HoneyPLC: Advanced Honeypot for PLCs
Mainly Based on 27th ACM Conference on Computer and Communications Security (CCS ’20)

ABSTRACT
Today’s production and control systems rely heavily on a special-purpose computer, the programmable logic controller (PLC). It is used to automate and control processes that require high reliability and accuracy. Many PLCs are reachable from the internet, which has significant security implications. Because they are time-critical infrastructure, disruption of their service can cause economic and environmental problems, and the growing number of cyberattacks on these systems is a serious problem for infrastructure providers. As security features are largely absent in PLCs, malicious code injection is possible. In such a scenario, honeypots are deployed to identify and analyze the attack and the attacker’s techniques. Existing honeypots fall far short in capturing the data needed to understand and analyze evolving attack methods, and they are easily identified as fake systems by different tools. Moreover, their inability to capture malicious code injected into PLC memory is a serious limitation when analyzing the attacker’s strategy. To overcome these problems, a high-interaction honeypot, HoneyPLC, is presented which can capture injected malicious code and operate covertly while simulating different PLC models and vendors. The results of the experiments conducted to test its capabilities back the features claimed for HoneyPLC. HoneyPLC can therefore capture malicious code and support covertness by providing high interaction with an attacker, which makes it a valuable tool for information gathering in the ICS environment.

ACM Reference Format:
Sajjan Dharel. 2021. HoneyPLC: Advanced Honeypot for PLCs Mainly Based on 27th ACM Conference on Computer and Communications Security (CCS ’20). In Proceedings of . ACM, New York, NY, USA, 11 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn

1 INTRODUCTION
With the advancement of technology, more industries are shifting towards automation. Industrial automation is a process that helps in controlling input, output, and the operations performed by machinery with minimal human assistance. Critical infrastructure such as the power grid, water, oil, gas, and telecommunications uses automation. Industrial automation in this infrastructure aims to keep it running all the time for better productivity, usability, and effectiveness as planned. The untimely interruption of these systems can put human life in danger and cause great financial loss.

The control functionality of such industrial processes is provided by a small industrial computer called a PLC. PLCs are used to control critical electrical hardware like valves, pumps, and centrifuges. These computers are interconnected by nature, and putting them on the internet makes them an attractive target for attackers. Significant attacks have already been carried out on these computers, disrupting their normal operation. The famous attack on the nuclear enrichment facility in Iran, Stuxnet [13], showed how sophisticated attackers and their methods are. Only powerful institutions are capable of performing such sophisticated attacks, which need a long preparation phase and vendor knowledge of the industrial equipment in use. Many honeypots have been proposed to better understand attackers and their methods against PLCs. Though many exist, they are not sophisticated enough to gather information such as the malicious code injected into a PLC. The low level of interaction offered by these honeypots has a significant impact on the amount of data gathered. Even the high-interaction honeypots’ simulation of the network protocols used in real PLCs is not enough to capture sufficient data. Step-by-step protocol simulation is a big challenge, as PLC vendors do not publish detailed protocol documentation. Since different vendors use different products and protocols in their PLCs, creating a general framework is a daunting task.

The goal of this paper is to propose a high-interaction honeypot, HoneyPLC, the first honeypot capable of capturing malicious code injected into a PLC [1]. It provides sufficiently advanced simulation of network protocols such as SNMP, the TCP/IP stack, S7comm, and HTTP, all of which are found in real PLCs. The advanced protocol simulation allows this honeypot to interact with attackers at a high level. Similarly, the simulation of the S7 communication protocol used by PLCs allows HoneyPLC to capture malicious ladder logic code injected into the PLC. It supports simulation of PLCs from different vendors and is extensible. With its advanced simulation of the protocols found in real PLCs, it can interact with attackers like a real PLC device, hiding its nature from reconnaissance tools like Nmap and the Shodan API. This high-interaction honeypot, HoneyPLC, can be a significant tool for ICS and serve reliably for understanding attackers’ methods and techniques; afterwards, a security strategy can be developed based on the analysis of the attack.

This seminar work is organized as follows: Section 2 introduces industrial control systems with their typical components, vulnerabilities and threats to PLCs, and the types of existing honeypots and their limitations. Section 3 presents HoneyPLC in detail: its architecture, its components, how the components interact, and technical specifications. Section 4 presents the evaluation method, results, and the problems solved by HoneyPLC. Finally, the paper ends with the conclusion.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.
© 2021 Association for Computing Machinery.
ACM ISBN 978-x-xxxx-xxxx-x/YY/MM. . . $15.00
https://doi.org/10.1145/nnnnnnn.nnnnnnn
Unpublished working draft. Not for distribution.
2021-01-31 00:43. Page 1 of 1–11.
2 BACKGROUND AND RELATED TOOLS
This section covers Industrial Control Systems (Sec. 2.1), Understanding PLCs (Sec. 2.2), Vulnerabilities and Threats in PLCs (Sec. 2.3), the S7 Communication Protocol (Sec. 2.4), Related Tools (Sec. 2.5), Injecting Malicious Code into PLCs (Sec. 2.6), Famous ICS Attacks (Sec. 2.7), Types of Honeypots (Sec. 2.8), Existing Honeypots (Sec. 2.9), and Limitations of Existing Honeypots (Sec. 2.10).

2.1 Industrial Control System
The National Institute of Standards and Technology (NIST) [2] defines an “industrial control system (ICS)” as an information system used to control industrial processes such as manufacturing, product handling, production, and distribution. Industrial control systems comprise different types of control systems, including supervisory control and data acquisition systems (SCADA), used to control geographically dispersed assets, as well as distributed control systems (DCS) and smaller control systems using programmable logic controllers (PLCs) to control localized processes.

The industries that rely heavily on such industrial processes are electric, water and wastewater, oil and natural gas, chemical, transportation, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing (e.g., automotive, aerospace, and durable goods). These industrial processes are controlled by different control components, electrical, mechanical, or hydraulic, to achieve an industrial objective. These control components are in turn driven by numerous control loops, human interfaces, and remote diagnostics and maintenance tools.

A control loop uses sensors, actuators, and controllers such as PLCs to manipulate the controlled process. Sensors measure a property and send the measurement to the controllers. Controllers interpret the signal and generate a corresponding output based on the control algorithm in use and the desired target, and send that signal to actuators such as valves, breakers, and switches, which directly manipulate the controlled process according to the controller’s commands. Human interfaces are used to monitor and configure setpoints and control algorithms and to adjust and establish parameters in the controller. Operators and engineers use human machine interfaces (HMI), which also display process status and historical information. Lastly, diagnostics and maintenance utilities are used to prevent, identify, and recover from abnormal operations or failures.

2.2 Understanding PLC
A programmable logic controller (PLC) is a small computer with programmable memory for storing program instructions and various functions. It consists of a processor unit (CPU) that interprets inputs using the control program stored in memory and sends output signals, so it is capable of controlling manufacturing processes. Because it can control complex industrial processes, it is ubiquitous in ICS and SCADA environments. The most popular PLC manufacturers are Siemens [15], Allen Bradley [16], and ABB [17].

The PLC’s memory blocks store instructions that implement different functions such as input control, output control, counting, logic gates, communication, and arithmetic operations; the memory blocks hold both data and code. Different programming languages, such as Structured Text (ST), Ladder Diagram (LAD), Instruction List (IL), Function Block Diagram (FBD), and Sequential Function Charts (SFC), are used to program a PLC. The code is then compiled into MC7 assembly code and uploaded to the PLC’s memory. PLC programs are divided into units: organization blocks (OB), functions (FC), function blocks (FB), data blocks (DB), system functions (SFC), system function blocks (SFB), and system data blocks (SDB). The actual code resides in OBs, FCs, and FBs, while SFCs and SFBs are built into the PLC. DBs store data, and SDBs contain the current PLC configuration. Since programmers can access OBs, FCs, FBs, and DBs, we describe these blocks in detail:

• Data Blocks (DBs): They store data to be used by programs later. Different data types can be stored (e.g., Boolean, byte, integer).
• Functions (FCs): These hold the standard code; user-written code resides in FCs. Generally, FBs are referenced and run by an organization block.
• Function Blocks (FBs): Function Blocks are generally like Functions; the only difference is that they have their own memory. When a user creates a Function Block, an instance Data Block is generated. When an operation is more complex and requires memory, Function Blocks become useful.
• Organization Blocks (OBs): They form the interface between the operating system and the user program. They are called by the operating system, and whenever an event occurs, an OB is executed. There are several well-known OBs that serve specific roles. A PLC program consists of at least one organization block, OB1, which is used for the cyclic execution of user programs; it is like the main function of a traditional C program. OB35, for example, works as a standard watchdog that runs every 100 ms. The execution time of the main program is monitored by a watchdog, which kills the main program if its execution time becomes too long. So OB1 and OB35 are the primary targets of attackers.

2.3 Vulnerabilities and Threats in PLC
Today’s ICS systems have evolved by incorporating IT systems into existing physical systems, often replacing physical control mechanisms. The Fourth Industrial Revolution brought huge changes to the manufacturing industries by collecting and using information in real time to create smart factories. The goal is to sense, share, and control health, status, and operation data of the product in real time, resulting in increased efficiency and flexibility. The digitization of the factory requires communications and IT integration into the existing system with physical elements like PLCs, HMIs, and other machines.

The involvement of IT systems in industry enables more automation, more connectivity, easier control and maintenance, more production, more data handling, and greater efficiency in ICS. The introduction of IT capabilities into physical systems also presents security challenges. Similarly, open standards such as Ethernet and web technologies have become ubiquitous in industrial control systems, resulting in cybersecurity risks.

Attackers use the vulnerabilities found in IT systems to reach control machines like PLCs and disrupt the whole ICS. Remote connection for workers, partners, and customers to ICS
brings new security threats to the ICS. There are several vulnerabilities in PLCs themselves that are easy for attackers to target and exploit to cause chaos. PLCs also lack security features, which facilitates attackers.

PLCs are used in stand-alone applications, providing control for a single skid or an individual item of smart equipment that does not form part of the main system. Isolated, small nodes such as PLCs are more likely to be overlooked and neglected when it comes to implementing security.

Much of the technology is also dated. The lifetime of a PLC can be 15 to 20 years, and a PLC designed today will not be adequate in security terms 15 years later. The designs, therefore, do not address cybersecurity issues that largely did not exist at the time. Vendors have been slow to adapt the design and manufacture of PLCs [26]. The security threats that exist in PLCs need to be mitigated for a safer production environment. Some common attacks [25] that are possible on PLCs are presented below.

• Denial of Service Attacks: Bringing the system or PLC network down by overloading the memory or the communication process.
• Spoofing: Intercepting communication from the PLC to the host and presenting as a legitimate PLC.
• Man-in-the-Middle attack: A rogue PLC intercepts and changes messages from a valid source and forwards attack messages to the targeted PLC with the intention of gathering data and disrupting its function.
• Rogue PLC Joining the Network: A rogue PLC impersonating a legitimate PLC joins a factory network to create an attack scenario.
• PLC takeover: Changing the PLC program or boot image to alter the intended operations, or injecting malicious code into the PLC to obtain the desired output.
• Exploit remote device management: Using remote device management services such as web managers, telnet, or secure shell (SSH) running on the PLC for debugging to gain control of the PLC or change its configuration.

2.4 S7 Communication Protocol
The S7 Communication protocol (S7comm) is a Siemens proprietary protocol used for data exchange between PLCs and SCADA systems and for programming PLCs. S7comm relies on block-oriented ISO transport services.

Each block is called a PDU (Protocol Data Unit), and its length is negotiated during connection setup. S7comm is function oriented, or command oriented, meaning that each transmission contains a command or a reply to one. If a command does not fit in one PDU, it must be split across subsequent PDUs. First, a TCP connection on port 102 is established, then ISO-over-TCP setup proceeds to negotiate the PDU size, after which the remaining higher-level communication is in S7comm. At the network layer the communication is IP, and at the data-link layer it is Ethernet.

S7comm enables applications to list available blocks, read and write data, upload and download blocks, transfer blocks into the file system, request block information, and run diagnostics. However, S7comm does not have any kind of security feature, so anyone with access to the PLC network can read and write memory block data easily.

2.5 RELATED TOOLS
2.5.1 Nmap. Nmap (“Network Mapper”) [11] is a free and open-source tool for network discovery and security auditing. It is designed to rapidly scan large networks to find what services are running, which operating systems hosts run, what type of packet filters or firewalls are in use, and more. It sends raw IP packets to the scanned host and analyzes the responses to understand the system. Though it could help attackers understand a system, system administrators can use it to assess their own networks for vulnerabilities, for example to search for unauthorized servers or computers that do not follow their security standards.

2.5.2 PLCScan. PLCScan [19] is a utility that scans PLC devices over the S7comm or Modbus protocols. It is a Python script that gathers information about PLC devices; it can scan a network of PLC devices and collect information about each one. This information can help an assessment team that would otherwise gather information such as configurations from each PLC device manually, though it can cause issues on the production system by taking devices offline.

2.5.3 SHODAN. Shodan is a search engine [14] for finding devices connected to the internet. The devices it indexes can be power plants, Internet of Things devices, webcams, refrigerators, PLCs, routers, and more. Along with the devices, it also provides information about which ports and services are running on them. Moreover, it provides the Shodan API [27], which can be used to leverage Shodan’s advanced features like Honeyscore. Honeyscore is used to check whether a device is a honeypot or a real system.

2.5.4 SNMP Scanner. The Simple Network Management Protocol (SNMP) is used to monitor devices connected to a network. For monitoring purposes, it collects information about managed devices on IP networks; the same information can be used to change the behaviour of devices. In real time, we can use the information to identify and monitor the condition of devices. SNMP scanner [18] is a tool to facilitate scanning SNMP devices and collecting information.

2.6 Injecting Malicious Code into PLCs
The search engine Shodan comes in handy for finding industrial control devices connected to the internet. Though it may show only one PLC device inside a control system, that one device can be used as a gateway to scan and manipulate other devices on the network. PLCs support ISO-over-TCP connections, so a connection needs to be established before any other procedure. Once the connection is set up, commands can be used to request information from the PLC or upload blocks to it. The PLC offers a system library that contains functions for establishing arbitrary TCP/UDP communication, so an attacker uses this full TCP/UDP support to scan the local production network behind an internet-facing PLC.

Once the attacker has scanned the production network, he can leverage the internet-facing PLC as a gateway [5] to reach all the other PLCs or network devices. To scan the production environment, the attacker can inject an SNMP scanner along with the normal PLC code.
At this point, the attacker has to be aware of the timer: if the code execution takes more than 100 ms, OB35 (the organization block used as the watchdog) will kill the execution of the code. After scanning the whole network, the attacker removes the SNMP scanner and injects a SOCKS 5 proxy [28] into the PLC logic program. The next step is to connect to the discovered PLC devices. SOCKS is an internet protocol that exchanges network packets between client and server through a proxy server; SOCKS 5 additionally provides authentication for authorized users. Thus, the SOCKS 5 proxy enables the attacker to establish an error-free TCP connection to the target PLCs using the compromised PLC as a SOCKS proxy.

Finally, the attacker can use a tool like PLCinject to inject a malicious payload into the PLC. PLCinject is a research tool published by the SCADACS team [4] [5] capable of injecting arbitrary compiled ladder logic programs into a Siemens PLC memory block [12]. PLCinject uses the snap7 library [3], which simulates the Siemens S7comm protocol [20] and can be used to read and write the whole PLC memory, perform block operations, control the PLC, set a password, and more.

2.7 Famous ICS Attacks
This section briefly describes notable cyber-attacks on ICS.

2.7.1 Stuxnet. In 2010, a sophisticated attack on an Iranian nuclear enrichment facility, Stuxnet, made cybersecurity professionals change the way they think about their security approach. Though discovered in 2010, it is believed to have been under development since 2005 as a combined effort of the US and Israel. This sophisticated attack used four vulnerabilities in operating systems and services and damaged the centrifuges used in the nuclear program. The attack targeted only PLCs made by Siemens and changed their ladder logic code to cause the damage. The PLCs were used to control the rotation of centrifuges, and the injected malicious code changed the rotation frequency, damaging the centrifuges. This kind of attack needs a detailed understanding of the facility, the devices, the security system, the operating system, and the protocols in use. Stuxnet initially spread using an infected USB drive and then exploited vulnerabilities of the system. It even hid itself from the security software used on the system by registering as a service with certificates signed with a stolen key. Stuxnet was designed carefully enough to hit only its targets and leave other machines alone. This attack proved how sophisticated attackers and their methods can be.

2.7.2 Kemuri Attack. In 2016, a monthly IT security breach report from Verizon Security Solutions described an attack on a water treatment system run by the Kemuri Water Company [21]. As a result, attackers were able to manipulate the valve controlling the flow of chemicals, change the water flow level, and steal around 2.5 million records containing customer payment information. The water utility’s SCADA platform was powered by an IBM AS/400 system that connected both OT, such as the water district valve and flow control application, and IT functions, such as the financial systems that store customer and billing information, and this platform was targeted by the attacker. They exploited a vulnerability in the payment application server, which stored the internal IP address and admin credentials for the AS/400 system.

The compromised AS/400 system, which ran the valve and flow control applications, was used to manipulate the programmable logic controllers that regulated the valves and ducts controlling the flow of water and chemicals. The attackers were able to manipulate the application settings and the amount of chemicals used in the water supply. They were able to handicap the water treatment and production capabilities so that the time needed to replenish water supplies increased. The report also stated that the attackers lacked knowledge of the SCADA system, so the consequences were not serious.

2.7.3 German Steel Mill attack. The 2014 annual report of the German Federal Office for Information Security (BSI) mentioned that hackers infiltrated the control system of a steel mill in Germany, resulting in the loss of its blast furnace. The blast furnaces contained molten metal heated to thousands of degrees. No physical injuries were reported, but the facility suffered massive damage. This attack is one of only a few attacks on industrial systems known to have caused physical damage, like Stuxnet damaging centrifuges in the Iranian nuclear plant.

The attack started with a spear-phishing campaign, emails targeted at individuals to obtain sensitive information. The targeted emails helped the attackers extract the information they needed to gain access to the plant’s office network and eventually the production system. The report stated that the attackers had an aptitude for OT (operational technology) and IT (information technology) systems as well as the software used to oversee and administer them once inside the mill’s network. The attackers overrode the controls of a blast furnace, blocking access and preventing workers from regaining control; workers were unable to shut down the blast furnace as a result of the attack.

2.8 Types of Honeypots
A honeypot is specifically designed to lure attackers and gain information on the processes and techniques they use to disrupt a system. A honeypot is purposely left open to attackers in a network, so it must avoid being recognized as a fake system by providing interaction like a real system. Though it has no value of its own, once an attacker interacts with it, the information it gathers becomes valuable. That data can be highly valuable for discovering new attack methods and new types of malicious code and patterns. Depending on the design criteria, honeypots are categorized as low-interaction and high-interaction honeypots, while based on their use they are classified as research honeypots and production honeypots.

2.8.1 Levels of Interaction. Honeypots can be categorized into different types depending on the amount of interaction they can have with the attacker. The more interaction, the more information can be gathered. The commonly used categories are low-interaction honeypots and high-interaction honeypots.

• Low-Interaction Honeypots: These honeypots provide a minimum level of interaction to attackers. They provide minimum functionality by simulating those resources that are mostly requested or targeted by
attackers. They gather limited information about attackers and require minimal setup to do so. But there is nothing more to keep the attacker engaged for the longer term, which may in turn reveal the honeypot, and the attacker might not try to complete the attack. They can be set up with simple scripts or commands like listening on port 80. This kind of honeypot has nothing more to offer attackers who want to try all their skills, which makes these honeypots ineffective in industrial systems for gathering information about attack vectors.
• High-Interaction Honeypots: High-interaction honeypots are the opposite of low-interaction honeypots; they provide interaction like a real system. This kind of interaction engages an attacker for a longer time, making him try all his weapons. The purpose of this type of honeypot is to capture more information from attackers and understand the methods and logic used in attacks. Building this type of honeypot requires more effort and resources. Because it interacts like a real system, it is hard to detect but expensive to maintain. To set up these honeypots, we need to run either a virtual host or a physical machine hosting the services the honeypot requires.

2.8.2 Classification Based on Purposes. Honeypots can be classified into research and production honeypots based on the purpose for which they are set up in the environment.

• Research Honeypots: These honeypots are set up to collect more information about attackers, how they attack, what kinds of tools they use, and the malicious code they inject. The sole purpose is learning. So this kind of honeypot does not provide direct benefit to the organization, but the information gathered from it can be much more valuable. Research honeypots are mainly found in universities, military organizations, government organizations, and research laboratories. They are difficult to configure and maintain.
• Production Honeypots: Production honeypots are deployed inside an organization’s environment for its benefit. They mimic the production network and the devices they inhabit. They are easier to deploy and configure, as they offer only the far smaller set of functionality needed for a particular environment. They are deployed alongside other security measures to improve the overall security of a system. As they offer far less functionality, the amount of information gathered is also limited.

2.9 Existing Honeypots
Several honeypots have been proposed and used for PLCs. Among the low-interaction honeypots, the SCADA HoneyNet Project [6] is the first framework to simulate a variety of industrial networks like SCADA and DCS. It is regarded as a low-interaction honeypot because its services are only partially implemented, using Python scripts.

Gaspot [10] is used to simulate the gas tank gauges used in the oil and gas industry to help with fuel inventory. It can be used to change temperature, tank name, and volume. It was also written as a Python script.

Gridpot [22] is an open-source tool to simulate electricity grids, while Conpot [9] was designed to simulate a particular PLC device. By default it simulates a Siemens S7-200 PLC and is designed to be easy to deploy, extend, and modify. It can be modified to support additional profiles by editing an XML file, and it provides templates in the form of XML files. It supports the S7comm, Modbus, SNMP, and HTTP protocols. Though it supports many protocols, it is still a low-interaction honeypot: the interaction with these protocols is not advanced.

The high-interaction honeypot S7commTrace [24] is based on the Siemens S7 protocol. It supports more function and sub-function codes in its protocol simulation, which results in higher interaction with the attacker.

CryPLH [23] is a high-interaction honeypot that is largely indistinguishable from the real device from the attacker’s perspective, simulating services on a Linux host. It simulates HTTP, HTTPS, S7comm, and SNMP services on a Linux host and accepts connections on specific ports. The S7comm protocol is simulated by showing an incorrect-password response, and the TCP/IP stack is simulated via the Linux kernel.

2.10 Limitations of Existing Honeypots
Though several honeypots exist, none is capable of capturing ladder logic code. Similarly, the existing honeypots have limitations that restrict their ability to gather information. This section details the limitations of existing honeypots.

• Covertness: The goal of a honeypot is to gather as much information as it can. If the attacker recognizes that the machine is a honeypot, he will stop investing time and resources, and no more information can be gathered. So not being identified by reconnaissance tools like Nmap and the Shodan API is a general requirement for a honeypot. In this sense, the SCADA HoneyNet project does a decent job, but CryPLH, which uses a Linux host for simulation, is caught by the Nmap tool, revealing its nature. HoneyPLC is far ahead of other honeypots thanks to advanced network simulations that deceive reconnaissance tools.
• Malware collection: Attackers and malware are getting better day by day, so capturing the actual logic code becomes important for better understanding and analysis, and honeypots become important in this sense. The previously existing honeypots mentioned above have no such capability. HoneyPLC provides the novel feature of capturing the logic code targeted at PLCs.
• Extensibility: Since there are different types of PLCs with different kinds of protocols and services running, a single honeypot that has to simulate all these devices is complex. The existing honeypots support one or two devices out of the box (Conpot, for example, supports the S7-200 PLC) and can support others by manually editing an XML file. Manual editing might lead to errors and reveal the honeypot’s nature to an attacker. So limited extensibility has been a drawback, and a new honeypot is required to eliminate this issue. HoneyPLC performs better in this regard by simulating 5 different devices out of the box, and with simple customization it can support more. The extensibility feature makes HoneyPLC a better suited
honeypot for ICS environments containing PLCs of different vendors.
• Limited Interaction: The more interaction there is with the attacker, the more information can be gathered from them. For more interaction, the protocols and services need to be simulated as a real PLC possesses them. Since PLC manufacturers do not reveal detailed documentation of their protocols, it is hard to simulate the actual protocols. But the existing honeypots do not even support TCP/IP stack simulation, which stops them from extracting valuable information. The low-interaction honeypots do not have this facility, and the high-interaction honeypots also do not simulate it properly. HoneyPLC eradicates this problem by simulating various network protocols.

3 HIGH INTERACTION AND ADVANCED HONEYPOT FOR PLC
Figure 1: HoneyPLC Architecture

This section gives a detailed idea of how HoneyPLC works, its components, and their interaction, together with a use case scenario, eliminating the limitations of existing honeypots mentioned in section 2.10.

3.1 Components
3.1.1 PLC profile repositories: This is a database for a collection of different kinds of PLC profiles. It contains the data required to simulate different kinds of PLCs. It communicates with the other two modules, the Integration Framework and Network Services. It contains three different datasets required for HoneyPLC to simulate the different services offered by a real PLC.
• SNMP MIB: An industrial control system consists of network devices that need to be managed. The PLCs in such a system are the SNMP agents and send up-to-date information to the SNMP manager. Since the SNMP protocol needs to be simulated, the PLC devices hosting SNMP agents are responsible for providing management information. In such a case, the MIB describes a set of objects. Thus, a custom MIB is necessary for the honeypot to provide a simulation of the SNMP protocol.
• NMAP fingerprint: When an attacker tries to fingerprint a device, they use a reconnaissance tool like Nmap to gather information. Thus, a HoneyPLC profile records the Nmap fingerprint of a real PLC device. It is just a plain text file used to simulate the TCP/IP stack of a particular PLC device. This fingerprint allows the honeypot to effectively engage and disguise itself against tools like Nmap.
• Management Website: Some PLC devices even contain a website used for configuration and other purposes. The PLC profile contains a copy of such a website with the necessary files like CSS, images, and HTML needed for complete loading.

3.1.2 Integration Framework: The integration framework is also called the Honeyd Framework. It uses the Honeyd framework [7] and sits in the middle between the attacker and the services offered by HoneyPLC. When an attacker tries to fingerprint the honeypot using tools like PLCScan and Nmap, the request is handled by the integration framework. This contains two major components, Subsystem Virtualization and the Personality Engine. The Personality Engine allows HoneyPLC to provide a sophisticated TCP/IP stack simulation that fools tools like Nmap. Subsystem Virtualization enables redirecting network traffic to the simulated services in the Network Services module. It sits between attackers and the different services offered by HoneyPLC, forwarding traffic between them. This component helps in alleviating the problem of limited extensibility.

3.1.3 Network Services: This module in HoneyPLC is responsible for simulating the different kinds of network protocols used in real PLCs. Different components inside Network Services handle different operations. The S7comm server provides the simulation of the Siemens proprietary protocol, which is used for communication between PLCs, for accessing PLC data from SCADA, and for diagnostic purposes. It also helps in capturing the ladder logic program injected by the attacker, providing a novel feature in the honeypot. The SNMP agent provides an advanced simulation of the SNMP protocol with plausible data. Any SNMP request will be handled by this component. The HTTP server within Network Services is responsible for hosting simulations of the websites found in real PLCs.

3.1.4 Interaction Data: This is a repository used to keep track of all the interactions by attackers with HoneyPLC and the maliciously injected code. It holds two different types of data. The logs produced by the components of Network Services (S7comm server, SNMP agent, HTTP server) are kept in Interaction Data. Similarly, it also records the malicious ladder logic program injected by the attacker via the S7comm server. This module interacts with the Network Services module, where all the components are configured to maintain logs.

3.2 Profiler Tool to create Profile
The HoneyPLC Profiler Tool is an essential tool for creating profiles that are later stored in the Profile repositories and used to simulate a PLC. This tool only requires the IP address of a real PLC to create a profile. With a series of queries, the tool will be able to create a
complete profile with 3 different data sets in a custom directory to simulate a target PLC. This tool interacts with 3 different applications: Nmap, wget, and snmpwalk. Nmap is used to get the TCP/IP stack fingerprint of the actual PLC, which is later served to the attacker. To get a better fingerprint, all well-known TCP and UDP ports are also scanned. Wget is used to download the website stored in the real PLC, if present. snmpwalk is used to collect all the object IDs used for creating a MIB. After all OIDs are collected, a MIB identical to the real PLC's is generated.

3.3 Simulation of Protocols
To simulate the different network services offered by HoneyPLC, various Honeyd capabilities, including the personality engine, configuration files, and subsystem virtualization, are used. The configuration file (Syntax 1) is a simple text file that should follow a context-free grammar with correct syntax. The commands used in configuration files allow Honeyd to change the personality of a honeypot. The commands consist of creating a subsystem and setting up a virtual host with the required personality, port behaviour, and network space commands. At first, a base subsystem is created; then a host is created by cloning the base subsystem. This host acts as the actual virtual honeypot, and the personality can be set as desired by assigning an IP address and ports to it.
Honeyd simulates the TCP/IP stack of computer systems as well as TCP and UDP services. It provides interaction at the network level only because of its low-interaction nature. Summing up, Honeyd is just a small daemon that creates many virtual hosts on a network, and these hosts can be configured to run arbitrary services. The personality can be adapted to appear as the desired system.

# Template that every simulated PLC host is cloned from
create base
# Run the S7comm server as a Honeyd subsystem on the template's address;
# "restart" relaunches it if it exits
add base subsystem "/honeyd/s7commServer" shared restart
# Virtual host derived from the template, with the Nmap personality to present
clone host1 base
set host1 personality "Siemens Simatic 300 PLC"
# bind attaches the host template (host1) to the IP address Honeyd answers for
bind 172.16.0.1 host1

Syntax 1: Honeyd Configuration File

3.3.1 TCP/IP simulation: Representing a particular device and providing details about the device is done by Honeyd. When an attacker tries to fingerprint a device to understand it and find a vulnerability in a system, they use tools like Nmap. So HoneyPLC needs to interact with the attacker and provide information about devices and services. For this, HoneyPLC first fingerprints a real PLC device using Nmap to generate a detailed TCP/IP stack fingerprint. Then these fingerprints are integrated with the Honeyd fingerprint database by appending them to Honeyd's nmap-os-db text file. At a later point, when the attacker tries to fingerprint the host using Nmap, the HoneyPLC Integration Framework replies with the appropriate information.

3.3.2 S7 communication (S7comm) simulation: This is a Siemens proprietary protocol that runs on PLCs of the S7-300/400 family. The S7comm server within Network Services is responsible for the simulation of S7comm and exposes several memory blocks via TCP port 102. For the simulation, the information obtained from the Wireshark wiki [8] and the third-party Snap7 project is used. The Snap7 project is recompiled with some added features, like logging the interactions and ladder logic capture, along with PLC specifications like CPU model, serial number, and others. The newly added feature of capturing the ladder logic program makes HoneyPLC a sophisticated honeypot. With this feature, the uploaded ladder logic code can be analyzed at a later point to extract new attack patterns. This feature mitigates the problem mentioned in section 2.10.

3.3.3 SNMP agent: The SNMP agent installed within the HoneyPLC framework provides an advanced simulation of the SNMP protocol. SNMP agents are installed in real PLCs, where they are used for monitoring purposes and listen for requests over UDP port 161. In practice, an SNMP setup includes a Manager and an Agent, where the Manager asks the Agent for up-to-date information. An SNMP agent exposes a set of data known as the Management Information Base (MIB). So, to implement the agent, the SNMP agent in the Network Services module uses snmpsim, which simulates the agent based on real-time data or archived MIB data. When the attacker requests data, the SNMP agent replies with the OIDs of the real PLC.

3.3.4 HTTP Server: HoneyPLC's HTTP server provides the simulation of the HTTP server and websites of real PLCs. Most Siemens PLC devices include an optional HTTP service for configuration purposes. Lighttpd, a lightweight web server designed for high performance, is used to handle this service. When an attacker requests the service, the lighttpd server handles the queries and replies with the website data stored in the PLC profile.

3.4 Attack Module and Response by HoneyPLC
A honeypot is set up to attract attackers so that they interact with it. At first, attackers try reconnaissance tools like Nmap and PLCScan in the information-gathering phase. When HoneyPLC gets a request, it is handled by the Personality Engine based on features provided by the Honeyd tool. Honeyd simulates a particular device, and the Personality Engine uses the appropriate fingerprint contained in the PLC profile. Once the attacker is convinced the device is not a honeypot, they try further attack methods, communicating with and requesting more services from the honeypot.
Later, the attacker tries to initiate an S7comm connection to find out the PLC memory blocks. The connection is at first handled by the Honeyd framework and then forwarded to the Network Services module, eventually reaching the S7comm server. The S7comm server, which exposes several memory blocks, replies with the appropriate information, and the Integration Framework forwards the replies to the attacker. At the same time, the S7comm server logs all the interactions, including the attacker's IP address, the accessed memory block, and the timestamp.
When an attacker finds the appropriate memory block, he tries to upload malicious code into the memory. Tools like PLCinject are used to inject the malicious code, overwriting the existing code. An example is presented in Syntax 2, showing how PLCinject tool commands work. Once malicious code is injected, the HoneyPLC
S7comm server writes the malicious code into a repository managed by the Interaction Data module.
After this, two things might happen: first, the attacker may continue interacting with HoneyPLC to get more information, or second, stop further communication.

plcinject -c 10.0.0.1 -p OB1 -b FC1000 -f /home/user/PATH

Syntax 2: Example PLCinject. This command injects OB1 with function block FC1000 located at /home/user/PATH. It then downloads all blocks in /home/user/PATH and the modified OB1 back to the PLC.

3.5 Logging
The HoneyPLC module is written to collect logs, and those logs are stored in Interaction Data. The S7comm server keeps a record of the IP address of the attacker, the timestamp, and the memory block ID. The S7comm server writes all logs, including malicious code, into the Interaction Data module. Similarly, snmpsim logs IP information, which OIDs were accessed, and the timestamp, while the Lighttpd web server logs the IP address, timestamps, and the accessed web files into Interaction Data. All these data are important for analysis at a later point. This makes HoneyPLC a better honeypot compared to all the others.

3.6 Ladder logic code Injection and Collection
The novel ladder logic capture in HoneyPLC is supported by the S7comm server. As the S7comm server uses the snap7 library for the simulation of the S7comm protocol used by Siemens PLCs, it exposes several memory blocks to an attacker. The attacker then uploads malicious code into that memory block using the PLCinject tool, trusting it to be a real PLC. The S7comm server will then write this code into Interaction Data, where it can be analyzed at a later point to understand the attack vector together with the other interaction logs, like IP address, timestamp, and the accessed memory block.

4 EVALUATION AND RESULTS
HoneyPLC is designed to mitigate the problems stated in section 2.10. In this section, we present how these problems are tackled by HoneyPLC, making it one of the sophisticated honeypots for PLCs.

4.1 Extensibility
Featuring different kinds of PLCs from different manufacturers is a challenging task. Since each manufacturer has its own proprietary protocol and services running on different ports, one honeypot featuring a distinct profile for each becomes difficult. This section covers the experiments and results based on the extensibility feature of HoneyPLC with different vendor-specific PLCs.

4.1.1 Siemens PLC. Three different Siemens PLCs, the S7-300, S7-1200, and S7-1500, were again chosen for the experiment. These PLCs were connected with Ethernet cables, and an IP address was set up with Siemens Step7 Manager, whereas a laptop host was deployed with Python3 and the HoneyPLC Profiler Tool. Each PLC was connected to the host, and the Profiler Tool was used to create a profile of each. Creating a profile just needs the IP address of the PLC and the name of the directory. When the Profiler Tool started querying for the different data sets needed in creating profiles, progress messages were displayed, including error messages. A little difficulty was faced in downloading the PLC websites, including images and HTML paths. Similarly, to get a better Nmap fingerprint, the number of ports to be scanned was expanded.
The experiment took around 5 minutes to create each profile. Manual modification was done for the broken links in the HTML files. These results were saved for the remaining experiments. Future work on this honeypot should be able to remove the manual changes needed for creating a profile.

4.1.2 Allen-Bradley and ABB PLCs. Since Siemens PLC profiling was not a difficult task, testing PLCs from different vendors would prove how well the HoneyPLC extensibility feature works. The same environment as for the Siemens PLCs was set up for the Allen-Bradley MicroLogix 1100 and the ABB PM554-TP-ETH PLCs. In addition, the software tools provided by the vendors were used to configure the IP address needed for the HoneyPLC Profiler Tool.
Though successful profiling was possible for both PLCs, a few challenges were faced because of the different protocols, ports, and services they use in their PLCs. Like the Siemens PLCs, the Allen-Bradley MicroLogix 1100 uses port 80 for a light web server, but the ABB PM554-TP-ETH does not support this feature. In addition, both these PLCs fail to support the SNMP service, hindering the retrieval of the MIB database. Moreover, the Allen-Bradley MicroLogix 1100 PLC uses the Ethernet/IP protocol for configuration purposes and for uploading the ladder logic program, as compared to the Siemens S7comm protocol, whereas the ABB PM554-TP-ETH PLC uses the Nucleus Sand Database for database record keeping. So, to cooperate well, small changes were required in HoneyPLC, like scanning port 2200 and opening port 1201 to simulate Nucleus Sand DB.
These results clearly proved that HoneyPLC supports 5 different PLCs out of the box, as compared to other honeypots, which support one to two PLCs. Though it supported the simulation of 5 different PLCs, supporting a greater number of PLCs is a task for future work.

4.2 Concealing its Nature
A honeypot revealing its nature to the attacker will stop the attacker's motive and resources. So, concealing its nature from different kinds of reconnaissance tools is an essential characteristic of a honeypot. Results from experiments with tools like Nmap and PLCScan, compared with other existing honeypots, are presented below.
For the experiment, two different computers were set up: one for the installation of Nmap and PLCScan, and one for HoneyPLC. On the HoneyPLC host, additional components like Honeyd, Lighttpd, snmpsim, and the s7comm server were also installed. The laptop containing Nmap also includes the three Siemens PLC fingerprints in Nmap's fingerprint database nmap-os-db.
Additionally, another host was set up with three different Siemens PLCs (S7-300, S7-1200, S7-1500) for baseline comparison with the honeypots. Each PLC model and honeypot was scanned with Nmap's OS detection 10 times. Similarly, PLCScan was used to scan each PLC profile in the same way. In addition, S7commTrace, SCADA HoneyNet, and Conpot were scanned with Nmap's OS detection enabled
10 times.

Figure 2: Nmap Scan Results. All three profiles received at least a 90 percent confidence rate.
Figure 3: Shodan Honeyscore Results. HoneyPLC profiles are ass
igned similar scores to real PLCs.

The result seemed exciting with Nmap, as the real PLCs get the best confidence, with HoneyPLC following closely. Fig. 2 clearly shows how close the HoneyPLC profiles are to real PLCs. Similarly, the PLCScan experiments were successful, with HoneyPLC showing real PLC data for all PLC profiles. In the Nmap results, SCADA HoneyNet was identified as a Siemens CP 343-1 PLC, and the others were identified as Linux OS with 100 percent confidence. PLCScan identified Conpot as an S7-200, while the others showed an empty report. HoneyPLC clearly wins against the other honeypots.
Similarly, Shodan Honeyscore, part of the Shodan API, checks whether a device is a honeypot or not. Both Shodan and its API are actively used in practice to find devices on the internet and to determine whether a particular device is a honeypot or not with a high degree of accuracy. As Honeyscore works only when the system is deployed on the internet, the testing systems were put in a public environment. The score ranges from 0.0 to 1.0, with 0 meaning the host is a real system and 1.0 meaning it is a honeypot. Shodan uses its own algorithm to assign the scores.
The experiment was set up with three different HoneyPLC profiles set up in AWS EC2 instances (Ubuntu 18.04) and 4 AWS instances for Gaspot, S7commTrace, SCADA HoneyNet, and Conpot, exposing TCP ports 80 and 102 and UDP port 161.
It took about a week for Shodan to index these instances on the internet. The results of the Shodan experiment are depicted in Fig. 3. Shodan Honeyscore assigned 0.0 to the S7-300 profile, while the S7-1200 and S7-1500 were assigned scores of 0.3. The Conpot instance was also assigned a 0.3 Honeyscore. The other honeypot instances, Gaspot, S7commTrace, and SCADA HoneyNet, were not even indexed by Shodan, as they crashed while Shodan's crawler tried to interact with them. This adds more evidence that HoneyPLC is effective at maintaining covertness.

4.3 Experiment on Ladder Logic Capture
The goal of this experiment is to demonstrate the novel feature of HoneyPLC, ladder logic capture. A test environment was created and exposed on the internet to check this capability of HoneyPLC, with the hope that an attacker would inject malicious code that could then be analyzed later to reveal the attack methods. An experiment was set up with three different HoneyPLC profiles set up in AWS EC2 instances (Ubuntu 18.04) and 4 AWS instances for Gaspot, S7commTrace, SCADA HoneyNet, and Conpot, exposing TCP ports 80 and 102 and UDP port 161. Then another host with Ubuntu 18.04 LTS was installed with the PLCinject tool, which is used to upload ladder logic code.
An AWS instance with HoneyPLC installed runs the S7comm server and exposes several memory blocks where malicious ladder logic programs can be uploaded. So, by using the PLCinject tool, sample code was injected into HoneyPLC, and a log was maintained with the uploaded code and timestamp. The Gaspot honeypot, by contrast, shows that it is not possible to inject; Conpot shows a TCP connection over port 102, but a program upload is not possible; and S7commTrace established no connection. SCADA HoneyNet shows that the upload function started, but after the function ended there was no sample code saved or even transmitted. This experiment also mitigates the problem stated in section 2.10.

4.4 Interactivity
Compared with the honeypots used for experimental purposes in the above cases, HoneyPLC performed better in every aspect. Its capability to capture ladder logic code, support different brands of PLCs, and remain covert against reconnaissance tools proved that its interaction with protocols, services, and devices is much better than that of other honeypots. The advanced simulation of the different protocols supported by a real PLC provides HoneyPLC with high interaction, as with a real PLC. These high interactions are important for extracting valuable information from attackers and their tools.

4.4.1 Interaction with Step7 Manager. To test the capabilities of the HoneyPLC S7comm server against Step7 Manager, another test was designed. Step7 Manager is Siemens software used to configure, program, test, and diagnose PLCs.
For this experiment, a Windows XP virtual environment installed on a desktop host was set up. Additionally, HoneyPLC with three profiles and the other honeypots used in the previous experiments were
set up in different Ubuntu 18 LTS VMs and connected to the Windows XP host.
Then, Step7 Manager was used to list all memory blocks, upload memory blocks, and then download the uploaded block in all honeypots to test its compatibility with the honeypots.
The results proved that HoneyPLC can handle all these functions, whereas the other honeypots threw connection timeout errors. Though S7commTrace simulates the S7comm protocol well, HoneyPLC's simulation of the S7comm protocol through the S7comm server is better, supporting more functions and sub-functions. HoneyPLC supports 13 functions and 18 sub-functions, whereas S7commTrace supports 12 and 14, respectively. The extra function (error response) and sub-functions (delete block and insert block) are important when injecting ladder logic code. Moreover, HoneyPLC's novel feature of capturing ladder logic code is not available in the S7commTrace honeypot.

4.4.2 Internet Interaction Experiment. An additional experiment was set up to find out how HoneyPLC interacts with external agents like attackers. As attackers try to find exposed devices on the internet, HoneyPLC profiles were put on the internet. Three AWS EC2 instances were deployed exposing TCP ports 80 and 102 and UDP port 161, each one equipped with a HoneyPLC profile for the S7-300, S7-1200, and S7-1500. These instances were kept on the internet for 5 months, and the results were analyzed from the logs maintained by these HoneyPLCs.
More than 5GB of data were collected, and each PLC profile received different S7comm function commands. This proved that attackers interacted with these profiles for longer than only fingerprinting the device using Nmap. This fact also proved that attackers were deceived by the HoneyPLC profiles into taking them for real PLCs. The S7-300 profile received 4 PLC Stop functions, which stop the execution of the current ladder logic program. This logged result suggests that external agents tried to disrupt the PLC's operation. Similarly, the deployed honeypots also received thousands of HTTP conversations and logged multiple authentication attempts on the administration websites, including usernames and passwords. Attackers also tried several times to download the MIBs recorded in the PLC profiles using SNMP requests. Though no evidence of malicious code injection was found, the experiment proved that the HoneyPLC profiles were successful in defeating the reconnaissance tools and that attackers were heavily interacting with them. Additionally, Table 1 shows that the S7comm server received connections from different countries. The table clearly indicates that attackers from the United States, China, and Russia are the most active, compared to other countries, in communicating with the S7comm server. This experiment supports the idea that HoneyPLC interacts better and clearly mitigates the problem of limited interactivity.

Table 1: S7comm Connections Received by Geolocation

Geo-Location     S7-300   S7-1200   S7-1500
United States       359       142       250
Russia               28        12        14
China                42        16        26
Netherlands          22        13        11
Germany              18         9        12
Japan                 8         2         2
France               10         5         7
Romania               6         2         4

5 CONCLUSION
As attackers and attacking methods are getting more sophisticated, the security systems for industrial control systems (ICS) need to be more advanced than ever. An attack on an industrial control system can lead to socio-economic problems. Gathering information about the attack methods and payloads used in an attack is important for analyzing and developing a security strategy for ICS. This paper proposed HoneyPLC, a high-interaction honeypot for the programmable logic controllers in ICS. With the results from the experiments provided above, this honeypot is much better than the remaining honeypots. The novel feature of capturing ladder logic code, the better covertness, and the support for PLCs of different vendors make HoneyPLC a better honeypot, which can be a helpful tool for critical infrastructure.

REFERENCES
[1] Efrén López Morales, Carlos Rubio-Medrano, Adam Doupé, Yan Shoshitaishvili, Ruoyu Wang, Tiffany Bao, and Gail-Joon Ahn. HoneyPLC: A next-generation honeypot for industrial control systems. 2020.
[2] K. Stouffer, S. Lightman, V. Pillitteri, M. Abrams, and A. Hahn. Guide to industrial control systems (ICS) security. National Institute of Standards and Technology, 2014.
[3] Davide Nardella. Snap7. http://snap7.sourceforge.net/. 2018.
[4] Scadacs/plcinject. https://github.com/scadacs/plcinject. 2020.
[5] Johannes Klick, Stephan Lau, Daniel Marzin, Jan-Ole Malchow, and Volker Roth. Internet-facing PLCs - a new back orifice. In Blackhat USA (2015), pages 22–26, 2015.
[6] SCADA HoneyNet project: Building honeypots for industrial networks. http://scadahoneynet.sourceforge.net/. 2020.
[7] Datasoft/honeyd. https://github.com/datasoft/honeyd. 2020.
[8] S7comm - the Wireshark wiki. https://wiki.wireshark.org/s7comm. 2016.
[9] mushorg/conpot. https://github.com/mushorg/conpot. 2020.
[10] Stephen Hilt. Gaspot released at Blackhat 2015. https://github.com/sjhilt/gaspot. 2020.
[11] Gordon Lyon. Nmap: the network mapper - free security scanner. 2020.
[12] Robert M. Lee, Michael J. Assante, and Tim Conway. German steel mill cyber attack. SANS ICS, 2014.
[13] N. Anderson. Confirmed: US and Israel created Stuxnet, lost control of it. Ars Technica, vol. 1, 2012. 2020.
[14] J. Matherly. Complete guide to Shodan, vol. 1. 2015.
[15] Siemens. The intelligent choice for your automation task: SIMATIC controllers. https://new.siemens.com/global/en/products/automation/systems/. 2020.
[16] Allen-Bradley. Programmable controllers and programmable automation controllers. https://www.rockwellautomation.com/en-us/products/hardware/allen-bradley/programmable-controllers.html. 2020.
[17] ABB. PLC automation. https://new.abb.com/plc. 2020.
[18] SolarWinds. SNMP scanner. https://www.solarwinds.com/network-performance-monitor/use-cases/snmp-scanner. 2020.
[19] Justin Searle. Plcscan. https://github.com/meeas/plcscan. 2015.
[20] Gyorgy Miru. Siemens S7 communication. http://gmiru.com/article/s7comm/. 2016.
[21] Eduard Kovacs. Attackers alter water treatment systems in utility hack. https://www.securityweek.com/attackers-alter-water-treatment-systems-utility-hack-report. 2016.
[22] sk4ld. Gridpot. https://github.com/sk4ld/gridpot. 2016.
[23] D. I. Buza, F. Juhász, G. Miru, M. Félegyházi, and T. Holczer. CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot. In International Workshop on Smart Grid Security, pp. 181–192, Springer, 2014.
[24] F. Xiao, E. Chen, and Q. Xu. S7commTrace: A high interactive honeypot for industrial control system based on S7 protocol. In International Conference on Information and Communications Security, pp. 412–423, Springer, 2017.
[25] Amrit Mundra and VC Kumar. Programmable logic controllers — security threats and solutions. Texas Instruments, 2019.
[26] Honeywell Process Solutions. PLCs and cybersecurity. 2018.
[27] Shodan. Leverage the power of Shodan: Shodan API. https://developer.shodan.io/. 2019.
[28] M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, and L. Jones. SOCKS protocol version 5. RFC 1928 (proposed standard), Internet Engineering Task Force, 1996.
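Sections 3.2 and 3.3.3 describe the Profiler Tool collecting a real PLC's OIDs with snmpwalk and snmpsim replaying them as archived MIB data on UDP port 161. The following is an added example, not HoneyPLC's Profiler Tool and not snmpsim's own converter, of that conversion step: it turns snmpwalk -On output into snmpsim's OID|tag|value record format and sorts the records numerically by OID, as snmpsim requires for GETNEXT walks to work. The sample walk (sysDescr, sysObjectID, interface counters) is constructed for the example, not captured from a PLC, and walk_to_snmprec and the other names are the example's own.

```python
"""Convert `snmpwalk -On` output into an snmpsim .snmprec data file.

Added example, not code from HoneyPLC or snmpsim. It models the profiler step
in which the OIDs collected from a real PLC with snmpwalk become the archived
MIB data that snmpsim serves back to an SNMP scanner. The record layout
(OID|type-tag|value) is snmpsim's .snmprec format; the walk below is constructed.
"""
import re

# snmpsim type tags for the value kinds snmpwalk prints.
SNMPREC_TAGS = {
    "INTEGER": "2",
    "STRING": "4",
    "Hex-STRING": "4x",      # hex-encoded OCTET STRING
    "OID": "6",
    "IpAddress": "64",
    "Counter32": "65",
    "Gauge32": "66",
    "Timeticks": "67",
    "Counter64": "70",
}

WALK_LINE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?P<kind>[A-Za-z0-9-]+):\s*(?P<value>.*)$")


def oid_key(oid: str) -> tuple:
    """Sort key so that ...2.2.1.5.1 precedes ...2.2.1.10.1 (numeric, not lexical order)."""
    return tuple(int(part) for part in oid.split("."))


def normalise_value(kind: str, value: str) -> str:
    """Turn snmpwalk's pretty-printed value into the raw form snmpsim stores."""
    value = value.strip()
    if kind == "STRING":
        return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value
    if kind == "Hex-STRING":
        return "".join(value.split()).lower()                # "00 1B 1B" -> "001b1b"
    if kind == "OID":
        return value.lstrip(".")
    if kind == "Timeticks":
        m = re.match(r"\((\d+)\)", value)                    # "(1234567) 3:25:45.67"
        if not m:
            raise ValueError(f"unparseable Timeticks value: {value}")
        return m.group(1)
    if kind == "INTEGER":
        m = re.match(r"^[A-Za-z_]\w*\((-?\d+)\)$", value)    # enumerated form "up(1)"
        return m.group(1) if m else value
    return value


def walk_to_snmprec(walk_output: str) -> list:
    """Parse snmpwalk lines and return 'oid|tag|value' records in ascending OID order."""
    records = {}
    for line in walk_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WALK_LINE.match(line)
        if not m:
            raise ValueError(f"not an snmpwalk line: {line}")
        kind = m.group("kind")
        if kind not in SNMPREC_TAGS:
            raise ValueError(f"unsupported value type {kind} on OID {m.group('oid')}")
        value = normalise_value(kind, m.group("value"))
        records[m.group("oid")] = f"{m.group('oid')}|{SNMPREC_TAGS[kind]}|{value}"
    return [records[oid] for oid in sorted(records, key=oid_key)]


# Constructed sample of `snmpwalk -v2c -c public -On <plc-ip>` output (not a real capture).
SAMPLE_WALK = """\
.1.3.6.1.2.1.1.1.0 = STRING: "Siemens, SIMATIC, CPU 315-2 PN/DP"
.1.3.6.1.2.1.1.3.0 = Timeticks: (1234567) 3:25:45.67
.1.3.6.1.2.1.1.2.0 = OID: .1.3.6.1.4.1.4196.1.1.5.2.22
.1.3.6.1.2.1.2.2.1.10.1 = Counter32: 4242
.1.3.6.1.2.1.2.2.1.5.1 = Gauge32: 100000000
.1.3.6.1.2.1.2.2.1.8.1 = INTEGER: up(1)
.1.3.6.1.2.1.4.20.1.1.192.168.0.1 = IpAddress: 192.168.0.1
.1.3.6.1.2.1.2.2.1.6.1 = Hex-STRING: 00 1B 1B 12 34 56
"""

if __name__ == "__main__":
    for record in walk_to_snmprec(SAMPLE_WALK):
        print(record)
```

In use, the output of a real walk is fed to walk_to_snmprec and the records are written to a file named after the simulated community string (for example public.snmprec) in snmpsim's data directory; snmpsim then answers GET and GETNEXT for exactly the OIDs the profiled PLC exposed, which is what keeps the simulated agent consistent with the real device when an SNMP scanner walks it.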
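Sections 3.4 to 3.6 describe the S7comm server logging every request together with the attacker's IP address, the accessed memory block and a timestamp, and section 4.4.2 reports PLC Stop functions found in those logs. The following added example (not HoneyPLC or Snap7 code) shows the triage a defender would run over such a log: it parses the TPKT, COTP and S7 headers of each captured request using the field layout documented on the Wireshark s7comm wiki [8], names the S7 function, and flags the functions that change PLC state or program memory. The log records and the three request PDUs are constructed for the example; parse_s7, summarise and the other names are the example's own.

```python
"""Classify S7comm requests seen on TCP port 102 from honeypot interaction logs.

Added example, not HoneyPLC or Snap7 code. It walks the TPKT -> COTP -> S7
header layering described on the Wireshark s7comm wiki, names the S7 function
code of each Job request and flags the ones that alter PLC state or program
memory (block download, PLC Control, PLC Stop), so that requests like the
"PLC Stop" functions of section 4.4.2 stand out in the log. Log data is constructed.
"""
import struct
from collections import Counter
from dataclasses import dataclass

# S7comm function codes as named by the Wireshark dissector.
S7_FUNCTIONS = {
    0x00: "CPU services", 0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request download", 0x1B: "Download block", 0x1C: "Download ended",
    0x1D: "Start upload", 0x1E: "Upload", 0x1F: "End upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup communication",
}
# Functions that modify the PLC's program or run state; the rest only read.
STATE_CHANGING = {0x05, 0x1A, 0x1B, 0x1C, 0x28, 0x29}
ROSCTR = {1: "Job", 2: "Ack", 3: "Ack_Data", 7: "Userdata"}


@dataclass
class S7Request:
    rosctr: str
    pdu_ref: int
    function: int
    name: str
    state_changing: bool


def parse_s7(packet: bytes) -> S7Request:
    """Parse TPKT, COTP DT and S7 header; return the leading parameter (function code)."""
    if len(packet) < 7 or packet[0] != 0x03:
        raise ValueError("not a TPKT packet")
    if struct.unpack("!H", packet[2:4])[0] != len(packet):   # TPKT length covers whole packet
        raise ValueError("TPKT length mismatch")
    cotp_len, cotp_type = packet[4], packet[5]
    if cotp_type != 0xF0:                                    # only DT PDUs carry S7 payload
        raise ValueError("COTP PDU is not DT")
    s7 = packet[5 + cotp_len:]
    if len(s7) < 10 or s7[0] != 0x32:                        # 0x32 = S7 protocol id
        raise ValueError("not an S7comm PDU")
    rosctr, _reserved, pdu_ref, param_len, _data_len = struct.unpack("!BHHHH", s7[1:10])
    header_len = 12 if rosctr == 3 else 10                   # Ack_Data adds error class/code
    if param_len < 1 or len(s7) < header_len + param_len:
        raise ValueError("S7 parameter block missing or truncated")
    function = s7[header_len]
    return S7Request(ROSCTR.get(rosctr, "unknown"), pdu_ref, function,
                     S7_FUNCTIONS.get(function, f"unknown(0x{function:02x})"),
                     function in STATE_CHANGING)


def wrap_iso_on_tcp(s7_pdu: bytes) -> bytes:
    """Prefix an S7 PDU with a COTP DT header and a TPKT header (used to build samples)."""
    cotp = bytes([0x02, 0xF0, 0x80])
    return bytes([0x03, 0x00]) + struct.pack("!H", 4 + len(cotp) + len(s7_pdu)) + cotp + s7_pdu


# Constructed S7 Job PDUs (header + parameter block) following the Wireshark field layout.
PLC_STOP = wrap_iso_on_tcp(bytes.fromhex("32 01 0000 0000 0010 0000"
                                         "29 0000000000 09 505f50524f4752414d"))  # "P_PROGRAM"
READ_VAR = wrap_iso_on_tcp(bytes.fromhex("32 01 0000 0001 000e 0000"
                                         "04 01 12 0a 10 02 0001 0000 84 000000"))
SETUP_COMM = wrap_iso_on_tcp(bytes.fromhex("32 01 0000 0002 0008 0000"
                                           "f0 00 0001 0001 01e0"))

# Constructed interaction-log records as (source_ip, timestamp, raw request bytes).
SAMPLE_LOG = [
    ("198.51.100.7", "2020-06-01T10:00:01Z", SETUP_COMM),
    ("198.51.100.7", "2020-06-01T10:00:02Z", READ_VAR),
    ("203.0.113.9", "2020-06-02T03:14:00Z", SETUP_COMM),
    ("203.0.113.9", "2020-06-02T03:14:01Z", PLC_STOP),
]


def summarise(log):
    """Count requests per (source, function) and list every state-changing request."""
    per_source = Counter()
    alerts = []
    for src, ts, raw in log:
        req = parse_s7(raw)
        per_source[(src, req.name)] += 1
        if req.state_changing:
            alerts.append((src, ts, req.name))
    return per_source, alerts


if __name__ == "__main__":
    counts, alerts = summarise(SAMPLE_LOG)
    for (src, name), n in sorted(counts.items()):
        print(f"{src:<14} {name:<20} {n}")
    for src, ts, name in alerts:
        print(f"ALERT {ts} {src} sent {name}")
```

Only Job PDUs from the attacker side are classified here; responses (Ack_Data) carry an extra error class and code before the parameter block, which the header_len adjustment accounts for. Run over the Interaction Data logs, the same per-source counts, once the source addresses are geolocated, are what a table like Table 1 aggregates.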