Journal of Critical Infrastructure Policy Volume 1, Number 2, Fall/Winter 2020 | Page 126

ICS honeypots [15] have demonstrated that control system networks and devices are being targeted. In 2013, Trend Micro released research on a honeypot for a water system that mimicked a real system, including a human-machine interface (HMI) and other components of an ICS. In that research, there were 12 targeted attacks out of 39 total attacks. From March to June 2013, Trend Micro observed attacks originating in 16 countries, accounting for a total of 74 attacks on seven honeypots within the honeynet. Out of these 74 attacks, 11 were considered "critical." Some were even able to compromise the entire operation of an ICS device. [16]
In 2015, Trend Micro released research around the Guardian AST monitoring system using a honeypot called GasPot, which simulated a gas tank monitoring system. [17] The purpose of this honeypot was to deploy multiple unique systems that did not look the same, but nonetheless responded like real deployed systems. The goal was to build a honeypot that appeared so real that not even a well-trained control systems engineer would be able to tell that it was fake without diving deeply into the system. It consisted of four PLCs from three different brands: one Siemens S7-1200, two Rockwell MicroLogix 1100 units, and one Omron CP1L. These PLCs were chosen for their popularity in control systems markets around the world. Also, each PLC brand used a different protocol and was loaded with logic to perform specific and associated tasks that ran the manufacturing facility. These roles were agitator, burner control, conveyor belt control, and palletizer, which used robotic arms. To make the manufacturing process realistic, incremental and decremental functions varied the feedback values, which imitated the starting and stopping seen in real motors and heaters. Random generator functions were also created to make slight fluctuations in the feedback values to simulate actual variations.
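The feedback-value technique described above can be sketched as follows. This is an added example, not code from Trend Micro or from the original article; the real honeypot implemented this as logic on physical PLCs, and the class name, value ranges, step size, jitter and plausibility heuristic here are all assumptions chosen for illustration.

```python
import random

class SimulatedFeedback:
    """Feedback value (e.g. heater temperature) exposed by a decoy PLC register."""

    def __init__(self, low, high, step, jitter, seed=None):
        self.low, self.high = low, high
        self.step = step        # change per scan cycle while ramping
        self.jitter = jitter    # maximum random fluctuation around the base value
        self.base = low         # noise-free process value
        self.running = False
        self.rng = random.Random(seed)

    def start(self):
        self.running = True

    def stop(self):
        self.running = False

    def scan(self):
        """Advance one scan cycle and return the value a client would read."""
        if self.running:
            # Incremental function: ramp toward the setpoint like a starting motor.
            self.base = min(self.high, self.base + self.step)
        else:
            # Decremental function: coast back down after a stop command.
            self.base = max(self.low, self.base - self.step)
        # Random generator function: slight fluctuation on every read.
        return round(self.base + self.rng.uniform(-self.jitter, self.jitter), 2)

def run_cycle(sim, on_scans, off_scans):
    """Run one start/stop cycle and return the sequence of values read."""
    sim.start()
    trace = [sim.scan() for _ in range(on_scans)]
    sim.stop()
    trace += [sim.scan() for _ in range(off_scans)]
    return trace

def is_plausible(trace):
    """Constructed self-check for the honeypot operator: a flat trace or a
    perfectly linear ramp yields only a few distinct scan-to-scan deltas,
    which is the kind of tell a careful visitor would notice."""
    deltas = {round(b - a, 2) for a, b in zip(trace, trace[1:])}
    return len(deltas) > (len(trace) - 1) // 2

if __name__ == "__main__":
    heater = SimulatedFeedback(low=20.0, high=80.0, step=5.0, jitter=0.4, seed=7)
    print(run_cycle(heater, on_scans=15, off_scans=15))
```
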
Not only are current attackers accustomed to encountering honeypots, but advanced actors typically perform in-depth investigation before attacking a target system to make sure that they are not identified. For this reason, the honeypot not only needed to look realistic from a design and technical implementation standpoint, but it also had to reflect a system that a real company would use. The manufacturing honeypot went online in May 2019. For seven months, Trend Micro maintained the image of a real company and monitored the honeypot closely. The first attack encountered came a month after the honeypot went live, with several others following in its wake. This showed that this sophisticated honeypot, designed as a small business with critical clients and inadequate security, was effective in luring threat actors.
[15] A security mechanism to virtually lure attackers to exploit vulnerabilities in intentionally compromised computer resources to understand attack patterns, investigate breaches and achieve other goals.
[16] https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-thescada-that-didnt-cry-wolf.pdf?_ga=2.133698510.197023676.1601743116-943111934.1601743116
[17] https://www.trendmicro.com/en_us/business/solutions/iot/smart-factory.html