Deception environments are systems designed to focus an attacker’s attention, thereby providing early warning of an intrusion, and allowing for analysis of an attacker’s motivations, tools, tactics, and procedures. They are composed of traditional honeypot and honeynet style components, together with other elements such as ‘breadcrumbs’ that are distributed across a real network to entice a potential intruder. Deception environments differ from honeypots in that they are intended to simulate realistic aspects of an organization, and are designed as a defensive campaign.
This presentation introduces an analysis of how a deception environment for an industrial control environment can be created. Using the Purdue model for reference, it examines the different levels of simulation that can be constructed: simulation of physical processes, control simulation of OT devices, simulation of supervisory systems, and, at the highest level, the simulation of enterprise systems and even personnel. The analysis examines what is possible at each level and how different levels can be simulated, and discusses which components should be simulated for a particular deception campaign and how that offers protection against attacks.
Learning Objectives:
- The benefits of industrial control deception
- How to create an industrial control deception environment
- What systems and processes are suitable for simulation
- How to build an industrial deception campaign