


Title:
HIGH INTERACTION NON-INTRUSIVE INDUSTRIAL CONTROL SYSTEM HONEYPOT
Document Type and Number:
WIPO Patent Application WO/2018/044410
Kind Code:
A1
Abstract:
The present embodiments relate to high interaction virtualized non-intrusive ICS HoneyPots. By way of introduction, the present embodiments described below include apparatuses and methods for emulating an industrial control system (ICS) and making the emulated ICS available to a network susceptible to a cyber-attack. The ICS is emulated using the network topology, control logic and process data from the live ICS. The live ICS data is received via unidirectional communication, and the emulated ICS is deployed as a HoneyPot capable of interacting with a cyber-attack in the same manner as the live ICS. The HoneyPot includes a process historian for logging emulated process data to analyze the cyber-attack, and a plurality of HoneyPots may provide the logged data to a cloud server for cross-deployment and cross-customer analytics.

Inventors:
PFLEGER DE AGUIAR, Leandro (15 Mary Lane, Robinsville, New Jersey, 08691, US)
WEI, Dong (8 Stacey Street, Edison, New Jersey, 08820, US)
MCGRAW, Shawn (14 Bear Trail, Jackson, New Jersey, 08527, US)
Application Number:
US2017/042692
Publication Date:
March 08, 2018
Filing Date:
July 19, 2017
Assignee:
SIEMENS AKTIENGESELLSCHAFT (Werner-von-Siemens-Straße 1, München, München, DE)
International Classes:
H04L29/06; G05B19/00; G05B19/418; G06F9/455
Foreign References:
US20140336785A12014-11-13
Other References:
ROLAND C. BODENHEIM: "IMPACT OF THE SHODAN COMPUTER SEARCH ENGINE ON INTERNET-FACING INDUSTRIAL CONTROL SYSTEM DEVICES THESIS", 27 March 2014 (2014-03-27), XP055240157, Retrieved from the Internet [retrieved on 20160111]
VOLLMER TODD ET AL: "Cyber-Physical System Security With Deceptive Virtual Hosts for Industrial Control Networks", IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, IEEE SERVICE CENTER, NEW YORK, NY, US, vol. 10, no. 2, May 2014 (2014-05-01), pages 1337 - 1347, XP011547205, ISSN: 1551-3203, [retrieved on 20140502], DOI: 10.1109/TII.2014.2304633
Attorney, Agent or Firm:
RASHIDI-YAZD, Seyed Kaveh E. (Siemens Corporation- Intellectual Property Dept, 3501 Quadrangle Blvd. Ste. 230Orlando, Florida, 32817, US)
Claims:
WE CLAIM:

1. A method for deploying a high interaction HoneyPot for an industrial control system, the method comprising:

receiving (401), by a server from devices in the industrial control system, data indicative of a network topology for the industrial control system, control logic for the devices in the industrial control system and process data for the devices in the industrial control system;

emulating (403), with a virtual machine on the server, the industrial control system based on the received data indicative of the network topology and the received control logic; and

deploying (405), by the virtual machine, the HoneyPot for the industrial control system with the emulated industrial control system and based on the received process data.

2. The method of claim 1, wherein the receiving (401) comprises receiving control logic and process data from a combination of one or more of a programmable logic controller, an industrial personal computer, a human-machine interface, a sensor and a network switch.

3. The method of claim 1, wherein the received process data comprises real process data for the industrial control system.

4. The method of claim 1, wherein the received process data comprises modified process data for the industrial control system.

5. The method of claim 1, wherein the received process data comprises artificial process data and enriched data for the industrial control system.

6. The method of claim 1, wherein deploying (405) the HoneyPot comprises connecting the HoneyPot to an intranet.

7. The method of claim 1, wherein deploying (405) the HoneyPot comprises emulating a demilitarized zone (DMZ).

8. The method of claim 1, wherein deploying (405) the HoneyPot comprises connecting the server directly to an external network, and extracting a reusable template from the deployed HoneyPot.

9. The method of claim 1, further comprising:

storing (407), with a process historian on the server, security data for the HoneyPot; and

analyzing (409) the security data to evaluate security threats to the industrial control system.

10. The method of claim 8, wherein analyzing (409) the security data comprises evaluating security threats comprising industrial control system protocol violations.

11. A system for deploying a high interaction HoneyPot for an industrial control system, the system comprising:

a memory (607A) configured to:

store data indicative of a network topology of devices in the industrial control system;

store control logic for the devices in the industrial control system;

store process data for the devices in the industrial control system; and

store, with an emulated process historian, security data for the HoneyPot; and

a processor (607B) configured to:

emulate, as a virtual machine, the industrial control system based on the stored data indicative of the network topology and the stored control logic;

deploy, over a network, the emulated industrial control system as the HoneyPot based on the stored process data, wherein the HoneyPot is configured to log security data in the process historian; and

analyze the security data for the HoneyPot to identify protocol violations for the emulated industrial control system.

12. The system of claim 11, further comprising:

the devices (611, 613, 615, 617, 621) in the industrial control system, the devices comprising programmable logic controllers, industrial personal computers and sensors, wherein each of the devices comprises an embedded process historian and an application for providing data indicative of the device in the network topology, the control logic for the device, and process data for the device.

13. The system of claim 11, further comprising:

the devices (611, 613, 615, 617, 621) in the industrial control system, the devices comprising programmable logic controllers, industrial personal computers and sensors, wherein each of the devices is instrumented with a virtual machine to monitor for a cyber-attack.

14. The system of claim 11, further comprising: a display (607C) configured to display the identified protocol violations for the emulated industrial control system.

15. The system of claim 11, further comprising:

a remote server (605) configured to:

store data indicative of a plurality of deployed HoneyPots, each deployed HoneyPot comprising an emulated industrial control system of a plurality of industrial control systems; and

analyze the data indicative of a plurality of deployed HoneyPots to identify security threats for the plurality of industrial control systems.

16. A method of monitoring a plurality of industrial control system HoneyPots, the method comprising:

receiving (501), by a cloud server from a plurality of local servers, data indicative of a plurality of industrial control systems;

receiving (503), by the cloud server from the plurality of local servers, data indicative of the plurality of industrial control system HoneyPots, each industrial control system HoneyPot configured to emulate one of the plurality of industrial control systems; and

monitoring (505), based on the data indicative of the plurality of industrial control systems and the data indicative of the plurality of industrial control system HoneyPots, the plurality of industrial control system HoneyPots for security threats to the plurality of industrial control systems.

17. The method of claim 16, wherein receiving (501) the data indicative of a plurality of industrial control systems comprises receiving data captured from applications running on each of a plurality of devices of each of the plurality of industrial control systems.

18. The method of claim 17, wherein receiving the data comprises receiving data from an embedded process historian running on each of a plurality of devices of each of the plurality of industrial control systems.

19. The method of claim 16, wherein receiving (503) data indicative of the plurality of industrial control system HoneyPots comprises receiving data captured in a HoneyPot process historian on each of the plurality of industrial control system HoneyPots.

20. The method of claim 16, wherein monitoring (505) the plurality of industrial control system HoneyPots comprises comparing the data indicative of the plurality of industrial control systems with the data indicative of the plurality of industrial control system HoneyPots.

21. The method of claim 20, wherein comparing the data indicative of the plurality of industrial control systems with the data indicative of the plurality of industrial control system HoneyPots comprises identifying techniques for cyber-attacks on the plurality of industrial control systems.

Description:
HIGH INTERACTION NON-INTRUSIVE INDUSTRIAL CONTROL SYSTEM HONEYPOT

Cross-Reference to Related Applications

[0001] The present patent document claims the benefit of US Provisional Patent Application Serial No. 62/382,454, filed on September 1, 2016, which is hereby incorporated by reference in its entirety.

Background

[0002] There is increased interest by cyber attackers in attacking critical infrastructure by compromising industrial automation and control systems. Industrial control systems (ICS) and industrial control networks are often directly or indirectly connected to information technology (IT) networks, such as local office and plant networks and the Internet. This vertical integration may provide an opportunity for cyber attackers to exploit those networks. For example, highly sophisticated attacks have directly attacked programmable logic controller (PLC) devices, rewriting the device firmware with a malicious version by attacking the PLC through a compromised third party device.

[0003] Unlike computers and other computing devices running on conventional IT networks, many currently deployed ICS products (e.g., programmable logic controllers (PLCs), distributed control systems (DCS), motion controllers, supervisory control and data acquisition (SCADA) systems, and human-machine interfaces (HMIs)) were designed for process control functionalities without, in many cases, intrinsic consideration of cybersecurity. Most process control system networks, including multiple PLCs, DCS devices, motion controllers, SCADA devices and HMIs, are also integrated without consideration for potential cyber threats.

[0004] Low-interaction ICS HoneyPots have been deployed with limited success. For example, SCADA HoneyNet and CONPOT emulate very basic features of well-known industry PLCs. Both approaches are limited to network visible systems and do not permit direct interaction with a cyber attacker, such as a response to a connection request. The approaches also do not generate realistic input/output (I/O) data for an attacker for a significant amount of time to detect an attack.

[0005] Multiple challenges have prevented high-interaction ICS HoneyPots from being deployed to emulate PLCs. PLCs typically offer little space for the security instrumentation necessary to replicate the PLCs as ICS HoneyPots. The unpredictability of connected process variables (e.g., sensor information) is an additional barrier depending on the type and complexity of the production process. Because control systems are complex and heterogeneous by nature, the overall complexity and cost of designing and deploying a replicated ICS is prohibitive, and many past attempts to build ICS HoneyPots have failed due to the adoption of simplistic approaches that fail to incorporate the complexity of the ICS (e.g., the unique signatures of connected I/O, etc.).

Summary

[0006] The present embodiments relate to high interaction, non-intrusive ICS HoneyPots. By way of introduction, the present embodiments described below include apparatuses and methods for emulating an industrial control system (ICS) and making the emulated ICS available to a network susceptible to a cyber-attack. The ICS is emulated using the network topology, control logic and process data from the live ICS. The live ICS data is received via unidirectional communication, and the emulated ICS is deployed as a HoneyPot capable of interacting with a cyber-attack in the same manner as the live ICS. The HoneyPot includes a process historian for logging emulated process data to analyze the cyber-attack, and a plurality of HoneyPots may provide the logged data to a cloud server for cross-deployment and cross-customer analytics.

[0007] In a first aspect, a method is provided for deploying a high interaction HoneyPot for an industrial control system. The method includes receiving data indicative of a network topology for the industrial control system, control logic for the devices in the industrial control system and process data for the devices in the industrial control system by a server. The method also includes emulating the industrial control system based on the received data indicative of the network topology and the received control logic with a virtual machine on the server and deploying the HoneyPot for the industrial control system with the emulated industrial control system by the virtual machine and based on the received process data.

[0008] In a second aspect, a system is provided for deploying a high interaction HoneyPot for an industrial control system. The system includes a memory that is configured to store data indicative of a network topology of devices in the industrial control system, to store control logic for the devices in the industrial control system, to store process data for the devices in the industrial control system and to store, with an emulated process historian, security data for the HoneyPot. The system also includes a processor that is configured to emulate the industrial control system as a virtual machine based on the stored data indicative of the network topology and the stored control logic and to deploy the emulated industrial control system as the HoneyPot over a network based on the stored process data. The HoneyPot is configured to log security data in the process historian, and the processor is further configured to analyze the security data for the HoneyPot to identify protocol violations for the emulated industrial control system.

[0009] In a third aspect, a method is provided of monitoring a plurality of industrial control system HoneyPots. The method includes receiving data indicative of a plurality of industrial control systems and data indicative of the plurality of industrial control system HoneyPots by a cloud server from a plurality of local servers. Each industrial control system HoneyPot is configured to emulate one of the plurality of industrial control systems. The method also includes monitoring the plurality of industrial control system HoneyPots for security threats to the plurality of industrial control systems based on the data indicative of the plurality of industrial control systems and the data indicative of the plurality of industrial control system HoneyPots.

[0010] The present invention is defined by the following claims, and nothing in this section should be taken as a limitation on those claims. Further aspects and advantages of the invention are discussed below in conjunction with the preferred embodiments and may be later claimed independently or in combination.

Brief Description of the Drawings

[0011] The components and the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the embodiments. Moreover, in the figures, like reference numerals designate corresponding parts throughout the different views.

[0012] Figure 1 illustrates an example architecture of a highly-coupled control-security PLC with an embedded process historian.

[0013] Figures 2A-2B illustrate an example architecture for an ICS high interaction HoneyPot.

[0014] Figure 3 illustrates a virtual architecture using software-defined components and network elements for emulating ICS process zones using virtual machines.

[0015] Figure 4 illustrates a flowchart diagram of an embodiment of a method of deploying a high interaction HoneyPot for an industrial control system.

[0016] Figure 5 illustrates a flowchart diagram of an embodiment of a method of monitoring a plurality of industrial control system HoneyPots.

[0017] Figure 6 illustrates an embodiment of a system for deploying a high interaction HoneyPot for an industrial control system.

Detailed Description of Exemplary Embodiments

[0018] The present embodiments provide an automated process, an architecture and security applications (apps) for deploying an ICS specific HoneyPot emulating programmable logic controllers (PLCs) and other industrial control system (ICS) devices. The ICS HoneyPot deploys an emulated ICS on a network and appears to cyber attackers to be a legitimate, real-world ICS. The ICS HoneyPot offers an isolated and monitored computer-designed emulation to attract cyber attackers, to quickly detect the cyber-attacks and to analyze the cyber-attacks to determine the underlying attack methodologies. High-interaction functionality is provided by the ICS HoneyPot to allow a cyber attacker to navigate through the emulated ICS, to interact with the emulated ICS, and to activate and/or deactivate the main features of the ICS, as would be possible in the real-world ICS.

[0019] ICS devices, such as PLCs and human-machine interfaces (HMIs), typically lack the ability to detect and analyze cyber-attacks, including the ability to validate the origin of commands in the ICS. As such, typical ICS devices do not provide built-in, active sensor mechanisms for detecting threats. Some ICS devices offer only passive, static security features embedded into device firmware as a factory default. Next generation ICS devices, such as PLCs, smart sensors, industrial personal computers (IPCs), etc., provide for highly coupled security and control functionality that may be activated or deactivated after commissioning the devices. For example, security applications deployed on next generation ICS devices provide for system diagnostics using data analytics and machine learning techniques. A security anomaly detection application on a PLC or other field device may also include intrusion detection capabilities, based on process variables, sensor values, actuator values, etc. The security applications deployed on PLCs and other field devices provide an architecture and application for local, device specific protection (e.g., based on unsupervised machine learning). In alternative embodiments, any PLC or ICS device capable of running multiple applications - the ICS function and the honeypot - may be used.

[0020] The present embodiments take advantage of the security applications of next generation ICS devices to deploy an ICS HoneyPot. The ICS HoneyPot is a high-interaction, high fidelity HoneyPot that mimics a real ICS, including the devices, data communications, and process values. The ICS HoneyPot may be deployed as an optional, or ad-hoc deployment on a server, controller or other field device, and utilizes applications of the next generation field devices, device architectures and ICS infrastructures.

[0021] The present embodiments provide for deploying a high interaction realistic ICS HoneyPot that may improve the detection of advanced threats to critical infrastructure, protecting the real-world infrastructure from the advanced threats. The present embodiments may overcome limitations that have prevented the deployment of high interaction realistic ICS HoneyPots. For example, the high interaction realistic ICS HoneyPot may be deployed with an automatic setup to automatically construct and configure a virtual HoneyPot network based on scanning of the real-world ICS network. The high interaction realistic ICS HoneyPot may use realistic process control data, with a copy of the actual process automation control traffic securely exported from the real-world devices or with an obfuscated version of the actual process data, making it difficult for cyber attackers to distinguish between a real-world ICS and the emulated systems. The high interaction realistic ICS HoneyPot may also provide for realistic interaction with a cyber attacker. The emulated software stack and protocols of the virtual devices may be the same or similar to the real-world devices, including communications between the virtual devices. Alternatively, instead of emulating direct bi-directional communication between emulated devices, raw network packets sent between the real-world devices are collected and used to instruct the virtual switches to send similar packets through the virtual network between the virtual peers. The software stack of next generation field devices is leveraged by the virtualization strategies to allow for a high level of interaction while preserving low level security virtual instrumentation.

[0022] The high interaction realistic ICS HoneyPot may further provide for deep virtual instrumentation, with all performed events seamlessly and silently logged and with the generated data protected from malicious modification. This generated data may be exported and analyzed in a security analytics cloud or computer where the data is correlated with other external insights. For example, the high interaction realistic ICS HoneyPot may identify protocol violations caused by a cyber-attack. The ICS HoneyPot may use defined state tables to establish a baseline of normal network traffic and to identify deviations in protocols that are potentially malicious or out of the range of normal process operations. The high interaction realistic ICS HoneyPot may additionally provide for source validation. For example, mixed vendor PLCs and remote terminal devices (RTUs) could introduce inadvertent threats to the process environment through firmware compromised by a cyber-attack. The ICS HoneyPot may include logging capabilities to discover devices connected at the data link layer that are performing unauthorized scanning of the local environment or sending unauthorized device communications.
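The state-table approach of paragraph [0022], as an added example that is not part of the patent: a per-client session state table for the emulated controller, run over a constructed HoneyPot historian log. The session states, message type names, the "high-risk" set and the log format are assumptions made for this illustration; a deviation is any (state, message) pair the table does not define.

```python
"""State-table detection of ICS protocol violations recorded by the HoneyPot.

Added example (not from the patent). The session states, message types and
the log format are assumptions constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Session states of an emulated controller as seen from one client address.
NEW, CONNECTED, SETUP = "NEW", "CONNECTED", "SETUP"

# The defined state table: (current state, message type) -> next state.
# Any (state, message) pair missing from the table is a protocol deviation.
STATE_TABLE: Dict[Tuple[str, str], str] = {
    (NEW, "connect_request"): CONNECTED,
    (CONNECTED, "setup_communication"): SETUP,
    (SETUP, "read_var"): SETUP,
    (SETUP, "write_var"): SETUP,
    (SETUP, "disconnect"): NEW,
    (CONNECTED, "disconnect"): NEW,
}

# Operations outside normal process operation on a HoneyPot (control-logic or
# firmware changes, CPU stop): always reported, whatever the session state.
HIGH_RISK = {"download_block", "firmware_update", "plc_stop"}


@dataclass
class Violation:
    seq: int          # position of the offending entry in the log
    source: str       # client address that sent the message
    state: str        # session state at the time of the message
    msg_type: str
    reason: str


@dataclass
class SessionTracker:
    """Tracks one state per client address and reports deviations."""
    states: Dict[str, str] = field(default_factory=dict)
    violations: List[Violation] = field(default_factory=list)

    def observe(self, seq: int, source: str, msg_type: str) -> Optional[Violation]:
        state = self.states.get(source, NEW)
        violation = None
        if msg_type in HIGH_RISK:
            violation = Violation(seq, source, state, msg_type,
                                  "high-risk operation outside normal process operation")
        elif (state, msg_type) not in STATE_TABLE:
            violation = Violation(seq, source, state, msg_type,
                                  f"'{msg_type}' is not expected in state {state}")
        if violation is not None:
            self.violations.append(violation)
            return violation          # state is left unchanged on a deviation
        self.states[source] = STATE_TABLE[(state, msg_type)]
        return None


def parse_entry(line: str) -> Dict[str, str]:
    """Parse one 'key=value key=value' historian entry (constructed format)."""
    return dict(token.split("=", 1) for token in line.split())


def analyze_log(log: str) -> List[Violation]:
    """Run every entry of a HoneyPot historian log through the state table."""
    tracker = SessionTracker()
    for seq, line in enumerate(log.strip().splitlines(), start=1):
        entry = parse_entry(line)
        tracker.observe(seq, entry["src"], entry["msg"])
    return tracker.violations


# Constructed sample log: one normal session from 10.0.5.20 and one client
# that writes before any session setup and then attempts a block download.
SAMPLE_LOG = """
ts=2017-07-19T10:00:01 src=10.0.5.20 msg=connect_request
ts=2017-07-19T10:00:01 src=10.0.5.20 msg=setup_communication
ts=2017-07-19T10:00:02 src=10.0.5.20 msg=read_var
ts=2017-07-19T10:00:05 src=10.0.9.77 msg=write_var
ts=2017-07-19T10:00:06 src=10.0.9.77 msg=connect_request
ts=2017-07-19T10:00:06 src=10.0.9.77 msg=setup_communication
ts=2017-07-19T10:00:07 src=10.0.9.77 msg=download_block
ts=2017-07-19T10:00:09 src=10.0.5.20 msg=disconnect
"""

if __name__ == "__main__":
    for v in analyze_log(SAMPLE_LOG):
        print(f"#{v.seq} {v.source} [{v.state}] {v.msg_type}: {v.reason}")
```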

[0023] Figure 1 illustrates an example architecture of a next generation PLC with an embedded process historian. For example, figure 1 demonstrates a highly-coupled control-security PLC running a software stack with an example embodiment of an ICS HoneyPot (e.g., a cyber-security HoneyPot application). The next generation PLC has multiple cores. For example, the PLC includes two cores (e.g., Core #0 and Core #1). In this example, Core #0 runs the PLC firmware (e.g., Simatic S7 Firmware, etc.) and Core #1 runs Windows and/or Linux firmware. The PLC firmware and the Windows/Linux firmware each run as a virtual machine (e.g., VM0 and VM1, respectively). The PLC firmware includes a real-time database (RTDB) providing an embedded historian for collecting real-time PLC process data as a time series (e.g., a process image). The process data from the PLC includes process variables, inputs, outputs, memory variables, commands from human-machine interfaces (HMIs), commands from a Manufacturing Execution System (MES), etc. The Windows/Linux firmware includes another real-time database (RTDB) that exchanges data with the RTDB for the PLC firmware. The Windows/Linux firmware includes a "Processing" function block for performing primary data processing, such as reading, writing, filtering, and smoothing primary data in the real-time database. The Windows/Linux firmware also includes a "Context" function block for translating process data into production knowledge, such as translating PLC measurements (e.g., input images IW14, IW16, IW18, etc.) into process information (e.g., temperature values, etc.).

[0024] The Windows/Linux firmware includes security applications executed by the Windows/Linux virtual machine VM1. For example, figure 1 depicts multiple applications App1 and App2 hosted by an "App Container" of the Windows/Linux virtual machine. For example, App1 is a HoneyPot security application for cyber-attack detection and App2 is a machine prognostic analysis application. App1 and App2 operate using collected data in the real-time database (RTDB). In an embodiment, the PLC provides an interactive ICS HoneyPot using App1, and provides for analysis of a cyber-attack on the HoneyPot using App2. In an alternative embodiment, App1 and App2 facilitate an interactive ICS HoneyPot executed by a different device by providing PLC data to the other device for emulating the PLC. The HoneyPot security application App1 and the machine prognostic analysis application App2 are easily deployable, removable and updatable on the PLC (e.g., like other Windows/Linux applications). Other security applications may be provided in the App Container, such as a PLC security monitoring application and a PLC security forensics application. The App Container is also fully instrumented to allow in-depth insights into cyber-attack methodologies.

[0025] Other ICS devices may use the same arrangement of applications. The software stack depicted in figure 1 enables instrumenting all or some PLCs and other field devices of an ICS to provide data for emulating the complete ICS control network of field devices. For example, because each or most field devices (e.g., smart field devices, industrial PCs, PLCs, remote terminal units (RTUs), etc.) of the production cells of the ICS are deployed with the software stack, or are connected to a device with the next generation software stack (e.g., legacy devices, etc.), data for each device is used to deploy the ICS HoneyPot. Each field device with a HoneyPot application, or a server in communication with the field devices, may be enabled to emulate the entire ICS as a high interaction HoneyPot. As such, each production zone with a device executing the HoneyPot application may deploy a high interaction HoneyPot for the entire ICS.

[0026] Figures 2A-2B illustrate an example architecture for an ICS high interaction HoneyPot. For example, the architecture may include a deployed ICS, a security analytics private server and an analytical server. The deployed ICS communicates with the security analytics private server over a local corporate IT network (e.g., an intranet). The deployed ICS and/or the security analytics private server communicates with the analytical server over an outwardly facing network (e.g., the Internet). For example, the cloud server can receive network images generated by customers of each real-world device to create "templates" of realistic honeypots to be provided or sold to other customers. A fleet-level honeypot may be included, creating an enterprise with the fleet-level honeypot template. Fleet level analysis may also be provided to compare expected behavior across different virtual machines (e.g., a virtual Siemens PLC honeypot controlling a given process in a plant A for a customer should not behave drastically differently from a second PLC controlling a similar process in a plant B).

[0027] The ICS high interaction HoneyPot (ICS-HH) is deployed in the ICS as a sandboxed network segment. For example, the ICS-HH includes a sandboxed network segment securely connected to the plant demilitarized zone (DMZ) firewall (e.g. by the firewall and/or a unidirectional communication gateway). The sandboxed network is deployed to be reachable by cyber attackers, but without direct connections to reach ICS networks that ICS-HH emulates. Referring to figures 2A-2B, Zone E includes the ICS HoneyPot Secure Zone (Sandbox) and Zone D (e.g., DMZ servers). The ICS HoneyPot Secure Zone and Zone D are connected to a DMZ firewall. The DMZ firewall communicates with the local corporate IT network.

[0028] The ICS HoneyPot Secure Zone deploys the ICS-HH, which includes storage, provisioning management and physical servers for emulating ICS zones based on process information received from the Plant Zone (e.g., process / production data (I/O) received via unidirectional communication). The Plant Zone includes multiple production zones, such as an Air-gapped zone, a Legacy Zone A and a Zone B. Other, fewer, or different production zones may be included. Each zone is provided with a field device for providing data to the ICS-HH for emulating the devices of the ICS. For example, for an Air-gapped zone (e.g., a zone with no native communication interfaces to devices outside the zone), a field device, such as a Nano box industrial personal computer (IPC) agent, is provided for gathering and communicating process data from the Air-gapped zone to the ICS-HH. For the Legacy Zone A, a field device, such as an IPC, is provided to receive process data from legacy PLCs and other devices, and to communicate the process data to the ICS-HH via the ICS control network. Zone B includes next generation PLCs, smart sensors and other field devices (e.g., with the software stack depicted in figure 1). Each next generation device communicates process information to the ICS-HH via the ICS control network.

[0029] In an embodiment, the ICS-HH is configured and deployed in three phases: a learning phase; an operation phase; and an analysis phase. Additional and different phases and/or sub-phases may be provided.

[0030] In the learning phase, network topology information, control logic and process data are collected for emulating the ICS. For example, a Provisioning Management Server (e.g., depicted in the ICS HoneyPot Secure Zone illustrated in figure 2A) is provided. The Provisioning Management Server actively probes the connected ICS control networks to virtually replicate (e.g., emulate) the devices and components of the ICS control system (e.g., PLCs, IPCs, sensors, valves, actuators, other smart field devices, etc.). The ICS devices and components are virtually instantiated within the ICS HoneyPot Secure Zone as virtualized components (e.g., software device emulations running on the Physical Servers / ICS Zones Emulations illustrated in figure 2A). Communication between the Provisioning Management Server and the real-world devices and components of the ICS control system instances is facilitated through deploying of an ICS-HH application on each capable field device.

[0031] By actively probing the devices on the connected ICS control networks, a network topology is determined (e.g., including connections between devices, etc.). Using the network topology, each virtually replicated component in the ICS Zones Emulations initiates communications with peer devices, virtual communicating nodes of the ICS control network (e.g., TCP/UDP communication sockets/channels, etc.), emulating real-world ICS communications. Network traffic is profiled to emulate similar communications to the real-world ICS (e.g., in terms of throughput, volume, shape, direction, etc.). For example, the real-world network is instrumented to collect raw packets or metadata (e.g., via a software agent, via port mirroring on a network switch, or via a network tap device/box). Network tap devices/boxes may be installed across the plant to collect and communicate data for the HoneyPot network. For next generation devices, a software agent is embedded on the device firmware or in the app container to collect and communicate data. For the network traffic direction, the HoneyPot may remotely connect to switches and read the MAC tables. Profiling network traffic allows for simulated traffic and/or real-world collected process data to pass through emulated communication channels in the same manner as the real-world ICS. The profiled network traffic is also used as a communications baseline for detecting security anomalies with behavioral detection algorithms (e.g., detecting communications, commands, etc. that are generated during a cyber-attack).
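The baselining described in [0031] can be illustrated with a small worked example. The following Python is an added example, not code from the application or from Siemens: it profiles directed channels (source, destination, service port, protocol) from constructed flow metadata, as a tap or port mirror would supply during the learning phase, and then flags operation-phase flows that are unknown, run in the reverse direction, or carry far more bytes than the baseline. The hosts, ports and byte counts are constructed; the single-threshold volume rule is a simplification of the behavioral detection the text leaves open.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One observed request on the control network (client -> server on a service port)."""
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed flow metadata, standing in for what a tap, port mirror or device agent
# would yield during the learning phase. Port 102/tcp is the S7 service port.
LEARNING_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 1200),    # HMI -> PLC
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 1150),
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 1250),
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 1180),
    Flow("10.0.1.20", "10.0.1.30", 34964, "udp", 300),   # PLC -> smart sensor
    Flow("10.0.1.20", "10.0.1.30", 34964, "udp", 300),
    Flow("10.0.1.20", "10.0.1.30", 34964, "udp", 310),
    Flow("10.0.1.5", "10.0.1.20", 102, "tcp", 2000),     # engineering workstation -> PLC
]

# Constructed traffic seen once the HoneyPot is exposed.
OPERATION_FLOWS = [
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 1210),    # normal HMI polling
    Flow("10.0.9.99", "10.0.1.20", 102, "tcp", 900),     # host never seen talking to the PLC
    Flow("10.0.1.20", "10.0.1.10", 102, "tcp", 800),     # PLC now initiating towards the HMI
    Flow("10.0.1.10", "10.0.1.20", 102, "tcp", 40000),   # far more bytes than HMI polling ever moved
    Flow("10.0.1.20", "10.0.1.30", 34964, "udp", 305),   # normal PLC -> sensor cycle
]


def build_baseline(flows):
    """Profile each directed channel (src, dst, dport, proto): sample count and byte statistics."""
    samples = defaultdict(list)
    for f in flows:
        samples[(f.src, f.dst, f.dport, f.proto)].append(f.nbytes)
    return {
        key: {"count": len(sizes), "mean": mean(sizes), "stdev": pstdev(sizes)}
        for key, sizes in samples.items()
    }


def detect_anomalies(baseline, flows, sigma=3.0, min_margin=64):
    """Flag flows that deviate from the baseline: an unknown channel, a known channel used in
    the reverse direction, or a known channel carrying far more bytes than it did while learning.
    Returns (kind, flow) pairs in observation order."""
    findings = []
    for f in flows:
        key = (f.src, f.dst, f.dport, f.proto)
        reverse = (f.dst, f.src, f.dport, f.proto)
        if key not in baseline:
            kind = "reversed-direction" if reverse in baseline else "unknown-channel"
            findings.append((kind, f))
            continue
        stats = baseline[key]
        # A floor on the margin keeps single-sample channels (stdev 0) from alarming on jitter.
        limit = stats["mean"] + max(sigma * stats["stdev"], min_margin)
        if f.nbytes > limit:
            findings.append(("volume", f))
    return findings


if __name__ == "__main__":
    for kind, flow in detect_anomalies(build_baseline(LEARNING_FLOWS), OPERATION_FLOWS):
        print(f"{kind:18} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} {flow.nbytes} bytes")
```

Because the baseline is learned from the real-world network rather than configured by hand, a new talker on the S7 port or a PLC that suddenly initiates connections stands out without any knowledge of the attacker's tooling; the same baseline also drives the shape and direction of the traffic the emulated devices generate among themselves.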

[0032] In addition to learning the network topology for the ICS, the control logic and device configurations of the real-world ICS devices are learned for emulating the ICS processes. The Provisioning Management Server probes the connected ICS control networks to emulate the process setup. For example, the live/running control logic and device configuration of PLCs and other smart field devices is determined. Using the live/running control logic and device configuration provides for virtually replicating the functionalities of each virtually replicated field device. The running firmware version is downloaded from each real ICS device and loaded into the corresponding virtually replicated component. Virtually replicating the control logic and device configurations allows for detecting malicious firmware and control logic upload/change operations during a cyber-attack.

[0033] Using the network topology, control logic and device configurations for the real-world ICS devices, the ICS is emulated in the ICS HoneyPot Secure Zone by the ICS Zones Emulation (as illustrated in figure 2A). In emulating the real-world devices, the real-world automation application is replaced by a modified automation application that is insensitive to the monitored process variable status (e.g., no appropriate error or exception processing is provided). Notwithstanding, the modified automation application may emulate ICS communications using real-world process data as if the I/O bus were actually connected. Data is transparently pulled from the embedded process historian using a data interception mechanism that makes it difficult for hackers to distinguish between a real-world connected sensor and data coming from a virtually replicated sensor. For example, the data interception mechanism may collect data using deep packet inspection engines (e.g., protocol dissectors) that understand which fields of a given network packet (e.g., S7COMM) correspond to process data. Accordingly, data may be collected by reading packets from the network using taps or port mirroring. Alternatively or additionally, data may be collected by actively connecting to the PLC and reading PII/PIQ, by connecting to PLCs via OPC, and/or by reading directly from the process historian.

[0034] In emulating the real-world devices, the ICS HoneyPot also includes security sensors. The emulated software stack of the emulated devices allows for logging of all actions performed during a cyber-attack on the ICS HoneyPot. For example, the security sensors log firmware uploads and downloads, control logic changes, memory block overwrite actions, device reboots and resets, system configuration changes, network communications, etc. Additional and different actions may be logged. Logging the cyber-attack actions prevents an attacker from recognizing that the emulated devices and associated applications are running on an ICS HoneyPot, rather than in a real-life ICS network. All security events are logged locally within the embedded process historian of the emulated devices, avoiding the need for additional outgoing data streams and/or network connections that may be received or perceived by cyber attackers. Simulated process historian and other log erasing functions are made available with the emulated devices to prevent an attacker from cleaning the security sensor data. Alternatively, data is streamed directly to an emulated enterprise process historian for logging the security sensor data.

[0035] In the operation phase, the ICS HoneyPot is made available to potential cyber-attacks (e.g., via an outwardly facing network, a DMZ network, a local IT network, etc.). For example, the emulated devices of the ICS HoneyPot emulate a process performed by the ICS, interacting with a cyber-attack as would the real-world ICS. In an embodiment, the ICS HoneyPot emulates the process using real process/production data, simulated process/production data, or obfuscated process/production data. Modes of operation of the ICS HoneyPot are provided based on the type of data used for operating the ICS HoneyPot. Additional and different modes of operation may be provided, such as using a combination of real, simulated and/or obfuscated process/production data.
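The security-sensor logging and the simulated log-erasing functions of [0034] can be sketched in code. The following Python is an added example, not code from the application: an emulated device keeps a visible event log that answers the device's ordinary query and clear operations, and a hidden, hash-chained security historian that records every sensor event, including the clear itself. The class and method names, the event vocabulary and the session in `demo_session` are constructed for this illustration; the hash chain is an added tamper-evidence measure the text does not specify.

```python
import hashlib
import json


class EmulatedDeviceHistorian:
    """Historian of an emulated device with two stores: a visible event log that responds to
    the device's normal query and clear operations, and a hidden, hash-chained security log
    that records every action, including attempts to clear the visible log."""

    GENESIS = "0" * 64

    def __init__(self):
        self._visible = []
        self._hidden = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(entry):
        # Hash everything except the entry's own hash field; 'prev' links it to its predecessor.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _record_hidden(self, event, **fields):
        entry = {"seq": len(self._hidden), "event": event, "prev": self._prev_hash, **fields}
        entry["hash"] = self._digest(entry)
        self._hidden.append(entry)
        self._prev_hash = entry["hash"]

    def log_action(self, event, **fields):
        """Security sensor hook: the event lands in both the visible and the hidden store."""
        self._visible.append({"event": event, **fields})
        self._record_hidden(event, **fields)

    def clear_log(self, actor):
        """Simulated log-erasing function: empties the visible log as the real device would,
        while the hidden historian keeps the erased events and records the clear itself."""
        erased = len(self._visible)
        self._visible.clear()
        self._record_hidden("log_clear", actor=actor, erased=erased)
        return erased

    def visible_events(self):
        return [e["event"] for e in self._visible]

    def hidden_events(self):
        return [e["event"] for e in self._hidden]

    def verify_chain(self):
        """Analysis-phase check that no hidden entry was altered or removed in place."""
        prev = self.GENESIS
        for entry in self._hidden:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def demo_session():
    """Constructed interaction with one emulated PLC: two sensor events, a log clear, a reset."""
    hist = EmulatedDeviceHistorian()
    hist.log_action("firmware_download", source="10.0.9.99", image_sha256="<constructed>")
    hist.log_action("control_logic_change", block="OB1", source="10.0.9.99")
    hist.clear_log(actor="10.0.9.99")
    hist.log_action("device_reset", source="10.0.9.99")
    return hist


if __name__ == "__main__":
    h = demo_session()
    print("visible:", h.visible_events())
    print("hidden: ", h.hidden_events(), "chain ok:", h.verify_chain())
```

Keeping the hidden store inside the emulated device, rather than streaming it out, matches the point made in the text: there is no extra outbound connection for an attacker to notice, and the analysis phase collects the chained log later through the emulated Enterprise Process Historian.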

[0036] In each mode of operation, different device and/or process scenarios may be emulated. For example, device and operating scenarios may include a normal operating state, a device failure state, a device infection/malware state, etc. The device and/or process scenarios are created by a process expert to provide realistic reactions of the ICS HoneyPot to malicious process manipulations during a cyber-attack. The realistic reactions of the ICS HoneyPot may include triggered alarm cascades, activation of safety systems, process system shutdown, etc. Other process scenarios may be provided, such as catastrophic or modified process scenarios based on actions taken during the cyber-attack.

[0037] In the real data mode of operation, real process/production data is collected and received directly from the embedded process historian databases from each real-world device. The real process/production data is then used to emulate the exact process conditions running on the real-world ICS. For example, process data is pulled from each next generation field device into a temporary storage within the ICS HoneyPot for distribution to embedded process historians of the emulated devices. Using this mode of operation, the emulated HoneyPot network emulates the real-world process, such as with a configurable time delay (e.g., 1 minute of delay from the real-world system). The real data mode of operation may have a disadvantage in that using real process data may be a security threat (e.g., proprietary process recipes that could leak during a cyber-attack on the HoneyPot). An advantage of using real process data is providing a high level of fidelity between the HoneyPot and the real-world ICS.

[0038] In the obfuscated data mode of operation, obfuscated (e.g., transformed) process/production data is used in emulating the real-world ICS. For example, one or more irreversible mathematical transformations or functions are applied to the real process/production data from the real-world ICS (e.g., applying squaring that includes a loss of data, or other more complex calculations including hashing derived functions). The transformations or functions are applied to data imported from the embedded historian databases from each real-world device. In an embodiment, the data transformations or functions are applied directly by the ICS-HH applications deployed on the real-world devices before exporting the process data to the HoneyPot.

[0039] In the simulated data mode of operation, simulated or artificially created (e.g., fake) process/production data is used in emulating the real-world ICS. For example, pre-recorded streams of process/production data are loaded within each emulated device and replayed while emulating the real-world ICS during the operation phase. The simulated data mode does not expose any real-world process/production data to a cyber-attack. The simulated data mode may prevent more advanced interaction scenarios during emulation (e.g., interaction with knowledgeable cyber attackers who are able to understand the process setup).
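One concrete shape for the obfuscated data mode of [0038] is shown below. This Python is an added example, not code from the application: it applies a keyed, hashing-derived affine map to each process tag and then quantises the result, so the exported series keeps the rise-and-fall shape the emulated process needs while the exact engineering values cannot be recovered, even with the key, because the quantisation step discards information. The key, the tag names and the five-sample series are constructed; the choice of an HMAC-derived affine map plus quantisation is one possible instance of the "hashing derived functions" the text mentions, not the application's own transform.

```python
import hashlib
import hmac
import math

# Constructed key held on the real-world side (e.g. by the ICS-HH application on the device);
# the HoneyPot never receives it.
EXPORT_KEY = b"constructed-export-key-not-for-production"

# Constructed five-sample trend for one process tag, in engineering units.
REAL_SERIES = [71.2, 71.4, 71.4, 72.9, 70.1]


def tag_parameters(key, tag):
    """Derive a per-tag positive scale and an offset from HMAC(key, tag), so that each
    tag gets its own affine map and the same real value maps differently on different tags."""
    digest = hmac.new(key, tag.encode(), hashlib.sha256).digest()
    scale = 0.5 + int.from_bytes(digest[:4], "big") / 2**32 * 1.5   # in [0.5, 2.0)
    offset = int.from_bytes(digest[4:8], "big") / 2**32 * 100.0      # in [0.0, 100.0)
    return scale, offset


def obfuscate(values, tag, key, step=0.5):
    """Keyed affine map followed by quantisation to `step`. The affine map keeps the shape of
    the trend; the quantisation discards information, so even the key holder cannot recover
    the exact engineering values (the irreversible, lossy part of the transform)."""
    scale, offset = tag_parameters(key, tag)
    return [round(math.floor((v * scale + offset) / step) * step, 6) for v in values]


def trend_preserved(real, obfuscated):
    """True when no rise or fall in the real series is inverted in the obfuscated series
    (a small rise may flatten under quantisation, but it never turns into a fall)."""
    for (r0, r1), (o0, o1) in zip(zip(real, real[1:]), zip(obfuscated, obfuscated[1:])):
        if r1 > r0 and o1 < o0:
            return False
        if r1 < r0 and o1 > o0:
            return False
    return True


if __name__ == "__main__":
    exported = obfuscate(REAL_SERIES, "reactor_temp", EXPORT_KEY)
    print("real:     ", REAL_SERIES)
    print("exported: ", exported, "trend preserved:", trend_preserved(REAL_SERIES, exported))
```

Because the map is monotone per tag, alarm limits and setpoints that the emulated control logic needs can be pushed through the same function on the real-world side, so the HoneyPot's process reactions stay consistent with the data it displays without the recipe values ever leaving the plant.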

[0040] In the analysis phase, security data logs collected and stored within the emulated process historians are actively retrieved using an emulated Enterprise Process Historian that collects all embedded process history data and security logs for each emulated device. For example, the collected data and security logs are uploaded to a local security analytics server (e.g., locally hosted cloud on the plant premises, etc.) or a remote security analytics server (e.g., a Siemens security analytics cloud, a remotely hosted cloud, etc.). The security analytics servers correlate and enrich the collected data with threat intelligence data to analyze a cyber-attack on the ICS HoneyPot.

[0041] Figure 3 illustrates a virtual architecture using software defined components and network elements for emulating ICS process zones using virtual machines. The process zones are emulated on Physical Servers as the ICS Zones Emulation. As illustrated in figure 3, the ICS Zones Emulation includes an ICS-HH Hypervisor, emulated devices with emulated software stacks, and a virtual switch. Other components of the ICS are also emulated, such as a field bus, engineering workstations, process control workstations, etc.

[0042] The ICS-HH Hypervisor is a virtualization platform hypervisor (e.g., VMWare ESX/NSX, etc.) for deploying a unified virtual computing system. For example, the ICS-HH Hypervisor deploys virtual machines and virtual switches for emulating the ICS-HH virtual zone and HoneyPot. The ICS-HH Hypervisor is executed on a physical server or a physical server cluster. The virtual machines of the ICS-HH Hypervisor emulate the PLCs and other field devices of the ICS. For example, the PLCs and other field devices are automatically instantiated by the virtual machines to mimic the mapped devices in the real-world ICS control system network.

[0043] Figure 3 illustrates an emulated HMI, an emulated PLC, an emulated smart sensor and an emulated switch (e.g., virtual switch). Additional HMIs, PLCs, sensors, field devices and other components of the real-world ICS control system network are also emulated. Further, each emulated device includes a software stack, if applicable to the device. For example, the emulated HMI, emulated PLC, and emulated smart sensor illustrated in figure 3 each include an app container for security applications, which is emulated to be similar to the software stack running on the real-world devices. In an embodiment, the emulated software stack is modified to include additional security instrumentation functions facilitating the HoneyPot and an additional, hidden security process historian for logging interactions and events of a cyber-attack.

[0044] Figure 3 also illustrates a virtual switch. The virtual switch includes virtual network interface cards (vNICS), virtual switch ports, virtual LANs (VLANs), field buses and other virtual connections. The virtual connections are emulated based on the mapping of the real-world ICS network connections (e.g., automatically instantiated).

[0045] The example illustrated in figure 3 may be extended to include field devices in a mixed environment of next-generation automation devices and legacy automation devices that lack next-generation software capabilities (e.g., lacking an embedded historian, high fidelity process data to capture, deployable automation applications and the software stack, etc.). For example, deploying an intermediate device with the software stack connected to the legacy devices allows the intermediate device to capture process/production data for the legacy device. The intermediate device may be an industrial personal computer (IPC), a neighboring PLC or smart sensor, etc. The intermediate device allows for seamless communication of the Provisioning Management Server with the real-world ICS devices, such as during the learning phase. In an example, baselining and profiling requests are translated into secure network scanning and/or probing of the real-world devices via the intermediate device.

[0046] Figure 4 illustrates a flowchart diagram of an embodiment of a method of deploying a high interaction HoneyPot for an industrial control system. The method is implemented by the system of Figure 6 (discussed below) and/or a different system. Additional, different or fewer acts may be provided. For example, the acts 401 and 409 may be omitted. The method is provided in the order shown. Other orders may be provided and/or acts may be repeated. For example, acts 405, 407 and 409 may be repeated to analyze a plurality of different cyber-attacks. In another example, acts 401-409 may be repeated for a different ICS, and performed concurrently as parallel acts to analyze the different ICS systems.

[0047] At act 401, ICS data is received. For example, the ICS data includes data indicative of a network topology for the ICS, control logic for the devices in the ICS and process data for the devices in the ICS. Additional or different ICS data may be received. In various embodiments, the received process data includes real process data for the ICS, modified real process data for the ICS (e.g., enriched data), or artificially generated process data. The ICS data is received by a server from devices in the ICS. The devices include a combination of programmable logic controllers (PLCs), industrial personal computers (IPCs), human-machine interfaces (HMIs), sensors and network switches.

[0048] At act 403, the ICS is emulated based on the received data indicative of the network topology and the received control logic. For example, each field device is emulated using a virtual machine on the server. Virtual connections between the field devices are emulated, and the control logic received for each device is used to emulate the functionality of that device. The emulated ICS provides a virtual replica of the real-world ICS, including communications, process functions, etc.

[0049] At act 405, the ICS HoneyPot is deployed. For example, a HoneyPot for the ICS is deployed by the virtual machine using the emulated ICS and using the received process data. The ICS HoneyPot is deployed in a manner to be made available to a cyber-attack, such as exposing the HoneyPot to an untrusted network or to a network with less security than the real-world ICS. The HoneyPot is connected to an intranet (e.g., a local IT network), a demilitarized zone (DMZ) network switch, or to an external network (e.g., the Internet). The deployed ICS HoneyPot is thus vulnerable to a cyber-attack.

[0050] At act 407, security data for the ICS HoneyPot is stored. The deployed ICS HoneyPot is monitored for potential threats and cyber-attacks. Security data related to the threats and cyber-attacks is stored with a process historian on the server. For example, each emulated device in the ICS HoneyPot may include a process historian to log device activities and security events.

[0051] At act 409, the security data is analyzed. For example, the stored security data is evaluated to determine security threats to the ICS and to identify the methods used in the logged cyber-attacks. Further, the security data is analyzed to determine control system protocol violations, such as when a cyber-attack rewrites device firmware, control logic, etc. The security data may be compared across the fleet (e.g., different customer deployments), with a defined template, or with other local machines. Fleet level analysis may enhance external insights, such as for generating a vulnerability database and threat intelligence data. The analysis may be performed on an ongoing basis or in batches at any frequency.

[0052] Figure 5 illustrates a flowchart diagram of an embodiment of a method of monitoring a plurality of industrial control system HoneyPots. The method is implemented by the system of Figure 6 (discussed below) and/or a different system. Additional, different or fewer acts may be provided. For example, act 501 may be omitted. The method is provided in the order shown. Other orders may be provided and/or acts may be repeated. For example, acts 501-505 may be repeated as additional HoneyPots are monitored.

[0053] At act 501, data indicative of a plurality of industrial control systems is received. For example, the data is received by a cloud server from a plurality of local servers. The received data is captured by the local servers from applications running on devices of the plurality of industrial control systems. The applications running on each device of the plurality of industrial control systems include an embedded process historian for storing process/production data for the device. The data indicative of the plurality of industrial control systems may be used as a baseline for each ICS, such as for comparing the baseline configuration of the devices to configurations modified by a cyber-attack.

[0054] At act 503, data indicative of a plurality of ICS HoneyPots is received. In this example, the data is also received by a cloud server from a plurality of local servers. For example, each local server deploys an ICS HoneyPot to emulate an ICS, and data captured by each ICS HoneyPot is provided to the cloud server. The ICS HoneyPot data received from the local servers includes data captured by a HoneyPot process historian for each ICS HoneyPot and/or by a process historian for each emulated device in each ICS HoneyPot.

[0055] At act 505, the plurality of ICS HoneyPots are monitored for security threats to the plurality of industrial control systems. The monitoring is based on the data indicative of the plurality of industrial control systems and the data indicative of the plurality of ICS HoneyPots. For example, the monitoring compares the data to detect cyber-attacks, to identify protocol changes in the HoneyPots, and to identify cyber-attack techniques on the HoneyPots. The monitoring by the cloud server also aggregates data for providing cross-deployment and cross-customer analytics. For example, trends and techniques utilized in cyber-attacks on multiple emulated ICS deployments may be identified and leveraged to enhance security in the real-world ICS deployments.
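The comparison of baseline configurations against HoneyPot-captured state, introduced for firmware and control logic in [0032] and [0051] and carried out fleet-wide in acts 501 to 505, can be made concrete. The following Python is an added example, not code from the application or from any cloud service named in it: baseline records per deployment and device (act 501) and HoneyPot snapshots with the actions logged by the security sensors (act 503) are constructed inline as hashed stand-in images; `detect_violations` reports firmware or control logic that no longer matches the real device, and `cross_deployment_techniques` reports actions seen in more than one deployment (act 505). Deployment names, device names, image bytes and event labels are all constructed.

```python
import hashlib
from collections import defaultdict


def fingerprint(image: bytes) -> str:
    """SHA-256 over a firmware or control-logic image, the value a local server would keep."""
    return hashlib.sha256(image).hexdigest()


# Constructed baselines (act 501): what the local servers captured from the real devices'
# embedded applications. The byte strings stand in for real firmware and logic images.
BASELINES = {
    "plant-A": {
        "PLC-1": {"firmware": fingerprint(b"fw-4.2.1"), "logic": fingerprint(b"OB1-rev7")},
        "PLC-2": {"firmware": fingerprint(b"fw-4.2.1"), "logic": fingerprint(b"OB1-rev3")},
    },
    "plant-B": {
        "PLC-1": {"firmware": fingerprint(b"fw-3.9.0"), "logic": fingerprint(b"OB1-rev12")},
    },
}

# Constructed HoneyPot snapshots (act 503): hashes of the images currently on each emulated
# device plus the actions its security sensors logged since deployment.
HONEYPOT_SNAPSHOTS = {
    "plant-A": {
        "PLC-1": {"firmware": fingerprint(b"fw-4.2.1"), "logic": fingerprint(b"OB1-rev7-tampered"),
                  "events": ["logic_upload", "device_reset"]},
        "PLC-2": {"firmware": fingerprint(b"fw-4.2.1"), "logic": fingerprint(b"OB1-rev3"),
                  "events": []},
    },
    "plant-B": {
        "PLC-1": {"firmware": fingerprint(b"fw-unsigned"), "logic": fingerprint(b"OB1-rev12"),
                  "events": ["firmware_download", "device_reset"]},
    },
}


def detect_violations(baselines, snapshots):
    """Compare each emulated device against its real-world baseline. Returns
    (deployment, device, finding) triples; a device with no baseline is itself a finding."""
    findings = []
    for deployment, devices in snapshots.items():
        for device, snap in devices.items():
            base = baselines.get(deployment, {}).get(device)
            if base is None:
                findings.append((deployment, device, "unknown-device"))
                continue
            for field in ("firmware", "logic"):
                if snap[field] != base[field]:
                    findings.append((deployment, device, f"{field}-changed"))
    return findings


def cross_deployment_techniques(snapshots, min_deployments=2):
    """Aggregate logged actions across deployments and keep those seen in at least
    `min_deployments` of them: the cross-customer view the cloud server provides."""
    seen_in = defaultdict(set)
    for deployment, devices in snapshots.items():
        for snap in devices.values():
            for event in snap["events"]:
                seen_in[event].add(deployment)
    return {event: sorted(deps) for event, deps in seen_in.items() if len(deps) >= min_deployments}


if __name__ == "__main__":
    for finding in detect_violations(BASELINES, HONEYPOT_SNAPSHOTS):
        print("violation:", finding)
    print("cross-deployment:", cross_deployment_techniques(HONEYPOT_SNAPSHOTS))
```

Hash comparison against the real device's image is what turns a logged "firmware download" into a protocol violation with evidence: the sensors say an upload happened, and the mismatch says the emulated device is now running something the plant never installed.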

[0056] Deploying and monitoring a plurality of ICS HoneyPots improves the ability of ICS deployments and ICS devices to detect and prevent cyber-attacks. For example, each ICS HoneyPot detects cyber-attacks and determines the methods used by cyber attackers. Each HoneyPot improves upon previous computer-implemented HoneyPots by emulating the entire ICS and deploying a HoneyPot capable of actively interacting with a cyber attacker. Monitoring a plurality of ICS HoneyPots also allows for a server based platform to leverage data acquired by each of the HoneyPots to learn cross-deployment and cross-client trends and prevention methods relevant to each ICS.

[0057] Figure 6 illustrates an embodiment of a system for deploying a high interaction HoneyPot for an industrial control system. For example, system 600 includes a cloud server 605, a local server 607 and field devices 611, 613, 615, 617, 621 networked via a network 603. Additional, different, or fewer components may be provided. For example, additional networks 603, cloud servers 605, local servers 607 and/or field devices 611, 613, 615, 617, 621 are used. In another example, the cloud server 605 and the local server 607 are directly connected, implemented on a single computing device, or provided as a web portal application.

[0058] The cloud server 605 and/or local server 607 is a computer platform having hardware such as one or more central processing units (CPU), a system memory, a random access memory (RAM) and input/output (I/O) interface(s). Additional, different or fewer components may be provided. In an embodiment, the cloud server 605 includes a memory 605A and a processor 605B, and the local server 607 includes a memory 607A, a processor 607B and a display 607C. For example, the memory 605A and/or 607A are configured to store data indicative of a network topology of devices in the ICS, control logic for the devices in the ICS, and process data for the devices in the ICS. In this example, the processor 605B and/or 607B are configured to emulate the ICS as a virtual machine based on the stored data indicative of the network topology and the stored control logic. The processor 605B and/or 607B deploy the emulated ICS over a network as a HoneyPot based on the stored process data. The HoneyPot is configured to log security data in the process historian, and the memory 605A and/or 607A are configured to store the logged security data for the HoneyPot. The processor 605B and/or 607B analyze the security data for the HoneyPot, such as to detect cyber-attacks and to identify protocol violations for the emulated ICS. Further, the cloud server 605 (e.g., a remote server) is configured to store (e.g., with memory 605A) data indicative of a plurality of deployed HoneyPots for different real-world ICS deployments. Each deployed HoneyPot includes an emulated ICS, and the cloud server 605 is configured to analyze the data indicative of the plurality of deployed HoneyPots to identify security threats and tactics for the plurality of industrial control systems. The display 607C is configured to display the identified protocol violations for the emulated industrial control system.

[0059] Network(s) 603 is a wired or wireless network, or a combination thereof. Network 603 is configured as a local area network (LAN), wide area network (WAN), intranet, Internet or other now known or later developed network configurations. For example, network 603 may be an overlay monitoring network connected with network taps and data-diodes (e.g., providing an invisible, non-intrusive network). Any network or combination of networks for communicating between the workstation 607, server 605, the field devices 611, 613, 615, 617, 621 and other components may be used. For example, multiple networks may be provided, such as one or more local plant networks (e.g., intranets) and one or more outward facing networks (e.g., the Internet). Other networks and combinations of networks may be provided.

[0060] Various improvements described herein may be used together or separately. Although illustrative embodiments of the present invention have been described herein with reference to the accompanying drawings, it is to be understood that the invention is not limited to those precise embodiments, and that various other changes and modifications may be effected therein by one skilled in the art without departing from the scope or spirit of the invention.