Integration of the Network and Application Layers of Automatically Configured Programmable Logic Controller Honeypots

Justin K. Gallenstein

Abstract

This research further develops ScriptGenE, a protocol-agnostic framework capable of accurately creating PLC honeypots. ScriptGenE uses previously captured PLC traffic to build a tree of the protocol and selectively respond to application layer requests in an accurate way. This research integrates ScriptGenE with Honeyd to provide the PLC honeypots with an accurate network layer, so that the combined framework provides a comprehensive PLC honeypot. Testing uses the combined framework to emulate a network of Allen-Bradley ControlLogix, Allen-Bradley CompactLogix, and Siemens S7-300 PLCs. A series of tools is used to evaluate the legitimacy of the emulated PLC network, including Nmap, Honeyscore, RSLinx, STEP7, and Wget. Nmap and Honeyscore show that the combined framework accurately emulates the network layer of three different PLC types with 100 percent accuracy. Using Wget, RSLinx, and STEP7, this research shows the ability to emulate more advanced application layer protocols such as ENIP, ISO-TSAP, and HTTP with accuracies of 78, 100, and 67 percent respectively.
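The abstract describes ScriptGenE's core idea only at a high level: captured request/response exchanges are organized into a tree, and the honeypot answers a live request by finding where in that tree the conversation currently sits. The following Python example is added here to illustrate that idea; it is not ScriptGenE's code, and the captured "sessions" are constructed toy frames (labelled as such), not real ENIP or ISO-TSAP messages. It also shows the selective-response behaviour the abstract mentions: an out-of-order request is answered from the nearest matching branch, and a request never seen in the capture gets no response at all, which is the safer default for a honeypot than guessing.

```python
"""Illustration of a capture-derived protocol tree for an application-layer
honeypot. Not ScriptGenE's implementation; names and sample frames are assumed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Node:
    # Responses observed after the request that leads to this node.
    responses: List[bytes] = field(default_factory=list)
    # Requests observed next in the captured conversations, keyed by request bytes.
    children: Dict[bytes, "Node"] = field(default_factory=dict)


class ProtocolTree:
    """Tree of request -> response exchanges learned from captured sessions."""

    def __init__(self) -> None:
        self.root = Node()

    def learn(self, session: List[Tuple[bytes, bytes]]) -> None:
        """Add one captured session (ordered request/response pairs) to the tree."""
        node = self.root
        for req, resp in session:
            node = node.children.setdefault(req, Node())
            if resp not in node.responses:
                node.responses.append(resp)

    def find_anywhere(self, req: bytes) -> Optional[Node]:
        """Breadth-first search for any node reached by this request.
        Used as a fallback when a client sends a request out of the captured order."""
        queue: Deque[Node] = deque([self.root])
        while queue:
            current = queue.popleft()
            if req in current.children:
                return current.children[req]
            queue.extend(current.children.values())
        return None


class EmulatedSession:
    """Per-connection state: where in the tree the current conversation is."""

    def __init__(self, tree: ProtocolTree) -> None:
        self.tree = tree
        self.node = tree.root
        self.unknown_requests = 0

    def handle(self, req: bytes) -> Optional[bytes]:
        nxt = self.node.children.get(req)          # expected next step
        if nxt is None:
            nxt = self.tree.find_anywhere(req)     # out-of-order but known request
        if nxt is None:
            self.unknown_requests += 1             # never captured: stay silent
            return None
        self.node = nxt
        return nxt.responses[0]


# Constructed sample captures (toy frames, not real PLC protocol bytes).
CAPTURED_SESSIONS: List[List[Tuple[bytes, bytes]]] = [
    [(b"REGISTER", b"REG_OK:1"),
     (b"LIST_IDENTITY", b"ID:ControlLogix"),
     (b"UNREGISTER", b"BYE")],
    [(b"REGISTER", b"REG_OK:1"),
     (b"LIST_SERVICES", b"SVC:Communications")],
]


def build_tree(sessions: List[List[Tuple[bytes, bytes]]] = CAPTURED_SESSIONS) -> ProtocolTree:
    tree = ProtocolTree()
    for session in sessions:
        tree.learn(session)
    return tree


def replay(requests: List[bytes], tree: Optional[ProtocolTree] = None) -> List[Optional[bytes]]:
    """Run one emulated session over a list of requests; None means no reply was sent."""
    session = EmulatedSession(tree or build_tree())
    return [session.handle(r) for r in requests]


if __name__ == "__main__":
    for req, resp in zip([b"REGISTER", b"LIST_SERVICES", b"UNREGISTER", b"BOGUS"],
                         replay([b"REGISTER", b"LIST_SERVICES", b"UNREGISTER", b"BOGUS"])):
        print(req, "->", resp)
```

In the replay above, `UNREGISTER` was only ever captured after `LIST_IDENTITY`, yet the session answers it after `LIST_SERVICES` by falling back to the branch where it does occur; `BOGUS` was never captured and is dropped rather than answered with a fabricated frame. A real deployment would key the tree on parsed protocol fields rather than raw bytes so that session handles and sequence numbers in otherwise identical requests still match.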