A Comparative Study of ICS Honeypot Deployments

Abstract

Honeypots are increasingly used in Industrial Control Systems (ICS) to divert attacks from critical assets and study malicious behavior. While prior work has examined specific aspects of ICS honeypot design, a comprehensive understanding of cost-effective deployment strategies is still lacking. This work investigates how interaction level, network type, and geographic location affect the attractiveness of ICS honeypots. We deploy both low- and high-interaction honeypots, alongside a physical device, across corporate and cloud networks in various geographic regions. We collect and analyze network interactions involving HTTP, S7Comm, and Modbus protocols from 16 honeypots with diverse configurations over a three-month period. Our results show that network type has the largest impact on ICS honeypot traffic, while interaction level and geographic location play a minor role. We also find that low-interaction honeypots capture traffic comparable to high-interaction setups, supporting their use for general threat intelligence.

Publication
In Proceedings of the 6th International Workshop on Cyber-Physical Security for Critical Infrastructures Protection
Emmanuele Zambon
Assistant Professor

My research interests include Industrial Control System security and network intrusion detection.