POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems

Abstract

Honeypots are a common tool to set intrusion alarms and to study attacks against computer systems. In order to be convincing, honeypots attempt to resemble actual systems that are in active use. Recently, researchers have begun to develop honeypots for programmable logic controllers (PLCs). The tools of which we are aware have limited functionality compared to genuine devices. Particularly, they do not support running actual PLC programs. In order to improve upon the interactive capabilities of PLC honeypots we set out to develop a simulator for Siemens S7-300 series PLCs. Our current prototype XPOT supports PLC program compilation and interpretation, the proprietary S7comm protocol and SNMP. While the supported feature set is not yet comprehensive, it is possible to program it using standard IDEs such as Siemens' TIA portal. Additionally, we emulate the characteristics of the network stack of our reference PLC in order to resist OS fingerprinting attempts using tools such as Nmap. Initial experiments with students whom we trained in PLC programming indicate that XPOT may resist cursory inspection but still fails against knowledgeable and suspicious adversaries. We conclude that high-interactive PLC honeypots need to support a fairly complete feature set of the genuine, simulated PLC.