Using Global Honeypot Networks to Detect Targeted ICS Attacks

Accepted version
Peer-reviewed

Type

Conference Object

Authors

Beresford, AR 
Vingaard, M 

Abstract

Defending industrial control systems (ICS) in the cyber domain is both helped and hindered by bespoke systems integrating heterogeneous devices for unique purposes. Because of this fragmentation, observed attacks against ICS have been targeted and skilled, making them difficult to identify prior to initiation. Furthermore, organisations may be hesitant to share business-sensitive details of an intrusion that would otherwise assist the security community.

In this work, we present the largest study of high-interaction ICS honeypots to date and demonstrate that a network of internet-connected honeypots can be used to identify and profile targeted ICS attacks. Our study relies on a network of 120 high-interaction honeypots in 22 countries that mimic programmable logic controllers and remote terminal units. We provide a detailed analysis of 80,000 interactions over 13 months, of which only nine made malicious use of an industrial protocol. Malicious interactions included denial of service and replay attacks that manipulated logic, leveraged protocol implementation gaps and exploited buffer overflows. While the yield was small, the impact was high, as these were skilled, targeted exploits previously unknown to the ICS community.

By comparison with other ICS honeypot studies, we demonstrate that high-quality deception over long periods is necessary for such a honeypot network to be effective. As part of this argument, we discuss the accidental and intentional reasons why an internet-connected honeypot might be targeted. We also provide recommendations for effective, strategic use of such networks.

Keywords

honeypot, industrial control system, ICS

Journal Title

International Conference on Cyber Conflict, CYCON

Conference Name

2020 12th International Conference on Cyber Conflict (CyCon)

Journal ISSN

2325-5366
2325-5374

Volume Title

2020-May

Publisher

IEEE

Rights

All rights reserved

Sponsorship

Engineering and Physical Sciences Research Council (EP/M020320/1)
Gates Cambridge Trust