hunnypOT
hunnypOT: a production honeypot for Operational Technology (OT) systems in the power sector.
hunnypOT is a network appliance that simulates an Industrial Control System network. It provides an early warning system so that attacks on Critical Infrastructure (such as power plants, water treatment facilities and telecommunications networks) can be detected before the attacker can cause damage.
Our solution is simple. Plug in our device, and wait. You will receive email and SMS alerts if an attacker tries interacting with it, so that you can immediately start working to kick them out.
Motivation
Attacks on critical infrastructure are increasing, and the impact of those attacks could be catastrophic, affecting not “just” data, but threatening national security, causing environmental damage, hurting the national economy, and even causing human injury or death. The converged Operational Technology (OT)-Information Technology (IT) space is relatively new and growing. Defending an OT system properly and preparing for incident response requires knowledge about the kinds of possible attacks on OT and OT/IT converged systems. Deception technology such as a honeypot is one way to obtain that intelligence and provide a non-invasive foolproof alert of anomalous activity.
2019 Utility Industry survey:
- 56% of utilities surveyed report at least one shutdown or operational data loss per year.
- 54% expect an attack on critical infrastructure in the next 12 months
- 42% rated their cyber readiness as high
- 31% rated readiness to respond to or contain a breach as high.
[Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?, Siemens and Ponemon Institute, 04 October 2019]
hunnypOT Design
We leveraged the open source project “Conpot” to jumpstart the power grid emulation, and have extended its limited emulation to improve realism by supporting more PLC commands. We built logging and command-control servers to capture, alert and log any activity on the emulated PLC.
Overview of software design