HARDENING WINDOWS-BASED HONEYPOTS TO PROTECT COLLECTED DATA

Abstract

Digital honeypots are computers commonly used to collect intelligence about new cyberattacks and malware behavior. To be successful, these decoys must be configured to allow attackers to probe a system without compromising data collection. Previous research at the Naval Postgraduate School developed an industrial control system (ICS) honeypot simulating a small electric-distribution system. This honeypot was attacked, and its log data was deleted. Our research analyzed the attacks and developed methods to harden the main weakness of the publicly accessible user interface. The hardened honeypot included more robust data collection and logging capabilities and was deployed in a commercial cloud environment. We observed significant scanning and new attacks, including the well-known BlueKeep exploit. Our results showed that the added security controls, monitoring, and logging were effective but imperfect in protecting the honeypot’s data and event logs. This work can help improve the security of industrial control systems used in both the government and private sectors.

DOE

Captain, United States Marine Corps

Approved for public release. Distribution is unlimited.
