There have been a number of reports of attacks on industrial control systems (ICS) in the past few years. Looking a bit closer, most of the attacks seem to have spilt over from traditional IT. That’s to be expected, as production systems are commonly connected to ordinary corporate networks at this point.
Though our data does not indicate at this point that a lot of threat actors specifically target industrial systems – in fact, most evidence points to purely opportunistic behaviour – the tide could turn any time, once the added complexity of compromising OT environments promises to pay off. Criminals will take any chance they get to blackmail victims into extortion schemes, and halting production can cause immense damage. It is likely only a matter of time. So cybersecurity for operational technology (OT) is vitally important.
Deception is an effective option to improve threat detection and response capabilities. However, ICS security differs from traditional IT security in several ways. While deception technology for defensive use like honeypots has progressed, there are still challenges due to fundamental differences like the protocols used. This article is intended to detail the progress and challenges when deception technology transits from traditional IT to ICS security.
The value of deception: taking back the initiative
Deception technology is an active security defense method that detects malicious activities effectively. On the one hand, this strategy constructs an environment of false information and simulations to mislead an adversary’s judgment, making unsuspecting attackers fall into a trap to waste their time and energy, increasing the complexity and uncertainty of the intrusion.
At the same time, the defenders can collect more comprehensive attack logs, deploy countermeasures, trace the source of attackers and monitor their attack behaviors. Recording everything to research the tactics, techniques, and procedures (TTP) an attacker uses is of great help for the security analysts. Deception techniques can give defenders back the initiative.
Recently, the integration of information technology and industrial production has been accelerating with the rapid development of the Industrial Internet and intelligent manufacturing. The connection of massive industrial networks and equipment to IT technology will inevitably lead to increasing security risks in this field.
Production at risk
Frequent security incidents such as ransomware, data breaches, and advanced persistent threats seriously affect industrial enterprises’ production and business operations and threaten the digital society’s security. Generally, these systems are prone to be weak and exploited easily by the attacker due to their simple architecture, which uses low processing power and memory. It is challenging to protect ICS from malicious activities as the components of ICS are unlikely to take any updates or patches due to their simple architecture. Installing endpoint protection agents is usually not possible either. Considering these challenges, deception can be an essential part of the security approach.
Conpot is an open-source low-interactive honeypot that supports various industrial protocols, including IEC 60870-5-104, Building Automation
and Control Network (BACnet), Modbus, s7comm, and other protocols such as HTTP, SNMP and TFTP. It is designed to be easy to deploy, modify and extend. The Conpot and Conpot-based honeypot is one of the most popular ICS deception applications that has been used by researchers.
XPOT is a software-based high-interactive PLC honeypot which can run programs. It simulates Siemens S7-300 series PLCs and allows the attacker to compile, interpret and load PLC programs onto XPOT. XPOT supports S7comm and SNMP protocols and is the first high-interactive PLC honeypot. Since it is software-based, it is very scalable and enables large decoy or sensor networks. XPOT can be connected to a simulated industrial process in order to make adversaries’ experiences comprehensive.
CryPLH is a high-interactive and virtual Smart-Grid ICS honeypot simulating Siemens Simatic S7-300 PLC. It runs on a Linux-based host and uses MiniWeb HTTP servers to simulate HTTP(S), a Python script to simulate Step 7 ISO-TSAP protocol and a custom SNMP implementation. CryPLH’s interaction ability is gradually increasing from the simulation of ICS protocols to ICS environments.
With the development of cybersecurity technology, deception has been applied in various circumstances like the web, databases, mobile apps, and IoT. Deception technology has been embodied in some ICS honeypot applications in the OT field. For instance, ICS honeypots like Conpot, XPOT, and CryPLH can simulate the Modbus, S7, IEC-104, DNP3 and other protocols.
Accordingly, deception technology like the honeypot applications above can make up for the low efficiency of detection systems for unknown threats and can play an important role in ensuring the safety of industrial control networks. These applications can help detect cyber attacks on industrial control systems and display a general risk trend. The actual OT vulnerabilities exploited by the attackers can be caught and sent to the security analyst, thus leading to timely patches and intelligence. In addition to this, it is possible to get a prompt alert e.g. before ransomware breaks out and avoid massive losses and a stop in production.
This is not a ‘silver bullet’, however. In comparison to the sophisticated deception available in traditional IT security, deception in ICS still faces some challenges.
First and foremost, there are numerous kinds of industrial control devices as well as protocols, and many protocols are proprietary. It is almost impossible to have a deception technology that can be applied to all industrial control devices. Therefore, honeypots and other applications often need to be customized for the emulation of different protocols, which brings a relatively high threshold for implementation in some environments.
The second problem is that pure virtual industrial control honeypots still have limited simulation capabilities, making them susceptible to hacker identification. The current development and application of purely virtual ICS honeypots only allow the underlying simulation of industrial control protocols, and most of them have been open source, straightforward to be found by search engines such as Shodan or Zoomeye. Collecting adequate attack data and improving ICS honeypots’ simulation capabilities is still challenging for security researchers.
Last but not least, high-interaction industrial control honeypots consume considerable resources and have high maintenance costs. Apparently, honeypots often require the introduction of physical systems or equipment in order to build a real-run simulation environment. However, industrial control systems and equipment are costly, hard to reuse, and challenging to maintain. Even seemingly similar ICS devices are often remarkably diverse in terms of functionality, protocols and instructions.
Is it worth it?
Based on the above discussion, deception technology for ICS should be considered for integration with new technology. The ability to simulate and interact with a simulated environment strengthens defense technology. Moreover, the attack log captured by the deception application is of great value. Analyzed through AI or Big data tools, it helps to get an in-depth understanding of ICS field intelligence.
To summarize, deception technology plays a vital role in the rapid development of ICS network security and improves intelligence as well as the ability of defend. However, the technology is still facing challenges and needs a breakthrough.