Journal of Computer Applications ›› 2020, Vol. 40 ›› Issue (9): 2650-2656. DOI: 10.11772/j.issn.1001-9081.2019122214

• Cyber security •

Design and implementation of high-interaction programmable logic controller honeypot system based on industrial control business simulation

ZHAO Guoxin1, DING Ruofan2,3, YOU Jianzhou3, LYU Shichao3, PENG Feng1, LI Fei1, SUN Limin3   

  1. College of Information Engineering, Beijing Institute of Petrochemical Technology, Beijing 102617, China;
    2. College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100020, China;
    3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089, China
  • Received: 2020-01-03 Revised: 2020-03-01 Online: 2020-09-10 Published: 2020-07-06
  • Supported by:
    This work is partially supported by the National Key Research and Development Program of China (2018YFC1201102), the Key Research and Development Program of Guangdong Province (2019B010137004), and the Science and Technology Project of the Headquarters of State Grid Corporation of China (522722180007).

Design and implementation of a high-interaction programmable logic controller honeypot system based on industrial control business simulation

ZHAO Guoxin1, DING Ruofan2,3, YOU Jianzhou3, LYU Shichao3, PENG Feng1, LI Fei1, SUN Limin3

  1. College of Information Engineering, Beijing Institute of Petrochemical Technology, Beijing 102617, China;
    2. College of Information Science and Technology, Beijing University of Chemical Technology, Beijing 100020, China;
    3. Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100089, China
  • Corresponding author: YOU Jianzhou
  • About the authors: ZHAO Guoxin (1963-), male, born in Tieling, Liaoning, professor, M.S.; main research interests: intelligent control, industrial control security. DING Ruofan (1995-), male, born in Yangzhou, Jiangsu, M.S. candidate; main research interests: industrial control security, honeypot technology. YOU Jianzhou (1992-), male, born in Longyan, Fujian, Ph.D. candidate; main research interests: industrial control security, IoT security, honeypot technology. LYU Shichao (1985-), male, born in Baoding, Hebei, assistant researcher, Ph.D. candidate; main research interests: wireless communication security, industrial control security. PENG Feng (1993-), male, born in Huanggang, Hubei, M.S. candidate; main research interests: intelligent control, industrial control security. LI Fei (1994-), female, born in Beijing, M.S. candidate; main research interests: industrial control security, fault diagnosis. SUN Limin (1966-), male, born in Huaiyang, Henan, research professor, Ph.D.; main research interests: industrial control security, IoT security.
  • Funding:
    National Key Research and Development Program of China (2018YFC1201102); Key Research and Development Program of Guangdong Province (2019B010137004); Science and Technology Project of the Headquarters of State Grid Corporation of China (522722180007).

Abstract: The trapping capability of an industrial control honeypot is strongly influenced by its degree of simulation. To address the lack of business logic simulation in existing industrial control honeypots, a design framework and implementation method for a high-interaction Programmable Logic Controller (PLC) honeypot based on industrial control business simulation were proposed. First, a new classification method for Industrial Control System (ICS) honeypots was proposed based on the interaction level of the industrial control system. Then, according to the different simulation dimensions of ICS devices, the entrapment process of the honeypot was divided into a process simulation cycle and a service simulation cycle. Finally, to realize real-time response to business logic data, process data was transferred into the service simulation cycle through a customized data transfer module. Combining the typical ICS honeypot software Conpot with the modeling and simulation tool Matlab/Simulink, experiments were carried out with a Siemens S7-300 PLC device as the reference, realizing the collaborative operation of information service simulation and control process simulation. The experimental results show that, compared with Conpot, the proposed PLC honeypot system adds 11 private functions of Siemens S7 devices. In particular, the read (function code 04 Read) and write (function code 05 Write) operations among the new functions realize monitoring of 7 channels of I-area data and control of 1 channel of Q-area data in the PLC. This new honeypot system breaks through the limitations of existing interaction levels and methods and opens new directions for ICS honeypot design.
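
A runnable toy model of the two-cycle architecture the abstract describes, added here as an example and not the authors' code: a process simulation cycle drives a plant stand-in, a data transfer module copies its sensors into the I area and its Q area back to the actuator, and a service simulation cycle answers 04 Read / 05 Write requests from that live image while logging every request. The tank plant, the seven sensor channels and the (code, area, channel, value) request tuple are assumptions; real S7comm framing is not modelled.

```python
# Added toy model of the two-cycle honeypot; plant, channels and request tuple are assumptions.
from dataclasses import dataclass, field

I_CHANNELS, Q_CHANNELS = 7, 1  # 7 monitored inputs, 1 controllable output (from the abstract)

@dataclass
class ProcessImage:
    """Shared image handed between the two cycles by the data transfer module."""
    i_area: list = field(default_factory=lambda: [0.0] * I_CHANNELS)
    q_area: list = field(default_factory=lambda: [0] * Q_CHANNELS)

@dataclass
class TankPlant:
    """Assumed plant standing in for the Simulink model: a tank drained at 2.0/s, filled while pump Q0 is on."""
    level: float = 50.0

    def step(self, pump_on: int, dt: float = 1.0) -> list:
        inflow = 5.0 if pump_on else 0.0
        self.level = max(0.0, min(100.0, self.level + (inflow - 2.0) * dt))
        # seven derived sensor readings that become the I-area channels (assumed layout)
        return [self.level, inflow, 2.0, float(pump_on),
                float(self.level > 90.0), float(self.level < 10.0), dt]

def process_cycle(plant: TankPlant, image: ProcessImage) -> None:
    """Process simulation cycle: actuate from the Q area, then transfer sensors to the I area."""
    sensors = plant.step(image.q_area[0])
    image.i_area[:] = sensors  # data transfer module: process side -> service side

def service_cycle(image: ProcessImage, request: tuple, log: list):
    """Service simulation cycle: answer function codes 04/05 from the live image and log the request."""
    code, area, channel, value = request
    areas = {"I": image.i_area, "Q": image.q_area}
    if area not in areas or not 0 <= channel < len(areas[area]):
        log.append(("reject", request))  # out-of-range channel or unknown area
        return None
    if code == 0x04:  # Read: monitoring of any I or Q channel
        log.append(("read", area, channel, areas[area][channel]))
        return areas[area][channel]
    if code == 0x05 and area == "Q":  # Write: only the Q area is controllable
        areas[area][channel] = int(value)
        log.append(("write", area, channel, int(value)))
        return True
    log.append(("reject", request))  # writes to the I area, unsupported codes
    return None
```

Alternating calls to process_cycle and service_cycle makes a write to Q0 visible in the I-area readings on the next process step, which is the real-time business logic response the abstract describes.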

Key words: honeypot, Industrial Control System (ICS), Conpot, high-interaction, S7comm private function

Abstract: The trapping capability of industrial control honeypots is significantly affected by their degree of simulation. To address the lack of business logic simulation in existing industrial control honeypots, a design framework and construction method for a high-interaction programmable logic controller (PLC) honeypot based on industrial control business simulation is proposed. First, a new classification method for industrial control system (ICS) honeypots is proposed based on the interaction levels of industrial control systems; then, according to the different simulation dimensions of industrial control devices, the honeypot entrapment process is divided into a process simulation cycle and a service simulation cycle; finally, a customized data transfer module converts process data into the service simulation cycle to realize real-time response to business logic data. Taking a Siemens S7-300 PLC device as the reference, the experiment combines the typical industrial control honeypot software Conpot with the modeling and simulation tool Matlab/Simulink to realize the collaborative operation of information service simulation and control process simulation. The experimental results show that, compared with Conpot, the high-interaction PLC honeypot system adds 11 Siemens S7 device private functions, among which the read (function code 04 Read) and write (function code 05 Write) operations realize monitoring of 7 channels of the PLC's I area and control of 1 channel of its Q area. This new honeypot system breaks through the limitations of existing interaction levels and methods and opens new directions for industrial control honeypot design.

Key words: honeypot, industrial control system, Conpot, high-interaction, S7comm private function
