How Honeypots can Help Your Automation Security

In order to systematically detect and defend against hacker attacks on industrial targets, so-called honeypot scenarios are often used. In many of these, decoy data and systems are deliberately left exposed, and the genuinely valuable data, software, and hardware are protected as a result. A good example of a honeypot in an industrial environment is a network switch. In this article, we take a closer look at how this could theoretically work in an operational production facility.

If we want to protect ourselves effectively and at the earliest possible stage against attacks, we need to understand the continually evolving strategies used by attackers. It is not as simple as disabling the firewall and password protection and then waiting to see what happens. You would undoubtedly experience a wave of attacks but would learn little or nothing from them. And, of course, exposing real data is entirely out of the question; in many cases it would be not only irresponsible but also illegal.

Discovering Intruders

Fig. 1: Classic honeypot scenario: A "dummy" switch is set up to attract attacks then closely monitored

However, there are ways of using honeypot scenarios to open the door to attackers without risking damage or data loss. No company should attempt this without first obtaining expert guidance. Anyone interested in the honeypot scenario described in this article should first consult and work together with their company IT department and advisors. Only they will be able to confirm that there is no additional risk to data or hardware and that no liabilities are incurred.

Allowing a Cyber Attack

In the industrial environment—and especially in critical infrastructures (CRITIS)—cybersecurity has become an extremely high priority. In this context, anything that can be done to warn of hacker activity and/or learn about hacker tactics is worth considering. As counter-intuitive as it may seem, we have decided to allow a cyberattack as a defensive strategy. Where could we start?

Automated environments typically have numerous controllers, robots, drives, HMIs, etc. connected to a network. Network switches connect these components to each other and to the servers, monitor data traffic, and forward it to where it is needed. Their central position in the traffic flow, together with their management and access-control functions, makes switches a classic target for cyberattacks and an ideal honeypot.

A Switch as a Honeypot

Network switches perform essential functions in connecting robots, drives, PLCs, and other devices to the industrial network. As a result, their firmware and configuration are vitally important and should be well protected:

  • Switch firmware, similar to an operating system, is subject to manufacturer modifications and updates.
  • The configuration of a switch encompasses a range of settings including which ports are used for which data traffic flowing to and from which connected devices.


Fig. 2: Switch management with the data management system versiondog


An attacker who gains access to a switch's management interface can manipulate how the network communicates. Switches are often used by attackers to reach a target component, e.g., by enabling or disabling ports or changing which devices a port may talk to. In this way, traffic can be redirected and erroneous data can be delivered to automation equipment.

Being a favorite target of attackers is what makes network switches so suitable as honeypots. One scenario involves installing an additional switch in the industrial network. This switch is configured to look attractive to an attacker but has no production function, so company staff, all of whom are informed of its actual purpose, can leave it alone. With no changes being made internally, any change that is made to the switch must have been made by an unauthorized party.


Fig. 3: How data backups/versions are classified according to content, storage, and identification to facilitate fast disaster recovery in production

The trick is to detect these changes as quickly as possible. This is where a data management system can be used, provided it is capable of regularly and automatically checking the state of the switch, detecting even the smallest change, and then alerting the appropriate personnel without delay. Any manipulation might be an attack in itself, or it could be preparation for an attack. Either way, early warning helps avoid damage or loss, and detailed inspection of the changes reveals the tactics being used.

A Data Management System

versiondog is a data management system that is installed on computers connected to the industrial network of a manufacturing or CRITIS facility to manage change and safeguard data. With its backup and compare functions, it fulfills the criteria required by this honeypot scenario. While it does not replace other network security measures such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS), it can be used alongside them as an additional layer of security, because it can be set to automatically and precisely compare the current device data with the previously backed-up device data at regular intervals. For the network switch in our honeypot scenario, the focus is on the port configuration, which an attacker could alter to gain access to automation equipment and potentially wreak havoc.

Together with disciplined version control and clear, complete documentation (who changed what, when, where, and why), versiondog's automatic backup and compare functions are important components of an effective cybersecurity strategy. Each new backup is compared with the previous one, and in the case of our honeypot switch nothing should ever have changed. If a change is found, the system administrator is alerted and can take appropriate action. And if the worst comes to the worst and disaster recovery is necessary, the last non-manipulated version of any device data or control program can be located and restored quickly and with confidence.
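The backup-and-compare cycle described in the two paragraphs above, including keeping a version history so that the last non-manipulated configuration can be restored, as an added example: this is illustrative Python written for this article, not versiondog code and not any vendor's API. The baseline and tampered switch configurations are constructed samples in an IOS-like syntax chosen for readability; the interface names and VLAN numbers are assumptions, and retrieving the running configuration from a real switch (over SSH, SNMP, or the vendor's backup mechanism) is assumed to happen outside the snippet.

```python
"""Periodic backup-and-compare check for a honeypot switch (added example,
not versiondog code). The switch never has a legitimate reason to change, so
each snapshot is compared with the last known-good one; any difference raises
an alert, and changes to port state or VLAN assignment are reported separately.
"""
import difflib
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample: baseline configuration of the dummy switch. IOS-like
# syntax is used only for readability; it is not taken from a real device.
BASELINE_CONFIG = """\
hostname honeypot-sw01
!
interface GigabitEthernet0/1
 description unused
 switchport access vlan 99
 shutdown
!
interface GigabitEthernet0/2
 description unused
 switchport access vlan 99
 shutdown
!
snmp-server community public RO
"""

# Constructed sample: the same switch after an intruder brought port 0/1 up
# and moved it onto VLAN 10 (assumed here to be the production VLAN).
TAMPERED_CONFIG = BASELINE_CONFIG.replace(
    " switchport access vlan 99\n shutdown\n!\ninterface GigabitEthernet0/2",
    " switchport access vlan 10\n no shutdown\n!\ninterface GigabitEthernet0/2",
)


@dataclass
class Snapshot:
    taken_at: str
    digest: str  # SHA-256 of the normalized text; fast path for "unchanged"
    text: str


@dataclass
class Alert:
    changed_lines: list = field(default_factory=list)  # raw +/- diff lines
    port_changes: list = field(default_factory=list)   # (interface, removed, added)

    @property
    def triggered(self) -> bool:
        return bool(self.changed_lines)


def normalize(config: str) -> list:
    """Drop blank/'!' separator lines and trailing whitespace so cosmetic
    differences between two backups do not raise false alarms."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and ln.strip() != "!"]


def snapshot(config: str) -> Snapshot:
    digest = hashlib.sha256("\n".join(normalize(config)).encode()).hexdigest()
    return Snapshot(datetime.now(timezone.utc).isoformat(), digest, config)


def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to the set of settings indented under it."""
    stanzas, current = {}, None
    for ln in normalize(config):
        if ln.startswith("interface "):
            current = ln.split(None, 1)[1]
            stanzas[current] = set()
        elif ln.startswith(" ") and current is not None:
            stanzas[current].add(ln.strip())
        else:
            current = None  # a global command ends the stanza
    return stanzas


def compare(previous: Snapshot, current: Snapshot) -> Alert:
    """Full line diff plus a per-interface view of what was removed/added."""
    alert = Alert()
    if previous.digest == current.digest:
        return alert
    for line in difflib.unified_diff(normalize(previous.text),
                                     normalize(current.text), lineterm="", n=0):
        if not line.startswith(("---", "+++", "@@")):
            alert.changed_lines.append(line)
    before, after = parse_interfaces(previous.text), parse_interfaces(current.text)
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old != new:
            alert.port_changes.append((name, sorted(old - new), sorted(new - old)))
    return alert


class History:
    """Append-only version history: every snapshot is kept and flagged, so the
    last non-manipulated version is always available for disaster recovery."""

    def __init__(self, baseline: Snapshot):
        self.versions = [(baseline, Alert())]

    def check(self, current: Snapshot) -> Alert:
        # Compare with the last known-good snapshot, not merely the previous
        # backup: a manipulation that persists must keep alerting.
        alert = compare(self.last_known_good(), current)
        self.versions.append((current, alert))
        return alert

    def last_known_good(self) -> Snapshot:
        for snap, alert in reversed(self.versions):
            if not alert.triggered:
                return snap
        raise RuntimeError("no clean snapshot in history")


def run_cycle() -> dict:
    """Three backup cycles: unchanged, tampered, still tampered."""
    history = History(snapshot(BASELINE_CONFIG))
    clean = history.check(snapshot(BASELINE_CONFIG))
    first = history.check(snapshot(TAMPERED_CONFIG))
    second = history.check(snapshot(TAMPERED_CONFIG))
    return {
        "clean_alerted": clean.triggered,
        "tampered_alerted": first.triggered and second.triggered,
        "port_changes": first.port_changes,
        "restore_is_baseline": history.last_known_good().digest
        == history.versions[0][0].digest,
    }


if __name__ == "__main__":
    for key, value in run_cycle().items():
        print(f"{key}: {value}")
```

Two design choices are worth noting. The digest is taken over the normalized text, so a backup that differs only in whitespace or separator lines does not raise an alarm. And each snapshot is compared with the last known-good version rather than simply with the previous backup, so a manipulation that persists across several cycles keeps alerting instead of being silently accepted as the new baseline; for a honeypot switch, whose configuration must never change, that is the behaviour the operator wants.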

Cyberattacks on industrial facilities and public utilities have, unfortunately, become a reality. Because of the complexity of these largely automated environments, only a multi-layered approach can effectively protect against potentially dangerous losses. As part of this defense-in-depth strategy, honeypot scenarios such as this one are one component among many – a little more safety, certainty, and security for us and our environment.

Authors:

Dr. Thorsten Sögding & Stefan Schnackertz

