Integration of the Network and Application Layers of Automatically-Configured Programmable Logic Controller Honeypots
Abstract
Much of the critical infrastructure of the world is controlled by programmable logic controllers (PLCs). These PLCs regulate industrial processes and are therefore targets for malicious actors around the globe. Honeypots are one of several security mechanisms that can be deployed to help protect these vital systems. In order to work, a honeypot must accurately mimic the system under protection. However, the PLC market has numerous manufacturers and protocols, which makes mimicking PLCs with one monolithic software package a daunting task. To mitigate this shortfall, ScriptGenE, a protocol-agnostic framework capable of accurately creating PLC honeypots, was designed. ScriptGenE uses previously captured PLC traffic to create a tree of the protocol and selectively respond to application layer requests in an accurate way. This research integrates ScriptGenE with Honeyd to provide the PLC honeypots with an accurate network layer. This combination provides a comprehensive PLC honeypot. Testing is done by using the combined framework to emulate a network of Allen-Bradley ControlLogix, Allen-Bradley CompactLogix, and Siemens S7-300 PLCs. A series of tools is used to evaluate the legitimacy of the emulated PLC network, including Nmap, Honeyscore, RSLinx, STEP7, and Wget. Nmap and Honeyscore are used to show that the combined framework is able to emulate the network layer of three different PLC types with 100 percent accuracy. Using Wget, RSLinx, and STEP7, this research shows the ability to emulate more advanced application layer protocols such as ENIP, ISO-TSAP, and HTTP with accuracies of 78, 100, and 67 percent, respectively. This completed framework provides a viable solution to help protect critical infrastructure around the world.
Document Details
- Document Type: Technical Report
- Publication Date: Mar 23, 2017
- Accession Number: AD1054643
Entities
People
- Justin K. Gallenstein
Organizations
- Air Force Institute of Technology