ICSvertase: A Framework for Purpose-based Design and Classification of ICS Honeypots

Abstract

As attacks on Industrial Control Systems (ICS) are increasing, the design and deployment of ICS honeypots is gaining momentum as a way to prevent, detect, and research them. However, ICS honeypot creators rarely consider explicitly what adversary behavior they want to capture, potentially creating honeypots that do not completely fulfill their intended purpose. At the same time, ICS honeypots are classified using the traditional interaction-level scheme, which is unsuitable for ICS because of the unique properties of these systems. In turn, these issues make it hard for potential users to systematically determine the suitability of an ICS honeypot for their use case. To tackle these problems, in this paper we introduce ICSvertase, a novel framework allowing for structural reasoning about ICS honeypots. ICSvertase integrates several existing components from the ATT&CK for ICS and Engage frameworks provided by MITRE and extends them with novel elements. ICSvertase provides a novel approach to helping companies and users in several real-world use cases, such as choosing the most suitable existing ICS honeypot, designing new ICS honeypots, and classifying existing ones in a more fine-grained way. To show ICSvertase’s benefits, we provide examples for these real-world use cases and compare them to their traditional counterparts.

Publication
In Proceedings of the 18th International Conference on Availability, Reliability and Security
Emmanuele Zambon
Assistant Professor

My research interests include Industrial Control System security and network intrusion detection.