A flexible architecture for Industrial Control System honeypots

While frequent reports on targeted attacks for Industrial Control Systems hit the news, the amount of untargeted attacks using standardized industrial protocols is still unclear, especially if devices are mistakenly or even knowingly connected to the Internet. To lay the foundation for a deeper insight into the interest of potential attackers, a large scale honeynet system that captures all interactions using industrial protocols is proposed. Special for the honeynet system architecture is the automated deployment on a cloud infrastructure and its modularisation of the industrial protocols. The centralized-but-redundant data collection allows correlating attacks that happen on multiple devices. A real-world experiment confirms the feasibility of the approach, and results of the observed interactions with the honeynet are presented.