Accepted author manuscript, 3.44 MB, PDF document
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Final published version
Research output: Contribution to Journal/Magazine › Journal article › peer-review
Research output: Contribution to Journal/Magazine › Journal article › peer-review
}
TY - JOUR
T1 - These aren’t the PLCs you’re looking for
T2 - Obfuscating PLCs to mimic Honeypots
AU - Maesschalck, Sam
AU - Fantom, Will
AU - Giotsas, Vasileios
AU - Race, Nicholas
PY - 2024/6/30
Y1 - 2024/6/30
N2 - Industry 4.0 and the trend of connecting legacy Industrial Control Systems (ICSs) to public networks have exposed these systems to various online threats. To combat these threats, honeypots have been widely used to provide proactive monitoring, detection and deception security capabilities. However, skilled attackers are now adept at fingerprinting and avoiding honeypots. Therefore, we take a fundamentally different approach in this paper. Instead of the honeypot representing a real system, we deploy it as a deterrent. Through obfuscation, the aim is to make an attacker believe the real system is a honeypot and collect threat intelligence data on the attacker. To achieve this, we introduce a new obfuscation technique that allows real ICSs to present themselves as honeypots. By taking advantage of honeypot fingerprinting techniques, we are able to deter attackers from interacting with the real Programmable Logic Controller (PLC) within the industrial network. The approach is implemented and evaluated using different penetration testing tools and an expert evaluation highlighting the benefits of obfuscation in that potential adversaries would be misled into assuming the PLC is a honeypot.
AB - Industry 4.0 and the trend of connecting legacy Industrial Control Systems (ICSs) to public networks have exposed these systems to various online threats. To combat these threats, honeypots have been widely used to provide proactive monitoring, detection and deception security capabilities. However, skilled attackers are now adept at fingerprinting and avoiding honeypots. Therefore, we take a fundamentally different approach in this paper. Instead of the honeypot representing a real system, we deploy it as a deterrent. Through obfuscation, the aim is to make an attacker believe the real system is a honeypot and collect threat intelligence data on the attacker. To achieve this, we introduce a new obfuscation technique that allows real ICSs to present themselves as honeypots. By taking advantage of honeypot fingerprinting techniques, we are able to deter attackers from interacting with the real Programmable Logic Controller (PLC) within the industrial network. The approach is implemented and evaluated using different penetration testing tools and an expert evaluation highlighting the benefits of obfuscation in that potential adversaries would be misled into assuming the PLC is a honeypot.
KW - Control systems
KW - Honeypots
KW - ICS
KW - Industrial Control Systems
KW - Industrial control
KW - Integrated circuits
KW - Monitoring
KW - PLC
KW - Programmable Logic Controllers
KW - Protocols
KW - Security
KW - Software defined networking
KW - Software-Defined Networking
U2 - 10.1109/TNSM.2024.3361915
DO - 10.1109/TNSM.2024.3361915
M3 - Journal article
VL - 21
SP - 3623
EP - 3635
JO - IEEE Transactions on Network and Service Management
JF - IEEE Transactions on Network and Service Management
SN - 1932-4537
IS - 3
ER -