Over the past few years, there have been many reported attacks against industrial control systems (ICS). Looking a little closer, most of the attacks seem to have flowed out of traditional IT. This is not surprising, as production systems are generally connected to normal corporate networks at this time.

While there is currently no data to suggest that many threat actors specifically target industrial systems (indeed, most evidence points to purely opportunistic behavior), intrusions into OT environments are growing in complexity, and the tide can turn at any moment. Criminals use every opportunity to blackmail their victims and carry out their extortion schemes, and stopping production can cause huge losses. It is probably just a matter of time. Therefore, operational technology (OT) cybersecurity is very important.

Deception is an effective option for improving threat detection and response capabilities. However, ICS security differs from traditional IT security in several ways. Deception techniques for defensive uses like honeypots have advanced, but there are still challenges due to fundamental differences such as the protocols used. This article aims to detail the advancements and challenges as deception techniques move from traditional IT to ICS security.

The Worth of Deception: Taking Back the Initiative

Deception techniques are active security defenses that effectively detect malicious activity. On the one hand, this strategy creates an environment of false information and simulations that misleads the adversary’s judgment, traps unsuspecting attackers so that they waste time and energy, and raises the complexity and uncertainty of the intrusion for the attacker.

At the same time, defenders can collect more comprehensive attack logs, deploy countermeasures, track attacker sources, and monitor attack behavior. Keeping a record of all the tactics, techniques, and procedures (TTPs) used by attackers can be very helpful for security analysts. Deception techniques can regain the initiative for defenders.


Some deceptive applications, such as honeypots, can simulate their operating environment and configuration, thus luring attackers into entering a fake target. This allows the defender to retrieve the payload that the attacker drops, and to retrieve information about the attacker’s host, as well as information about the web browser using the web application’s JavaScript. In addition, JSONP Hijacking can reveal attackers’ social media accounts, as well as counteract them through “honey files”. Deception techniques can be expected to become more mature and widely used over the next few years.
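The “honey files” mentioned above are the simplest deception primitive to reason about: a file whose contents are never used legitimately, so any use of them is a high-confidence signal. The following added example (written for this article, not code from Orange Cyberdefense or any of the honeypots discussed) plants a plausible maintenance-notes file carrying a per-decoy username and then scans SSH authentication logs for that username, attributing the hit back to the exact file that was opened. The secret, the decoy inventory and the log lines are constructed for the demo.

```python
"""Honey files with per-decoy credentials and a detector that attributes any
use of them back to the file that was opened. Added example, not code from the
article or from Orange Cyberdefense; the secret, decoy names and log lines are
constructed for the demo."""
import hashlib
import hmac
import re

# Assumed per-deployment secret; it only derives unguessable decoy usernames.
SEED = b"replace-with-a-random-per-site-secret"

# Assumed inventory: decoy id -> where the honey file was planted.
DECOYS = {
    "finance-share": r"\\fileserver\finance\old\hmi_access.txt",
    "eng-ws": r"C:\Users\engineer\Desktop\plc_maint.txt",
}


def honey_username(decoy_id: str) -> str:
    """Deterministic, unique username per decoy; nobody legitimate ever uses it."""
    tag = hmac.new(SEED, decoy_id.encode(), hashlib.sha256).hexdigest()[:6]
    return f"svc_{tag}"


def render_honey_file(decoy_id: str, target_host: str) -> str:
    """Plausible 'maintenance notes' content to plant on a share or workstation."""
    return (
        "# legacy HMI maintenance access - do not share\n"
        f"host={target_host}\n"
        f"user={honey_username(decoy_id)}\n"
        "pass=Winter2019!\n"   # fake password; the username is what we detect on
    )


# Matches OpenSSH auth-log lines for both failed and accepted password logins.
SSH_AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def scan_auth_log(lines, decoys=DECOYS):
    """Return one alert per log line that authenticates with a honey username."""
    user_to_decoy = {honey_username(d): d for d in decoys}
    alerts = []
    for line in lines:
        m = SSH_AUTH_RE.search(line)
        if not m or m["user"] not in user_to_decoy:
            continue
        decoy = user_to_decoy[m["user"]]
        alerts.append({
            "decoy": decoy,
            "planted_at": decoys[decoy],   # tells the analyst which file was read
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return alerts


def sample_log():
    """Constructed auth-log lines: two benign, one touching the eng-ws decoy."""
    return [
        "Mar  3 10:21:55 hmi01 sshd[4410]: Accepted password for operator from 10.1.5.20 port 50110 ssh2",
        f"Mar  3 10:22:01 hmi01 sshd[4412]: Failed password for invalid user {honey_username('eng-ws')} from 10.1.5.7 port 51122 ssh2",
        "Mar  3 10:22:30 hmi01 sshd[4415]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    ]


if __name__ == "__main__":
    print(render_honey_file("eng-ws", "hmi01"))
    for alert in scan_auth_log(sample_log()):
        print("HONEY FILE USED:", alert)
```

Deriving the username with an HMAC rather than storing a random string per file means the detector only needs the decoy inventory and the site secret to recognise a hit, and the same file can be regenerated identically if it is accidentally deleted.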

In recent years, with the rapid development of the industrial Internet and intelligent manufacturing, the integration of information technology and industrial production has accelerated. Connecting large industrial networks and equipment to IT technology inevitably increases security risks in this area.

Production at Risk

Frequent security incidents such as ransomware, data breaches, and advanced persistent threats have severely impacted the production and business operations of industrial enterprises, threatening the security of the digital society. In general, these systems tend to be vulnerable and easily exploited by attackers because of their simple architecture, with limited processing power and memory. Because of that simple architecture, ICS components are rarely updated or patched, making it difficult to protect an ICS from malicious activity. It is also usually not possible to install an endpoint protection agent. Given these challenges, deception can become an important part of your security approach.

With the development of cybersecurity technology, deception is applied in various contexts such as web, database, mobile apps and IoT. Deception techniques have been incorporated into some ICS honeypot applications in the OT space. For example, ICS honeypots such as Conpot, XPOT and CryPLH can simulate protocols such as Modbus, S7, IEC-104 and DNP3.

  • Conpot is a low-interaction honeypot that can simulate IEC104, Modbus, BACnet, HTTP, and other protocols, and is easy to deploy and configure.
  • XPOT is a software-based, highly interactive PLC honeypot that can run programs. It simulates a Siemens S7-300 series PLC and allows an attacker to compile, interpret and load a PLC program into XPOT. XPOT supports the S7comm and SNMP protocols and is the first highly interactive PLC honeypot. Because it is software-based, it is highly scalable, allowing large decoy or sensor networks. XPOT can be connected to simulated industrial processes to make the adversary’s experience more complete.
  • CryPLH is a low-interaction virtual smart-grid ICS honeypot that simulates a Siemens Simatic 300 PLC device. It uses Nginx and a miniweb web server to simulate HTTP(S), a Python script to simulate the Step 7 ISO-TSAP protocol, and a custom SNMP implementation. The author deployed the honeypot within the university’s IP range and observed scanning, pinging, and SSH login attempts.

From simulating individual ICS protocols to simulating a whole ICS environment, these honeypots show a gradual increase in their ability to interact with an attacker.

Therefore, deception techniques like the honeypot applications mentioned above can compensate for the weakness of detection systems against unknown threats and can play an important role in securing industrial control networks. These applications help detect cyber-attacks on industrial control systems and show general risk trends. Real OT vulnerabilities exploited by attackers are caught and reported to security analysts, leading to timely patches and intelligence. In addition, you can get early alerts before ransomware hits, for example, to avoid large losses and production stoppages.
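To make the two points above concrete (a honeypot simulating an ICS protocol such as Modbus, and the attack log that every touch of it produces), here is a minimal low-interaction Modbus/TCP decoy. It is an added example written for this article, not code from Conpot, XPOT or CryPLH; the register image, the listening port and the JSON alert format are assumptions, and the frames used to exercise it are constructed. The decoy parses the MBAP header, answers the common read functions from a fake process image, reflects single-register writes so later reads stay consistent, rejects anything else with a Modbus exception, and returns a structured record for every frame, including malformed ones, because on a decoy all traffic is suspicious.

```python
"""Minimal low-interaction Modbus/TCP decoy. Added example, not code from
Conpot, XPOT or CryPLH; register values, port and log format are assumed."""
import json
import socketserver
import struct
from datetime import datetime, timezone

# Function codes the decoy answers (assumed subset; a real PLC supports more).
FC_READ_HOLDING = 0x03
FC_READ_INPUT = 0x04
FC_WRITE_SINGLE_REG = 0x06

EXC_ILLEGAL_FUNCTION = 0x01
EXC_ILLEGAL_ADDRESS = 0x02

# Fake process image: 100 registers that look like a small pump skid (constructed).
HOLDING_REGISTERS = [0] * 100
HOLDING_REGISTERS[0:4] = [1450, 37, 512, 1]   # rpm, temperature, pressure, run flag


def parse_request(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and PDU; raise ValueError on junk."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:
        raise ValueError("bad protocol id or length field")
    return {"tid": tid, "uid": uid, "fc": frame[7], "data": frame[8:]}


def build_response(req: dict) -> bytes:
    """Build the reply PDU for a parsed request and wrap it in an MBAP header."""
    fc, data = req["fc"], req["data"]
    if fc in (FC_READ_HOLDING, FC_READ_INPUT) and len(data) == 4:
        # Input and holding registers share one image here; a real device separates them.
        start, count = struct.unpack(">HH", data)
        if count < 1 or count > 125 or start + count > len(HOLDING_REGISTERS):
            pdu = bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
        else:
            regs = HOLDING_REGISTERS[start:start + count]
            pdu = bytes([fc, 2 * count]) + struct.pack(f">{count}H", *regs)
    elif fc == FC_WRITE_SINGLE_REG and len(data) == 4:
        addr, value = struct.unpack(">HH", data)
        if addr >= len(HOLDING_REGISTERS):
            pdu = bytes([fc | 0x80, EXC_ILLEGAL_ADDRESS])
        else:
            HOLDING_REGISTERS[addr] = value   # reflect the write so later reads agree
            pdu = bytes([fc]) + data          # a real device echoes the request
    else:
        pdu = bytes([fc | 0x80, EXC_ILLEGAL_FUNCTION])
    mbap = struct.pack(">HHHB", req["tid"], 0, len(pdu) + 1, req["uid"])
    return mbap + pdu


def handle_frame(frame: bytes, src: str) -> tuple[bytes, dict]:
    """Process one frame: return (response bytes, JSON-serialisable alert record)."""
    record = {"ts": datetime.now(timezone.utc).isoformat(), "src": src,
              "decoy": "modbus-tcp", "raw": frame.hex()}
    try:
        req = parse_request(frame)
    except ValueError as exc:
        record.update({"verdict": "malformed", "reason": str(exc)})
        return b"", record
    resp = build_response(req)
    record.update({"fc": req["fc"], "unit": req["uid"],
                   "verdict": "exception" if resp[7] & 0x80 else "answered"})
    return resp, record


class DecoyHandler(socketserver.BaseRequestHandler):
    """TCP handler: any traffic at all is suspicious on a decoy, so log everything."""
    def handle(self):
        frame = self.request.recv(260)   # 260 bytes is the Modbus/TCP maximum ADU
        resp, record = handle_frame(frame, self.client_address[0])
        print(json.dumps(record))        # ship to a SIEM in a real deployment (assumed)
        if resp:
            self.request.sendall(resp)


if __name__ == "__main__":
    # Port 502 needs privileges; 5020 is an assumed demo port.
    with socketserver.TCPServer(("0.0.0.0", 5020), DecoyHandler) as srv:
        srv.serve_forever()
```

Two design choices matter for the detection use case: malformed frames still produce a record rather than a silent drop, because a scanner probing with non-Modbus payloads is exactly what you want to see, and writes are reflected into the fake image so that an attacker who reads back what they wrote does not immediately recognise the decoy.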


However, this is not a “silver bullet”. Deception in ICS still faces some challenges compared to the sophisticated deception available in traditional IT security.

First and foremost, there are many different types of industrial control devices and protocols, and many of the protocols are proprietary. It is almost impossible to have a deception technology that applies to all industrial control devices. Therefore, honeypots and other applications often need to be customized to emulate various protocols, which makes implementation a relatively high hurdle in some environments.

A second problem is that the simulation capabilities of purely virtual industrial control honeypots are still limited, making them easy for attackers to identify. Current purely virtualized ICS honeypots only allow for basic simulation of industrial control protocols; most of them are open source and can easily be found with search engines such as Shodan and ZoomEye. Collecting good attack data and improving the simulation capabilities of ICS honeypots remains a challenge for security researchers.

Last but not least, high-interaction industrial control honeypots consume considerable resources and have high maintenance costs. Such honeypots often require the introduction of physical systems and equipment to create a realistic simulation environment. However, industrial control systems and equipment are expensive, difficult to reuse, and difficult to maintain. Even seemingly similar ICS devices are often very diverse in terms of functionality, protocols, and instructions.

Is it worth it?

Based on the above discussion, ICS deception techniques should be integrated with new technologies. Better simulation of, and interaction with, simulated environments strengthens defensive technology. Additionally, the attack logs captured by deception applications are extremely valuable: analyzing them with AI or big-data tools can give a deeper understanding of ICS field intelligence.

In summary, deception techniques play a key role in the rapid development of ICS network security, improving intelligence and defensive capabilities. However, the technology still faces challenges and needs breakthroughs.

To learn more about what the Orange Cyberdefense researchers investigated this year, visit the recently published Security Navigator landing page.

Note: This article was written by Thomas Zhang, Security Analyst at Orange Cyberdefense.
