
Electronic data

  • World Wide ICS Honeypots

    Final published version, 647 KB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License


World Wide ICS Honeypots: A Study into the Deployment of Conpot Honeypots

Research output: Contribution to conference - Without ISBN/ISSN - Conference paper - peer-review

Publication status: Published
Publication date: 7/12/2021
Original language: English
Event: Industrial Control System Security Workshop - Austin, United States
Duration: 7/12/2021 - 7/12/2021
Conference number: 7

Workshop

Workshop: Industrial Control System Security Workshop
Abbreviated title: ICSS
Country/Territory: United States
City: Austin
Period: 7/12/21 - 7/12/21

Abstract

Honeypots are a well-known concept used for threat intelligence and are becoming more common within ICS environments. A well-known ICS honeypot, Conpot, is popular and has been deployed on a large scale. These deployments are not always correctly configured and have odd characteristics compared to a real industrial control system. This paper explores several common Conpot signatures and deployments found through internet search engines such as Shodan. We identify that the default deployment of Conpot is not enough when deploying a honeypot. Afterwards, we explore the behaviour of a real PLC when conducting the same reconnaissance operations. To verify these red flags, we deploy three honeypots, each with a different configuration, have them scanned by Shodan and evaluate the traffic they receive. Our experiments indicate that Shodan leverages CIP for ICS classification. We conclude that proper deployment of a low-interaction honeypot, such as Conpot, requires time and resources to entirely obfuscate the device and fool the attacker to a limited level. However, small changes to the default configuration do increase the performance of Conpot and result in more returning traffic.