Who's Scanning Our Smart Grid?


Summary

In order to implement and fine-tune cyber defense mechanisms, it is crucial to know who are the potential enemies and what tactics they are using. In the general cyber security area, honeypot, a decoy system intended to attract cyber attackers, is considered as an effective measure to collect such threat intelligence. However, publication analysing such data is scarce, especially in industrial control systems and smart grid domain. In this paper, we discuss our findings based on the empirical study with 6-month network traces collected in low-interaction smart grid honeypot systems deployed in geographically different regions on Amazon cloud platform. In particular, we discuss actual attack patterns observed as well as insights from the data-driven study on access/attack patterns, correlations among different locations, and dynamics in access sources, some of which are considered effective when configuring security mechanisms such as firewall and intrusion detection systems.

Honeypot Configuration

In this study, we set up 5 AWS instances on different geographic locations, namely Singapore, The US (Ohio), Canada, Germany, and Brazil. We set up TCP listeners on the ports listed in the paper linked below. As can be seen in the paper, we utilized simple server programs for IEC 60870-5-104 and IEC 61850, which provide responses according to the protocol. Because we did not emulate further system/device details, we claim they are categorized as low-interaction honeypot. During the study, we checked Shodan entries (https://www.shodan.io) about our honeypot instances, and confirmed that they are not flagged as honeypot, but are registered as ICS devices. Each honeypot instance runs Wireshark network protocol analyzer to capture hourly network traces. We ran our honeypot instances for over 8 months from September, 2017 to April, 2018.

Publications

  • Daisuke Mashima, Yuan Li, and Binbin Chen
    Who's Scanning Our Smart Grid? Empirical Study on Honeypot Data    ,
    In Proceedings of IEEE Globecom 2019, Dec. 2019.
    [Paper]

Honeypot Network Traces

(c) Copyright 2015 Illinois at Singapore Pte Ltd