Academic Journal

Developing Deception Network System with Traceback Honeypot in ICS Network

Bibliographic Details
Title: Developing Deception Network System with Traceback Honeypot in ICS Network
Authors: Shingo Abe, Yohei Tanaka, Yukako Uchida, Shinichi Horata
Source: SICE Journal of Control, Measurement, and System Integration, Vol 11, Iss 4, Pp 372-379 (2018)
Publication Information: Taylor & Francis Group, 2018.
Publication Year: 2018
Subject Terms: honeypot, deception network system, industrial control system, security, malware, Control engineering systems. Automatic machinery (General), TJ212-225
Description: In industrial control system (ICS) networks, communication is often conducted using custom protocols. Methods for analysis and protection from cyber threats that are specific to ICS networks need to be discussed in line with each device and system specification. In this research, the honeypot technology, which is already practiced in IT networks, was further improved for ICS networks so that it responds to packets reaching the honeypots and even conducts a counter-scan to collect information on the attack method and its sources. It has already been presented that machines infected with some known malware (e.g. Havex RAT) in ICS networks conduct scan activities against certain devices. For this type of attack, an interaction honeypot is considered effective in identifying infected devices out of such scans. In the simulation based on Modbus Stager, which affects programmable logic controller (PLC) operation and connected PCs, the suggested interaction honeypot, namely the “traceback honeypot system (THS)”, successfully collected the payload that is actually sent in the attacks by emulating responses to commands on Modbus protocols. Information obtained from THS-based observation can be used for proactive purposes, such as separating infected devices from the operating network and restricting access to certain devices to prevent further infection in the ICS network. This paper discusses methods of tracking attack sources using the THS and preventing further infection within the network based on the search result.
Document Type: article
File Description: electronic resource
Language: English
ISSN: 1884-9970
Relation: https://doaj.org/toc/1884-9970
DOI: 10.9746/jcmsi.11.372
Access URL: https://doaj.org/article/e9d9ffa0294341499be6dcef87bdc030
Accession Number: edsdoj.9d9ffa0294341499be6dcef87bdc030
Database: Directory of Open Access Journals