
CIAG Research Projects

Honeynet for SCADA Environments

Principal Investigator: Venkat Pothamsetty

Project Description: The project extends the concept of Honeynet to SCADA networks. The goal is to simulate a whole SCADA network, including the devices, protocols, and applications in a single Linux box, using multiple scripts.

Project Impact: There is still little information about SCADA vulnerabilities and attacks, despite the growing awareness of security issues in industrial networks. As is the case with IT security, owner-operators are often unwilling to release attack or incident data. However, unlike the situation for IT products and protocols, there are no public repositories of vendor advisories and vulnerabilities for industrial devices. Although some vulnerability research is being conducted in this area, very little has been released publicly and no "SCADA security tools" (whatever that might mean) have been released to the public. To address these limitations, the goal of this project is to provide tools and to simulate a variety of industrial networks and devices. We see several uses for this project:

  • Build a HoneyNet for attackers, to gather data on attacker trends and tools
  • Provide a scriptable industrial protocol simulator to test a real-life protocol implementation
  • Research countermeasures, such as device hardening, stack obfuscation, application information reduction, and the effectiveness of network access controls

Project Details: Based on our knowledge of industrial network applications, products, and protocols, we identified the following requirements:

  1. Individual Device Simulation: To simulate individual devices, the following functionality is needed:
    • Stack level: To simulate the TCP/IP stack of an Ethernet-based device to a script-kiddie type attacker who is scanning the network with OS detection tools such as Nmap and Xprobe.
    • Protocol level: To simulate industrial protocols for skilled attackers who have tools that interrogate protocols and want to do something meaningful using the protocol features.
    • Application level: To simulate various applications on a SCADA device, such as web servers and management applications such as SNMP and Telnet.
    • Hardware level: Many SCADA devices use serial interfaces such as modems and RS232 interfaces for both SCADA protocol communication and for management purposes. An attacker who either "logs into" a SCADA device or has access to the serial network needs to be presented with a serial device and/or protocol communication over a serial device.
  2. Simulate Network: We need to simulate various entry points so that when an attacker encounters a perimeter device, he or she will be presented with the same network as a real SCADA network at that particular network entry point. The network entry points that we need to simulate include:
    • A router directly connected to the Internet: Control system networks are typically not directly connected; a control network is located inside a corporate network. Treating the corporate network as the Internet, we need to simulate the entry point of a router that separates the control network from the corporate network. The devices normally connected to such a router would be industrial Ethernet switches or industrial devices with an IP stack, such as some IP-enabled PLCs and wireless access points.
    • Direct serial device: Some industrial devices have a modem that can be dialed into directly from the PSTN. We need to simulate a "modem server" that can accept connections and behave like an industrial device, or like a device connected to an industrial device.
    • An Ethernet-enabled industrial device directly connected to the Internet: Such a scenario is the same as simulating the stack, the protocols and the applications on that device and connecting that to the Internet.
    • An Ethernet serial gateway directly plugged into the Internet: An Ethernet serial gateway is a bridge between the IP network and the serial interface. The IP side of the device would be connected to the network, either directly or through an industrial switch or router to which other IP-enabled industrial devices are connected. The serial side of the device would be connected to a serial device or a serial network.
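As an added illustration of the application-level simulation described above (a scriptable fake Telnet-style management interface that records every credential attempt and command an attacker tries), here is a small Python honeypot session. It is example code written for this page, not code from the scadahoneynet project; the device profile, banner, prompt and command table are constructed placeholders, and Telnet option negotiation is not implemented, so test it with a raw TCP client such as nc.

```python
import json
import socket
import time

# Constructed device profile (placeholder strings, not real vendor output).
PROFILE = {
    "banner": "Placeholder PLC Management Console\r\nlogin: ",
    "prompt": "PLC> ",
    "commands": {"status": "CPU: RUN  I/O: OK  COMM: OK", "version": "Firmware 0.0.0-placeholder"},
}

class TelnetDeviceSession:
    """One attacker session (login -> password -> fake shell); every connect,
    credential attempt and command is appended to `log` as a JSON line."""
    def __init__(self, profile, peer, log):
        self.profile, self.peer, self.log = profile, peer, log
        self.state, self.username, self.closed = "login", None, False
        self._record("connect")

    def _record(self, event, **fields):
        self.log.append(json.dumps({"ts": time.time(), "peer": self.peer, "event": event, **fields}))

    def feed(self, line):
        # Consume one line typed by the attacker and return the text to send back.
        line = line.strip()
        if self.state == "login":
            self.username, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            # Low-interaction honeypot: any credential is accepted so the follow-on
            # commands can be observed; the attempt itself is the data collected.
            self._record("login_attempt", username=self.username, password=line)
            self.state = "shell"
            return "\r\n" + self.profile["prompt"]
        self._record("command", cmd=line)
        if line == "exit":
            self.closed = True
            return "Goodbye\r\n"
        reply = self.profile["commands"].get(line, "Unknown command: " + line)
        return reply + "\r\n" + self.profile["prompt"]

def serve_one(port, log, profile=PROFILE):
    """Accept one TCP client (e.g. nc) and drive a session; Telnet IAC negotiation is not handled."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        conn, addr = srv.accept()
        with conn, conn.makefile("r", errors="replace") as reader:
            session = TelnetDeviceSession(profile, addr[0], log)
            conn.sendall(profile["banner"].encode())
            for line in reader:
                conn.sendall(session.feed(line).encode())
                if session.closed:
                    break
```

In a deployment the `log` list would be replaced by an append-only file or syslog sink, and the profile swapped per simulated device so the same engine serves several fake hosts.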

Project Deliverables:

  1. A project has been started on Sourceforge: scadahoneynet.sf.net

Status: Completed