
ICS/SCADA Honeypot

posted Mar 20, 2013, 6:18 AM by Beau Bullock
 
 
 
Trend Micro have released a report detailing the research they've done into attacks on ICS (industrial control systems) and SCADA (supervisory control and data acquisition) systems. They set up three separate honeypots on the public internet for their experiment. One of the honeypots is an actual SCADA device requiring high interaction from the researchers. It is a web application designed to look like a water pressure station. They also have a low-interaction honeypot that is a software-based emulation of a SCADA system. The honeypots were attacked a total of 39 times. Of these, 12 were unique and targeted, and 13 were repeated by a few of the attackers.
 
   "The top Snort alert generated in the honeypot environment was Modbus TCP non-Modbus communication on TCP port 502. This rule is triggered when an established connection utilizing Modbus is hijacked or spoofed to send other commands or attacks to a different device,"
This matters given the ever-growing fear of a targeted ICS/SCADA attack that may cause physical damage to these systems and could potentially harm people living in or around the area where the compromised device is located.
"This research proves stuff is going on. With what [regularity], I don't know. Maybe companies aren't disclosing those attacks, and a lot of these companies may not be aware that they are being attacked and targeted,"
Download the full report from Trend Micro here:
 
I am a big fan of this type of research as it can help unveil the types of attacks various attackers are using as well as how often they are doing it.  I have set up a few honeypots on my home network for research in the past and have been running one on the internet for about a month now that I will be writing a blog posting for in the near future.
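
An added example (not from the original post, the Trend Micro report, or the Snort ruleset): a small check a defender could run over payloads captured on TCP port 502 to flag traffic that is not framed as Modbus/TCP, based on the MBAP header layout in the Modbus specification. The function names and sample payloads are constructed for illustration, and it assumes each payload holds exactly one Modbus frame.

```python
import struct

MODBUS_PORT = 502
MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253   # spec limit for function code + data

def check_mbap(payload: bytes) -> str:
    """Classify one TCP payload seen on port 502: 'ok' or a reason string."""
    if len(payload) < MBAP_LEN + 1:   # header plus at least a function code
        return "too short for MBAP header + function code"
    _tid, proto, length, _unit = struct.unpack(">HHHB", payload[:MBAP_LEN])
    if proto != 0:                    # Modbus/TCP always uses protocol id 0
        return f"protocol id {proto:#06x} is not 0 (not Modbus)"
    # The length field counts the unit id plus the PDU that follows it.
    if not 2 <= length <= MAX_PDU + 1:
        return f"length field {length} outside 2..254"
    present = len(payload) - 6        # bytes after the length field
    if present != length:
        return f"length field {length} does not match {present} bytes present"
    return "ok"

def scan(payloads):
    """Return (index, reason) for every payload that is not a clean Modbus frame."""
    return [(i, r) for i, p in enumerate(payloads) if (r := check_mbap(p)) != "ok"]

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    bytes.fromhex("00010000000601030000000a"),           # read holding registers
    b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n",              # HTTP probe on port 502
    b"SSH-2.0-client\r\n",                               # SSH banner on port 502
    bytes.fromhex("00020000000601030000000a") + b"AAAA", # trailing extra bytes
    b"\x00\x00",                                         # truncated fragment
]

if __name__ == "__main__":
    for i, reason in scan(SAMPLES):
        print(f"payload {i}: non-Modbus traffic on tcp/{MODBUS_PORT}: {reason}")
```

A production sensor would reassemble the TCP stream first, since one segment can carry several frames or only part of one.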