Don’t get Stung, Cover your ICS in Honey: How do Honeypots fit within Industrial Control System Security

Research output: Contribution to Journal/Magazine > Journal article > peer-review

Published

Standard

Don’t get Stung, Cover your ICS in Honey: How do Honeypots fit within Industrial Control System Security. / Maesschalck, Sam; Giotsas, Vasileios; Green, Benjamin et al.
In: Computers and Security, Vol. 114, 102598, 31.03.2022.

Vancouver

Maesschalck S, Giotsas V, Green B, Race N. Don’t get Stung, Cover your ICS in Honey: How do Honeypots fit within Industrial Control System Security. Computers and Security. 2022 Mar 31;114:102598. Epub 2021 Dec 30. doi: 10.1016/j.cose.2021.102598

Bibtex

@article{2b3c37466551410183a93ad412db32ed,
title = "Don{\textquoteright}t get Stung, Cover your ICS in Honey: How do Honeypots fit within Industrial Control System Security",
abstract = "The advent of Industry 4.0 and smart manufacturing has led to an increased convergence of traditional manufacturing and production technologies with IP communications. Legacy Industrial Control System (ICS) devices, now interconnected via public networks, are exposed to a wide range of previously unconsidered threats, threats which must be considered to ensure the continued safe operation of industrial processes. This paper surveys the ICS honeypot deployments in the literature to date and provides an overview of ICS-focused threat vectors, and studies how honeypots can be integrated within an organisation's defensive strategy. We discuss relevant legislation, such as the UK Cyber Assessment Framework, the US NIST Framework for Improving Critical Infrastructure Cybersecurity, and associated industry-based standards and guidelines supporting operator compliance. This is used to frame a discussion on our survey of existing ICS honeypot implementations in the literature, and their role in supporting regulatory objectives. We observe that many low-interaction honeypots are limited in their use. This is largely due to the increased knowledge attackers have on how real-world ICS devices are configured and operate, vs. the configurability of simulated honeypot systems. Furthermore, we find that environments with increased interaction provide more extensive capabilities and value, due to their inherent obfuscation delivered through the use of real-world systems. Based on these insights, we propose a novel framework towards the classification and implementation of ICS honeypots.",
keywords = "Honeypots, Industrial Control Systems, ICS, Malware, Security, Critical Infrastructure",
author = "Sam Maesschalck and Vasileios Giotsas and Benjamin Green and Nicholas Race",
year = "2022",
month = mar,
day = "31",
doi = "10.1016/j.cose.2021.102598",
language = "English",
volume = "114",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Ltd",

}

RIS

TY - JOUR

T1 - Don’t get Stung, Cover your ICS in Honey

T2 - How do Honeypots fit within Industrial Control System Security

AU - Maesschalck, Sam

AU - Giotsas, Vasileios

AU - Green, Benjamin

AU - Race, Nicholas

PY - 2022/3/31

Y1 - 2022/3/31

N2 - The advent of Industry 4.0 and smart manufacturing has led to an increased convergence of traditional manufacturing and production technologies with IP communications. Legacy Industrial Control System (ICS) devices, now interconnected via public networks, are exposed to a wide range of previously unconsidered threats, threats which must be considered to ensure the continued safe operation of industrial processes. This paper surveys the ICS honeypot deployments in the literature to date and provides an overview of ICS-focused threat vectors, and studies how honeypots can be integrated within an organisation's defensive strategy. We discuss relevant legislation, such as the UK Cyber Assessment Framework, the US NIST Framework for Improving Critical Infrastructure Cybersecurity, and associated industry-based standards and guidelines supporting operator compliance. This is used to frame a discussion on our survey of existing ICS honeypot implementations in the literature, and their role in supporting regulatory objectives. We observe that many low-interaction honeypots are limited in their use. This is largely due to the increased knowledge attackers have on how real-world ICS devices are configured and operate, vs. the configurability of simulated honeypot systems. Furthermore, we find that environments with increased interaction provide more extensive capabilities and value, due to their inherent obfuscation delivered through the use of real-world systems. Based on these insights, we propose a novel framework towards the classification and implementation of ICS honeypots.

AB - The advent of Industry 4.0 and smart manufacturing has led to an increased convergence of traditional manufacturing and production technologies with IP communications. Legacy Industrial Control System (ICS) devices, now interconnected via public networks, are exposed to a wide range of previously unconsidered threats, threats which must be considered to ensure the continued safe operation of industrial processes. This paper surveys the ICS honeypot deployments in the literature to date and provides an overview of ICS-focused threat vectors, and studies how honeypots can be integrated within an organisation's defensive strategy. We discuss relevant legislation, such as the UK Cyber Assessment Framework, the US NIST Framework for Improving Critical Infrastructure Cybersecurity, and associated industry-based standards and guidelines supporting operator compliance. This is used to frame a discussion on our survey of existing ICS honeypot implementations in the literature, and their role in supporting regulatory objectives. We observe that many low-interaction honeypots are limited in their use. This is largely due to the increased knowledge attackers have on how real-world ICS devices are configured and operate, vs. the configurability of simulated honeypot systems. Furthermore, we find that environments with increased interaction provide more extensive capabilities and value, due to their inherent obfuscation delivered through the use of real-world systems. Based on these insights, we propose a novel framework towards the classification and implementation of ICS honeypots.

KW - Honeypots

KW - Industrial Control Systems

KW - ICS

KW - Malware

KW - Security

KW - Critical Infrastructure

U2 - 10.1016/j.cose.2021.102598

DO - 10.1016/j.cose.2021.102598

M3 - Journal article

VL - 114

JO - Computers and Security

JF - Computers and Security

SN - 0167-4048

M1 - 102598

ER -