Supervisory Control and Data Acquisition (SCADA) is an integrated part of a process control network. By actually damaging some critical infrastructure assets, including a nuclear plant and launch of a satellite, the Stuxnet virus proved the need for process control network security. Having woken up to this new threat, people are coming up with various strategies to mitigate such attacks. Various tools and techniques are being deployed to enhance the security posture of SCADA installations, one of the most important being honeypots and honeynets.
Process control and automation systems are the lifelines for critical infrastructure like air traffic control systems, nuclear plants, satellite launch systems, electricity generation, water supplies, oil and gas refineries, and so on. Any disruption to these systems may result in catastrophic risks including loss of human life. Till recently, most of the networking products in the critical infrastructure area were perceived to be in the safe environment. Protocols used for their communication were proprietary and these networks were usually physically isolated from the IT networks.
With new requirements like the access to real-time data, the possibility of inter-communication between products from disparate vendors, connectivity with ERP systems and of course, cost-effectiveness, the standard protocols such as Ethernet and TCP/IP are being adapted to a large extent in process networks. They are also being connected to IT networks, and the Ethernet is now being used as a backbone to connect various devices and run the day to day manufacturing processes. But along with the benefits like ease of use and ease of connecting, combining IT and the process control networks has resulted in added risk factors —the latter are now exposed to all the risks associated with the IT network.
A typical process control network (PCN) is categorised by four levels, starting at Level 0. Let us try to understand these levels with an example of temperature control. A temperature sensor (thermometer – Level 0) in the boiler will send the current value of the water’s temperature to the controller. Depending upon the desired target temperature, the temperature controller (Level 1) will switch the heater on or off. In a typical factory, there will be many such controllers connected to a centralised (supervisory) control (Level 2) to ensure synchronisation between various processes. Advanced controllers (Level 3) will be used to optimise the processes. These may include historians (which maintain history of process parameters) or optimisation controllers.
Here, Level 0 signals are typically analogue in nature, and Level 1 to Level 3 can use the Ethernet for connectivity. The business network that is not part of the PCN is considered as Level 4, and care is taken to control access between these two networks only on a need basis. Supervisory Control and Data Acquisition (SCADA), at Level 2, is one of the most important parts of the PCN. It is used to centrally monitor and record various process parameters. Here, the processes may be running at one physical location and SCADA may be located at entirely different locations. As per the requirement, WAN or LAN links are used for interconnection between them.
Honeypots and honeynets
Wikipedia defines a honeypot as ‘a trap set to detect, deflect, or in some manner counteract attempts at unauthorised use of information systems.’ Generally, it consists of a computer, data or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers. Thus, an attacker may attack a SCADA honeypot perceiving it to be a true SCADA system. Multiple honeypots configured to mimic various devices or operating systems is a honeynet. Depending upon the requirement, honeypots and honeynets can be deployed at any of the following locations:
- Directly accessible from the Web
- In a de-militarised zone where access is allowed from the Internet as well as from the protected internal network
On the internal network
Honeypots and honeynets help to ensure security in various ways:
- They divert the attacker’s attention to an easy target rather than the actual system.
- Log the attackers’ activities for further analysis to gain in-depth knowledge about the attack and to develop prevention techniques.
Provide forensic information, which is required by law enforcement agencies to establish that an attack occurred.
Characteristics of honeypots and honeynets
They look ‘genuine’, exactly like the system they mimic —an attacker should not be able to make out that they are modified systems.
Allow controlled traffic towards the Internet—an attacker should not be able to use the honeypot as a stepping stone for further attacks on the Internet.
May contain dummy information, for example a SCADA honeypot may contain a Web page resembling the genuine SCADA system. This will attract the attackers and keep them engaged, ultimately resulting in more time and attack techniques being used on this system.
Honeyd: An open source honeypot
As defined by honeyd.org, Honeyd is a small daemon that creates virtual hosts on a network. These hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses (tested up to 65536) on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
The Honeyd configuration file defines how the configured honeypot will respond to various types of requests such as ICMP Ping, requests on UDP ports, TCP SYN, etc, thus, in a way, defining the status of various ports and services. This reply is interpreted by the scanning tool as a system running a corresponding service.
The basics of nmap port scanning
Let us understand the process of port scanning that is used by the network scanning tool, nmap. A typical SYN scan of nmap sends a SYN packet to the destination IP address on the port number to be scanned.
The simplest way to install honeyd under Ubuntu 12.0.4 is to use the following command:
sudo apt-get install honeyd
Honeyd is installed in /usr/share/honeyd. Once installed, it can be configured to mimic various operating systems which appear to run with various services. First, let us understand how honeyd can be configured to mimic Windows XP SP1.
Configuring honeyd to mimic Windows XP SP1
Create the configuration for the Windows XP honeypot in the winxp.conf file as follows:
set winxp personality "Microsoft Windows XP Professional SP1" set winxp default tcp action block set winxp default udp action block set winxp default icmp action reset set winxp uptime 1234567 add winxp tcp port 135 open add winxp tcp port 139 open add winxp tcp port 445 open set winxp ethernet "intel" dhcp winxp on eth0
# To configure static IP on eth0, comment the dhcp command and enable bind command as follows:
# bind ipaddress winxp
Explanation of important configuration options: Remember that the first three bytes of the MAC address denote the manufacturer’s ID number. The command:
set winxp ethernet "intel"
…configures MAC address belonging to Intel Semiconductor to the honeypot. The other commands are self-explanatory. To start the honeypot configured in winxp.conf under daemon mode, use the following command:
sudo honeyd –d –f winxp.conf
Using the daemon mode will enable you to see all the network requests and corresponding responses on the screen of the honeypot system.
The SCADA honeypot
As mentioned on the website http://scadahoneynet.sourceforge.net/, the SCADA honeynet project was launched with the aim of determining the feasibility of building a software-based framework to simulate a variety of industrial networks such as SCADA, DCS, and PLC architectures. It can be used to:
- Build a honeynet for attackers, in order to gather data on attacker trends and tools
- Provide a scriptable industrial protocol simulator to test a real, live protocol implementation
Research countermeasures, such as device hardening, stack obfuscation, reducing application information, and the effectiveness of network access controls
The project dates way back to 2005 but it is very relevant even today in the challenging SCADA security scenario.
SCADA honeypot installation
Download the latest release of the SCADA honeynet project and expand the tgz to get four Python scripts. The names indicate services emulated by the corresponding scripts:
honeyd-ftpd.py honeyd-html.py honeyd-modbus.py honeyd-telnet.py
Place these files in the /usr/share/honeyd/plc folder. Also make sure you have installed Python on your Ubuntu box.
Create configuration for the SCADA honeypot in scada.conf file as follows:
set scada default tcp action block set scada default udp action block set scada default icmp action open set scada maxfds 35 set scada uptime 23456787 add scada tcp port 21 "python plc/honeyd-ftpd.py" add scada tcp port 23 "python plc/honeyd-telnet.py" add scada tcp port 502 "python plc/honeyd-modbus.py" add scada tcp port 80 "python plc/honeyd-html.py" set scada ethernet "00:11:22:33:44:55" bind 192.168.1.11 scada
Similarly, three other Python scripts define responses for port 23 (telnet), port 80 (http) and port 502 (MODBUS)
To start the honeypot configured in scada.conf under daemon mode, use the following command:
sudo honeyd –d –f scada.conf
Testing the SCADA honeypot
Using nmap for scanning: nmap –n 192.168.1.11 reveals only three open ports: 21, 23 and 80. By default, nmap scans for 1000 well-known ports listed in the nmap-services file. This file does not include port 502 used by the MODBUS protocol.
To scan all TCP ports, use the following command:
sudo nmap -p1-65535 -n 192.168.1.11
After detecting FTP, Telnet and HTTP ports open; try to use the respective clients to access content from these ports.
Port 80 – the browser: Open the honeypot IP on any Web browser to see the PLC Web page with Diagnostics, Statistics and Protocols Supported menus.
Port 23 Telnet: Telnet to the honeypot IP and establish a connection.
Checking logs on the honeypot
All the traffic received on the scada.conf interface is logged in the /var/log/scadahoneynet.log file, which you can study and analyse—make sure to allow write permission to this file for the user running honeyd.
The SCADA honeynet project satisfies the basic requirements of a honeypot:
- Appearing as part of a network, though actually isolated
- All access logs are saved for further study
- Its Web interface contains a page that an attacker could perceive to be of great value
Word of caution
Various issues related to the legality of honeypots and honeynets have already been discussed – search the Web for more details. Please make sure to evaluate and understand a particular honeypot by testing it in a lab environment. Do not forget to understand the legal consequences before deploying it in live environments. As an example, if an attacker uses a honeypot to further launch attacks on third party systems, the liability may lie with the honeypot owner.
 Honeyd: http://www.honeyd.org/
 SCADA Honeynet project: http://scadahoneynet.sourceforge.net/
 Honeypots: are they legal? http://www.symantec.com/connect/articles/honeypots-are-they-illegal
The author is an IS auditor, network security consultant and trainer with 25+ of years industry experience. He is an industrial electronics engineer with CISA, CISSP and DCL certification. Please feel free to contact him at rajesh at omegasystems dot co dot in.