Gas what?: I can see your GasPots. Studying the fingerprintability of ICS honeypots in the wild

Internet connectivity of electronic devices has brought us the ease of centralized management and these days more and more devices are connected to this globally accessible network. At the same time, this landscape has opened new doors for malicious actors. While internet connectivity is a built-in feature for desktop and mobile devices, Industrial Control Systems (ICS) lag behind. Traditionally, ICS networks have been air-gapped and as a result, many ICS devices are not well-equipped to be connected to the internet. Absence of proper authentication and other security mechanisms is commonly observed on these devices. In response to the new threats of connected ICS systems, various ICS honeypots have been developed during the past decade. These honeypots are used to collect information on the attack landscape of ICS systems. In this research, we show that ICS honeypots should be designed more carefully and existing honeypots can fairly easily be fingerprinted by the attackers. We systematically study the categories of often overlooked behaviors that make ICS honeypots fingerprintable. Moreover, to demonstrate the impact of these flaws, we perform a large scale analysis over the internet to detect GasPot honeypots that emulate automatic tank gauges (ATG). We were able to find 17 existing honeypot instances which is more than the number of discovered GasPots by Shodan. Finally, we released our ICS honeypot scanner and our ATG honeypot which provides full protocol support and fixes the existing flaws within GasPot that makes it detectable.