SCADA HoneyNet Project: Building Honeypots for Industrial Networks

Venkat Pothamsetty and Matthew Franz
Critical Infrastructure Assurance Group(CIAG)
Cisco Systems, Inc.

Links

  • Download
  • Mailing List
  • PLC Simulation Case Study
  • Honeyd - a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems

    News & Updates

  • 7/15/05/(released version 0.3) - Converted teh stand-alone scripts to work with honeyd, changes to html scripts. See Release Notes for more details.

  • 6/01/04/(released version 0.2) - Fixed the bug regarding the absense of modbusHdrs.py, included sample nmap OS fingerprints of some PLCs, included a test file to generate custom Modbus packets to test the modbusSrve.py implementation
  • 5/13/04 - Major cleanup of content
  • 3/20/04 - PLC Simulation scripts available for down and PLC Simulation Case Study complete.

    Objectives

    The short-term goal of the project is to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. We plan to document the requirements and release proof of concept code (in the form of honeyd scripts) so that a single Linux host can simulate multiple industrial devices and complex network topologies. Given the variety of deployments and the lack of standard, well-defined architectures for industrial networks, this project attempts to create the building blocks so that users can simulate their networks own networks--not make assumptions about what "real world" SCADA/DCS/PLC look like. Assuming deployment of "SCADA HoneyNets" ever reach critical mass, the longer term objective of the project is to gather information about general attack patterns and specific exploits that could be used to write signature for commercial and Open Source IDS products.

    Introduction

    There is still little information about SCADA vulnerabilities and attacks, despite the growing awareness of security issues in industrial networks. As is the case with IT security, owner-operators are often unwilling to release attack or incident data. However, unlike IT products and protocols, there are not the sort of public repositories of vendor advisories and vulnerabilities in industrial devices. Although some vulnerability research is being conducted in this area, very little has been released publically and no "SCADA security tools" (whatever that might mean) have been released to the public.

    To address these limitations, this goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

    Feature Requirements

    Based on our knowledge of industrial network applications, products, and protocols, we identified the following requirements:

    Individual Device Simulation

    To simulate individual devices, the following functionality is needed:

    Simulate Network

    We need to simulate various entry points so that when an attacker encounters a perimeter device, he will be presented the same network as a real SCADA network at that particular network entry point
    Various network entry points that we need to simulate include:

    1. A router directly connected to the Internet: Control system networks are typically not directly conne a control network is located inside a corporate network. Assuming the corporate network as Internet, we need to simulate the entry point of a router that seperates the control network and the corporate network. The devices that are normally connected to such routers would be Industrial Ethernet switches or industrial devices with an IP stack, such as some IP enabled PLCs and wireless access points.
    2. Direct serial device:Some of the industrial devices have a modem that can be directly dialed into from a PSTN. We need to simulate a "modem server" that can take connections and behaves like a industrial device or is connected to a industrial device.
    3. A Ethernet enabled industrial device directly connected to the Internet: Such a scenario should be the same as simulating the stack, the protocols and applications on that device and connecting that to Internet
    4. An Ethernet serial gateway directly plugged into the Internet:An Ethernet serial gateway is a bridge between the IP network and the serial interface. The IP side of the device would be connected to the network, either a Industrial switch or a router to which other IP industrial devices are connected to. The serial side of the device would be connected to a serial device or a serial network.
    5. Wireless: Wireless is one of the entry points into a Industrial network. Most of the Industrial wireless devices use proprietary wireless protocols and some of them use 802.1b standard. Typically the serial interface of the device would be connected to a wireless bridge.
    6. Remote desktop access and HMIs:The Human Machine Interfaces and the software that communicates with Industrial devices usually run on a Windows machine. Administrators who want remote access to these devices would typically run a remote desktop viewer, such as VNC or PC anywhere. An attacker would normally find it through a port scan ' after he gets into the control network and might get to it using a VNC client. Simulating this would probably need a custom made VNC protocol simulation.
    7. Remote Access Server (RAS):Another possible entry point into a control network is to dial into the network using PPP and use the PPP password to authenticate yourself to a Network Access Server and then directly access the Industrial device.

    Capture the attacker tools and tracks

    Our scripts need to capture the attacker tools and tracks. That should include keystroke logging and facilities to capture the tools and binaries he might be up loading, if the attack. Our scripts also need to capture network traffic.

    Review of existing technologies and relavency

    Honeyd

    Honeyd has facilities for easy simulation of TCP/IP stacks and applications.
    Honeynet takes Nmap and Xprobe signatures through configuration files and sends packet responses to scans matching those signatures. Users can set up profiles, mapping IP addresses that Honeyd should respond to a corresponding device profile. When attackers Nmap or Xprobe scan the IP address which Honeyd is taking care of, he will be returned with packets matching the corresponding device profile.

    Therefore using Honeyd, it would be possible to simultaneously simulate stacks of multiple IP based Industrial devices, provided the corresponding scanning tools (Nmap or Xprobe) has the knowledge of the signature. As of now, there are no signatures of Industrial devices in Nmap's database.
    Honeyd allows the user to listen on a port and run a script on that particular port when anybody connects to that port. As of now, there are many scripts contributed to the project, which can simulate web pages, WSFTP servers and Cisco telnet servers.

    Using this feature on Honeyd, it is possible to write scripts that simulated various Industrial Ethernet protocols. For example, it would be possible to simulate a Modbus/TCP server on port 502 and EtherNet/IP on ports 44818/2222.

    Serial interface simulation

    Many industrial network devices use RS-232/485 for communication. Typically the serial port of a PC would be directly (or indirectly, via a serial Ethernet gateway) connected to the serial port of the device. There would be a software running on the PC, which sends commands to the device over the serial interface. By some accounts there are hundreds of serial protocols in use in SCADA networks. Some of the more common protocols are MODBUS and DNP.

    We need to simulate those protocols over the serial port, so as to present a protocol interface to an attacker who connects to the serial port. Many languages support serial interface programming including Python and Java. We were able to achieve serial communication through a open source Python serial programming module (pyserial.sf.net).

    Simulating 802.11

    The HostAP driver(http://hostap.epitest.fi/), replies for 802.1b management packets and converts a client adapter an access point. The driver can be used to simulate an access point which is inside a automation or a SCADA network

    Capturing attack tools and capturing the attackers' track

    Though not part of Honeyd, there are lots of keystroke loggers available. We need a mechanism to track the attacker on the web interface of the device. We do not know of any tools which can provide that functionality, however we explored some possibilities where the the Java applet (running on the "attackers" web browser) is able to comm

    Challenges

    Deployment and Testing

    An ideal deployment site for such a script would be a subnet close to a real Industrial/SCADA network or a phone number which belongs to a SCADA/Automation plant. We are not aware of any active and on-going SCADA specific attacks, it would be difficult to get a SCADA aware attacker into the honeypot.

    Send comments to scadahoneynet-talk@lists.sourceforge.net or ciag-tools@cisco.com

    SourceForge Logo