Maesschalck, Sam and Giotsas, Vasileios and Race, Nicholas (2021) World Wide ICS Honeypots: A Study into the Deployment of Conpot Honeypots. In: Industrial Control System Security Workshop, 2021-12-07.
World_Wide_ICS_Honeypots_ICSS.pdf - Published Version
Available under License Creative Commons Attribution.
Abstract
Honeypots are a well-known concept used for threat intelligence and are becoming more common within ICS environments. A well-known ICS honeypot, Conpot, is popular and has been deployed on a large scale. These deployments are not always correctly configured and have characteristics that differ noticeably from a real industrial control system. This paper explores several common Conpot signatures and deployments found through internet search engines such as Shodan. We identify that the default deployment of Conpot is not enough when deploying a honeypot. Afterwards, we explore the behaviour of a real PLC when conducting the same reconnaissance operations. To verify these red flags, we deploy three honeypots with different configurations, have them scanned by Shodan and evaluate the traffic they receive. Our experiments indicate that Shodan leverages CIP for ICS classification. We conclude that proper deployment of a low-interaction honeypot, such as Conpot, requires time and resources to fully obfuscate the device and fool the attacker, and even then only to a limited extent. However, small changes to the default configuration do increase the performance of Conpot and result in more returning traffic.