A Comparative Study of ICS Honeypot Deployments

Donadel, Denis; Lupia, Francesco; Merro, Massimo; Zannone, Nicola
2025-01-01

Abstract

Honeypots are increasingly used in Industrial Control Systems (ICS) to divert attacks from critical assets and study malicious behavior. While prior work has examined specific aspects of ICS honeypot design, a comprehensive understanding of cost-effective deployment strategies is still lacking. This work investigates how interaction level, network type, and geographic location affect the attractiveness of ICS honeypots. We deploy both low- and high-interaction honeypots, alongside a physical device, across corporate and cloud networks in various geographic regions. We collect and analyze network interactions involving HTTP, S7Comm, and Modbus protocols from 16 honeypots with diverse configurations over a three-month period. Our results show that network type has the largest impact on ICS honeypot traffic, while interaction level and geographic location play a minor role. We also find that low-interaction honeypots capture traffic comparable to high-interaction setups, supporting their use for general threat intelligence.
2025
ICS Honeypot
Honeypot deployment analysis

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11562/1169384