4 research outputs found

    Creating Convincing Industrial-Control-System Honeypots

    Cyberattacks on industrial control systems (ICSs) can be especially damaging since they often target critical infrastructure. Honeypots are valuable network-defense tools, but they are difficult to implement for ICSs because they must then simulate more than familiar protocols. This research compared the performance of the Conpot and GridPot honeypot tools for simulating nodes on an electric grid for live (not recorded) traffic. We evaluated the success of their deceptions by observing their activity types and by scanning them. GridPot received a higher rate of traffic than Conpot, and many visitors to both were deceived as to whether they were dealing with a honeypot. We also tested Shodan's Honeyscore for finding honeypots, and found it was fooled by our honeypots as well as others when, like most users, it did not take site history into account. This is good news for collecting useful attack intelligence with ICS honeypots.

    Hardening Honeypots for Industrial Control Systems

    Honeypots are computers that collect intelligence about new cyberattacks and malware behavior. To be successful, these decoys must allow attackers to probe a system without compromising data collection. Previously, we developed an industrial control system (ICS) honeypot simulating a small electric-distribution system, but this honeypot was attacked, and its log data was deleted. The current work analyzed the attacks and developed methods to harden the main weaknesses of the public user interface. The hardened honeypot included more robust data collection and logging capabilities, and was deployed in a commercial cloud environment. We observed significant scanning and new attacks, including the well-known BlueKeep exploit and activity related to Russian cyberattacks on Ukraine. Our results showed that the added security controls, monitoring, and logging were more effective in protecting the honeypot's data and event logs.

    Responding to Cybersecurity Challenges: Securing Vulnerable U.S. Emergency Alert Systems

    Emergency alert systems (EASs) in the United States (US) form part of the nation's critical infrastructure. These systems rely on aging platforms and suffer from a fragmented interconnected network of partnerships. Some EASs have an easily identifiable vulnerability: one can access their management website via the Internet. Authorities must secure these systems quickly. Other concerns also exist, such as the lack of policies for reporting vulnerabilities. To begin to assess EASs in the US, we used Shodan to evaluate the availability of these websites in six southeastern states. We found 18 such websites that one could access via the Internet and that required only user credentials to log in. Next, we searched for published policies on reporting vulnerabilities; we found no vulnerability-disclosure policies for any system we identified. To identify, prioritize, and address EAS vulnerabilities, we present a list of technical and management strategies to reduce cybersecurity threats. We recommend integrated policies and procedures at all levels of the public-private-government partnerships and system resilience as lines of defense against cybersecurity threats. By implementing these strategies, EASs in the US will be positioned to update critical infrastructure, notify groups of emergencies, and ensure the distribution of valid and reliable information to at-risk populations.

    HARDENING WINDOWS-BASED HONEYPOTS TO PROTECT COLLECTED DATA

    Digital honeypots are computers commonly used to collect intelligence about new cyberattacks and malware behavior. To be successful, these decoys must be configured to allow attackers to probe a system without compromising data collection. Previous research at the Naval Postgraduate School developed an industrial control system (ICS) honeypot simulating a small electric-distribution system. This honeypot was attacked, and its log data was deleted. Our research analyzed the attacks and developed methods to harden the main weakness of the publicly accessible user interface. The hardened honeypot included more robust data collection and logging capabilities and was deployed in a commercial cloud environment. We observed significant scanning and new attacks, including the well-known BlueKeep exploit. Our results showed that the added security controls, monitoring, and logging were effective but imperfect in protecting the honeypot's data and event logs. This work can help improve the security of industrial control systems used in both the government and private sectors.
    DOE
    Captain, United States Marine Corps
    Approved for public release. Distribution is unlimited.