Abstract

Industrial control honeypots differ from ordinary honeypots mainly because of the industrial control protocols used for communication between the equipment of an industrial control system. The trapping ability of an industrial control honeypot depends mainly on the level of interaction it simulates, and the fidelity of the simulated protocol communication determines how authentic the trapping environment is. Based on an investigation of the control system of a real power plant, this paper proposes placing the power plant's control system in a sandbox to restore the high fidelity of the honeypot. Using protocol reverse analysis, the EGD industrial control protocol is analysed in depth to master its characteristics, so that abnormal industrial control traffic and abnormal protocol packets can be sensed in time. The Cuckoo sandbox framework is used to deploy the honeypots under a host-machine deployment mechanism, so that an attacker who identifies the honeypot cannot escape from it or use it as a springboard for other sabotage. Finally, all suspected attack data captured by the honeypot is submitted to the Cuckoo host for analysis, providing reliable data for network security administrators and a more secure active-defence network environment for power plants.

Keywords: Honeypot; Industrial control system safety protection; Cuckoo; Abnormal process identification; Protocol reverse parsing
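
The protocol-parsing and anomaly-sensing step described above, as an added Python example that is not the paper's own code: it parses an EGD production datagram and flags packets that deviate from the exchanges the emulated controller is configured to consume. The 32-byte header layout, message type 0x0D and protocol version 1 are assumptions taken from public EGD dissectors rather than from the paper, and the baseline and sample packets are constructed.

```python
import struct
from collections import namedtuple

# Assumed EGD production-message header (32 bytes, little-endian), as described in
# public dissectors, not taken from the paper: type, version, request id, producer id
# (IPv4), exchange id, seconds, nanoseconds, status, config signature, reserved.
EGD_HEADER = struct.Struct("<BBH4sIIIIII")
EGD_TYPE_DATA = 0x0D   # production ("data") message
EGD_VERSION = 1
EGD_MAX_DATA = 1400    # largest data block one exchange may carry

EgdPacket = namedtuple("EgdPacket",
                       "msg_type version producer exchange_id seconds status csig data")

def parse_egd(payload: bytes) -> EgdPacket:
    """Split one UDP payload into EGD header fields plus the exchange data."""
    if len(payload) < EGD_HEADER.size:
        raise ValueError("payload shorter than the 32-byte EGD header")
    t, v, _rid, pid, exid, sec, _nsec, stat, csig, _rsv = EGD_HEADER.unpack_from(payload)
    return EgdPacket(t, v, ".".join(map(str, pid)), exid, sec, stat, csig,
                     payload[EGD_HEADER.size:])

def check_egd(payload: bytes, baseline: dict) -> list:
    """Anomalies a honeypot sensor would flag for one datagram; empty list = normal.
    baseline maps (producer, exchange id) -> (config signature, data length)."""
    try:
        pkt = parse_egd(payload)
    except ValueError as exc:
        return [str(exc)]
    found = []
    if pkt.msg_type != EGD_TYPE_DATA:
        found.append(f"unexpected message type 0x{pkt.msg_type:02x}")
    if pkt.version != EGD_VERSION:
        found.append(f"unexpected protocol version {pkt.version}")
    if len(pkt.data) > EGD_MAX_DATA:
        found.append(f"data length {len(pkt.data)} exceeds {EGD_MAX_DATA}")
    expected = baseline.get((pkt.producer, pkt.exchange_id))
    if expected is None:
        found.append(f"unknown exchange {pkt.exchange_id} from {pkt.producer}")
    elif pkt.csig != expected[0]:
        found.append("configuration signature does not match the baseline")
    elif len(pkt.data) != expected[1]:
        found.append(f"data length {len(pkt.data)} differs from configured {expected[1]}")
    return found

def build_egd(producer: str, exchange_id: int, csig: int, data: bytes,
              msg_type: int = EGD_TYPE_DATA, version: int = EGD_VERSION) -> bytes:
    # Constructed sample datagram, used only to exercise the checker.
    pid = bytes(int(o) for o in producer.split("."))
    return EGD_HEADER.pack(msg_type, version, 1, pid, exchange_id,
                           1_700_000_000, 0, 0, csig, 0) + data
```

A real sensor would feed `check_egd` with the payload of each UDP datagram the honeypot receives and forward any non-empty result to the Cuckoo host.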
