There have been a number of reports of attacks on industrial
control systems (ICS) in the past few years. Looking a bit closer,
most of the attacks seem to have spilt over from traditional IT.
That’s to be expected, as production systems are commonly connected
to ordinary corporate networks at this point.
Though our data does not indicate at this point that a lot of
threat actors specifically target industrial systems – in fact,
most evidence points to purely opportunistic behaviour – the tide
could turn any time, once the added complexity of compromising OT
environments promises to pay off. Criminals will take any chance
they get to blackmail victims into extortion schemes, and halting
production can cause immense damage. It is likely only a matter of
time. So cybersecurity for operational technology (OT) is vitally
important.
Deception is an effective option to improve threat detection and
response capabilities. However, ICS security differs from
traditional IT security in several ways. While deception technology
for defensive use like honeypots has progressed, there are still
challenges due to fundamental differences like the protocols used.
This article details the progress made, and the challenges that
remain, as deception technology moves from traditional IT into ICS
security.
The value of deception: taking back the initiative
Deception technology is an active security defense method that
detects malicious activities effectively. On the one hand, this
strategy constructs an environment of false information and
simulations to mislead an adversary’s judgment, making unsuspecting
attackers fall into a trap to waste their time and energy,
increasing the complexity and uncertainty of the intrusion.
At the same time, the defenders can collect more comprehensive
attack logs, deploy countermeasures, trace the source of attackers
and monitor their attack behaviors. Recording everything to
research the tactics, techniques, and procedures (TTP) an attacker
uses is of great help for the security analysts. Deception
techniques can give defenders back the initiative.
With some deception applications, for instance honeypots, the
operating environment and configuration can be simulated, thus
luring the attacker into penetrating the fake target. By this means,
defenders are able to capture the payloads the attackers drop and
gather information about the attacker's hosts, or even their web
browser, via JavaScript in web applications. What's more, it is
possible to learn the attacker's social media accounts through JSONP
hijacking, as well as to counter the attacker with 'honey files'. It
can be expected that deception technology will become more mature and
more widely used in the coming years.
Recently, the integration of information technology and
industrial production has been accelerating with the rapid
development of the Industrial Internet and intelligent
manufacturing. The connection of massive industrial networks and
equipment to IT technology will inevitably lead to increasing
security risks in this field.
Production at risk
Frequent security incidents such as ransomware, data breaches,
and advanced persistent threats seriously affect industrial
enterprises' production and business operations and threaten the
digital society's security. Generally, these systems tend to be weak
and easily exploited by an attacker because of their simple
architecture, with low processing power and memory. It is
challenging to protect ICS from malicious activities, as the
components of an ICS are unlikely to receive any updates or patches
for the same reason. Installing endpoint protection agents is usually
not possible either. Considering these challenges, deception can be
an essential part of the security approach.
- Conpot is a low-interaction honeypot that can simulate the IEC 104,
Modbus, BACnet, HTTP and other protocols, and is easy to deploy and
configure.
- XPOT is a software-based high-interaction PLC honeypot that can run
programs. It simulates Siemens S7-300 series PLCs and allows the
attacker to compile, interpret and load PLC programs onto XPOT. XPOT
supports the S7comm and SNMP protocols and is the first
high-interaction PLC honeypot. Since it is software-based, it is very
scalable and enables large decoy or sensor networks. XPOT can be
connected to a simulated industrial process in order to make the
adversary's experience more complete.
- CryPLH is a low-interaction, virtual Smart Grid ICS honeypot
simulating Siemens Simatic 300 PLC devices. It uses Nginx and miniweb
web servers to simulate HTTP(S), a Python script to simulate the
Step 7 ISO-TSAP protocol, and a custom SNMP implementation. The
authors deployed the honeypot within their university's IP range and
observed scanning, pinging and SSH login attempts.
It can be seen that the level of interaction increases gradually,
from the simulation of an ICS protocol to the simulation of an ICS
environment.
With the development of cybersecurity technology, deception has
been applied in various circumstances like the web, databases,
mobile apps, and IoT. Deception technology has been embodied in
some ICS honeypot applications in the OT field. For instance, ICS
honeypots like Conpot, XPOT, and CryPLH can simulate the Modbus,
S7, IEC-104, DNP3 and other protocols.
Accordingly, deception technology such as the honeypot applications
above can compensate for the low efficiency of detection systems
against unknown threats and can play an important role in ensuring
the safety of industrial control networks. These applications help
detect cyber attacks on industrial control systems and show a general
risk trend. The actual OT vulnerabilities exploited by the attackers
can be captured and passed to the security analyst, leading to timely
patches and intelligence. In addition, a prompt alert can be raised,
e.g. before ransomware breaks out, avoiding massive losses and a halt
in production.
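As an added illustration of the protocol-level decoy the article describes (this is not Conpot's, XPOT's or CryPLH's code), the following Python snippet implements a minimal Modbus/TCP decoy. It parses the MBAP header and PDU of each request, answers read requests with plausible register values, answers anything else with a spec-conformant exception, and records every event. Because no legitimate controller ever talks to a decoy, any write attempt is treated as a high-severity alert, which is the "prompt alert" the text refers to. The register map, the peer addresses, and the listening host and port (127.0.0.1:5020) are constructed assumptions for the example.

```python
"""Minimal Modbus/TCP decoy for detection (added example, not Conpot code)."""
import socket
import struct
from dataclasses import dataclass, field

# Public Modbus function and exception codes used below.
FC_READ_HOLDING = 0x03
FC_WRITE_SINGLE = 0x06
EX_ILLEGAL_FUNCTION = 0x01
EX_ILLEGAL_ADDRESS = 0x02


@dataclass
class Decoy:
    # Constructed fake device state: 16 holding registers, all zero.
    registers: list = field(default_factory=lambda: [0] * 16)
    # Every parsed request is recorded here as a tuple (kind, peer, ...).
    events: list = field(default_factory=list)

    def handle(self, frame: bytes, peer: str) -> bytes:
        """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU), return the reply."""
        if len(frame) < 8:
            self.events.append(("malformed", peer, frame.hex()))
            return b""
        tid, _pid, length, unit = struct.unpack(">HHHB", frame[:7])
        pdu = frame[7:7 + length - 1]          # MBAP length counts unit id + PDU
        fc = pdu[0]
        if fc == FC_READ_HOLDING and len(pdu) >= 5:
            addr, count = struct.unpack(">HH", pdu[1:5])
            if count == 0 or count > 125 or addr + count > len(self.registers):
                self.events.append(("read_out_of_range", peer, addr, count))
                return self._exception(tid, unit, fc, EX_ILLEGAL_ADDRESS)
            self.events.append(("read", peer, addr, count))
            values = self.registers[addr:addr + count]
            body = bytes([fc, count * 2]) + b"".join(struct.pack(">H", v) for v in values)
            return self._wrap(tid, unit, body)
        if fc == FC_WRITE_SINGLE and len(pdu) >= 5:
            addr, value = struct.unpack(">HH", pdu[1:5])
            # A write to a decoy is hostile by definition: nothing legitimate uses it.
            self.events.append(("WRITE_ATTEMPT", peer, addr, value))
            if addr >= len(self.registers):
                return self._exception(tid, unit, fc, EX_ILLEGAL_ADDRESS)
            self.registers[addr] = value
            return self._wrap(tid, unit, pdu[:5])   # the spec'd reply echoes the request
        self.events.append(("unsupported_fc", peer, fc))
        return self._exception(tid, unit, fc, EX_ILLEGAL_FUNCTION)

    def alerts(self) -> list:
        """High-severity events: anything that tried to change device state."""
        return [e for e in self.events if e[0] == "WRITE_ATTEMPT"]

    def _wrap(self, tid: int, unit: int, body: bytes) -> bytes:
        return struct.pack(">HHHB", tid, 0, len(body) + 1, unit) + body

    def _exception(self, tid: int, unit: int, fc: int, code: int) -> bytes:
        return self._wrap(tid, unit, bytes([fc | 0x80, code]))


def serve(decoy: Decoy, host: str = "127.0.0.1", port: int = 5020) -> None:
    """Blocking listener; host/port are assumptions for this example."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, (peer, _) = srv.accept()
            with conn:
                data = conn.recv(260)          # max Modbus/TCP ADU size
                if data:
                    conn.sendall(decoy.handle(data, peer))
                for ev in decoy.alerts():
                    print("ALERT", ev)


if __name__ == "__main__":
    serve(Decoy())
```

The decoy deliberately answers with real exception codes rather than closing the connection, so a scanner sees a device that behaves like a PLC at the protocol level; the article's second challenge (purely virtual honeypots are easy to identify) is exactly the gap between this protocol-level behaviour and a simulated process.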
Challenges
This is not a ‘silver bullet’, however. In comparison to the
sophisticated deception available in traditional IT security,
deception in ICS still faces some challenges.
First and foremost, there are numerous kinds of industrial
control devices as well as protocols, and many protocols are
proprietary. It is almost impossible to have a deception technology
that can be applied to all industrial control devices. Therefore,
honeypots and other applications often need to be customized for
the emulation of different protocols, which brings a relatively
high threshold for implementation in some environments.
The second problem is that purely virtual industrial control
honeypots still have limited simulation capabilities, making them
easy for attackers to identify. The current generation of purely
virtual ICS honeypots only simulates industrial control protocols at
a basic level, and most of them are open source and straightforward
to find with search engines such as Shodan or ZoomEye. Collecting
adequate attack data and improving the simulation capabilities of ICS
honeypots remains challenging for security researchers.
Last but not least, high-interaction industrial control
honeypots consume considerable resources and have high maintenance
costs. Such honeypots often require the introduction of physical
systems or equipment in order to build a realistic simulation
environment. However, industrial control systems and equipment are
costly, hard to reuse, and challenging to maintain. Even seemingly
similar ICS devices are often remarkably diverse in terms of
functionality, protocols and instructions.
Is it worth it?
Based on the above discussion, deception technology for ICS
should be considered for integration with new technology. The
ability to simulate, and to interact with, a simulated environment
strengthens the defense. Moreover, the attack logs captured by a
deception application are of great value: analyzed with AI or big
data tools, they give an in-depth understanding of ICS field
intelligence.
To summarize, deception technology plays a vital role in the
rapid development of ICS network security and improves both
intelligence and the ability to defend. However, the technology still
faces challenges and needs a breakthrough.
If you’re interested in some more insight into what the busy
Orange Cyberdefense researchers have investigated this year, you
can just hop over to the landing page of their recently published
Security Navigator[2].
Note: This article was written by Thomas Zhang, Security Analyst at
Orange Cyberdefense.
References
[1] Security Navigator 2023 (www.orangecyberdefense.com)
[2] Security Navigator (www.orangecyberdefense.com)
[3] Twitter (twitter.com)
[4] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/honeypot-factory-use-of-deception-in.html