These Aren’t the PLCs You’re Looking For: Obfuscating PLCs to Mimic Honeypots

Industry 4.0 and the trend of connecting legacy Industrial Control Systems (ICSs) to public networks have exposed these systems to various online threats. To combat these threats, honeypots have been widely used to provide proactive monitoring, detection and deception security capabilities. However, skilled attackers are now adept at fingerprinting and avoiding honeypots. Therefore, we take a fundamentally different approach in this paper. Instead of the honeypot representing a real system, we deploy it as a deterrent. Through obfuscation, the aim is to make an attacker believe the real system is a honeypot and collect threat intelligence data on the attacker. To achieve this, we introduce a new obfuscation technique that allows real ICSs to present themselves as honeypots. By taking advantage of honeypot fingerprinting techniques, we are able to deter attackers from interacting with the real Programmable Logic Controller (PLC) within the industrial network. The approach is implemented and evaluated using different penetration testing tools and an expert evaluation highlighting the benefits of obfuscation in that potential adversaries would be misled into assuming the PLC is a honeypot.