ZDResearch Presents ICS Honeypot Detection Framework at Kaspersky Industrial Cybersecurity Conference

The Sixth Conference on Industrial Cybersecurity Organized by Kaspersky Lab was held on September 19-21 in Sochi, Russia. This year’s theme was ‘Industrial Cybersecurity: Opportunities and Challenges in Digital Transformation’.


Event participants included leading experts on the security of industrial systems, as well as specialists and managers representing industrial enterprises from more than 20 countries, including USA, China, Russia, Germany, Denmark, Italy, Spain, France, Lithuania, Saudi Arabia, UAE, Qatar, Iran, Egypt and Japan.


Over 250 people attended the conference. Participants included IT/OT control experts, representatives of vendors such as Honeywell, Schneider Electric, Omron Corporation, Siemens, etc., as well as researchers and professors from international universities and research institutions, including Clemson University, Singapore University of Technology and Design, and Fraunhofer Institute of Optronics, System Technologies, and Image Exploitation IOSB (Germany). Also taking part were experts from Russia’s National Computer Incident Coordination Center. The ICL group was a Gold Partner of the conference.

The business track hosted discussions on such issues as the regulation of critical infrastructure cybersecurity in Russia, approaches to enterprise industrial information security in the era of digital transformation, the choice of effective security tools and practical aspects of assuring cybersecurity of industrial infrastructure.


Within the industrial cybersecurity technical track, participants shared their expertise in implementing real-world projects related to security at industrial enterprises, detecting cyberphysical threats and identifying vulnerabilities in industrial systems.

The talk by Mr Mohammad-Reza Zamiri of ZDResearch was titled “A Framework for Fingerprinting of ICS Honeypots”. Honeypots are well-known tools for detecting and trapping hacking attempts. Compared to other security mechanisms such as firewalls and intrusion detection systems, honeypot technology has not advanced significantly, particularly in Industrial Control Systems (ICS). ICS honeypots attempt to simulate the services of industrial control systems in order to imitate their behaviour. Adversaries, on the other hand, try to identify these honeypots and bypass them, which makes protecting honeypots against detection very important. In this research, Mr Zamiri categorizes the methods used to identify industrial honeypots. He classifies these methods into four categories, the first three of which are commonly discussed in the literature, whereas the fourth, novel category is tied to the nature of industrial control systems:

  1. Default settings (default network service banners, default names, default values, etc.)

  2. Identifying the honeypot hosting environment (OS detection, looking up the hosting location, etc.)

  3. Incomplete implementation of protocols. Many honeypots simulate protocols or network services, and some features of these protocols are certain to be implemented incompletely.

  4. Detecting unusual ICS behaviours. An ICS honeypot should be able to correctly imitate or simulate the logic of an industrial system. Some honeypots simulate industrial protocols but have not been successful in implementing that logic. For example, an industrial system that holds a physical parameter such as temperature must be simulated dynamically; a few fixed numbers served by ICS network services can be a sign of a honeypot.

Many honeypots are readily identified by scanner tools such as nmap or p0f; to raise the least suspicion, a honeypot should instead present auxiliary data that resembles a real industrial system.

With respect to these categories, Mr Zamiri has developed an ICS honeypot detection framework and evaluated it by identifying “Gaspot”, a popular ICS honeypot that simulates the automatic tank gauges commonly used in the oil & gas industry. The framework recognizes honeypots based on characteristics specific to each category. Evaluations show that the framework identifies Gaspot instances with more confidence than state-of-the-art tools.

You can find the framework’s code here:

https://github.com/zdresearch/OWASP-Nettacker/tree/master/lib/payload/scanner/ics_honeypot


Link to the conference presentation:

https://ics.kaspersky.com/media/ics-conference-2018/Mohammar-Zamiri-A-Framework-For-Fingerprinting-ICS-Honeypots-En.pdf
