SCADA HoneyNet Project: Building Honeypots for Industrial Networks

Venkat Pothamsetty and Matthew Franz
Critical Infrastructure Assurance Group(CIAG)
Cisco Systems, Inc.

Links

Honeyd - a small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems

News & Updates

7/15/05/(released version 0.3) - Converted teh stand-alone scripts to work with honeyd, changes to html scripts. See Release Notes for more details.

6/01/04/(released version 0.2) - Fixed the bug regarding the absense of modbusHdrs.py, included sample nmap OS fingerprints of some PLCs, included a test file to generate custom Modbus packets to test the modbusSrve.py implementation

5/13/04 - Major cleanup of content

3/20/04 - PLC Simulation scripts available for down and PLC Simulation Case Study complete.

Objectives

The short-term goal of the project is to determine the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. We plan to document the requirements and release proof of concept code (in the form of honeyd scripts) so that a single Linux host can simulate multiple industrial devices and complex network topologies. Given the variety of deployments and the lack of standard, well-defined architectures for industrial networks, this project attempts to create the building blocks so that users can simulate their networks own networks--not make assumptions about what "real world" SCADA/DCS/PLC look like. Assuming deployment of "SCADA HoneyNets" ever reach critical mass, the longer term objective of the project is to gather information about general attack patterns and specific exploits that could be used to write signature for commercial and Open Source IDS products.

Introduction

There is still little information about SCADA vulnerabilities and attacks, despite the growing awareness of security issues in industrial networks. As is the case with IT security, owner-operators are often unwilling to release attack or incident data. However, unlike IT products and protocols, there are not the sort of public repositories of vendor advisories and vulnerabilities in industrial devices. Although some vulnerability research is being conducted in this area, very little has been released publically and no "SCADA security tools" (whatever that might mean) have been released to the public.

To address these limitations, this goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

Build a HoneyNet for attackers, to gather data on attacker trends and tools
Provide a scriptable industrial protocol simulators to test a real live protocol implementation
Research countermeasures, such as device hardening, stack obfuscation, reducing application information, and the effectiveness network access controls

Feature Requirements

Based on our knowledge of industrial network applications, products, and protocols, we identified the following requirements:

Individual Device Simulation

To simulate individual devices, the following functionality is needed:

Stack level: To simulate the TCP/IP stack of a Ethernet-based device device to a script kiddie type attacker who is scanning the network with OS detection tools such as Nmap and Xprobe.
Protocol level: To simulate industrial protocols for skilled attackers who have the tools which interrogate protocols and want to do something meaningful using the protocol features
Application level: To simulate various applications on a SCADA device such as web servers and management applications such as SNMP and Telnet.
Hardware level:Many of the SCADA devices use serial interfaces such as modems and RS232 interfaces for both SCADA protocol communication and for management purposes. An attacker who either "logs into" a SCADA device or has access to the serial network, needs to be presented with a serial device and/or a protocol communication over a serial device.

Simulate Network

We need to simulate various entry points so that when an attacker encounters a perimeter device, he will be presented the same network as a real SCADA network at that particular network entry point
Various network entry points that we need to simulate include:

A router directly connected to the Internet: Control system networks are typically not directly conne a control network is located inside a corporate network. Assuming the corporate network as Internet, we need to simulate the entry point of a router that seperates the control network and the corporate network. The devices that are normally connected to such routers would be Industrial Ethernet switches or industrial devices with an IP stack, such as some IP enabled PLCs and wireless access points.
Direct serial device:Some of the industrial devices have a modem that can be directly dialed into from a PSTN. We need to simulate a "modem server" that can take connections and behaves like a industrial device or is connected to a industrial device.
A Ethernet enabled industrial device directly connected to the Internet: Such a scenario should be the same as simulating the stack, the protocols and applications on that device and connecting that to Internet
An Ethernet serial gateway directly plugged into the Internet:An Ethernet serial gateway is a bridge between the IP network and the serial interface. The IP side of the device would be connected to the network, either a Industrial switch or a router to which other IP industrial devices are connected to. The serial side of the device would be connected to a serial device or a serial network.
Wireless: Wireless is one of the entry points into a Industrial network. Most of the Industrial wireless devices use proprietary wireless protocols and some of them use 802.1b standard. Typically the serial interface of the device would be connected to a wireless bridge.
Remote desktop access and HMIs:The Human Machine Interfaces and the software that communicates with Industrial devices usually run on a Windows machine. Administrators who want remote access to these devices would typically run a remote desktop viewer, such as VNC or PC anywhere. An attacker would normally find it through a port scan ' after he gets into the control network and might get to it using a VNC client. Simulating this would probably need a custom made VNC protocol simulation.
Remote Access Server (RAS):Another possible entry point into a control network is to dial into the network using PPP and use the PPP password to authenticate yourself to a Network Access Server and then directly access the Industrial device.

Capture the attacker tools and tracks

Our scripts need to capture the attacker tools and tracks. That should include keystroke logging and facilities to capture the tools and binaries he might be up loading, if the attack. Our scripts also need to capture network traffic.

Review of existing technologies and relavency

Honeyd

Honeyd has facilities for easy simulation of TCP/IP stacks and applications.
Honeynet takes Nmap and Xprobe signatures through configuration files and sends packet responses to scans matching those signatures. Users can set up profiles, mapping IP addresses that Honeyd should respond to a corresponding device profile. When attackers Nmap or Xprobe scan the IP address which Honeyd is taking care of, he will be returned with packets matching the corresponding device profile.

Therefore using Honeyd, it would be possible to simultaneously simulate stacks of multiple IP based Industrial devices, provided the corresponding scanning tools (Nmap or Xprobe) has the knowledge of the signature. As of now, there are no signatures of Industrial devices in Nmap's database.
Honeyd allows the user to listen on a port and run a script on that particular port when anybody connects to that port. As of now, there are many scripts contributed to the project, which can simulate web pages, WSFTP servers and Cisco telnet servers.

Using this feature on Honeyd, it is possible to write scripts that simulated various Industrial Ethernet protocols. For example, it would be possible to simulate a Modbus/TCP server on port 502 and EtherNet/IP on ports 44818/2222.

Serial interface simulation

Many industrial network devices use RS-232/485 for communication. Typically the serial port of a PC would be directly (or indirectly, via a serial Ethernet gateway) connected to the serial port of the device. There would be a software running on the PC, which sends commands to the device over the serial interface. By some accounts there are hundreds of serial protocols in use in SCADA networks. Some of the more common protocols are MODBUS and DNP.

We need to simulate those protocols over the serial port, so as to present a protocol interface to an attacker who connects to the serial port. Many languages support serial interface programming including Python and Java. We were able to achieve serial communication through a open source Python serial programming module (pyserial.sf.net).

Simulating 802.11

The HostAP driver(http://hostap.epitest.fi/), replies for 802.1b management packets and converts a client adapter an access point. The driver can be used to simulate an access point which is inside a automation or a SCADA network

Capturing attack tools and capturing the attackers' track

Though not part of Honeyd, there are lots of keystroke loggers available. We need a mechanism to track the attacker on the web interface of the device. We do not know of any tools which can provide that functionality, however we explored some possibilities where the the Java applet (running on the "attackers" web browser) is able to comm

Challenges

Deployment and Testing

An ideal deployment site for such a script would be a subnet close to a real Industrial/SCADA network or a phone number which belongs to a SCADA/Automation plant. We are not aware of any active and on-going SCADA specific attacks, it would be difficult to get a SCADA aware attacker into the honeypot.

Send comments to scadahoneynet-talk@lists.sourceforge.net or ciag-tools@cisco.com