A Comparative Study of ICS Honeypot Deployments
Donadel, Denis;Lupia, Francesco;Merro, Massimo;Zannone, Nicola
2025-01-01
Abstract
Honeypots are increasingly used in Industrial Control Systems (ICS) to divert attacks from critical assets and study malicious behavior. While prior work has examined specific aspects of ICS honeypot design, a comprehensive understanding of cost-effective deployment strategies is still lacking. This work investigates how interaction level, network type, and geographic location affect the attractiveness of ICS honeypots. We deploy both low- and high-interaction honeypots, alongside a physical device, across corporate and cloud networks in various geographic regions. We collect and analyze network interactions involving HTTP, S7Comm, and Modbus protocols from 16 honeypots with diverse configurations over a three-month period. Our results show that network type has the largest impact on ICS honeypot traffic, while interaction level and geographic location play a minor role. We also find that low-interaction honeypots capture traffic comparable to high-interaction setups, supporting their use for general threat intelligence.