ICSpot: A High-Interaction Honeypot for Industrial Control Systems

Honeypots represent one of the most common solutions to study the adversaries' movements and develop ad-hoc protection strategies. An effective honeypot can mimic a real system behavior and can be used to deceive the attacker and collect data related to his actions. However, current honeypots for Industrial Control Systems (ICSs) still lack realistic physical process simulation of the industrial network. Simulating an industrial process accurately while also enabling interaction with it is a complicated task. In this paper, we present ICSpot, the first ICS honeypot that addresses the current state-of-the-art limitations by integrating a physical process interaction. We developed our honeypot by leveraging different ad-hoc ICS tools resulting in a more completed and realistic solution. Then, we installed our honeypot on a local Internet Exchange Point and an AWS server, and we collected the interaction for 30 days. Finally, we report the finding related to the interaction collection and compare the results on the two installation points. Our results show that the physical process port we implemented is highly attractive to attackers.