Home > Research > Publications & Outputs > World Wide ICS Honeypots

Electronic data

  • World_Wide_ICS_Honeypots_Conpot

    Rights statement: © ACM, 2021. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in PUBLICATION, {VOL#, ISS#, (DATE)} http://doi.acm.org/10.1145/nnnnnn.nnnnnn

    Accepted author manuscript, 641 KB, PDF document

    Available under license: CC BY-NC: Creative Commons Attribution-NonCommercial 4.0 International License

View graph of relations

World Wide ICS Honeypots: A Study into the Deployment of Conpot Honeypots

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paperpeer-review



Honeypots are a well-known concept used for threat intelligence and are becoming more ordinary within ICS environments. A well-known ICS honeypot, Conpot, is popular and has been deployed on a large scale. These deployments are not always correctly configured and have odd characteristics compared to a real industrial control system. This paper explores several common Conpot signatures and deployments found through internet search engines such as Shodan. We identify that the default deployment of Conpot is not enough when deploying a honeypot. Afterwards, we explore the behaviour of a real PLC when conducting the same reconnaissance operations. To verify these red flags, we deploy three honeypots with a different configuration, have them scanned by Shodan and evaluate the traffic they get. Our experiments indicate that Shodan leverages CIP for ICS classification. We conclude that proper deployment of a low-interaction honeypot, such as Conpot, requires time and resources to entirely obfuscate the device and fool the attacker to a limited level. However, small changes to the default configuration does increase the performance of Conpot and results in more returning traffic.