
Industrial Control Systems Honeypot May1601 Aashwatth Agarwal Dan - PowerPoint PPT Presentation



  1. Industrial Control Systems Honeypot
     May1601: Aashwatth Agarwal, Dan Borgerding, Jon Hope, Nik Kinkel, Jon Osborne, Korbin Stich
     http://may1601.sd.ece.iastate.edu
     Client: Alliant Energy
     Advisor: Dr. Doug Jacobson
     April 28, 2016
     May1601 ICS Honeypot, April 28, 2016, 1 / 15

  2. Threat Overview
     - Highly critical threat
     - Advanced attackers
     - First attack on a power grid (Ukraine)

  3. Project Overview
     What is a honeypot? A security mechanism designed to detect, deflect or counteract attempts at unauthorized use of information systems.
     Purpose:
     - Trick intruders
     - Alert administrators
     - Detect attack vectors
     - Prevent data loss/corruption

  4. The Deliverable
     - Customized honeypots for multiple protocols
     - Minimal IDS
     - Automated deployment & management
     - Configurable logging backends
     - Raspberry Pi 2: cheap, plug & play device

  5. Tech Challenge 1: Dealing with Lots of Protocols
     - Many honeypot protocols and logging backends to deal with
     - New protocols must be integrated quickly and safely
     Figure: Honeypot (SSH, HTTPS, DNP3) -> Alert / Traffic -> Logs (Splunk, Syslog, Text File)

  6. Design 1: Honeypot Plugin Framework
     Figure: Multi-process, message-passing architecture
     - Application-specific alerts broadcasted to loggers
     - Honeypots: SSH, HTTP, HTTPS, DNP3, Custom
     - Controller
     - Loggers: Splunk, Syslog, Text File, S3, Custom
     Properties: pluggable, concurrent, separate address space, easy testing, ...
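A sketch of the alert-broadcast design on this slide, added here as an illustration rather than the May1601 project's own code: a hypothetical DNP3 honeypot plugin raises alerts to a controller, which fans each alert out to every registered logger backend so that one failing backend (a stand-in for an unreachable Splunk) does not block the others. Plugin names, the in-memory text-file logger, and the sample traffic are all constructed for the example.

```python
import json
import queue
from dataclasses import dataclass, asdict
DNP3_START = b"\x05\x64"  # every DNP3 data-link frame begins with these start bytes
@dataclass
class Alert:
    honeypot: str   # which honeypot plugin raised the alert
    src_ip: str
    src_port: int
    detail: str
class TextFileLogger:
    """Stand-in for the text-file backend; keeps JSON lines in memory here."""
    def __init__(self):
        self.lines = []
    def write(self, alert):
        self.lines.append(json.dumps(asdict(alert)))
class FailingLogger:
    """Simulates a backend that is down (e.g. Splunk unreachable)."""
    def write(self, alert):
        raise ConnectionError("backend unreachable")
class Controller:
    """Takes alerts from a queue and broadcasts each one to every logger."""
    def __init__(self, loggers):
        self.q = queue.Queue()
        self.loggers = list(loggers)
        self.failures = 0
    def submit(self, alert):
        self.q.put(alert)
    def drain(self):
        """Deliver queued alerts; a broken logger must not block the others."""
        delivered = 0
        while not self.q.empty():
            alert = self.q.get_nowait()
            for logger in self.loggers:
                try:
                    logger.write(alert)
                except Exception:
                    self.failures += 1  # counted, not fatal
            delivered += 1
        return delivered
class Dnp3Honeypot:
    """Hypothetical DNP3 plugin: classifies bytes received on the DNP3 port."""
    def __init__(self, controller):
        self.controller = controller
    def handle(self, src_ip, src_port, payload):
        kind = "dnp3-link-frame" if payload.startswith(DNP3_START) else "non-dnp3-bytes"
        alert = Alert("dnp3", src_ip, src_port, kind)
        self.controller.submit(alert)
        return alert
```

In the real design each honeypot and logger would run in its own process with the queue replaced by an inter-process channel; the dispatch and failure-isolation logic stays the same.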

  7. Demo: Honeypot Plugin Framework
     Demo

  8. Tech Challenge 2: Obscure SCADA Protocols
     DNP3:
     - Application layer protocol built on TCP/IP
     - Consists of Data, Transport, and Application layers
     - Testing
     - Secure Authentication
     Reference: DNP3Spec-V1-Introduction-20071215

  9. Design 2: Device Architecture
     Figure: Simplified Device Internals
     - Network Traffic -> Sniffed Traffic -> Snort IDS -> Snort Alerts
     - Incoming Public Traffic -> Public Interface -> Honeypot Framework -> Honeypot Alerts
     - SSH Admin

  10. Testing 1: Unit Tests
      Test Set -> Unit Testing -> Code Output Verification
      - Plugin Strategies (Plugins): dnp3, fssh, webauth
      - Log Strategies (Loggers): splunk, syslog
      - Core Strategies

  11. Testing 2: Integration Testing
      Vagrant:
      - Repeatable environment simulation
      - Automatic, streamlined VM provisioning
      Figure: Vagrant Environment

  12. Tech Challenge 3: Simultaneous, Multi-Site Deployment
      - Deployment Directory
      - 28 devices, numerous locations
      - Ansible makes this EASY
      Figure: Ansible Honeypot Administration

  13. Demo: Provisioning with Ansible
      Demo

  14. Long-term Support, Administration, and Maintenance
      Update process must be:
      - flexible
      - single-step
      - fault-tolerant
      - idempotent
      Manual administration option necessary
      Auto-notify for security updates
      Figure: Ansible Updates

  15. Questions
