Python PLC Honeypot Project
This article will give a general introduction about the Python PLC Honeypot System we developed for cyber security training, exercises, testing and research.
Program Design Purpose: This project aims to develop a honeypot system that emulates an OT (Operational Technology) SCADA network environment, bridging Level 1 OT field-controller devices (PLCs) with Level 2 control programs, including Human-Machine Interfaces (HMIs). The honeypot simulates PLC models from major vendors such as Schneider and Siemens, and supports the primary communication protocols Modbus-TCP and Siemens S7Comm. The system integrates the following essential components: PLC emulator, OT controller simulator, ladder logic verifier, data logger, attack detector and system monitor.
As a cybersecurity honeypot, the system detects unauthorized access attempts on PLCs, including attempts to log in to PLC configuration pages via HTTP/HTTPS, send OT control requests, and fetch PLC state data. The orchestrator monitors for possible attack scenarios such as Denial of Service (DoS), False Command Injection (FCI) and False Data Injection (FDI) attacks. The system logs and displays real-time data on system execution states, enabling blue team defenders to monitor and analyze attacker or red team behavior. Designed for cybersecurity training, cyber defense exercises, Capture the Flag (CTF) challenges, and hands-on attack/defense competitions, this PLC honeypot provides a realistic and interactive platform for advancing OT cybersecurity skills and strategies.
# Created: 2024/11/02
# Version: v_0.1.3
# Copyright: Copyright (c) 2024 LiuYuancheng
# License: GNU Affero General Public License v3.0
Introduction
The Python PLC Honeypot Project is a distributed cybersecurity solution designed to mimic the behavior of real SCADA network control flows between Programmable Logic Controllers (PLCs) and Human-Machine Interfaces (HMIs). The honeypot is a fully digital, VM-based system without any special OT hardware (users can also integrate hardware into the system). This system lures potential red team attackers into engaging with a simulated OT (Operational Technology) environment, enabling the collection of attack data and Digital Forensics and Incident Response (DFIR) datasets, and supporting the development of enhanced security measures. It also provides a platform for blue team defenders to monitor, analyze, and respond to cyber threats in industrial environments. The system structure and workflow diagram is shown below:
The system is divided into three main subsystems:
System Network Introduction
The system operates across two isolated networks:
System Key Features Introduction
The PLC honeypot system includes the following eight main features:
This project provides a robust platform for cybersecurity training, testing, and research, contributing to improved resilience in industrial control systems. It has been used in two international CTF competitions, in Singapore and Europe.
Design of PLC Emulator
The PLC Emulator is designed to run on a virtual machine (VM) or a physical machine within the honeypot environment. It comprises two primary components:
The program workflow diagram is shown below:
The PLC Emulation Program is the core component and operates with four parallel threads to ensure modularity and real-time operation:
Flask Web Host Thread [PLC Config Web Interface Module] :
Modbus and S7Comm Thread [PLC Modbus/S7comm Service Module] :
PLC Function Thread [PLC Ladder Logic Execution Module] :
Monitor Report Thread [Honeypot Monitor Report Module] :
The PLC Emulation Program generates three types of logs:
The Log Archive Agent is responsible for managing and synchronizing log files generated by the PLC Emulator. It consists of two parallel threads:
Log File Management Thread :
Log Synchronization Thread:
The multi-threaded design provides modularity, enabling simultaneous emulation of PLC processes, protocol handling, logging, and reporting. This architecture ensures both realism for attackers and comprehensive data collection for defenders.
Design of PLC Controller
The PLC Controller is a critical component that connects to the PLC Emulator via OT protocol client threads. It simulates complex HMI-PLC control flows, enables the creation of realistic SCADA control scenarios, and provides a verification function for PLC behavior to detect unauthorized command injections or other attacks. The overall controller workflow is depicted in the following diagram:
The PLC Controller Program is designed to run three parallel threads for efficient and modular operation:
OT Communication Thread [PLC Modbus/S7Comm Client Module] :
Function Thread [Controller Ladder Logic Execution Module] :
Monitor Report Thread [Honeypot Monitor Report Module] :
Similar to the PLC Emulator, each controller VM includes a Log Archive Agent to manage and synchronize logs with the central log archive server.
To deploy the PLC controllers and emulators in the honeypot network, users can run multiple PLC controller programs within a single VM or across multiple VMs, each capable of loading different ladder logic modules. This setup allows simulation of 1-to-1, 1-to-N, N-to-N or mixed SCADA control workflows. The connection diagram is shown below:
Upon initialization, the PLC Controller performs the following steps:
Step 1: Load Configuration:
Step 2: Simulate Control Cycles:
Step 3: Verification Process:
The following verification workflow illustrates the detection of a false command injection attack:
Its modular multi-threaded design allows for efficient execution of control logic, monitoring, and logging, making it a robust tool for honeypot environments. By accurately replicating complex SCADA workflows, the PLC Controller provides an effective mechanism for studying attacker behavior and improving industrial cybersecurity defenses.
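The verification loop described in Steps 2 and 3 above (random inputs, locally computed expected outputs, comparison against what the PLC reports) can be shown in a few dozen lines. The block below is an added example and not the project's own controller code: the eight-rung ladder program, the `FakePLC` stand-in for the emulator's coil table and the `force_coil` override that models an injected coil write are all constructed for illustration.

```python
"""Controller-side ladder logic verification (added example, not the project's code).

A constructed 8-rung ladder program maps 8 boolean inputs to 8 coils. The
controller computes the expected coil states locally, reads the coils back
from the PLC and flags any mismatch as a possible False Command Injection.
The rungs and the FakePLC stand-in are invented for illustration.
"""
import random
from typing import Callable, Dict, List, Optional, Tuple

Inputs = List[bool]
Rung = Callable[[Inputs], bool]

# Constructed ladder program: rung k drives coil k from the input bits I0..I7.
LADDER: List[Rung] = [
    lambda i: i[0] and i[1],            # coil 0 = I0 AND I1
    lambda i: i[2] or i[3],             # coil 1 = I2 OR I3
    lambda i: not i[4],                 # coil 2 = NOT I4
    lambda i: i[5] and not i[6],        # coil 3 = I5 AND NOT I6
    lambda i: i[0] or i[7],             # coil 4 = I0 OR I7
    lambda i: i[1] and i[2] and i[3],   # coil 5 = I1 AND I2 AND I3
    lambda i: i[4] != i[5],             # coil 6 = I4 XOR I5
    lambda i: not (i[6] or i[7]),       # coil 7 = NOT (I6 OR I7)
]


def run_ladder(inputs: Inputs, ladder: List[Rung] = LADDER) -> List[bool]:
    """Execute every rung once (one PLC scan) and return the coil states."""
    return [bool(rung(inputs)) for rung in ladder]


class FakePLC:
    """Minimal stand-in for the emulator's input/coil tables (constructed)."""

    def __init__(self, ladder: List[Rung] = LADDER) -> None:
        self.ladder = ladder
        self.inputs: Inputs = [False] * len(ladder)
        self.forced: Dict[int, bool] = {}   # coils held at a value regardless of the scan
        self.coils = run_ladder(self.inputs, ladder)

    def write_inputs(self, inputs: Inputs) -> None:
        """Normal controller path: update the inputs and rescan the ladder."""
        self.inputs = list(inputs)
        self.coils = run_ladder(self.inputs, self.ladder)

    def force_coil(self, idx: int, value: bool) -> None:
        """Hold a coil so it no longer follows the ladder (the effect of an FCI)."""
        self.forced[idx] = value

    def read_coils(self) -> List[bool]:
        coils = list(self.coils)
        for idx, value in self.forced.items():
            coils[idx] = value
        return coils


def verify_cycle(plc: FakePLC, inputs: Inputs,
                 ladder: List[Rung] = LADDER) -> Tuple[bool, List[int]]:
    """One verification round: push inputs, compute the expected coils locally,
    read the PLC's coils and return (ok, indexes of coils that disagree)."""
    plc.write_inputs(inputs)
    expected = run_ladder(inputs, ladder)
    result = plc.read_coils()
    mismatches = [k for k, (e, r) in enumerate(zip(expected, result)) if e != r]
    return (not mismatches, mismatches)


def random_inputs(n: int = 8, seed: Optional[int] = None) -> Inputs:
    """Random input vector, as the controller's verification loop generates."""
    rng = random.Random(seed)
    return [rng.random() < 0.5 for _ in range(n)]


if __name__ == "__main__":
    plc = FakePLC()
    for round_no in range(3):
        ok, bad = verify_cycle(plc, random_inputs(seed=round_no))
        print(f"round {round_no}: {'ok' if ok else 'ALERT mismatched coils ' + str(bad)}")
    plc.force_coil(2, True)    # simulate an injected coil write that sticks
    caught = [k for k in range(5) if not verify_cycle(plc, random_inputs(seed=100 + k))[0]]
    print("rounds that caught the forced coil:", caught)
```

A forced coil is only visible in a round whose expected value differs from the forced one, so a single round can miss it; the controller's repeated rounds with fresh random inputs are what make the check reliable over time.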
Design of Deception Layer
The OT deception layer is designed to mimic a real industrial environment, providing attackers with realistic targets while recording their activities. As introduced in the PLC Emulator and Controller designs, this layer includes key features like access limitations, data type verification, and IP-based white-listing for permissions. These mechanisms aim to replicate genuine industrial setups and mislead attackers into believing they have compromised real systems. The deception layer includes four key features:
[1] Access Limitation and Data Type Verification:
[2] Realistic Web Configuration Interfaces:
[3] Vendor-Specific Emulation:
[4] Realistic Functionality:
The M221 deception web user interface is shown below:
The S71200 PLC deception web user interface is shown below:
For the function of each deception PLC configuration web interface:
Monitoring and Attack Detection
By replicating real-world interfaces and functionality, this layer not only enhances the realism of the honeypot environment but also helps identify potential attack vectors. The combination of realistic deception interfaces, activity monitoring, and attack alerting ensures that attackers are misled while their actions are carefully observed.
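The access limitation, data type verification and IP-based white-listing named in feature [1] above amount to a gate in front of the emulated PLC's memory. The block below is an added example of such a gate, not the project's own emulator code: the memory map, the client and writer allow-lists, the function names and the alert format are all constructed for illustration.

```python
"""Request gate for an emulated PLC (added example, not the project's code).

Every Modbus-style request is checked against an IP allow-list, a separate
write allow-list, the emulated memory map and simple data-type rules before
it touches PLC memory. Rejected requests come back as ALERT decisions so the
monitor report thread can forward them. All values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed memory map of the emulated PLC.
COIL_RANGE = range(0, 64)          # coil addresses (bool values)
HOLDING_REG_RANGE = range(0, 32)   # holding register addresses (uint16 values)


@dataclass
class Request:
    src_ip: str
    func: str                      # read_coils | write_coil | read_holding | write_holding
    address: int
    value: Optional[object] = None


@dataclass
class Decision:
    allowed: bool
    reason: str
    level: str                     # "INFO" when allowed, "ALERT" when rejected


def _reject(reason: str) -> Decision:
    return Decision(False, reason, "ALERT")


class AccessGate:
    def __init__(self, allowed_clients: Iterable[str], allowed_writers: Iterable[str]) -> None:
        self.allowed_clients = [ipaddress.ip_network(n) for n in allowed_clients]
        self.allowed_writers = [ipaddress.ip_network(n) for n in allowed_writers]

    @staticmethod
    def _member(ip: str, nets) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    def check(self, req: Request) -> Decision:
        """Apply the checks in order: source IP, write permission, address, data type."""
        if not self._member(req.src_ip, self.allowed_clients):
            return _reject(f"source {req.src_ip} not in client allow-list")
        is_write = req.func.startswith("write")
        if is_write and not self._member(req.src_ip, self.allowed_writers):
            return _reject(f"write from {req.src_ip} not permitted")
        if req.func in ("read_coils", "write_coil"):
            if req.address not in COIL_RANGE:
                return _reject(f"coil address {req.address} out of range")
            if is_write and not isinstance(req.value, bool):
                return _reject("coil value must be bool")
        elif req.func in ("read_holding", "write_holding"):
            if req.address not in HOLDING_REG_RANGE:
                return _reject(f"holding register address {req.address} out of range")
            if is_write and not (isinstance(req.value, int) and not isinstance(req.value, bool)
                                 and 0 <= req.value <= 0xFFFF):
                return _reject("holding register value must be uint16")
        else:
            return _reject(f"unsupported function {req.func}")
        return Decision(True, "ok", "INFO")


def audit(gate: AccessGate, requests: Iterable[Request]) -> List[str]:
    """Log-style lines for a batch of requests (constructed format)."""
    lines = []
    for req in requests:
        d = gate.check(req)
        lines.append(f"{d.level} {req.src_ip} {req.func} addr={req.address}: {d.reason}")
    return lines


if __name__ == "__main__":
    gate = AccessGate(allowed_clients=["10.0.1.0/24"], allowed_writers=["10.0.1.10/32"])
    sample = [                                   # constructed traffic
        Request("10.0.1.10", "write_coil", 3, True),
        Request("10.0.1.20", "write_coil", 3, True),
        Request("192.168.5.5", "read_coils", 3),
        Request("10.0.1.10", "write_holding", 5, 70000),
    ]
    print("\n".join(audit(gate, sample)))
```

Keeping the rejected request in the log with its source and reason is the point of the exercise: the deception interface answers as a real PLC would, while the ALERT record gives the defender the who, what and where of the attempt.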
Design of Data Log System
The Data Log System ensures comprehensive monitoring and logging of all actions and progress within the PLC Emulators and Controllers. This system provides defenders with a centralized repository for analyzing log data and identifying potential security incidents. As shown in the Emulator and Controller designs, each VM runs a log archive agent to synchronize its log data to the log server. The log system includes two main parts:
The system workflow is shown below:
The following steps summarize the system workflow:
Each log message includes the following fields: Timestamp, Log Type (normal action, info, warning, error, alert) and the detailed log data, as shown in the example below:
2024-11-21 14:38:01,209 INFO PLC controller Controller01 Inited
2024-11-21 14:38:01,209 INFO PLC controller verification loop started
2024-11-21 14:38:01,210 INFO Start one around verification.
2024-11-21 14:38:11,210 INFO Random generate input: [False, False, False, True, True, True, True, False]
2024-11-21 14:38:11,211 INFO Expected output: [False, True, False, True, False, True, True, True]
2024-11-21 14:38:13,034 INFO Get PLC result: [False, True, False, True, False, True, True, True]
2024-11-21 14:38:13,034 INFO Start one around verification.
2024-11-21 14:38:23,059 INFO Random generate input: [False, True, True, False, True, False, True, True]
2024-11-21 14:38:23,059 INFO Expected output: [False, False, False, True, False, True, False, False]
2024-11-21 14:38:24,883 INFO Get PLC result: [False, False, False, True, False, True, False, False]
2024-11-21 14:38:24,884 INFO Start one around verification.
Blue team defenders can use the archive server's web UI to check, search and filter all the logs, as shown below:
On the main page, the blue team defender can check the total log size and the agent connection state, and select an emulator's or controller's log by its PLC emulator or controller ID. The page then switches to that component's log view, where the user can filter, search and inspect the detailed log file contents. Users can also process the logs further to integrate them into their SIEM system, or use the raw log files as a DFIR dataset.
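Because the log format is fixed (timestamp, log type, message), the verification rounds shown above can be reconstructed from the raw log files, which is what a defender feeding them into a SIEM or using them as a DFIR dataset needs. The block below is an added example and not the project's own log tooling: it parses the page's sample lines, groups them into verification rounds and flags any round where the PLC result differs from the expected output. The first eleven sample lines are the ones from the page; the last three are a constructed mismatching round.

```python
"""Parser for the honeypot's verification log (added example, not the project's code).

Line format, as on the page: "<YYYY-MM-DD HH:MM:SS,mmm> <LEVEL> <message>".
Lines are grouped into verification rounds starting at each
"Start one around verification." message, and rounds whose
"Get PLC result" differs from "Expected output" are reported.
"""
import ast
import re
from datetime import datetime
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) (?P<msg>.*)$"
)

# Sample log: page lines followed by one constructed mismatching round.
SAMPLE_LOG = [
    "2024-11-21 14:38:01,209 INFO PLC controller Controller01 Inited",
    "2024-11-21 14:38:01,209 INFO PLC controller verification loop started",
    "2024-11-21 14:38:01,210 INFO Start one around verification.",
    "2024-11-21 14:38:11,210 INFO Random generate input: [False, False, False, True, True, True, True, False]",
    "2024-11-21 14:38:11,211 INFO Expected output: [False, True, False, True, False, True, True, True]",
    "2024-11-21 14:38:13,034 INFO Get PLC result: [False, True, False, True, False, True, True, True]",
    "2024-11-21 14:38:13,034 INFO Start one around verification.",
    "2024-11-21 14:38:23,059 INFO Random generate input: [False, True, True, False, True, False, True, True]",
    "2024-11-21 14:38:23,059 INFO Expected output: [False, False, False, True, False, True, False, False]",
    "2024-11-21 14:38:24,883 INFO Get PLC result: [False, False, False, True, False, True, False, False]",
    "2024-11-21 14:38:24,884 INFO Start one around verification.",
    # constructed: PLC reports coil 1 low although the ladder expects it high
    "2024-11-21 14:38:35,100 INFO Random generate input: [True, False, False, False, True, False, False, True]",
    "2024-11-21 14:38:35,101 INFO Expected output: [True, True, False, False, True, False, False, False]",
    "2024-11-21 14:38:36,900 INFO Get PLC result: [True, False, False, False, True, False, False, False]",
]

FIELDS = (("input", "Random generate input:"),
          ("expected", "Expected output:"),
          ("result", "Get PLC result:"))


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one log line into timestamp, level and message; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
    return {"ts": ts, "level": m["level"], "msg": m["msg"]}


def _bool_list(msg: str, prefix: str) -> Optional[List[bool]]:
    """Return the list literal that follows `prefix`, or None if absent."""
    if not msg.startswith(prefix):
        return None
    return ast.literal_eval(msg[len(prefix):].strip())


def extract_rounds(lines: List[str]) -> List[Dict[str, object]]:
    """Group log lines into verification rounds and compute each round's mismatch."""
    rounds: List[Dict[str, object]] = []
    cur: Optional[Dict[str, object]] = None
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue                      # skip lines that are not in the expected format
        msg = rec["msg"]
        if msg.startswith("Start one around verification"):
            cur = {"start": rec["ts"], "input": None, "expected": None, "result": None}
            rounds.append(cur)
            continue
        if cur is None:
            continue                      # startup lines before the first round
        for key, prefix in FIELDS:
            vals = _bool_list(msg, prefix)
            if vals is not None:
                cur[key] = vals
    for r in rounds:
        if r["expected"] is not None and r["result"] is not None:
            r["mismatch"] = [k for k, (e, v) in enumerate(zip(r["expected"], r["result"])) if e != v]
        else:
            r["mismatch"] = None          # incomplete round, e.g. the PLC never answered
    return rounds


def suspicious_rounds(rounds: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Rounds with at least one coil that disagrees with the expected output."""
    return [r for r in rounds if r["mismatch"]]


if __name__ == "__main__":
    for r in suspicious_rounds(extract_rounds(SAMPLE_LOG)):
        print(f"{r['start']}: expected {r['expected']} got {r['result']} -> coils {r['mismatch']}")
```

An incomplete round (a start line with no result) is kept with `mismatch` set to `None` rather than dropped, since a PLC that stops answering is itself worth noticing when reviewing a DoS scenario.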
Design of Honeypot Monitor Hub
The Honeypot Monitor Hub serves as the central system for collecting, storing, and visualizing reports from all PLC emulators and controllers. It facilitates real-time monitoring and alerting for the Blue Team, enabling efficient management of the honeypot environment and detection of potential threats. The Monitor Hub is deployed on a virtual machine within the orchestration network. It includes:
The honeypot monitor hub web UI overview is shown below:
The Monitor Hub provides a comprehensive web interface with five main pages, as illustrated below:
To view the PLC emulator state, select the PLC Emulator View tab from the navigation bar and then click the PLC ID in the table, as shown below:
For details of the information shown, refer to the table below:
To view the PLC controllers' state, select the PLC Controller View tab from the navigation bar and then click the Controller ID in the table, as shown below:
For details of the information shown, refer to the table below:
The Honeypot Monitor Hub is a critical component of the honeypot system, providing real-time insights, alerting, and detailed reports for defenders. By offering centralized management and an easy-to-use web interface, it enhances the ability of the Blue Team to monitor, analyze, and respond to potential threats effectively.
System Setup and Usage
System deployment, attack alerting and notification, and using the system to detect OT attack scenarios and trace the attack path will be covered in detail with a workshop in the next article.
Project GitHub Repo Link :
Thanks for spending time to check the article details. If you have any questions or suggestions, or find any program bugs, please feel free to message me. Many thanks if you can leave some comments and share any improvement advice so we can make our work better ~
Open source zero trust networking
3 months Marcos Ricardo Schejtman Rubio, we should look at building this into your zero trust networking demo using NetFoundry/open source OpenZiti. One side could show how frequently the honeypot is being attacked across the internet, while another can only be accessed across the zero trust network overlay, thus unavailable to unauthenticated actors.
Contract & Consulting Engineer | Automation | Intelligent Sensors & Digital Systems
3 months Yuancheng Liu, thank you for sharing your work. Jaxson Brown, I am sure you will appreciate this from our neighbours in Singapore.
ICS/OT Cyber security Instructor
3 months Sávio Lira Daniel Valentim
Cybersecurity Services @ Siemens Energy
3 months Can this be deployed in a real PLC network, or is it available only in a simulated environment?