Industrial IoT Honeypots and Honeynets: A Critical IIoT Security Measure

Abstract

Industrial Internet of Things (IIoT) is defined as the application of Internet of Things (IoT) technology in the automation field using industrial communication technologies. The IIoT environment has penetrated various fields such as our cities, transportation, manufacturing, and infrastructure, while becoming a popular target for hackers. Honeypots and honeynets have proven crucial for understanding and defending against attacks on IIoT, as they can attract attackers and deceive them into believing they have gained access to real systems. Honeypots and honeynets can complement other mainstream security solutions (firewalls, Intrusion Detection Systems (IDS)) to effectively defend against malicious behavior. This article introduces research on honeypots and honeynets for IIoT.

1. Industrial Internet of Things and Similar Definitions

The Industrial Internet of Things (IIoT) is defined as the application of IoT technology in the automation field using industrial communication technologies. Two similar concepts are IoT and Cyber-Physical Systems (CPS).
1.1 IIoT and IoT
IoT (Internet of Things) consists of a network of devices connected via the internet, such as sensors, actuators, and other embedded devices capable of collecting data and communicating.
By definition, IIoT is the application of IoT using industrial communication technologies in the automation field, while IoT serves as the foundation of IIoT, with applications permeating every corner of our lives. Sensors, actuators, wearable devices, embedded devices, and many other IoT devices are ubiquitous in buildings, cities, transportation, automotive, manufacturing, critical (nuclear reactors, power plants, refineries, etc.) and non-critical infrastructure, as well as agriculture.
1.2 Cyber-Physical Systems
CPS (Cyber-Physical Systems) is a network composed of sensors, actuators, Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), Intelligent Electronic Devices (IEDs), and other embedded devices used to monitor and control physical processes in critical and non-critical application areas.
Application scenarios for CPS include but are not limited to Industrial Control Systems (ICS), smart grids, other smart infrastructures (such as water, gas, building automation), medical devices, and smart vehicles. Overall, IIoT is closely linked to CPS due to the unique nature of its working environment (closed systems).
From a definitional standpoint, IoT, CPS, and IIoT are quite similar with little distinction. A special report by NIST points out that the difference between IoT and CPS lies in that IoT emphasizes information and network-related technologies in the physical world, while CPS is closer to a closed system implementation, focusing more on perception and information exchange control. Based on this foundation, IIoT further connects the definitions of IoT and CPS as it possesses characteristics of both.

2. Industrial IoT Honeypots and Honeynets

2.1 Common Security Mechanisms in Industrial IoT
To protect industrial devices in the IIoT environment, industrial networks commonly employ a range of defensive measures, such as encryption, firewalls, IDS and Intrusion Prevention Systems (IPS), and antivirus and anti-malware solutions. China's current national standards for industrial wireless networks define industrial network protocols with three layers (physical layer, link layer, and application layer) and employ various security mechanisms in security management, such as the CCM* encryption mode (widely used in IEEE 802.x and BLE protocols) and replay-attack prevention based on timestamps and nonces.
2.2 Challenges Faced by Traditional Industrial IoT Security Mechanisms
The IIoT environment imposes specific requirements on device resources, network lifespan, and Quality of Service (QoS), and these pose significant challenges to IIoT security defenses. IoT serves as the foundation of IIoT, and IoT devices typically have limited power, storage, computing, and communication resources. This limitation is felt especially in the IIoT environment, where industrial communication devices are deployed in the automation field, because it restricts the security mechanisms that can be used. Additionally, the devices used in IIoT environments were not designed with security in mind from the outset. For example, in industrial production, industrial networks often need to meet requirements for low latency, low power consumption, high reliability, and high stability. Under such conditions, the application environments of IIoT/CPS are often assumed to be secure and isolated by default. This vague security assumption was shattered by the well-known “Stuxnet” virus in 2010. The example illustrates the urgent need to rebuild and rethink the traditional static “implicit trust” model; the core idea of “zero trust” in network implementation, removing implicit trust, was also born to address such issues. Because zero-trust technologies and standards have not yet matured, and this article mainly introduces IIoT honeypots and honeynets, we will not elaborate on the principles of zero trust. As more and more industrial environments are connected to the internet, updating the security mechanisms of industrial devices that may not be replaced for decades has also become a serious issue.
2.3 Honeypots, Honeynets, and Their Applications in Industrial IoT
Traditional IIoT security mechanisms give security researchers little visibility into the methods used by attackers (and the defensive responses). Honeypots attract attackers and deceive them into believing they have gained access to real systems; they are tools deployed for the purpose of being attacked and potentially compromised. Two or more honeypots implemented on a system form a honeynet. Honeypots can be integrated with firewalls and IDS to form an IPS, capturing relevant information about attackers, studying their behaviors, and developing security solutions to prevent potential future attacks.
In practical use, honeypots and honeynets can be deployed in different locations, such as cloud computing environments, the demilitarized zone (DMZ) of an enterprise network, actual application/production environments (in IoT, IIoT, or CPS networks), and private deployment environments with public IP addresses, as shown in the base honeynet architecture in Figure 1. Each environment has its own advantages and disadvantages, and the type of honeypot or honeynet best suited to it varies accordingly.

Figure 1 Base Honeynet Architecture

The deployment environment of IIoT is very broad. Research by Javier et al. divides the application environments of honeynets in IIoT into six major parts: Industrial Control Systems (ICS), smart grids, water systems, gas pipelines, building automation systems, and integrated IIoT honeynets. They also classified these environments based on technological development. Figure 2 illustrates the classification of honeypots and honeynets applicable to IIoT, while Figure 3 depicts the development history of IIoT honeypots and honeynets. ICS is one of the main target application areas of existing honeypots: over half of IIoT honeypots are designed for ICS environments. Although fewer honeypots target other specific IIoT applications (most research focuses on ICS), ICS and smart infrastructures (such as power grids, water, gas) still use similar industrial devices (such as PLCs).

Figure 2 Classification of Honeypots and Honeynets Applicable to IIoT

Figure 3 Development of IIoT Honeypots and Honeynets

IIoT honeynets began with Cisco’s SCADA HoneyNet project in 2004. The SCADA HoneyNet is an open-source honeypot framework based on Honeyd, which is a low-interaction honeynet that supports simulating Modbus/TCP, FTP, Telnet, and HTTP services running on PLCs. Berman’s paper published in 2012 at the U.S. Air Force Research Laboratory was the first study on IIoT honeypots and honeynets in the literature. The following year, the second paper in this field was also published at the U.S. Air Force Research Laboratory, coinciding with the era of the Stuxnet virus. In 2013, the most popular ICS honeypot, the Conpot open-source project, was completed, and Trend Micro Research’s Wilhoit released their low-interaction ICS honeypot white paper, which injected new momentum into the subsequent research and practice of honeypots and honeynets in IIoT/CPS.
IIoT low-interaction honeypots can provide valuable information related to scanning, target protocols, attack sources, and brute-force attempts. More advanced attacks against specific industrial protocols and processes, on the other hand, can only be discovered and analyzed with medium- or high-interaction honeypots. IIoT high-interaction honeypots allow attackers to damage the system or use the honeypot for other attack behaviors, so deploying them is highly risky, especially in IIoT environments with special requirements. Additionally, the high cost of industrial equipment is one of the primary driving factors for using virtual resources rather than physical devices in IIoT honeypots.
The unique requirements and functionalities of IIoT environments make it challenging to deploy security tools, including honeypots, even with advanced research. In terms of usage, most honeypots and honeynets are designed for research purposes rather than production purposes. SCADA devices need to operate continuously, with very few instances of interruption or downtime. Furthermore, industrial devices generally have strict time constraints that require guaranteed response times. Therefore, inserting honeypots into ICS production environments that have none, or updating outdated honeypots, is extremely difficult, as these actions may significantly affect ICS communications and, with high-interaction honeypots in particular, pose risks to the system.
The attacks most commonly detected or tested in IIoT honeypots and honeynets are scanning attacks. Most studies have tested scanning attacks over different time periods, and these honeypots can count the number of scans, perform traffic analysis, and assess the legitimacy of scanning sources using existing libraries. In addition to DoS and DDoS, SSH attacks, brute-force attempts, and man-in-the-middle attacks are also key detection targets in specific honeypot and honeynet environments. Some attacks that are less common than those above, such as ransomware and mining backdoors, and specific attacks against ICS, such as HAVEX RAT, PLC Blaster, and tank overflow attacks, are also focal points for protection.
Linux is the mainstream operating system environment for honeypots and honeynets, along with FreeBSD. In terms of programming languages, Python is the most popular, followed by C/C++ and Java. This is likely related to the availability of libraries supporting industrial protocols for these languages, such as Python’s modbus-tk, pymodbus, and cpppo EtherNet/IP libraries; C/C++’s libiec61850 and OpenDNP3 libraries; and Java’s JAMOD Modbus library. The Conpot honeypot, as the most popular open-source honeypot for IIoT/CPS, is also written in Python.
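The scan counting and traffic analysis described above can be sketched for a low-interaction Modbus/TCP honeypot as follows. This is an added example, not code from Conpot or from the surveyed papers; it assumes the honeypot logs one complete request per record, and the sample addresses and frames are constructed.

```python
import struct
from collections import Counter, defaultdict

# Public function codes from the Modbus application protocol specification.
READ_CODES = {1, 2, 3, 4}      # read coils, discrete inputs, registers
WRITE_CODES = {5, 6, 15, 16}   # write coils or registers: touches the simulated process
IDENT_CODES = {17, 43}         # Report Server ID, Encapsulated Interface (device identification)

def parse_request(frame: bytes):
    """Parse one Modbus/TCP request; return None if it is not well-formed."""
    if len(frame) < 8:  # 7-byte MBAP header plus a function code
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id is always 0; length counts the bytes after the length field.
    if proto != 0 or length != len(frame) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def classify(frame: bytes) -> str:
    req = parse_request(frame)
    if req is None:
        return "non-modbus"  # e.g. HTTP probes or truncated frames on port 502
    fc = req["function"]
    if fc in WRITE_CODES:
        return "write"
    if fc in IDENT_CODES:
        return "identify"
    return "read" if fc in READ_CODES else "other"

def summarize(events):
    per_source = defaultdict(Counter)  # source address -> count per request class
    for src, frame in events:
        per_source[src][classify(frame)] += 1
    return {src: dict(counts) for src, counts in per_source.items()}

def write_sources(summary):
    """Sources that went beyond scanning and tried to change values."""
    return sorted(s for s, c in summary.items() if c.get("write"))

# Constructed sample records (documentation address ranges, hand-built frames).
SAMPLE_EVENTS = [
    ("192.0.2.10", bytes.fromhex("00010000000601030000000a")),    # read holding registers
    ("192.0.2.10", bytes.fromhex("000200000005012b0e0100")),      # read device identification
    ("198.51.100.7", bytes.fromhex("0003000000060106000100ff")),  # write single register
    ("203.0.113.5", b"GET / HTTP/1.1\r\n\r\n"),                   # HTTP probe on port 502
    ("203.0.113.5", bytes.fromhex("00040000000601030000")),       # truncated frame
]

print(write_sources(summarize(SAMPLE_EVENTS)))
```

Sources that only read or identify are consistent with the scanning activity a low-interaction honeypot mostly sees; a write request is the kind of event that warrants closer review.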
2.4 Summary and Insights
The IIoT environment is unique, and any honeypot/honeynet should consider, from the outset of development, its target application field, purpose, cost, deployment environment, services provided/simulated, expected interaction with attackers, resource consumption, required tools, fingerprintability (how easily attackers can identify it as a honeypot), and potential liability issues. Moreover, from application to deployment, IIoT honeypots/honeynets require consideration on several fronts: which specific applications and industrial protocols to cover, where in the network to deploy, and how to allocate resources (how to safeguard the communication and control resources of industrial production).
IIoT honeypots/honeynets are an important security measure, and this field has always been an active area of research. How to apply existing cutting-edge research to production environments and collaborate with other security measures to better protect IIoT environments will be a key focus for us in the future.

(Some content in this article is translated and modified from A Survey of Honeypots and Honeynets for Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems (J. Franco et al. 2021))

References

[1] E. Sisinni, A. Saifullah, S. Han, U. Jennehag, M. Gidlund[C]. Industrial Internet of Things: Challenges, opportunities, and directions. IEEE Trans. Ind. Informat. 2018(4), vol. 14, no. 11, pp. 4724-4734.

[2] B. Bordel, R. Alcarria, T. Robles, D. Martín[C]. Cyber–physical systems: Extending pervasive sensing from control theory to the Internet of Things. Pervasive Mobile Comput. 2017, vol. 40, pp. 156-184.

[3] A. Humayed, J. Lin, F. Li, B. Luo[C]. Cyber-physical systems security—A survey. IEEE Internet Things J. 2017, vol. 4, no. 6, pp. 1802-1831.

[4] C. Greer, M. Burns, D. Wollman, E. Griffor[DB/OL]. Cyberphysical systems and Internet of Things. NIST, Gaithersburg, MD, USA. 2019, Rep. 1900-202.

[5] GB/T 26790, Industrial Wireless Network WIA Specification[S].

[6] L. Spitzner[DB/OL]. The Value of Honeypots, Part One: Definitions and Values of Honeypots. http://www.symantec.com/connect/articles/value-honeypotspart-onedefinitions-and-values-honeypots/, Apr. 14, 2020.

[7] P. Kumar, R. Verma[J]. A review on recent advances & future trends of security in honeypot. Int. J. Adv. Res. Comput. Sci. 2017, vol. 8, no. 3, pp. 1108-1113.

[8] J. Franco, A. Aris, B. Canberk, A. S. Uluagac[C]. A Survey of Honeypots and Honeynets for Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems. IEEE Communications Surveys & Tutorials. 2021, vol. 23, no. 4, pp. 2351-2383.

China Confidentiality Association

Science and Technology Branch

Author: Xiong Siqi, Shenyang Institute of Automation, Chinese Academy of Sciences

Editor: Xiang Lingzi
