Industrial Control Systems Honeypot: A Formal Analysis of Conpot

Abstract

Technologies used in ICS and Smart Grid are overlapping. The most discussed attacks on ICSs are Stuxnet and Black energy malware. The anatomy of these attacks not only pointed out that the security of ICS is of prime concern but also demanded to execute a proactive approach in practicing ICS security. Honeypot is used to implement defensive measures for security. The Honeynet group released Honeypot for ICS labelled as Conpot in 2013. Though the Conpot is low interactive Honeypot, it emulates processes of different cyber-physical systems, typically Smart Grid. In the literature, the effectiveness of Honeypot operations was studied by challenging limitations of the existing setup or proposing new variants. Similar approaches are followed for Conpot evaluation. However, none of the work addressed a formal verification method to verify the engagement of Honeypot, and this makes the presented work unique. For proposed work, Coloured Petri Net (CPN) tool is used for formal verification of Conpot. The variants of Conpot are modelled, including initial state model, deadlock state model and livelock model. Further evaluation of these models based on state space analysis results confirmed that Conpot could lure an attacker by engaging him in an infinite loop and thereby limiting the scope of the attacker from exploring and damaging the real-time systems or services. However, in the deadlock state, the attacker’s activity in the conpot will be restricted and will be unable to proceed further as the conpot model incorporates deadlock loop.