Honeypots and SCADA Systems

Guest Blog by Rusty O’Neal, System Specialist/SCADA Admin, Canoochee EMC, and Secretary, GEMC Distribution Transmission Automation Group (DTAG)

“A honeypot consists in an environment where vulnerabilities have been deliberately introduced in order to observe intrusions and attacks” (Pouget & Dacier, 2004, p. 2). The great thing about honeypots is that they can be placed in any environment to observe malicious traffic, whether on a single local network or across a wide area. Honeypots have been used for over twenty years now to watch for such traffic.

A honeypot sets a trap to detect, deflect, and in some manner counteract unauthorized access. It looks just like any other part of the network, with computers, data, and a network site that appear to belong to the corporate network, but it is actually isolated and closely monitored (Honeypots.net, 2011). Attackers feel as if they are getting into valuable resources, when in fact they are being set up.

Setting up honeypots is a great way to do research on attackers. I believe this because it shows how attackers adopt new technologies for hacking, and how they adapt to the new technologies that networks use to fight them off. These environments are totally passive, so nearly all incoming packets are likely to be of malicious origin (Pouget & Dacier, 2004).

In this typical research setup, data is sent over a secure connection from the honeypot environment to a data server and then used to feed a specific database (Pouget & Dacier, 2004). The databases used for research typically hold information on the attacker, on attacks against the environment as a whole, on attacks against a single machine in the environment, on raw packets, and on the environment itself (Pouget & Dacier, 2004). This data is used to define attack sources and port sequences (Pouget & Dacier, 2004). An attack source is an IP address that targets the honeypot environment: “Attack sources send packets to specific ports of one honeypot machine” (Pouget & Dacier, 2004, p. 3). A port sequence defines the specific order according to which ports have been targeted on a given honeypot machine (Pouget & Dacier, 2004, p. 3). All of the data collected is then used to identify repetitive attacks, the number of attacks on each machine in the environment, the number of packets sent by attackers to each machine, and the total number of packets sent to the whole environment (Pouget & Dacier, 2004).
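The attack-source and port-sequence bookkeeping described above is easy to reproduce over captured honeypot packets. The following is an added example written for this post, not code from the blog or from Pouget & Dacier; the record layout, the honeypot machine names and the sample packets are constructed (ports 502 and 20000 are the standard Modbus/TCP and DNP3 ports a SCADA honeypot would expose). It derives the per-(source, machine) port sequence, counts how often each sequence recurs, and produces the per-machine and total packet counts the paragraph lists.

```python
"""Derive attack sources, port sequences and per-machine counts from
honeypot packet records, in the sense used by Pouget & Dacier (2004).

Added example: the record layout, the machine names and the sample
packets below are constructed for illustration; they are not data from
the blog post or from the cited paper."""
from collections import Counter, defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float       # capture time (seconds)
    src_ip: str     # attack source (the IP that targets the honeypot)
    honeypot: str   # which honeypot machine was hit
    dst_port: int   # port targeted on that machine


# Constructed sample: three sources probing two honeypot machines.
SAMPLE = [
    Packet(1.0, "203.0.113.5", "hp1", 502),
    Packet(1.1, "203.0.113.5", "hp1", 502),    # retransmit, same port
    Packet(1.2, "203.0.113.5", "hp1", 20000),
    Packet(2.0, "198.51.100.9", "hp1", 502),
    Packet(2.3, "198.51.100.9", "hp1", 20000),
    Packet(3.0, "198.51.100.9", "hp2", 22),
    Packet(4.0, "192.0.2.77", "hp2", 445),
    Packet(4.5, "192.0.2.77", "hp2", 139),
]


def port_sequences(packets):
    """Map (source, honeypot) -> ordered list of ports targeted.
    Consecutive repeats of the same port are collapsed so that a
    retransmit does not add a new element to the sequence."""
    seqs = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src_ip, p.honeypot)
        if not seqs[key] or seqs[key][-1] != p.dst_port:
            seqs[key].append(p.dst_port)
    return dict(seqs)


def repeated_sequences(seqs):
    """Count how often each port sequence occurs across all (source, machine)
    pairs; a sequence seen more than once is a repetitive attack pattern."""
    return Counter(tuple(s) for s in seqs.values())


def summary(packets):
    """The aggregate view the research databases are built for."""
    seqs = port_sequences(packets)
    # One attack = one (source, machine) pair that exchanged packets.
    attacks_per_machine = Counter(hp for (_, hp) in seqs)
    packets_per_source_machine = Counter((p.src_ip, p.honeypot) for p in packets)
    return {
        "sources": sorted({p.src_ip for p in packets}),
        "sequences": seqs,
        "repeated": {s: n for s, n in repeated_sequences(seqs).items() if n > 1},
        "attacks_per_machine": dict(attacks_per_machine),
        "packets_per_source_machine": dict(packets_per_source_machine),
        "total_packets": len(packets),
    }


if __name__ == "__main__":
    for k, v in summary(SAMPLE).items():
        print(f"{k}: {v}")
```

Two different sources probing 502 then 20000 on the same machine show up as one repeated sequence, which is the kind of signal that separates a scripted scanner from one-off noise.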

Industrial espionage involves someone in an organization stealing information to sell to its competitors. The FBI estimates that computer sabotage costs businesses around $10 billion every year (Haag & Cummings, 2008). To protect important information, companies are increasing their spending on internet security software and systems to guard against inside attacks as well as outside ones. When most people think of security, the first thing that comes to mind is probably attacks from outside hackers, but in fact 75 percent of attacks on computer systems come from insiders, through employee misconduct. Protecting company data matters because a disgruntled employee may decide to steal information for industrial espionage or simply to damage the systems. “Companies need to screen their employees carefully, create a culture of loyalty to inhibit the internal threats, and develop systems that help promote security” (Pearlson & Saunders, 2010, p. 228).

The same system that is set up to fight off outside attackers is also used to fight off industrial espionage: it watches for suspicious activity, and if someone wanders into the honeypot, they are caught (EC-Council, 2009). Organizations also use something very similar to a honeypot, called a honeytoken. Here an administrator places a file that appears to be important on a legitimate server; if anyone accesses it, the administrator catches the attacker (EC-Council, 2009).
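Catching the access to a honeytoken is the whole point, so the decoy file needs a watch on it. The following is an added example, not code from the post or the cited sources: it pairs a Linux auditd watch rule for a decoy path with a small parser that turns audit log records tagged with that rule's key into alerts. The decoy path, the audit key and the sample log lines are constructed; the field names follow the auditd record format.

```python
"""Detect access to a honeytoken file from Linux audit log lines.

Added example, not from the blog post or the cited sources. The decoy
path, the audit rule key and the sample log lines are constructed; the
log field names (type, uid, exe, key, ...) follow the auditd format."""
import re

# Constructed decoy path: an attractive-looking file nobody should open.
HONEYTOKEN_PATH = "/srv/finance/payroll_2011.xlsx"
AUDIT_KEY = "honeytoken"

# auditd watch rule (goes in /etc/audit/rules.d/): record read, write and
# attribute-change syscalls on the decoy and tag them with our key.
AUDIT_RULE = f"-w {HONEYTOKEN_PATH} -p rwa -k {AUDIT_KEY}"

# Constructed sample of /var/log/audit/audit.log records. Records 901 and
# 903 carry our key; 902 is unrelated activity tagged by a different rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1314453601.123:901): arch=c000003e syscall=257 success=yes exit=3 auid=1001 uid=1001 pid=4242 comm="cat" exe="/usr/bin/cat" key="honeytoken"
type=PATH msg=audit(1314453601.123:901): item=0 name="/srv/finance/payroll_2011.xlsx" inode=12345 dev=08:01 mode=0100640 ouid=0 ogid=0
type=SYSCALL msg=audit(1314453650.456:902): arch=c000003e syscall=257 success=yes exit=4 auid=1002 uid=1002 pid=4300 comm="less" exe="/usr/bin/less" key="other"
type=SYSCALL msg=audit(1314453700.789:903): arch=c000003e syscall=257 success=no exit=-13 auid=1003 uid=1003 pid=4401 comm="cp" exe="/usr/bin/cp" key="honeytoken"
"""

# key=value pairs; values are either double-quoted or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_line(line):
    """Turn one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def honeytoken_alerts(log_text):
    """Return one alert per SYSCALL record tagged with the honeytoken key.
    Failed attempts (success=no) are reported too: a permission-denied
    read of a decoy is still someone looking where they should not."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec.get("type") != "SYSCALL" or rec.get("key") != AUDIT_KEY:
            continue
        alerts.append({
            "auid": rec.get("auid"),   # login uid: who really sat down, even after su/sudo
            "uid": rec.get("uid"),
            "pid": rec.get("pid"),
            "exe": rec.get("exe"),
            "success": rec.get("success") == "yes",
            "event": rec.get("msg"),   # audit(timestamp:serial), joins with PATH records
        })
    return alerts


if __name__ == "__main__":
    print("Audit rule to install:", AUDIT_RULE)
    for a in honeytoken_alerts(SAMPLE_LOG):
        print("ALERT honeytoken touched:", a)
```

The alert keeps `auid` rather than only `uid` because the login uid survives privilege changes and names the person, not the account they escalated to; the `msg` serial lets you join the SYSCALL record to its PATH record to confirm which file was hit.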

In an operational environment I believe this is a great tool, not only to learn about attacks but also to keep them out of your main systems. Has anyone thought of using such a system to protect SCADA systems? This would be both a preventive and a reactive approach to network security. I would much rather have a honeypot that looks more attractive to an attacker than have someone hack into my main system to steal information or cause damage. Such a system could be expensive, but I feel the overall benefits outweigh the cost. If you are having problems with people stealing information internally, then this is a great way to stop such attacks. A honeytoken alone is a valuable tool: all you have to do is put an attractive file on a legitimate server, and as soon as someone accesses it they are caught.


References:

EC-Council. (2009). Computer Forensics: Investigating Network Intrusions and Cybercrime. New York: Course Technology.

Haag, S., & Cummings, M. (2008). Management Information Systems (7th ed.). New York, NY: McGraw-Hill.

Honeypots.net. (2011, January 1). Intrusion Detection, Honeypots and Incident Handling Resources. Retrieved August 27, 2011, from http://www.honeypots.net/

Pearlson, K. E., & Saunders, C. S. (2010). Managing and Using Information Systems. Hoboken: John Wiley & Sons, Inc.

Pouget, F., & Dacier, M. (2004, January 1). Honeypot-based Forensics. Sophia-Antipolis, France.

About Mary

Ms. Hester is the CEO of LAN Systems, which provides IT solutions in the Greater Metro Atlanta Area. You can contact Mary at mary@lansystems.com.
