Smart grid honeypots offer effective way to study attacks on industrial control systems
As cybersecurity continues to be a worldwide concern, ADSC researchers are working to improve upon and apply a technology that has been proven to be reliable in identifying and analyzing security attacks – a honeypot – to industrial control systems.
According to ADSC Senior Research Scientist Daisuke Mashima, a honeypot is a “decoy” system designed to lure cyber-attackers in hopes of detecting attack attempts early, slowing down or mitigating the impact of attacks, and gathering real-world attack traces for learning attack vectors and designing better cyber security systems.“Enterprise IT security has used honeypots for a long time, but in industrial control or smart grid systems, the design and use of honeypots is relatively new and immature,” Mashima said.
Industrial control systems, used to automate industrial processes, are the backbone of the power grid, manufacturing facilities, and water treatment plants, among other critical infrastructures. According to Mashima, as more smart grids are being deployed in Singapore, the United States, and other countries, smart grid security is still in its early stages and this method is considered effective in providing additional security.
In November 2018, Mashima received a one-year grant, funded by the Singapore Cybersecurity Consortium under the National Research Foundation, to develop a high-fidelity industrial control systems (ICS) honeypot in the smart grid domain. Mashima has partnered with Custodio Technologies in Singapore to extend research he previously did to develop a state-of-the-art smart grid honeypot system implemented on top of an open-source, software-based smart grid testbed system developed by ADSC.
“The current implementation of the system is minimal, and our honeypots are lacking some realistic aspects from an attacker’s perspective, and that’s why we’re working with Custodio Technologies,” Mashima said. “Their expertise is penetration testing to find vulnerabilities in the system, so they will help us see how our honeypots look to attackers. Based on that, we can improve honeypot systems and effective logging mechanisms to later analyze what the attacker is doing in the system.”
Now, the researchers have a simple prototype that they’ll spend the year improving, with an end goal of making the prototype ready for practical use for immediate data collection and data analysis. According to Mashima, the threat intelligence collected by the smart grid honeypot enables engineers and researchers to design and implement cyber-physical security mechanisms for countering emerging threats against our critical infrastructure.
There are currently open source industrial control systems and enterprise IT honeypots available, but they provide only a cyber view, showing what ports are open to the Internet and what ICS protocols are supported. Mashima’s proposed honeypot will provide a realistic cyber and physical view to the attacker.
“An attacker may have a good amount of knowledge as to whether a system is fake or not, so to fool an attacker, we need to provide a realistic physical side view,” Mashima said. “We want to retain the attacker inside a system for as long as possible to study their attack behavior for a longer time.”
Mashima will also be partnering with National University of Singapore to incorporate NUS’s experience implementing virtual ICS networks, as well as deploying the project outcome on the National Cybersecurity R&D Lab (NCL).
“Through this partnership, our work will expand the coverage and comprehensiveness of the implemented smart grid honeypot system,” Mashima said. “NCL is a great environment for evaluating scalability and sharing the outcome with other researchers.”