardened honeypot included more robust data collection and logging capabilities, and was deployed in a commercial cloud environment. We observed significant scanning and new attacks, including the well-known BlueKeep exploit and activity related to Russian cyberattacks on Ukraine. Our results showed that the added security controls, monitoring, and logging were more effective in protecting the honeypot’s data and event logs.