How to use Honeypots for Automation Cyber Security
Systematically Detect and Defend Against Hacker Attacks by using Honeypots
In order to systematically detect and defend against hacker attacks on industrial targets, so-called honeypot scenarios are often used.
What is a honeypot?
A honeypot is a decoy: false data, information, or equipment is deliberately left exposed so that attackers spend their effort on it, while the real, valuable data, software, and hardware stay protected. A good example of such a decoy in an industrial environment is a data-routing network switch.
In this article, we take a closer look at how this could theoretically work in an operational production facility.
How to implement honeypots?
If we want to protect ourselves effectively at the earliest possible stage against attacks, we need to understand the continually evolving strategies used by hackers. It is not as simple as disabling the firewall and password protection and then waiting to see what happens. You would undoubtedly experience a wave of attacks but would learn little or nothing from them. And, of course, it is entirely out of the question to expose real data, which in many cases would be not only irresponsible but also illegal.
However, there are ways of implementing honeypots to open the door to cyber attack without risking damage or data loss. No company should ever attempt to do so without first obtaining expert guidance. Anyone interested in the honeypot scenario described in this article should first consult and work together with their company IT department and advisors. Only they will be able to confirm that there is no additional risk to data or hardware and that no liabilities are incurred.
The figure below represents a classic honeypot scenario. A “dummy” switch is set up to attract attacks, then is closely monitored.
Allowing a Cyber Attack
In the industrial environment, and especially in critical infrastructures, cyber security has become an extremely high priority. In this context, anything that can be done to warn of hacker activity and/or learn about hacker tactics is worth considering. As counter-intuitive as it may seem, allowing a cyber attack as a defensive strategy is something to consider. So how do you safely implement a honeypot?
Automated environments typically have numerous controllers, robots, drives, HMIs, etc. connected to a network. Network switches are used to connect components to the server, monitor data traffic, and route it to where it is needed. Their data-routing functions, together with their access management functions, make switches a classic target for cyber attacks, and the ideal honeypot.
Using a Switch as a Honeypot
Network switches perform essential functions in connecting robots, drives, PLCs and other devices to the industrial network. As a result, their firmware and configuration are vitally important and should be well-protected:
Switch firmware, similar to operating systems, is subject to manufacturer modifications and updates.
The configuration of a switch encompasses a range of settings including which ports are used for which data traffic flowing to and from which connected devices.
The following figure shows switch management with aid of the data management system, versiondog.
Attackers who want to do damage within a network can manipulate the network communication of a switch. Switches are often used by hackers to establish a connection with a component, e.g. by opening and closing ports. In this way, erroneous data can be routed.
Being a favorite target of hackers is what makes network switches so suitable for use as honeypots. One scenario involves installing an additional switch in the industrial network. This switch is set up to look attractive, but it has no real function, so company staff can leave it alone; all of them are informed of its actual purpose. With no changes being made internally, any change that does appear on the switch must have been made by an unauthorized external party.
The trick is to detect these changes as quickly as possible. This is where a data management system can be used. The data management system must be capable of regularly and automatically checking the state of the switch, detecting even the smallest change, then alerting the appropriate personnel without delay. Any manipulation might be an attack in and of itself, or it could be the preparation for an attack. Either way, early warning will help avoid damage or loss, and detailed inspection of the changes will reveal the tactics being used.
Choosing A Data Management System
versiondog is a data management system that is installed on computers connected to the industrial network of a manufacturing or CRITIS (critical infrastructure) facility to manage change and safeguard data. With its backup and compare functions, it efficiently fulfills the criteria required by this honeypot scenario.
While it does not replace other network security measures, such as firewalls, IDS and IPS systems, it can be used alongside them as a valuable extra layer of security. This is because it can be set to compare current device data to previous device data automatically and precisely at regular intervals. For the network switch in our honeypot scenario, the focus will be on ports, which could allow a hacker to gain access to automation equipment and potentially wreak havoc.
Together with a disciplined version control system that includes clear and complete documentation (who changed what, when, where, and why), versiondog’s automatic backup and compare functions are important components of an effective cyber security strategy. Each new backup is compared with the previous backup, and in the case of our honeypot switch, nothing should have changed. If a change is found, the system administrator is alerted and can take the appropriate action. If the worst comes to worst and disaster recovery is necessary, the last non-manipulated version of any device data or control program can be located and restored quickly and with confidence.
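To make the polling-and-compare cycle described above concrete, here is an added example written for this article; it is not versiondog's own code and does not use its API. It assumes a hypothetical `fetch_config()` callable that returns the decoy switch's configuration as text (in practice supplied by the switch's management interface), and it uses two constructed configuration snapshots: the approved baseline and a tampered version in which an unused port has been enabled and moved to another VLAN. Each cycle normalizes the snapshot, compares it section by section against the last approved backup, keeps every snapshot in a history so the last non-manipulated version can be restored, and returns an alert whose severity is raised when port settings changed.

```python
import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Optional

# Constructed baseline: the decoy switch's configuration as approved by staff.
BASELINE_CONFIG = """\
hostname decoy-sw01
interface GigabitEthernet1/0/1
 description PLC-line-A
 switchport access vlan 10
 shutdown
interface GigabitEthernet1/0/2
 description unused
 shutdown
snmp-server community public RO
"""

# Constructed tampered snapshot: port 1/0/2 enabled and moved to VLAN 20,
# plus a new global line. Staff never touch the decoy, so any difference is
# treated as unauthorized.
TAMPERED_CONFIG = """\
hostname decoy-sw01
interface GigabitEthernet1/0/1
 description PLC-line-A
 switchport access vlan 10
 shutdown
interface GigabitEthernet1/0/2
 description unused
 switchport access vlan 20
 no shutdown
snmp-server community public RO
ip http server
"""


def normalize(config: str) -> list[str]:
    """Drop trailing whitespace and blank lines so cosmetic differences do not alert."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def fingerprint(config: str) -> str:
    """Stable digest of the normalized configuration, stored with each backup."""
    return hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()


def parse_sections(config: str) -> dict[str, list[str]]:
    """Group lines by interface block; lines outside any block go under 'global'."""
    sections: dict[str, list[str]] = {"global": []}
    current = "global"
    for line in normalize(config):
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections.setdefault(current, [])
        elif line.startswith(" "):          # indented line belongs to the open block
            sections.setdefault(current, []).append(line.strip())
        else:                               # unindented line ends the block
            current = "global"
            sections["global"].append(line)
    return sections


def compare_snapshots(baseline: str, current: str) -> dict:
    """Per-section diff of two snapshots, with port (interface) changes singled out."""
    old, new = parse_sections(baseline), parse_sections(current)
    changes = {}
    for name in sorted(set(old) | set(new)):
        removed = [l for l in old.get(name, []) if l not in new.get(name, [])]
        added = [l for l in new.get(name, []) if l not in old.get(name, [])]
        if removed or added:
            changes[name] = {"removed": removed, "added": added}
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "changes": changes,
        "port_changes": {k: v for k, v in changes.items() if k != "global"},
        "unified_diff": list(difflib.unified_diff(
            normalize(baseline), normalize(current), "baseline", "current",
            lineterm="", n=0)),
    }


@dataclass
class Snapshot:
    taken_at: str
    config: str
    digest: str
    approved: bool   # False once a snapshot differs from the last approved one


@dataclass
class SnapshotStore:
    """Backup history; the last approved entry is the restore point after an incident."""
    history: list[Snapshot] = field(default_factory=list)

    def record(self, config: str, approved: bool) -> Snapshot:
        snap = Snapshot(datetime.now(timezone.utc).isoformat(), config,
                        fingerprint(config), approved)
        self.history.append(snap)
        return snap

    def last_known_good(self) -> Optional[Snapshot]:
        return next((s for s in reversed(self.history) if s.approved), None)


def check_decoy(store: SnapshotStore, fetch_config: Callable[[], str]) -> Optional[dict]:
    """One polling cycle: fetch, compare with the last approved backup, record, alert."""
    current = fetch_config()
    good = store.last_known_good()
    if good is None:                        # first run establishes the baseline
        store.record(current, approved=True)
        return None
    result = compare_snapshots(good.config, current)
    store.record(current, approved=not result["changed"])
    if not result["changed"]:
        return None
    return {
        "severity": "high" if result["port_changes"] else "medium",
        "baseline_digest": good.digest,
        "current_digest": fingerprint(current),
        "port_changes": result["port_changes"],
        "other_changes": result["changes"].get("global"),
        "diff": result["unified_diff"],
    }


if __name__ == "__main__":
    store = SnapshotStore()
    check_decoy(store, lambda: BASELINE_CONFIG)          # baseline, no alert
    alert = check_decoy(store, lambda: TAMPERED_CONFIG)  # simulated tampering
    print(alert["severity"], alert["port_changes"])
    print("\n".join(alert["diff"]))
    print("restore point:", store.last_known_good().digest)
```

The polling interval sets the detection latency, so it should be as short as the switch's management interface tolerates. The history must live on the monitoring host, never on the decoy itself, otherwise whoever changes the switch can also erase the record of the change.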
Cyberattacks on industrial facilities and public utilities have, unfortunately, become a reality. Because of the complexity of these largely automated environments, only a multi-layered approach can effectively protect against potentially dangerous losses. As part of this in-depth defense strategy, honeypot scenarios such as this are one component of many – a little more safety, certainty, and security for us and the environment.
Dr. Thorsten Sögding & Stefan Schnackertz
versiondog for Cyber Security
versiondog is designed to work together with your company’s network security system providing an extra layer of security within the production process.