Many industrial network devices use RS-232/485 for communication. Typically the serial port of a PC is connected directly (or indirectly, via a serial Ethernet gateway) to the serial port of the device. Software running on the PC sends commands to the device over the serial interface. By some accounts there are hundreds of serial protocols in use in SCADA networks. Some of the more common protocols are MODBUS and DNP.
We need to simulate those protocols over the serial port, so as to present a protocol interface to an attacker who connects to the serial port. Many languages support serial interface programming, including Python and Java. We were able to achieve serial communication through an open source Python serial programming module (pyserial.sf.net).
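As an added illustration (not code from the original post), here is a sketch of how a honeypot could answer MODBUS RTU requests arriving on the serial port and record each one. The unit ID, register values, function names and 9600 baud setting are assumptions; `serve()` needs pyserial, while the frame handling is pure Python.

```python
import struct

UNIT_ID = 1                          # assumed slave address of the simulated device
REGISTERS = {0: 230, 1: 50, 2: 1}    # constructed holding-register values

def crc16(data: bytes) -> bytes:
    """CRC-16/MODBUS, returned low byte first as it appears on the wire."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return struct.pack("<H", crc)

def frame(payload: bytes) -> bytes:
    """Append the CRC to an address + function + data payload."""
    return payload + crc16(payload)

def handle_request(req: bytes, log: list) -> bytes:
    """Log one RTU frame and return the reply, or b"" to stay silent."""
    if len(req) < 4 or crc16(req[:-2]) != req[-2:]:
        log.append(("bad_frame", req.hex()))
        return b""                            # a real slave ignores corrupt frames
    unit, func = req[0], req[1]
    log.append(("request", unit, func, req[2:-2].hex()))
    if unit != UNIT_ID:
        return b""                            # addressed to another slave
    if func == 0x03 and len(req) == 8:        # Read Holding Registers
        start, qty = struct.unpack(">HH", req[2:6])
        if not 1 <= qty <= 125:
            return frame(bytes([unit, 0x83, 0x03]))   # illegal data value
        if any(start + i not in REGISTERS for i in range(qty)):
            return frame(bytes([unit, 0x83, 0x02]))   # illegal data address
        values = b"".join(struct.pack(">H", REGISTERS[start + i]) for i in range(qty))
        return frame(bytes([unit, 0x03, len(values)]) + values)
    return frame(bytes([unit, func | 0x80, 0x01]))    # illegal function

def serve(port_name: str, log: list) -> None:
    """Answer requests on a real port; pyserial is imported only here."""
    import serial
    with serial.Serial(port_name, 9600, timeout=0.05) as port:
        while True:
            req = port.read(256)    # read timeout approximates the inter-frame gap
            if req:
                port.write(handle_request(req, log))
```

The log entries, including frames with a bad CRC, are the record of what the connecting party tried, so they should be timestamped and shipped off the honeypot host.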
Simulating 802.11
The HostAP driver (http://hostap.epitest.fi/) replies to 802.11b management packets and converts a client adapter into an access point. The driver can be used to simulate an access point which is inside an automation or a SCADA network.
Capturing attack tools and capturing the attackers' track
Though not part of Honeyd, there are lots of keystroke loggers available. We need a mechanism to track the attacker on the web interface of the device. We do not know of any tools which can provide that functionality; however, we explored some possibilities where the Java applet (running on the "attacker's" web browser) is able to comm
Challenges
Deployment and Testing
An ideal deployment site for such a script would be a subnet close to a real Industrial/SCADA network or a phone number which belongs to a SCADA/Automation plant. We are not aware of any active and ongoing SCADA-specific attacks; it would be difficult to get a SCADA-aware attacker into the honeypot.