Emulation of industrial Fieldbus modules for Virtual Commissioning

García Concejero, Yeray, Salazar del Río, Miguel Antonio

January 2019

The evolution of the industry, known as industry 4.0, has introduced new technologies such as Virtual Commissioning and Industrial Internet of things. Nowadays, virtual models of automated systems are being created in order to be tested while being built in real life, what includes PLC programs, robots, etc. In order to provide a real behaviour emulation, these virtual models should be as similar to reality as possible. Currently, the components communication in a real system is done through Internet with the use of fieldbuses I/O modules. Right now, these modules are not integrated in the virtual model, as the PLC program returns an error due to the hardware not being found. This implies that the PLC project must be modified, and a workaround must be done in order to connect the I/O cards components of the modules. Furthermore, it means that two PLC projects need to be maintained at the same time, one for the real system and another for the virtual system. In this thesis, a research was done to prove if fieldbuses modules could be emulated, helping to improve Virtual Commissioning. The final goal is to allow a PLC project created for a real system to be run again the corresponding virtual model without any change. To achieve this, a driver able to emulate the communication behaviour of an Ethernet/IP fieldbus module is developed and tested against a real PLC program.

ethernet/ip

enip

emulation

comunication

virtual

commissioning

Control Engineering

Reglerteknik

Honeypot study of threats targeting critical infrastructure / Honeypot studie av cyberhot riktade mot kritisk infrastruktur

Alberto Scola, Carlo

January 2023

Honeypots are systems with the intent of gathering information about potential threats and, at the same time, shifting part of the attention away from the real targets. In industrial control system environments, honeypots play a significant role and can lead to further threat study while distracting potential attackers away from critical physical systems. Low-interaction honeypots are emulated systems that try to recreate a real environment by simulating applications and protocols. These types of honeypots still need improvements to be efficient, and during this thesis work the focus has been on the Conpot open-source ICS honeypot. Due to their nature, low-interaction honeypots are less appealing to potential attackers than high-interaction honeypots since they do not provide the same level of realism and can be easier discovered. Earlier works showed ways to increase the ability to attract more visitors and an improved setup of Conpot has been evaluated. Its results have been analyzed and compared with the default installation. Several advancements have been implemented as well as custom features and working functionalities, such as a customized industrial system design, improved logging, and a web API proxy. The goal of this work is to answer the investigated hypothesis which consists in finding out if an improved version of the low-interaction honeypot can yield more significant results. By evaluating the network traffic received, the outcome has been insightful and showcased a distinguished improvement over the original version of the honeypot. The ICS protocols displayed a more considerable number of interactions along with an increased amount of attacks. In conclusion, further development for the Conpot honeypot is desirable which would largely improve its performance and practicality in real-world deployments. / Honeypots är ett system med avsikten att samla information om potentiella hot och samtidigt avleda uppmärksamheten från de verkliga målen. I industriella kontrollsystemsmiljöer spelar honungskrukor en viktig roll och kan leda till ytterligare hotstudier samtidigt som potentiella angripare distraheras från viktiga fysiska system. Honeypots med låg interaktion är emulerade system som försöker återskapa verkliga miljöer genom att simulera applikationer och protokoll. Dessa typer av honeypots behöver fortfarande förbättringar för att vara effektiva, och under detta examensarbete har fokus legat på Conpot open source ICS honeypots. På grund av designbegränsningar är honeypots med låg interaktion mindre tilltalande för potentiella angripare än honeypots med hög interaktion. Tidigare arbeten har visat sätt att öka möjligheten att locka fler besökare och en förbättrad installation av Conpot har utvärderats och dess resultat har analyserats och jämförts med standardinstallationen. Flera framsteg har implementerats samt anpassade funktioner och fungerande funktioner, såsom en anpassad industriell systemdesign, förbättrad loggning och en webb-API-proxy. Målet med detta arbete är att svara på den undersökta hypotesen som går ut på att ta reda på om en förbättrad version av honungskrukan med låg interaktion kan ge mer signifikanta resultat. Genom att utvärdera den mottagna nätverkstrafiken har resultatet varit insiktsfullt och visat upp en stor förbättring jämfört med den ursprungliga versionen av honeypot. ICS-protokollen visade ett större antal interaktioner tillsammans med en ökad mängd attacker. Sammanfattningsvis är det önskvärt med en vidareutveckling av Conpot honeypot som avsevärt skulle förbättra dess prestanda och praktiska användning i den verkliga världen.

ICS

Honeypots

Modbus

SCADA

Enip

Conpot

Bacnet

FTP

IPMI

Network security

Cyber attacks

Computer and Information Sciences

Data- och informationsvetenskap