Towards A High-interaction Physics-aware Honeynet for
Industrial Control Systems
Marco Lucchese
University of Verona
marco.lucchese@univr.it
Massimo Merro
University of Verona
massimo.merro@univr.it
Federica Paci
University of Verona
federicamariafrancesca.paci@univr.it
Nicola Zannone
Eindhoven University of Technology
n.zannone@tue.nl
ABSTRACT
Industrial control systems (ICSs) play a crucial role in modern society, controlling and automating processes in industries ranging from manufacturing to energy production. The increasing connectivity of ICSs with corporate networks has made them vulnerable to cyber attacks that can compromise the controlled physical processes. We present the architecture of HoneyICS, a high-interaction, physics-aware, scalable, reconfigurable, and extensible honeynet for ICSs, which addresses most of the limitations of current honeypots for ICSs.
CCS CONCEPTS
• Security and privacy → Intrusion/anomaly detection and malware mitigation; Network security;
KEYWORDS
Cyber-physical systems security, Honeypot, cyber-physical attack
ACM Reference Format:
Marco Lucchese, Massimo Merro, Federica Paci, and Nicola Zannone. 2023. Towards A High-interaction Physics-aware Honeynet for Industrial Control Systems. In The 38th ACM/SIGAPP Symposium on Applied Computing (SAC '23), March 27-April 2, 2023, Tallinn, Estonia. ACM, New York, NY, USA, 4 pages. https://doi.org/10.1145/3555776.3577803
1 INTRODUCTION
Industrial Control Systems (ICSs) are physical and engineered systems whose operations are monitored, coordinated, controlled, and integrated by a computing and communication core. They often represent the backbone of Critical Infrastructures for safety-critical applications such as electric power distribution, nuclear power production, and water supply.
ICSs are increasingly exposed to sophisticated cyber-physical attacks, i.e., security breaches in cyberspace that adversely affect the physical processes. To defend ICSs from these attacks, it is important to monitor and log remote connections to the Operational Technology (OT) network linking controllers, interfaces, and plants.
Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the owner/author(s).
SAC '23, March 27-April 2, 2023, Tallinn, Estonia
© 2023 Copyright held by the owner/author(s).
ACM ISBN 978-1-4503-9517-5/23/03.
https://doi.org/10.1145/3555776.3577803
Honeypots are computer security systems that emulate hardware and software devices and can be used to detect attacks in their initial phase and to collect information about the techniques used by attackers in order to select appropriate mitigations [18]. Although honeypots for ICSs [3, 5, 7–10, 16, 17, 20, 24, 26, 27, 29] have made progress in recent years, they still have limitations regarding the following features that we deem important.
• Level of interaction: ICS honeypots should be able (i) to return accurate fingerprints of the devices and the industrial network (low-interaction), and (ii) to allow the attacker to interact with the honeypot (high-interaction), providing a consistent simulation of physical feedback to the attacker's actions.
• Configurability: including extensibility, to emulate different models of PLCs, and the possibility to adopt different industrial network protocols, depending on the context of use.
• Scalability: ICS honeypots should be able to simulate real-world ICSs, which often comprise hundreds of devices.
• Entry point: to support attacks that may gain access to the honeypot either by compromising the VPN to which it is connected or by exploiting devices directly exposed to the Internet. In the former case, ARP poisoning techniques allow non-trivial MITM attacks to be mounted on the OT network.
Contribution. We propose the architecture of a new honeypot framework for ICSs, called HoneyICS. HoneyICS is a high-interaction and physics-aware honeynet emulating an OT network of PLC and HMI honeypots rather than just a single PLC honeypot, as in most existing frameworks [14]. HoneyICS supports high extensibility, as it is able to emulate different brands of PLCs. HoneyICS is a high-interaction honeypot, as it allows the attacker to modify PLC registers, HMI interfaces, and the user program executed by the PLCs. Moreover, HoneyICS emulates the physical plants connected to the PLCs and is thus able to provide realistic feedback to the attacker's commands. Last but not least, the attacker has full control of the network connecting PLCs and HMIs and can mount MITM attacks on it.
2 REQUIREMENTS FOR ICS HONEYPOTS
Honeypots are technical countermeasures that can support a multi-layered approach to ICS security. They are computer security systems that emulate hardware and software devices and can be used to decoy attackers away from the real system, to educate staff, and to study attack patterns [18]. A system consisting of two or more honeypots is called a honeynet.
Table 1: Comparison with other ICS honeypots
Legend: ✗ = Not supported, ◐ = Partially supported, ✓ = Fully supported. The six "Level of Interaction" columns are ICS network simulation (Net. sim.), physics-awareness, PLC register manipulation, code injection, HMI manipulation, and MITM; the two "Configurability" columns are the ICS protocols supported and extensibility; the last two columns are scalability and the honeypot entry point.

| Honeypot             | Net. sim. | Physics | PLC reg. | Code inj. | HMI | MITM | ICS protocols                        | Extens. | Scalab. | Entry point    |
| SCADA Honeynet [29]  | ◐         | ✗       | ✗        | ✗         | ✗   | ✗    | Modbus                               | ◐       | ◐       | Internet       |
| Conpot [17]          | ◐         | ✗       | ✗        | ✗         | ✗   | ✗    | Modbus, S7comm, BACnet, EtherNet/IP  | ◐       | ◐       | Internet       |
| DiPot [13]           | ◐         | ✗       | ✗        | ✗         | ✗   | ✗    | Modbus, S7comm, BACnet               | ◐       | ◐       | Internet       |
| HosTaGe [9]          | ◐         | ✗       | ◐        | ✗         | ✗   | ✗    | Modbus, S7comm                       | ✗       | ◐       | Internet       |
| Pliatsios et al. [6] | ◐         | ✗       | ◐        | ✗         | ✓   | ◐    | Modbus                               | ◐       | ◐       | VPN            |
| Honeyd+ [20]         | ◐         | ✗       | ✗        | ✗         | ✗   | ✗    | EtherNet/IP                          | ◐       | ✓       | Internet       |
| THS [24]             | ◐         | ✗       | ◐        | ✗         | ✗   | ✗    | Modbus, S7comm, BACnet               | ◐       | ◐       | Internet       |
| CryPLH [7]           | ◐         | ✗       | ✗        | ✗         | ◐   | ✗    | S7comm                               | ✗       | ◐       | Internet       |
| HoneyPhy [27]        | ◐         | ✓       | ✗        | ✗         | ◐   | ◐    | DNP3                                 | ✗       | ✗       | Internet + VPN |
| GasPot [16]          | ✗         | ✗       | ✗        | ✗         | ✗   | ✗    | -                                    | ✗       | ◐       | Internet       |
| Antonioli et al. [5] | ✓         | ✓       | ✗        | ✗         | ✓   | ✓    | EtherNet/IP                          | ✗       | ◐       | VPN            |
| Murillo et al. [3]   | ◐         | ✓       | ✗        | ✗         | ✗   | ◐    | EtherNet/IP                          | ✗       | ◐       | VPN            |
| MimePot [10]         | ◐         | ✓       | ✓        | ✗         | ✗   | ◐    | Modbus                               | ✗       | ◐       | VPN            |
| HoneyPLC [8]         | ◐         | ✗       | ✗        | ◐         | ✗   | ✗    | S7comm                               | ✓       | ◐       | Internet       |
Operational Technology (OT) networks of ICSs usually include devices, systems, networks, and controllers used to operate and/or automate industrial processes. They consist of field devices such as sensors and actuators that monitor and control the evolution of a physical process over time, programmable logic controllers (PLCs) that control the field devices, and one or more human machine interfaces (HMIs), which allow human operators to interact with the PLCs and display status information and historical data gathered by the field devices in the ICS environment. OT networks include two main sub-networks: the supervisory control network, connecting PLCs and HMIs, and the field communications network, linking the PLCs with the associated field devices. Modern ICSs are interconnected through a variety of industrial network protocols, such as Modbus [4], DNP3 [11], EtherNet/IP [23], OPC UA [25], and S7comm [2].
Thus, honeypots for ICSs that effectively emulate OT networks have to face a number of non-trivial challenges to provide the following features, which we deem essential to deceive attackers.
Level of interaction. Honeypots and honeynets are usually classified based on the level of interaction that they allow to the attacker. Low-interaction honeypots emulate one or more services with simple functions, while high-interaction ones emulate the behavior of real devices and are thus suitable to collect information about the attacker's actions. An ICS honeypot should be able to simulate an industrial network connecting an arbitrary number of communicating PLCs, possibly supervised via HMI interfaces, and supporting observable and accessible network traffic involving PLCs and HMIs. Thus, an ICS honeypot should not only be able to return accurate fingerprints of the involved devices and ICS networks (Network simulation), as done by low-interaction ICS honeypots [7, 24], but it should also allow the attacker to interact with the honeypot, for instance by inspecting and modifying PLC registers, uploading malicious PLC code, inspecting and exploiting HMI interfaces, and basically having full control of the OT network. In addition, as pointed out in [19, 27], physics-awareness is a crucial ingredient to realize convincing and deceiving ICS honeypots; this means the attacker should receive consistent feedback from a (possibly simulated) manipulated physical process.
Configurability. The honeypot should allow the attack surface exposed to an attacker to be changed, in order to adapt to evolving attackers' exploit tools and techniques as well as to the ICS network to be protected. Thus, where possible, the honeypot should be able to support different industrial network protocols, depending on the context of use. It should also be extensible to support the simulation of PLCs of different brands and models.
Scalability. To simulate real-world ICSs, the honeypot should scale to middle-size ICSs with hundreds of PLCs and HMIs of different kinds without affecting performance. Although the adoption of virtual resources (rather than physical devices) is a necessary condition for scalability, it does not by itself ensure scalability. To ensure scalability, ICS honeypots should be empirically tested (at a varying number of PLCs and HMIs) to assess their response time.
Honeypot Entry Point. A convincing ICS honeypot should support attacks on the availability and integrity of the target system. The attacker might gain access to the honeypot and its components either by compromising the VPN to which the honeypot is connected or by exploiting devices directly exposed to the Internet. The entry point has an impact on the attacker's capabilities. If the attacker is able to access the honeypot via the Internet, she can try to tamper with the exposed PLCs and HMI interfaces (possibly after a brute-force attack on their authentication). On the other hand, if the attacker is able to compromise the VPN under which the honeypot runs, she can perform ARP poisoning in order to sniff network traffic on the supervisory control network and to set up MITM attacks between two PLCs or between a PLC and the associated HMI.
3 LIMITATIONS OF ICS HONEYPOTS
Several honeypots and honeynets have been proposed in the literature. Table 1 provides an overview and a comparison of related work, highlighting their limitations according to the desired requirements for an ideal ICS honeypot, as discussed in Section 2.
Level of interaction. Current approaches mostly provide limited functionality when it comes to TCP/IP stack simulation, as well as native ICS network protocols. This poses serious limitations on the actions an attacker can perform within the honeypot and, thus, on the understanding of adversarial interactions and malware. Exhibiting convincing traffic in the network connecting PLCs with supervising HMIs is crucial to convince an attacker of the authenticity of the targeted ICS. In this respect, Antonioli et al. [5] provide the possibility to build up a communication network between PLCs and/or HMIs, while HoneyPhy [27] only proposes an ideal architecture where such communication is possible. As a consequence, only Antonioli et al. [5] support non-trivial MITM attacks between PLCs and/or HMIs; more limited forms of MITM attacks, between PLCs and their plant, can be simulated in [3, 6, 10, 27].
Among the reviewed honeypots, only [6, 9, 10, 24] explicitly support some form of register manipulation, and only [5–7, 27] explicitly support some form of HMI manipulation. As regards physics-awareness, only the works in [3, 5, 10, 27] provide some form of simulation of the underlying physical industrial processes. Moreover, only HoneyPLC [8] is able to simulate the upload of malicious user programs, although the injected code is only stored by the honeypot and not executed. While capturing the code is an important first step to support PLC malware analysis, the execution of the injected code together with consistent physical feedback is crucial to deceive the attacker.
Configurability. All honeypots discussed in this section, except [8, 17, 24], support only limited extensibility because they can impersonate only one or two PLC models, returning the corresponding fingerprints. Similarly, most works, except for [9, 13, 17, 20], only support a limited number of ICS network protocols. This may significantly limit the ICS networks they can emulate and, thus, the contexts in which they can be deployed.
Scalability. Most of the reviewed ICS honeypots have scalable designs because they adopt virtual resources and/or lightweight virtualization techniques such as Docker containers. However, only Honeyd+ [20] provides an explicit evaluation of the proposed honeypot in terms of the number of supported virtual PLCs.
Attacker Entry Point. Our analysis of the literature has shown that existing honeypots have been either exposed on the Internet [7, 9, 13, 17, 20, 24, 29] or protected via a VPN [3, 5, 6, 10]. Although exposing the honeypot on the Internet can provide the attacker with easier access to the honeypot, it limits the type of interactions that the attacker can perform with the honeypot (cf. Section 2). On the other hand, while providing more useful information on how the attacker can attempt to compromise the ICS network, the employment of a VPN might discourage the attacker, as she has to go through an additional line of defense. We advocate that a honeypot should support both entry points to capture a larger spectrum of adversarial interactions. In this respect, only HoneyPhy [27] has been designed to support both kinds of entry points.
4 OUR PROPOSAL
In this section, we propose HoneyICS, a high-interaction ICS honeynet supporting a non-trivial simulation of OT industrial networks. In the following, we describe the underlying architecture of our honeynet framework and the supported attacker model; we then provide guidelines for its implementation in the next section.
4.1 Honeynet architecture
HoneyICS can emulate the key components of OT networks: PLCs, HMIs, communication networks, and the physical plant. The whole honeynet framework is managed and supervised via a management dashboard. Fig. 1 presents the architecture of our honeynet along with its components and entry points.
Figure 1: HoneyICS architecture
PLCs. To support a realistic interaction with PLC devices, HoneyICS combines the capabilities of both low-interaction and high-interaction physics-aware honeypots. Specifically, network simulation (i.e., low-level interaction) is achieved using a personality engine returning accurate fingerprints matching the profiles of the target PLC. At the same time, the high-interaction physics-aware honeypot implements ICS network protocols supporting specific commands to modify PLC registers. This allows attackers to compromise the underlying physical process by reading/writing the value of PLC registers and/or manipulating the user program of the PLCs.
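As an added illustration (not HoneyICS or OpenPLC code), the following Python sketch shows the register-level service that the high-interaction side of such a PLC honeypot has to answer on TCP/502: it parses Modbus/TCP frames, serves the read and write function codes an attacker uses to inspect and alter holding registers, logs each request, and returns Modbus exception responses for unsupported functions and out-of-range addresses so that a scanner still sees a protocol-conformant device. The register count, the unit identifier, and the client-side request builders are assumptions made for the example.

```python
"""Modbus/TCP holding-register service of the kind a high-interaction PLC
honeypot exposes. Added example; not part of HoneyICS, OpenPLC or Honeyd."""
import struct

# Function codes and exception codes handled by the emulated PLC
FC_READ_HOLDING, FC_WRITE_SINGLE, FC_WRITE_MULTIPLE = 0x03, 0x06, 0x10
EX_ILLEGAL_FUNCTION, EX_ILLEGAL_ADDRESS, EX_ILLEGAL_VALUE = 0x01, 0x02, 0x03


class ModbusError(Exception):
    """Carries the Modbus exception code to send back to the client."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


class EmulatedPLC:
    """Holding-register image of one emulated PLC plus a request log.
    The register count (64) is an assumption for this example."""

    def __init__(self, n_registers=64):
        self.registers = [0] * n_registers
        self.log = []  # (unit id, function code, address, count) per request

    def _read(self, pdu):
        addr, count = struct.unpack(">HH", pdu[:4])
        if not 1 <= count <= 125:
            raise ModbusError(EX_ILLEGAL_VALUE)
        if addr + count > len(self.registers):
            raise ModbusError(EX_ILLEGAL_ADDRESS)
        values = self.registers[addr:addr + count]
        return bytes([2 * count]) + struct.pack(">%dH" % count, *values), addr, count

    def _write_single(self, pdu):
        addr, value = struct.unpack(">HH", pdu[:4])
        if addr >= len(self.registers):
            raise ModbusError(EX_ILLEGAL_ADDRESS)
        self.registers[addr] = value
        return pdu[:4], addr, 1  # the response echoes address and value

    def _write_multiple(self, pdu):
        addr, count, nbytes = struct.unpack(">HHB", pdu[:5])
        if not 1 <= count <= 123 or nbytes != 2 * count or len(pdu) < 5 + nbytes:
            raise ModbusError(EX_ILLEGAL_VALUE)
        if addr + count > len(self.registers):
            raise ModbusError(EX_ILLEGAL_ADDRESS)
        self.registers[addr:addr + count] = struct.unpack(">%dH" % count, pdu[5:5 + nbytes])
        return pdu[:4], addr, count  # the response echoes address and quantity

    def handle(self, adu):
        """Take one Modbus/TCP ADU (MBAP header + PDU); return the response ADU."""
        if len(adu) < 8:
            return b""
        tid, pid, length, unit, fc = struct.unpack(">HHHBB", adu[:8])
        pdu = adu[8:6 + length]  # MBAP length counts unit id, function code and data
        handlers = {FC_READ_HOLDING: self._read,
                    FC_WRITE_SINGLE: self._write_single,
                    FC_WRITE_MULTIPLE: self._write_multiple}
        try:
            if fc not in handlers:
                raise ModbusError(EX_ILLEGAL_FUNCTION)
            data, addr, count = handlers[fc](pdu)
            self.log.append((unit, fc, addr, count))
            body = bytes([fc]) + data
        except (ModbusError, struct.error) as err:
            code = err.code if isinstance(err, ModbusError) else EX_ILLEGAL_VALUE
            self.log.append((unit, fc, "exception", code))
            body = bytes([fc | 0x80, code])  # exception response: fc with high bit set
        return struct.pack(">HHHB", tid, pid, len(body) + 1, unit) + body


# Client-side helpers: the frames an attacker's tool (or an HMI) would send.
def read_holding_request(tid, addr, count, unit=1):
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_READ_HOLDING, addr, count)


def write_single_request(tid, addr, value, unit=1):
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, FC_WRITE_SINGLE, addr, value)


def write_multiple_request(tid, addr, values, unit=1):
    data = struct.pack(">%dH" % len(values), *values)
    return struct.pack(">HHHBBHHB", tid, 0, 7 + len(data), unit, FC_WRITE_MULTIPLE,
                       addr, len(values), len(data)) + data


def parse_response(adu):
    """Register list for a read, True for an acknowledged write; raises
    ModbusError with the exception code for an exception response."""
    tid, pid, length, unit, fc = struct.unpack(">HHHBB", adu[:8])
    if fc & 0x80:
        raise ModbusError(adu[8])
    if fc == FC_READ_HOLDING:
        nbytes = adu[8]
        return list(struct.unpack(">%dH" % (nbytes // 2), adu[9:9 + nbytes]))
    return True


if __name__ == "__main__":
    plc = EmulatedPLC()
    # Constructed exchange: the attacker writes a set point, then reads it back.
    print(parse_response(plc.handle(write_single_request(1, 10, 0x1234))))
    print(parse_response(plc.handle(read_holding_request(2, 8, 4))))
    print(plc.log)
```

Wrapped in a TCP server, one EmulatedPLC instance per emulated device gives the honeypot operator the per-request log (unit, function, address, count) that distinguishes a scanner enumerating the register map from an attacker writing actuator registers; the same frames, sent against a real controller, are what the HMI and the attacker's tooling produce.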
HMIs. The presence of HMIs allows us to support attacks where the attacker gains control of the HMI, for example via password brute-force attacks or via phishing, and is able to send actuator commands directly to the PLCs.
Physical plant. We assume in our honeynet architecture the presence of physical processes to realize physics-awareness, i.e., a convincing physical evolution of the compromised system that can be observed by the attacker. Such processes could consist of either real physical devices or simulations done via classical tools.
Communication network. The previous components are connected via a communication network, which is divided into the supervisory control network, connecting PLCs among themselves and PLCs with HMIs (this network is devoted to exhibiting realistic network traffic), and the field communication network, connecting the PLCs to the physical plant (a customized protocol, transparent to the attacker).
Management Dashboard. The honeynet is managed via a web dashboard to simplify its deployment and configuration. It enables the user to see which honeynets are currently running, add new honeynets, stop old ones, and see/analyze the logs of each running honeynet. It also allows the operator to compare what is displayed by an HMI interface with the real state of the physical process. This allows an operator to detect MITM attacks where an attacker feeds the HMIs with fake data that do not correspond to the actual evolution of the plant.
4.2 Attacker model
As shown in Fig. 1, our honeynet supports both Internet exposure and VPN protection. In particular, the attacker can access our honeynet either via the Internet, by finding specific devices (PLCs and HMIs) via search engines such as Google, Shodan [15], etc., or by gaining access to the VPN to which the honeypot is connected. In the latter case, the attacker can take full control of the supervisory control network connecting PLCs and HMIs, although she does not have direct access to the field communications network.
Once she has gained access, the attacker may fingerprint the target PLCs, using tools such as Nmap, to obtain basic system information (e.g., PLC model and brand, open and filtered ports, the services running on those ports, and the supported industrial protocol). In a subsequent step, the attacker may attempt to read and write PLC memory registers and to upload and execute a malicious PLC user program. The attacker may be able to observe the effect of the program execution either by examining the value of the PLC registers or via a compromised HMI.
Another possible attack vector is to brute-force HMI interfaces, possibly protected by weak passwords, to tamper with the physical state of the system by sending commands through the HMI interfaces. If the attacker is able to compromise the VPN under which the honeypot runs, then she will also be able (i) to sniff network traffic on the supervisory control network and (ii) to set up MITM attacks between two PLCs or between a PLC and the associated HMI. In the latter case the attacker may achieve a two-fold objective: on the one hand she can manipulate PLC registers (such as those used to store actuator commands or sensor measurements) to bring the physical process into a compromised state; on the other hand she may transmit fake measurements to the corresponding HMI, possibly taken from previous recordings made by the attacker on the genuine target system during an eavesdropping phase.
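As an added example, not part of the paper or of HoneyICS, the following Python model ties together the physical plant, supervisory network and management dashboard of Section 4.1 with the replay MITM just described: a discrete-time tank supplies physics-aware feedback to register writes, an emulated PLC runs a two-point level controller, an attacker on the supervisory network forces the pump register while replaying eavesdropped level readings to the HMI, and the dashboard check compares what the HMI shows with the plant state it reads out of band over the field network. The register map, plant constants, set points and alert tolerance are assumptions made for the example.

```python
"""Physics-aware feedback and dashboard-side MITM detection.
Added example; not HoneyICS code. Register map, plant constants, set points
and the alert tolerance are assumptions for this illustration."""
from dataclasses import dataclass, field

REG_LEVEL = 0   # holding register: sensor measurement (cm), refreshed each scan
REG_PUMP = 1    # holding register: actuator command, 1 = inflow pump on


@dataclass
class Tank:
    """Discrete-time plant model: constant drain, pump adds inflow when on."""
    level: float = 50.0       # cm
    inflow: float = 4.0       # cm per scan while the pump is on
    outflow: float = 1.5      # cm per scan, always present
    capacity: float = 100.0

    def step(self, pump_on: bool) -> float:
        self.level += (self.inflow if pump_on else 0.0) - self.outflow
        self.level = max(0.0, min(self.capacity, self.level))
        return self.level


@dataclass
class PLC:
    """User program: hysteresis control between a low and a high set point."""
    registers: list = field(default_factory=lambda: [0, 0])
    low: int = 40
    high: int = 70

    def scan(self, measured_level: float) -> bool:
        self.registers[REG_LEVEL] = int(measured_level)
        if measured_level < self.low:
            self.registers[REG_PUMP] = 1
        elif measured_level > self.high:
            self.registers[REG_PUMP] = 0
        return self.registers[REG_PUMP] == 1


class ReplayMITM:
    """Rewrites level reads in flight with values recorded while eavesdropping."""
    def __init__(self, recording):
        self.recording, self.i = list(recording), 0

    def __call__(self, reg, value):
        if reg != REG_LEVEL or not self.recording:
            return value
        value = self.recording[self.i % len(self.recording)]
        self.i += 1
        return value


class SupervisoryNetwork:
    """Path between PLC and HMI; an optional MITM hook alters what the HMI sees."""
    def __init__(self):
        self.mitm = None

    def read(self, plc: PLC, reg: int) -> int:
        value = plc.registers[reg]
        return self.mitm(reg, value) if self.mitm else value


def dashboard_check(hmi_level: float, plant_level: float, tolerance: float = 2.0) -> bool:
    """True when the HMI display diverges from the actual plant beyond tolerance.
    The plant value comes from the field side, which the attacker cannot reach."""
    return abs(hmi_level - plant_level) > tolerance


def run(steps: int, attack_at=None):
    """Simulate `steps` scans. From scan `attack_at` on, an attacker on the
    supervisory network forces the pump register and replays old readings.
    Returns (final tank level, list of scans at which the dashboard alerted)."""
    tank, plc, net = Tank(), PLC(), SupervisoryNetwork()
    recording, alerts = [], []
    for t in range(steps):
        sampled = tank.level                      # delivered by the field network
        pump_on = plc.scan(sampled)
        attacking = attack_at is not None and t >= attack_at
        if attacking:
            if t == attack_at:
                net.mitm = ReplayMITM(recording)  # readings eavesdropped so far
            plc.registers[REG_PUMP] = 1           # direct actuator register write
            pump_on = True
        else:
            recording.append(plc.registers[REG_LEVEL])
        hmi_level = net.read(plc, REG_LEVEL)      # what the operator sees
        if dashboard_check(hmi_level, sampled):
            alerts.append(t)
        tank.step(pump_on)
    return tank.level, alerts


if __name__ == "__main__":
    print("benign run:", run(40))
    print("replay MITM from scan 20:", run(40, attack_at=20))
```

In the benign run the HMI tracks the plant within the integer rounding of the register, so the dashboard stays quiet; once the replay starts, the HMI keeps showing the recorded 39-69 cm cycle while the forced pump drives the tank to capacity, and the dashboard alerts on every scan from the start of the attack. The comparison only works because the dashboard's plant reading bypasses the supervisory network, which is why the field network must remain unreachable from the attacker's entry points.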
5 IMPLEMENTATION PROPOSAL
We plan to realize a prototype implementation of HoneyICS based on Modbus [4], DNP3 [11], and other ICS network protocols. To support configurability and scalability, we aim to rely upon existing simulation frameworks such as Honeyd [22], HoneyPLC [8], OpenPLC [28], and Simulink [21], rather than physical ICS hardware/devices, with each component of our architecture deployed in a dedicated Docker container.
To simulate a PLC, we can leverage existing low-interaction and physics-aware high-interaction honeypots. For example, the realization of the low-interaction honeypot can rely upon Honeyd [22] to provide a personality engine able to simulate the TCP/IP stack of target devices such as PLCs. On the other hand, OpenPLC [28], an open source software PLC compliant with the IEC 61131-3 standard [12], can be used to implement the physics-aware high-interaction honeypot. This allows us to leverage the network layer of OpenPLC to establish and maintain network connections over ICS network protocols. To route network requests coming either from scanning tools, such as Nmap, or via ICS network protocols to the proper honeypot, OpenPLC can be integrated into Honeyd using Honeyd's subsystem virtualization feature [22]. Since the Honeyd personality shapes only the TCP/IP-level fingerprint while protocol-level identification (e.g., the device information returned over the ICS protocol) comes from the high-interaction side, both must be configured to describe the same PLC model, as an attacker can check one against the other. HMI components can be implemented using an open source drag-and-drop SCADA interface that can interact with several PLC brands, such as ScadaBR [1]. The physical process of the plant can be simulated in Simulink [21], a framework to model, simulate, and analyze cyber-physical systems, widely adopted in industry and research.
The supervisory control network of the honeynet can be simulated using a broker that connects the PLCs with each other through the ICS network protocols. Similarly, a second broker can be used to emulate the field communications network connecting the PLCs with the physical plant.
ACKNOWLEDGMENTS
We thank Daniele Antonioli and Nils O. Tippenhauer for comments on an early draft of the paper, and the anonymous reviewers for their useful reviews. The authors have been partially supported by the project "Dipartimenti di Eccellenza 2018–2022" funded by the Italian Ministry of Education, Universities and Research (MIUR).
REFERENCES
[1] 2009. The ScadaBR project. https://www.scadabr.com.br/
[2] 2016. S7comm - The Wireshark Wiki. https://wiki.wireshark.org/S7comm/ Accessed: 2022-05-14.
[3] A. Murillo, L. Combita Alfonso, A. Gonzalez, S. Rueda, A. Cardenas, and N. Quijano. 2018. A Virtual Environment for Industrial Control Systems: A Nonlinear Use-Case in Attack Detection, Identification, and Response. In ICSS. 25–32.
[4] A. Swales. 1999. Open Modbus/TCP specification. Schneider Electric 29 (1999), 3–19.
[5] D. Antonioli, A. Agrawal, and N.O. Tippenhauer. 2016. Towards High-Interaction Virtual ICS Honeypots-in-a-Box. In CPS-SPC. ACM, 13–22.
[6] D. Pliatsios, P.G. Sarigiannidis, T. Liatifis, K. Rompolos, and I. Siniosoglou. 2019. A Novel and Interactive Industrial Control System Honeypot for Critical Smart Grid Infrastructure. In IEEE CAMAD. 1–6.
[7] D.I. Buza, F. Juhász, G. Miru, M. Félegyházi, and T. Holczer. 2014. CryPLH: Protecting Smart Energy Systems from Targeted Attacks with a PLC Honeypot. In Smart Grid Security. Springer, 181–192.
[8] E. López Morales, C. Rubio, A. Doupé, Y. Shoshitaishvili, R. Wang, T. Bao, and G-J. Ahn. 2020. HoneyPLC: A Next-Generation Honeypot for Industrial Control Systems. ACM SIGSAC, 279–291.
[9] E. Vasilomanolakis, S. Srinivasa, C.G. Cordero, and M. Mühlhäuser. 2016. Multi-stage attack detection and signature generation with ICS honeypots. In IEEE NOMS. 1227–1232.
[10] G. Bernieri, M. Conti, and F. Pascucci. 2019. MimePot: a Model-based Honeypot for Industrial Control Networks. In IEEE SMC. 433–438.
[11] G. Clarke, D. Reynders, and E. Wright. 2004. Practical Modern SCADA Protocols: DNP3, 60870.5 and Related Systems. Newnes, Elsevier.
[12] International Electrotechnical Commission. 1993. Programmable controllers - Part 3: Programming languages. IEC 61131-3 (1993).
[13] J. Cao, W. Li, J. Li, and B. Li. 2018. DiPot: A Distributed Industrial Honeypot System. Springer, 300–309.
[14] J. Franco, A. Aris, B. Canberk, and A. Selcuk Uluagac. 2021. A Survey of Honeypots and Honeynets for Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems. IEEE Commun. Surv. Tutorials (2021), 2351–2383.
[15] J. Matherly. 2015. Complete guide to Shodan. Shodan LLC.
[16] K. Wilhoit and S. Hilt. 2015. The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. Trend Micro, Vol. 6. 3–13.
[17] L. Rist, J. Vestergaard, D. Haslinger, A. De Pasquale, and J. Smith. 2013. Conpot ICS/SCADA Honeypot. http://conpot.org/
[18] M. Dodson, A.R. Beresford, and M. Vingaard. 2020. Using Global Honeypot Networks to Detect Targeted ICS Attacks. In CyCon. 275–291.
[19] M. Krotofil, K. Kursawe, and D. Gollmann. 2019. Securing Industrial Control Systems. In Security and Privacy Trends in the Industrial Internet of Things, Cristina Alcaraz (Ed.). Springer, 3–27.
[20] M.M. Winn. 2015. Constructing Cost-Effective and Targetable ICS Honeypots Suited for Production Networks. Master's thesis. Air Force Institute of Technology.
[21] MATLAB. 2021. Version R2021a.
[22] N. Provos. 2003. Honeyd: A Virtual Honeypot Daemon (Extended Abstract). DFN-CERT 2 (2003).
[23] P. Brooks. 2001. EtherNet/IP - industrial protocol. In ETFA, Vol. 2. 505–514.
[24] S. Abe, Y. Tanaka, Y. Uchida, and S. Horata. 2018. Developing Deception Network System with Traceback Honeypot in ICS Network. SICE JCMSI 11 (2018), 372–379.
[25] S-H. Leitner and W. Mahnke. 2006. OPC UA - service-oriented architecture for industrial applications. ABB Corporate Research Center 48, 61-66 (2006), 22.
[26] S. Lau, J. Klick, S. Arndt, and V. Roth. 2016. POSTER: Towards Highly Interactive Honeypots for Industrial Control Systems. In CCS. ACM, 1823–1825.
[27] S. Litchfield, D. Formby, J.D. Rogers, A.P.S. Meliopoulos, and R.A. Beyah. 2016. Rethinking the Honeypot for Cyber-Physical Systems. IEEE Internet Comput. 20 (2016), 9–17.
[28] T.R. Alves, M. Buratto, F.M. Souza, and T.V. Rodrigues. 2014. OpenPLC: An open source alternative to automation. In IEEE GHTC. 585–589.
[29] V. Pothamsetty and M. Franz. 2004. SCADA HoneyNet Project: Building Honeypots for Industrial Networks. (CIAG) Cisco Systems.