Deploying an ICS Honeypot in a Cloud Computing Environment and Comparatively Analyzing Results Against Physical Network Deployment
Abstract
Industrial control systems (ICSs) provide important services in national critical infrastructure but are increasingly the subject of cyberattacks. The need for ease of maintenance and operational convenience encourages the use of cloud services, which increases their security vulnerabilities, and knowing what threats to expect would help in defending cloud-based ICSs. This thesis tested an ICS honeypot (decoy system) called GridPot that was deployed in a third-party cloud environment and simulated a microgrid distribution system. We compared data from a GridPot instance deployed on an in-house server with data from three cloud-deployed GridPot instances with varying configurations. Overall results showed that the cloud-deployed GridPots had comparable traffic to the non-cloud GridPot, but they yielded less ICS-specific traffic, though what occurred appeared more deliberate. Nearly all attacks on the cloud-deployed GridPots showed little sophistication about ICS protocols. Our results further confirmed that cloud-based honeypot owners must maintain awareness of cloud service providers that recycle IP addresses to avoid exploits on previously used IP addresses. We conclude that ICS honeypots in the cloud are an effective tool for collecting cyberattack intelligence, and they do not appear to discourage attacks by being in the cloud.
Document Details
- Document Type: Technical Report
- Publication Date: Dec 01, 2020
- Accession Number: AD1126768
Entities
People
- Darry Pilkington
- Matthew C. Bieker
Organizations
- Naval Postgraduate School