Industrial Control Systems Honeypot, May1601 (PowerPoint PPT Presentation)



SLIDE 1

Industrial Control Systems Honeypot

May1601

Aashwatth Agarwal, Dan Borgerding, Jon Hope, Nik Kinkel, Jon Osborne, Korbin Stich
http://may1601.sd.ece.iastate.edu
Client: Alliant Energy
Advisor: Dr. Doug Jacobson

April 28, 2016

May1601 ICS Honeypot April 28, 2016 1 / 15

SLIDE 2

Threat Overview

• Highly critical threat
• Advanced attackers
• First attack on a power grid (Ukraine)

SLIDE 3

Project Overview

What is a honeypot?
A security mechanism designed to detect, deflect or counteract attempts at unauthorized use of information systems.

Purpose
• Trick intruders
• Alert administrators
• Detect attack vectors
• Prevent data loss/corruption

SLIDE 4

The Deliverable

• Customized honeypots for multiple protocols
• Minimal IDS
• Automated deployment & management
• Configurable logging backends
• Cheap, plug & play device

Raspberry Pi 2

SLIDE 5

Tech Challenge 1: Dealing with Lots of Protocols

• Many honeypot protocols and logging backends to deal with
• New protocols must be integrated quickly and safely

Figure labels: honeypot protocols (SSH, HTTPS, DNP3) produce honeypot traffic and alert logs for the logging backends (Splunk, Syslog, Text File)

SLIDE 6

Design 1: Honeypot Plugin Framework

Figure: Multi-process, message-passing architecture

Figure labels: honeypot plugins (SSH, HTTP, HTTPS, DNP3, Custom Honeypot), a Controller, and loggers (Splunk, Syslog, Text File, S3, Custom Logger); application-specific alerts are broadcast to the loggers

pluggable · concurrent · separate address space · easy testing
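As an added illustration of this design (not code from the May1601 project), a minimal Python version of the multi-process, message-passing framework: every honeypot plugin and every logger runs in its own process, and a controller broadcasts each alert to all loggers. The fake_ssh_plugin and fake_dnp3_plugin stand-ins, the sample traffic and the list-backed loggers are constructed for the example.

```python
import multiprocessing as mp
STOP = None  # sentinel: a plugin sends it when done; the controller forwards it to every logger

def fake_ssh_plugin(out: mp.Queue, sessions: list) -> None:
    """Hypothetical SSH honeypot: every login attempt in the constructed session list is an alert."""
    for src, user in sessions:
        out.put({"plugin": "ssh", "src": src, "detail": f"login attempt user={user}"})
    out.put(STOP)

def fake_dnp3_plugin(out: mp.Queue, frames: list) -> None:
    """Hypothetical DNP3 honeypot: only control requests are alert-worthy, reads are normal polling."""
    for src, fc in frames:
        if fc in (0x02, 0x03, 0x04):  # DNP3 function codes WRITE, SELECT, OPERATE
            out.put({"plugin": "dnp3", "src": src, "detail": f"control request function=0x{fc:02x}"})
    out.put(STOP)

def controller(alert_q: mp.Queue, logger_qs: list, n_plugins: int) -> None:
    """Broadcast every alert to every logger; shut the loggers down once all plugins are done."""
    finished = 0
    while finished < n_plugins:
        msg = alert_q.get()
        if msg is STOP:
            finished += 1
            continue
        for q in logger_qs:  # alerts are plain dicts, so any backend can serialise them
            q.put(msg)
    for q in logger_qs:
        q.put(STOP)

def list_logger(inbox: mp.Queue, sink) -> None:
    """Stand-in logger backend (syslog, text file, ...): appends to a manager-shared list."""
    while (msg := inbox.get()) is not STOP:
        sink.append(msg)

def run_demo() -> dict:
    """Start two plugins, one controller and two loggers, each in its own process (address space)."""
    mgr = mp.Manager()
    sinks = {"syslog": mgr.list(), "textfile": mgr.list()}
    alert_q, logger_qs = mp.Queue(), {name: mp.Queue() for name in sinks}
    loggers = [mp.Process(target=list_logger, args=(logger_qs[n], sinks[n])) for n in sinks]
    plugins = [  # constructed sample traffic: two SSH login attempts, one DNP3 READ and one OPERATE
        mp.Process(target=fake_ssh_plugin, args=(alert_q, [("10.0.0.5", "root"), ("10.0.0.5", "admin")])),
        mp.Process(target=fake_dnp3_plugin, args=(alert_q, [("10.0.0.9", 0x01), ("10.0.0.9", 0x04)])),
    ]
    ctrl = mp.Process(target=controller, args=(alert_q, list(logger_qs.values()), len(plugins)))
    for p in loggers + plugins + [ctrl]:
        p.start()
    for p in plugins + [ctrl] + loggers:
        p.join()
    return {name: sink[:] for name, sink in sinks.items()}  # copy out before the manager exits
```

Because plugins and loggers are separate processes, a plugin that crashes on malformed input takes down only itself; the controller and the other plugins keep running.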

SLIDE 7

Demo: Honeypot Plugin Framework

Demo

SLIDE 8

Tech Challenge 2: Obscure SCADA Protocols

DNP3
• Application layer protocol built on TCP/IP
• Consists of Data, Transport, and Application layers
• Testing
• Secure Authentication

DNP3Spec-V1-Introduction-20071215

SLIDE 9

Design 2: Device Architecture

Figure labels: network traffic (incoming traffic and sniffed traffic on the public interface), Snort IDS, SSH admin access, Honeypot Framework; outputs are Snort alerts and honeypot alerts

Simplified Device Internals

SLIDE 10

Testing 1: Unit Tests

Test Set   Plugins               Loggers
           fssh, webauth, dnp3   syslog, splunk

Figure labels: Unit Testing Code, Output Verification; Plugin Strategies, Log Strategies, Core Strategies

SLIDE 11

Testing 2: Integration Testing

Vagrant
• Repeatable environment simulation
• Automatic, streamlined VM provisioning

Vagrant Environment

SLIDE 12

Tech Challenge 3: Simultaneous, Multi-Site Deployment

Deployment Directory

28 devices, numerous locations
Ansible makes this EASY

Ansible Honeypot Administration

SLIDE 13

Demo: Provisioning with Ansible

Demo

SLIDE 14

Long-term Support, Administration, and Maintenance

Update process must be:
• flexible
• single-step
• fault-tolerant
• idempotent

Manual administration option necessary

Auto-notify for security updates

Ansible Updates

SLIDE 15

Questions
