HoneyNetICS: A New Generation ICS Honeypot Enhancing Realism through Network Segmentation
POZZO, NICOLA
2024/2025
Abstract
Industrial Control Systems (ICS) are at the heart of delivering vital services like power generation, water treatment, manufacturing, and transportation. Their increasing digitization and interconnectivity with business IT networks and the Internet have enlarged their attack surface, making them an attractive target for cyber attackers. Despite their criticality, many ICS environments are still built on legacy devices and protocols that have no inherent security capabilities, leaving them vulnerable to a wide range of threats. High-profile attacks like Stuxnet and Industroyer have shown the potentially catastrophic results of a successful compromise of industrial processes, highlighting the need for better visibility and protection within these environments. A honeypot is a security device used to attract and identify possible attackers, malware, or unauthorized network activity. It acts as a decoy or trap, mimicking vulnerable systems, services, or applications to divert the attention of hackers. Applied to ICS, honeypots can gather information on techniques used against industrial assets, support threat intelligence, and serve as testbeds for developing more secure infrastructures. Nevertheless, the majority of existing ICS honeypot solutions rely on weak architectures and design choices, such as exposing programmable logic controllers (PLCs) directly to the Internet, which makes the environment easier to detect as a decoy system. This thesis presents HoneyNetICS, a new-generation high-interaction ICS honeypot system designed to offer realistic and versatile deception tools to fool attackers. Built on top of HoneyICS, the architecture combines virtualized and containerized components to mimic key elements of an industrial network, PLCs and a human-machine interface (HMI).
The components are networked through segmented, software-defined networks to replicate typical ICS topologies, in which only a subset of the external interface is exposed to the world, while internal resources are restricted by an isolated VPN connection. To further increase fidelity, the physical-process simulator is connected to the PLCs via a serial connection, reproducing the communication patterns typical of real industrial links. This architecture more accurately mimics real-world ICS deployments, where direct exposure of the core devices is not common, thereby improving realism and the quality of the threat intelligence collected. The platform can facilitate both passive monitoring and active deception, making it well suited for analyzing attacker behavior, assessing detection tools, and experimenting with emerging defensive techniques.

| File | Size | Format | |
|---|---|---|---|
| Pozzo_Nicola.pdf (open access) | 4.98 MB | Adobe PDF | View/Open |
The text of this website © Università degli studi di Padova. Full texts are published under a non-exclusive license. Metadata are under a CC0 License.
https://hdl.handle.net/20.500.12608/101994