Internet of Things 12 (2020) 100320

Contents lists available at ScienceDirect

Internet of Things
journal homepage: www.elsevier.com/locate/iot

Decepti-SCADA: A cyber deception framework for active

defense of networked critical infrastructuresR
Nicholas Cifranic a, Roger A. Hallman a,b,∗, Jose Romero-Mariona a, Brian Souza a,
Trevor Calton a, Giancarlo Coca a
a
Naval Information Warfare Center Pacific, San Diego, CA, USA
b
Thayer School of Engineering, Dartmouth College, Hanover, NH, USA

a r t i c l e i n f o a b s t r a c t

Article history: Supervisory Control and Data Acquisition (SCADA) networks enable the connection of dis-
Received 26 August 2020 tributed physical components to critical infrastructures (e.g., electricity generation and dis-
Revised 2 November 2020
tribution systems, water distribution systems, etc.). Many networked critical infrastructure
Accepted 3 November 2020
systems are susceptible to cyber threats. This introductory paper discusses the application
Available online 17 November 2020
of deception as a technique for improving the cybersecurity posture of a network by us-
Keywords: ing decoys to obfuscate the network and in turn make it harder for a potential adversary
Cybersecurity to find the real components. We introduce and describe our cyber deception framework,
Deception which we have named ‘Decepti-SCADA’ framework. The Decepti-SCADA framework demon-
Honeypots strates multiple improvements over previous implementations of cyber deception strate-
Cyber-physical systems gies for SCADA systems, implementing SCADA-specific decoys that can easily be deployed
Supervisory control and data acquisition for use in a critical infrastructure environment. We detail Decepti-SCADA’s architecture, de-
(SCADA) coy generation and distribution, and ultimately explore what else can be done with cyber
Industrial control systems (ICS)
deception for critical infrastructures through early results.
Critical infrastructure
Published by Elsevier B.V.

1. Introduction

Computer security can be viewed as a series of asymmetric conflicts between defenders and attackers [1]. Defenders
need to be right (or secured) all of the time in order to keep attackers out, while attackers just need to be right once in
order to succeed. This requires the defenders to have a high level of security assurance on their networks, requiring inten-
sive risk management processes. When securing computer networks, it is impossible to eliminate all security vulnerabilities
so defenders must focus on risk minimization [2]. One cyber risk management strategy is to find the vulnerabilities that
are present in their systems, rate the likelihood of those vulnerabilities happening, and then determine the impact of those
vulnerabilities if they were exploited. That leaves defenders with a model representing which vulnerabilities are a priority
and should be fixed first. Defenders have limited resources so they must choose what fixes to implement based on the cost
price analysis of said fixes. This leaves some lower priority vulnerabilities un-patched, and other vulnerabilities with imper-
fect fixes. In short, completely defending an operational network is an impossible task. As mentioned previously, attackers

R
Invited article from IoTBDS 2020.
∗
Corresponding author at: Naval Information Warfare Center Pacific, San Diego, CA, USA.
E-mail address: Roger.Hallman.TH@dartmouth.edu (R.A. Hallman).

https://doi.org/10.1016/j.iot.2020.100320
2542-6605/Published by Elsevier B.V.
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

dont need to find all of the weak points in a network in order to accomplish their goals, rather they only need to find a
few. In this way, attackers have a distinct asymmetric advantage.
Defenders add security features to their networks like firewalls and intrusion detection systems in order to prevent
unauthorized and unwanted access to their systems. These types of passive, fundamentally honest, security features can
successfully prevent many cyber-attacks. When attackers conduct the network reconnaissance phase of a cyber attack [3],
they assume with a high level of confidence that their interactions with the systems on the network can be trusted as legit-
imate; defenders can take advantage of this trust by adding deception to their network. Deception provides defenders with
the capability of degrading the quality of the attacker’s understanding of the network that they are trying to exploit. Attack-
ers spend a disproportionate amount of time interacting with devices that do not add useful information to the attacker;
any amount of time that an attacker is interacting with a decoy is less time spent with a real machine and less progress
towards their goals. Many cybersecurity frameworks are being developed to incorporate cyber deception strategies (e.g., [4]).
This paper presents an in-depth description of the Decepti-SCADA framework, which utilizes recent advances in deception
and cybersecurity and integrates them into the realm of operational and industrial technologies. The main contribution of
the work presented ranges across three different, but related areas. First, the paper provides an introductory application of
deception as a technique for securing networks as it applies to critical infrastructures. While important work has been done
in similar applications [5,6], most of the existing applications have looked at deception from an attackers perspective, rather
than a defensive mechanism, Decepti-SCADA explores and emphasizes the defensive properties of deception as it applies
to critical infrastructures. The second area of contribution is the introduction of a highly-interactive honeypot system for
networked critical infrastructures. This second area is key because traditional honeypot technologies tend to be not only
passive [7], but non-effective against skilled adversaries. Decepti-SCADA leverages new modeling technologies to ensure
potential intruders have a hard time distinguishing between real assets and those that have been virtualized. The third
area of contribution relates specifically to Decepti-SCADAs modular and scalable nature by leveraging a Dockerized design
[8] that makes it much more user-friendly than currently existing implementations of deception technologies for industrial
control systems.
We organize the remainder of this paper as follows: Background information is provided in Section 2, specifically provid-
ing a primer on deception and SCADA systems which will be necessary for developing an understanding of the Decepti-
SCADA framework. Sections 3–5, respectively, present the Decepti-SCADA framework, architecture, and deployment. The
Decepti-Visual user interface, a significant improvement to ease-of-use, is described in detail in Section 6. Our continued
development and future directions are detailed in Section 7 before concluding remarks are discussed in Section 8.

2. Background and related work

This section presents background information, laying the foundation for the Decepti-SCADA framework. Specifically, we
provide a brief introduction to, and classification of, deception strategies used in cybersecurity for information technology
(IT) systems. We also discuss SCADA networks and how these operational technology systems differ from more well-known
IT systems, as well as survey the use of cyber deception in operational technology (OT) systems. Readers wishing for more
detailed surveys of the topics are encouraged to read [9–11] for deception in cybersecurity and [12,13] for an overview of
modern SCADA systems and their specific cybersecurity needs, respectively.

2.1. Deception in cybersecurity

The presumption of truthfulness is fundamental to communication, be it between people or machines. Specifically, a

deception occurs when the message sender intentionally transmits a false message to the receiver, with the intent of fos-
tering an inaccurate belief state [14]. Indeed, deception has been used in adversarial situations throughout history to create
a strategic advantage where it may not have previously existed [15]. Examples of deception tactics include the creation of a
fake Allied invasion force in Kent during World War II [16] or ‘bluffing’ in games of poker [17]. In the case of World War II’s
fake invasion force, the Allies’ goal was to fool NAZI forces into relocating their forces and making the actual landing site
on Omaha Beach a softer target; poker players typically bluff when they they have a weak hand and want to convince their
opponent to fold.
Where traditional (i.e., passive) cybersecurity is primarily oriented towards intrusion prevention and detection, deception
is categorized as a form of active security [18]. Deception for cybersecurity seeks to manipulate the information that an
adversary learns during the attack reconnaissance phase [19]. Pawlick, et al [9], provide a detailed taxonomy of defensive
deception:

• Perturbation uses the insertion of noise to limit the leakage of sensitive information.
• Moving Target Defenses (MTD) actively reconfigure network assets and defensive tools to impair an adversary’s attack
reconnaissance.
• Obfuscation defenses waste an adversary’s resources by presenting and directing them to decoy targets as opposed to the
network’s actual assets, as well as presenting fraudulent information intermixed with legitimate (i.e., valuable) informa-
tion.
• Mixing strategies use exchange systems to prevent direct linkage between systems.

2
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

• Honey-x deception strategies refer to the use of technologies such as honeypots, honey-patches, etc., that masquerade as
legitimate network assets but include advanced monitoring capabilities which enable system administrators to discern
information on attackers. Decepti-SCADA implements a honey-x deception strategy.
• Attacker Engagement involves the use of feedback to influence attacker behavior for extended periods, wasting their re-
sources and allowing network administrators to conduct counterintelligence operations.

2.2. Modern SCADA systems

Supervisory Control and Data Acquisition (SCADA) networks, systems which monitor and control automated processes,
are important to both industrial control systems (ICS) and critical infrastructure. Put succinctly, SCADA networks enable the
communication between computing terminals and physical assets, like water pumps and electric meters for example. In
power generation and distribution infrastructure systems, SCADA networks are used for supervision, control, optimization,
and management of generation and transmission systems [12]. As you can imagine, these systems are critical to the power
generation and distribution.
SCADA systems typically consist of components such as:

• Supervisory Computers: This is the component responsible for monitoring processes as well as sending the actual com-
mands that control fielded devices [20].
• Remote Terminal Units (RTUs): RTUs [21] automatically collect data from connected sensors, meters, or other process
equipment;
• Programmable Logic Controllers (PLCs): PLCs [22] are used in numerous control applications as well as read meters and
application status reports.
• Communication Infrastructure: The communications fabric that connects the supervisory computing components to the
actual RTUs and PLCs [23].
• Human-machine Interface (HMI): The HMI is the actual visualization of the SCADA process that an operator is able to
see. This is typically a software-based representation of the system which provides real-time data of the current status
of the system by showing the different components in the specific application and what they are doing [24].

Moreover, communication between components on SCADA networks have historically used numerous, often proprietary,
protocols that limit interconnectivity with other systems (however there are currently trends towards protocol standardiza-
tion [25]). This has been the result of the ”layeringeffect which traditionally has layered a new implementation on top of an
existing/older SCADA system instead of building a new one from the ground up. New research and development has gone
into developing both methods/technologies that provide translation across heterogenous protocols as well as new ways for
simpler planning and implementation of new SCADA systems.

2.2.1. Cybersecurity for SCADA systems

Although our dependency on SCADA systems is continuously increasing, they are notoriously fragile systems with ques-
tionable cybersecurity. Some of the main factors that affect their cybersecurity include:

• Interdependencies on numerous legacy devices: Typical SCADA systems are built on existing legacy components. As dis-
cussed in the previous sub-section, the layering effect also has detrimental consequences for SCADA security by perpet-
uating existing security flaws.
• Limitations on computing resources: Traditionally, SCADA system components are purpose-built and compact pieces of
technology; as such, they do not have a lot of processing power. Due to this, they are unable to support standard/current
security technologies, and this has led to numerous cybersecurity difficulties (e.g., SCADA systems are susceptible to
timing errors due to the interaction with cybersecurity components).
• Lack of Cyber-SCADA-based education: Ultimately, the cybersecurity limitations are linked to the lack of proper resources
to educate both students and professionals in a field that is unlike other sciences, a hybrid one.

To aid with the above factors, we have extensively surveyed the current state of SCADA security, using that knowledge
to develope evaluation capabilities for grading the suitability of cybersecurity products for integration into SCADA networks
[26]. Additionally, this survey helps cyber defenders in understanding the techniques/tools that are most appropriate for
the level of computing resources currently present in their specific environments. By leveraging Return on Investment cal-
culations [27], cyber defenders can now understand before fully investing into a defense strategy, how it will benefit (or
not) their specific problem. Furthermore, the Decepti-SCADA team have also worked on developing educational resources to
provide hands-on training opportunities to both students and professionals for properly securing critical infrastructures.
Besides the tools for deciding how to secure SCADA systems and the educational training aspects, this review of cyber-
security for SCADA will focus on defensive honey-x strategies [28], applied to ICS and critical infrastructures. The use of a
cyber deception strategy on SCADA systems [29] allows defenders to disrupt an attackers asymmetric advantage by present-
ing false information that the attacker accepts as the truth, and build a false belief state based on dated information. Thus, a
deception strategy offers advantages that other defense strategies cannot. Using decoys on a SCADA system increases the at-
tack surface that an attacker must interact with in order to complete their goals. For Instance, if an attacker is doing passive
reconnaissance (e.g., simply monitoring traffic) decoys will obfuscate which values and protocols are actually being used on

3
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

the real systems, delaying or deterring an attacker. If an attacker is doing active reconnaissance, then deception increases
the size of their network foot-print by forcing them to have to interact with real devices as well as decoys. Network intru-
sion detection systems then have a higher probability of detecting the attacker, since their attack footprint is larger. Using
honeypots accomplishes this with relatively low overhead cost to the defenders, and the honeypots do not interact with the
real SCADA devices. This means that properly configured deception can be used on a SCADA system without interrupting
normal system functionality.
Honeypots have been implemented in SCADA cybersecurity strategies in both commercial and academic settings. Com-
mercially, HoneyD [30] and Conpot [31] are two well-known, open source projects. Honeyd is a small daemon that creates
virtual hosts on a network which can be configured to run arbitrary services, and their personality can be adapted so that
they appear to be running certain operating systems. HoneyD shows how hosts might appear on the network, however
these virtual hosts are not very interactive. Conpot is a low interaction server-side ICS honeypot designed to be easy to
deploy, modify and extend; a Conpot implementation was recently used in an early detection system for industrial control
systems [32]. Conpot code is difficult to execute due in part to a poor user interface. The SCADA HoneyNet Project was an
early attempt at integrating honeypots into SCADA systems that was able to simulate stack, protocol, and application levels
of architecture, as well as some serial ports. The project is no longer maintained; however, project artifacts are available
in an online repository. The Digital Bond SCADA HoneyNet is another SCADA honeypot effort which has been abandoned
and archived online. Digital Bonds approach could simulate a Programmable Logic Controller (PLC) with Modbus/TCP, FTP,
Tel-net, HTTP, and SNMP available to the attacker. However, a separate machine is required for network monitoring. More
recently, Simoes, et al. [33,34] consider the use of integrating honeypots into SCADA systems and critical infrastructure
systems in the larger context of securing large-scale networked critical infrastructure. Their honeypot detects attackers by
simulating a complete Modbus TCP device, incorporating the protocol, control device logic, as well as other services such as
SNMP and FTP services that are commonly found on commercially available PLCs and RTU devices.
One recent development is the “Honeypots-as-a-Service” (HaaS) model [35,36], where traffic is redirected to third-party
honeypots. The HaaS model enables enables a more efficient aggregation of cyber threat information and providing im-
proved coverage for multiple client organizations [37]. This model has mainly been applied to cloud-based information and
communication technologies [38] and has recently been employed for Internet of Things use cases [39], showing promising
initial results at automating the injestion and processing of attack information, as well as distributing that information to
clients. However, HaaS has yet to be employed in the context of Industrial control/SCADA systems and critical infrastructure
for various reason [40].

3. The Decepti-SCADA framework

We now describe the Decepti-SCADA framework, which shows significant improvements in performance and usability
over previously available SCADA honeypots. Specifically:

• Decoys within the Decepti-SCADA framework are designed modularly, making it easy for contributors to develop and add
new decoys. Existing honeypot system code bases are generally so coupled that it is difficult for developers to contribute
to projects.
• Most existing honeypot systems are low-interaction, which often compromises deception. Decepti-SCADA’s use of Docker
helps to create decoys that replicate real operational systems, making interactions with decoys highly interactive and
creating a more convincing deceptions.
• Using Docker eliminates cross-platform dependencies, which makes enables broad adoption for the Decepti-SCADA
framework.
• In contrast to existing honeypot systems, Decepti-SCADA presents a beautiful web graphical user interface (GUI) for decoy
deployment, improving accessibility for novice users (See Figs. 2 and 5).
• Existing honeypots are generally cumbersome to install, often taking many hours to set up properly. Decepti-SCADA only
requires a CentOS 7 minimal installation with git and two network interfaces; 00-startup-script.sh takes care of
the rest.

The purpose of the Decepti-SCADA framework is to trick a network intruder into thinking that they are interacting with
legitimate components within SCADA networks; simultaneously slowing them down and alerting security analysts of an
attackers presence. There are two main components of the framework, each of which are deployed in a Linux-based virtual
machine:

• Decepti-Box enables decoy creation, management, and deployment.

• ELKSUR allows network administrators to monitor adversarial interactions with the decoys.

3.1. Decepti-Box and ELKSUR

The Decepti-Box system is deployed on an operational SCADA network which deploys and simulates SCADA devices.
Attackers are able to freely interact with the deployed decoys as if they are real SCADA system assets. We accomplish this
with a mix of virtual interfaces, building decoys in docker such that they are deployed as lightweight containers. Indeed,

4
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 1. Decepti-SCADA Architecture [42].

several hundred of SCADA decoys can be deployed with a minimal resource footprint due to Decepti-SCADA’s lightweight
architecture. The system has a web front end that can be used to easily deploy decoys, even to the most novice of users.
The second system in the Decepti-SCADA Framework, ELKSUR, detects adversarial interactions with deployed decoys. As
with Decepti-Box, ELKSUR is commonly deployed as a virtual machine and specifically monitors TCP/IP and UDP traffic on
the same network as Decepti-Box, passively ingesting network traffic and monitoring for custom-made signatures.
Custom signatures are used to detect interactions with the decoys such as nmap scans, SSH traffic interactions, TCP
handshakes, and Banner grabbing. This component is important because once an adversary begins interacting with decoys,
thinking that they are real SCADA components, analysts are alerted in real-time, helping to mitigate the situation. There are
currently two methods for ingesting network traffic: inline taps and port mirroring on a switch.
Inline taps are physical devices installed between two network devices (e.g., between two routers [41]). Port mirroring,
also known as a SPAN (Switched Port Analyzer) is accomplished by sending copies of packets seen in a port, to another
port, where it can be analyzed [2]; Decepti-SCADA uses ELKSUR for analysis. Inline taps require special devices while Port
Mirroring depends on switch configurations.

3.2. Decepti-SCADA framework in action

Decepti-SCADA routes traffic into Decepti-Box through a network bridge, into virtual interfaces which have SCADA decoy
Docker containers bound to them. TCP/IP and UDP traffic can interact with the Containers bound to those internal virtual
interfaces. These interactions are flagged, based on related network traffic, by a passive IDS.

4. The Decepti-SCADA architecture

The Decepti-SCADA framework is broken into two parts as shown in Fig. 1: one host, “Decepti-Boxprovides decoy de-
ployment, and “ELKSUR,detects malicious decoy interactions. Each system uses two network interfaces: one plugged into an
out-of-band management network, the other on the operational network. The out-of-band management network includes
front-end web services used for security analysis. This network enables analysts to access metrics on decoy interactions via
a web-based Security Information and Event Management (SIEM) system. Each host makes use of docker containers.

4.1. Decepti-SCADA decoy templates

Decoy templates are JSON-based for ease of deployment, also enabling SCADA decoys to easily be grouped by categories
and platform. This is a new and novel way of deploying containers, as the container commands are already packaged for

5
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 2. The Decepti-Box decoy templates [42]. The easy-to-use Decepti-Box user interface is featured.

Fig. 3. The Decepti-SCADA framework uses Jumpbox to redirect an attacker to a decoy asset [42].

6
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 4. Initializing Dockerized GUI [42].

Fig. 5. The interface for decoy configuration and deployment [42]. A deployed honeypot container is masquerading as a JACE Water Meter. The Decepti-
SCADA system offers the capability of either manual or automatic port assignment. Moreover, access controls can be enabled which limit access to autho-
rized network administrators.

the end user to execute (i.e., in a Docker container a specific command must be executed). We use decoy templates for
pre-packaging commands to be run.
Docker is the preferred container runtime for the SCADA decoys. In order to deploy a decoy via docker container, an
image of the SCADA device must exist. We developed SCADA device images including a water meter and Guardian AST gas
tank system, though hundreds of other SCADA decoy Docker images can be created which bind to virtual interfaces within
Decepti-Box. For example of a decoy deployment deployment, consider creating 100 virtual interfaces in Decepti-Box and
assigning virtual IP 10.1.0.1–100 to said interfaces. Docker decoys processes and then bind to the virtual IP addresses.

4.2. ELKSUR components

ELKSUR has four main components:

• Kibana [43] is a frontend web GUI that enables a user to see interactions with deployed decoys. Analysts will use this
interface to assess whether an intruder is interacting with a SCADA Decoy.
• Suricata [44] is an open source Network-based Intrusion Detection System (IDS) which logs alerts in accordance to sig-
natures; in this case, signatures that pertain to decoy interactions. The log file is called fast.log.
• Filebeat [45] is a host-based agent used to relay Suricata fast.log logs to Elasticsearch.
• Elasticsearch [46] is a search engine used to collect, and index data received data. Elasticsearch receives the parsed
fast.log, which it then feeds into Kibana for engaging visualizations.

7
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 6. Creating a Network Graph with Decepti-Visual.

Fig. 7. A graphical representation of a network in Decepti-Visual before turning on deception.

4.3. Routing

For Decepti-SCADA’s environment-based routing, traffic must be routed to virtual IP addresses that reside within Decepti-
Box. There are several ways to achieve this, including the redirection of traffic from the router.
Fig. 3 depicts a scenario of how this is accomplished: an adversary breaches the Jumpbox network and wishes to interact
with a device with a device associated with IP address 192.168.1.30. Though they believe that this device is located on
the SCADA Network subnet, when transmitting through the router they are redirected to a Decepti-Box virtual IP address,
192.168.1.30, where a SCADA decoy is housed.
Traffic is routed into Decepti-Box, through a network bridge, into virtual interfaces which have SCADA decoy Docker
containers bound to them. TCP/IP and UDP traffic can interact with the Containers bound to those internal virtual interfaces.
A passive IDS is sniffing all traffic, and flags these interactions based on the related network traffic.

5. Decepti-SCADA decoy configuration and deployment

The first step for Decepti-SCADA deployment is starting the Dockerized, web-based GUI, called “Portainer. This is accom-
plished by running the following command:
Once the Portainer GUI is up and running, the user navigates to the IP address, using their browser, port 9000 on
which Portainer is running. The user selects the decoy in which they wish to deploy. For demonstration, we deploy a SCADA

8
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 8. A graphical representation of a network in Decepti-Visual after turning on deception.

Smart Water Meter (e.g. a <ddq>‘VIKON JACE 80 0 0 Water Meter’</sdq>). The user searches for and selects <sdq>‘VIKON
JACE 80 0 0 Water Meter,giving it an appropriate description in the ’Name’ field The user then selects a virtual IP address to
be bound to the decoy before finally deploying the decoy 5.

6. The Decepti-visual user interface

Decepti-Visual is a recently-developed web application GUI that creates a visual and interactive network graph of a users
network and deception nodes. Decepti-Visual provides analysts with a simple and efficient way to get a current layout of
their network, interact with Decepti-Box, and get live alerts from the ELKSUR stack. It is capable of scanning a network and
displaying the results of the scan in the form of a network topology graph, performing detailed NMAP scans on individual
IP devices, turning deception on and off, receiving live ELKSUR alerts, and viewing alert logs.
Decepti-Visual’s primary purpose is to provide analysts with the ability to use visual representations to understand how
attackers are interacting with the decoys and other nodes on the network. To achieve this, Decepti-Visual leverages NMAPs
host discovery feature and JavaScripts D3 library to produce a dynamic, interactive graph of the users network. To create a
network graph, users first goes to Tools → Edit Hosts and enters a network ID to the input field (Fig. 6). Upon adding
hosts, users can go to Tools → Scan Network to perform a network scan. Decepti-Visual executes a python script when
a scan is run, which invokes NMAP to perform a ping sweep of the entire subnet. Upon completion of the scan, the python
script parses the data and extracts only the network hosts that are up and exports the information into a JSON file. Decepti-
Visual then takes the newly created JSON file and loads it into the frontend by using Javascripts D3 library which will create
and display the graphical network nodes and connection links (Fig. 7).
Users activate deception inside Decepti-Box when they click <ddq>‘deception on’</sdq> inside the GUI. This initiates an
SSH connection to Decepti-Box and sends a command to turn on the deception nodes (10.0.1.1–10.0.1.10). Once Decepti-Box
turns on deception, Decepti-Visual re-scans the assigned subnets and updates the network graph (Fig. 8). Comparing the
differences between Fig. 7 and 8 it is immediately seen how Decepti-Visual captures the network topology with deception

9
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 9. A security analyst activates a detailed node scan using Decepti-Visual.

Fig. 10. A detailed node scan.

on versus deception off. Analysts wishing for more information about a host on the network can initiate a detailed node
scan (Fig. 9). This function performs a more in-depth NMAP scan and provide results of the hosts state, operating system,
and open ports (Fig. 10).
Decepti-Visual also features the ability to display live security alerts that are generated by the ELKSUR VM directly on
the graph. This feature provides the analyst with a quick and simple way to visualize malicious activity on the deception
network. We achieve this using Flask-SocketIOs websocket along with the Elasticsearch Python API to keep a live communi-
cation channel between the frontend web GUI, Flask backend, and the ELKSUR VM. This multi-directional channel allows us
to serve our graphical display with live external events and notifications without the need for the client to refresh the web
page.
Together, Decepti-Visual consists of four separate components which work in conjunction in order to render a graphical
display of network security alerts generated by the Suricata IDS:

1. A Flask server which calls a function utilizing the Elasticsearch Python API and allowing us to interact directly with the
indexes and documents (which contain IDS log data) that are stored in Elasticsearch.
2. A configured Filebeat module to simplify the collection and shipping of security alert logs from the IDS to Elasticsearch.

10
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 11. Decepti-Visual interactions.

Fig. 12. Decepti-Visual notifies a security analyst to a new security alert.

11
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Fig. 13. Security alert information.

3. The Suriacata IDS which is configured to execute two signature-based rules and detect incoming ICMP and OpenSSH
packets that are targeted at the deception nodes in our network.
4. The Decepti-Visual GUI which gets sent the security alert via a websocket and updates graph to display it.

Every ten seconds, the Flask server calls a function in the background to send a query to the Elasticsearch Module to
retrieve any new intrusion attempt alerts captured by Suricata and any new generated alerts arrive at the Flask server
in the form of JSON-formatted objects to be processed. After processing, alerts are displayed in the GUI. Fig. 11 shows
the interaction flow of the four components which include: log collection, log shipping, processing and the network-graph
update cycle.
In our example, we have specified a rule in the Suricata IDS to trigger an alert whenever someone tries to SSH into a
device inside the deception network (10.0.1.0/24). From our attacking machine we then SSH into a deception device (10.0.1.2)
and as soon as the attacker tries to connect via SSH into the device, triggering the Suricata IDS so that an intrusion attempt
alert gets logged in the system. The Elasticsearch API running in the background of Decepti-Visual then queries this log and
identifies that there is a new alert. This alert is sent from the ELKSUR virtual machine to the Flask backend where Decepti-
Visual parses the data and saves the information to a local log file. Simultaneously, Decepti-Visual utilizes the websocket
to notify the frontend that a new alert has been triggered. This notification results in updating the graph on the GUI to
display the alert and making the deception node (10.0.1.2) affected by the malicious activity to flash red (Fig. 12). For more
information on the alerts, users can click on Tools → View Logs to view the logged alerts history (Fig. 13). This will
display all alerts that have been triggered since the time that the Decepti-Visual server has been running.

7. Continued development and future directions

The Decepti-SCADA Framework is a viable first step in implementing deception as a cybersecurity strategy across critical
infrastructures, particularly for SCADA components. We are continually making improvements:

• a build of Decepti-Box for a Windows client.

• utilizing machine learning and artificial intelligence capabilities to create decoys that are more active and dynamic, thus
creating improved realism.
• profiling equipment components from multiple vendors in order to create a more diverse set of decoys.
• studying the creation of more decoys while maintaining system fidelity.
• studying game theoretic and logical tools to more effectively camouflage Decepti-SCADA honeypots among legitimate
SCADA network assets, with the goal of making them more difficult to detect via more well-known honeypot detection
services (e.g., [47]). A possible avenue for accomplishing this is the implementation of deceptive network scan results
[48]. The logic used for honeypot fingerprinting in [47] is not made public, but adversarial learning may enable us to
infer the classification parameters that differentiate between a honeypot and a legitimate network asset.
• implementing attacker engagement strategies [19] in a SCADA network environment. Specifically, this effort will involve
real devices and decoys on a SCADA network and tests how Reinforcement Learning (RL) agents would be perform in
determining which devices are real. Rather than using a simulated environment to deliver signals to the RL agents, our
experiment will use actual signals from legitimate network assets and decoys. This will provide insight on how our
decoy system would influence an attacker, given that they are aware of the strategies and techniques deployed by this
framework.

Beyond the areas described above, we continue to refine testing of various components, as well as develop case studies
which involving red team participation which will assist us with determining the utility of deception for SCADA systems.

12
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

Finally, we will explore the feasibility of cyber deception and HaaS with respect to state-controlled utilities and other gov-
ernment institutions.

8. Conclusions

We have introduced and described the Decepti-SCADA framework, a robust solution used to deploy SCADA decoys and
continually monitor interactions with them. Decepti-Box is the deployment aspect, while ELKSUR conducts monitoring. Fur-
thermore, we have presented the Decepti-Visual GUI and demonstrated its user-friendliness interface for performing security
tasks using the Decpti-SCADA Framework. While Decepti-SCADA is not yet mature enough for real-worl operational deploy-
ment, we have highlighted the ability to deploy SCADA is a user-friendly fashion. Additionally, early results show deception
can be accomplished in critical infrastructures by creating realistic decoys of SCADA components.

Declaration of Competing Interest

The authors declare that they have no known competing financial interests or personal relationships that could have
appeared to influence the work reported in this paper.

Acknowledgments

The authors would like to express their gratitude to Mr. Ayax Ramirez, from NIWC Pacific, for his support and guidance
throughout the preparation and publication of this work.
Roger A. Hallman is supported by the United States Department of Defense SMART Scholarship for Service Program
funded by USD/R&E (The Under Secretary of Defense-Research and Engineering), National Defense Education Program (NDEP)
/ BA-1, Basic Research.

References

[1] K. Durkota, V. Lisỳ, B. Bošanskỳ, C. Kiekintveld, M. Pěchouček, Hardening networks against strategic attackers using attack graph games, Comput. Secur.
87 (2019) 101578.
[2] P.J. Denning, D.E. Denning, Cybersecurity is harder than building bridges, Am. Sci. 104 (3) (2016) 155.
[3] T. Yadav, A.M. Rao, Technical aspects of cyber kill chain, in: International Symposium on Security in Computing and Communication, Springer, 2015,
pp. 438–452.
[4] A.S. Sohal, R. Sandhu, S.K. Sood, V. Chang, A cybersecurity framework to identify malicious edge device in fog computing and cloud-of-things envi-
ronments, Comput. Secur. 74 (2018) 340–354.
[5] I. Stellios, P. Kotzanikolaou, M. Psarakis, C. Alcaraz, J. Lopez, A survey of IoT-enabled cyberattacks: assessing attack paths to critical infrastructures and
services, IEEE Commun. Surv. Tutor. 20 (4) (2018) 3453–3495.
[6] A. Kleinmann, O. Amichay, A. Wool, D. Tenenbaum, O. Bar, L. Lev, Stealthy Deception attacks against Scada systems, in: Computer Security, Springer,
2017, pp. 93–109.
[7] A. Vetterl, Honeypots in the Age of Universal Attacks and the Internet of Things, University of Cambridge, 2020 Ph.D. thesis.
[8] D. Merkel, Docker: lightweight linux containers for consistent development and deployment, Linux J. 2014 (239) (2014) 2.
[9] J. Pawlick, E. Colbert, Q. Zhu, A game-theoretic taxonomy and survey of defensive deception for cybersecurity and privacy, ACM Comput. Surv. (CSUR)
52 (4) (2019) 82.
[10] N.C. Rowe, J. Rrushi, Introduction to Cyberdeception, Springer, 2016.
[11] K.E. Heckman, F.J. Stech, R.K. Thomas, B. Schmoker, A.W. Tsow, Cyber Denial, Deception and Counter Deception, Springer, 2015.
[12] N. Arghira, D. Hossu, I. Fagarasan, S.S. Iliescu, D.R. Costianu, Modern scada philosophy in power system operation-a survey, University’</sdq> Po-
litehnica” of Bucharest Scientific Bulletin, Series C: Electrical Engineering 73(2)(2011)153–166.
[13] S. Nazir, S. Patel, D. Patel, Assessing and augmenting Scada cyber security: asurvey of techniques, Comput. Secur. 70 (2017) 436–454.
[14] D.B. Buller, J.K. Burgoon, Interpersonal deception theory, Communication theory 6 (3) (1996) 203–242.
[15] J. Latimer, Deception in War: Art Bluff Value Deceit Most Thrilling Episodes Cunning mil hist from The Trojan, Abrams, 2003.
[16] D. Wheatley, Deception in world war II, RUSI J. 121 (3) (1976) 87–88.
[17] J. Palomäki, J. Yan, M. Laakasuo, Machiavelli as a poker matea naturalistic behavioural study on strategic deception, Pers. Individ. Differ. 98 (2016)
266–271.
[18] D.E. Denning, Framework and principles for active cyber defense, Comput. Secur. 40 (2014) 108–113.
[19] M. Bilinski, K. Ferguson-Walter, S. Fugate, R. Gabrys, J. Mauger, B. Souza, You only lie twice: a multi-round cyber deception game of questionable
veracity, in: International Conference on Decision and Game Theory for Security, Springer, 2019, pp. 65–84.
[20] E.B. Turner, Computer based supervisory control systems, IEEE Trans. Ind. Appl. (2) (1974) 305–315.
[21] W.W. Jusoh, M.A. Ghani, M.M. Hanafiah, S. Raman, Remote terminal unit (RTU) hardware design and development for distribution automation system,
in: 2014 IEEE Innovative Smart Grid Technologies-Asia (ISGT ASIA), IEEE, 2014, pp. 572–576.
[22] U. Sanver, E. Yavuz, C. Eyupoglu, T. Uzun, Design and implementation of a programmable logic controller using pic18f4580, in: 2018 IEEE Conference
of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), IEEE, 2018, pp. 231–235.
[23] M. Iacob, G.-D. Andreescu, N. Muntean, Scada system for a central heating and power plant, in: 2009 5th International Symposium on Applied Com-
putational Intelligence and Informatics, IEEE, 2009, pp. 159–164.
[24] J. Reeser, T. Jankowski, G.M. Kemper, Maintaining HMI and Scada systems through computer virtualization, IEEE Trans. Ind. Appl. 51 (3) (2014)
2558–2564.
[25] Z. Li, F. Yang, D. Ishchenko, The standardization of distribution grid communication networks, in: 2012 IEEE Power and Energy Society General Meeting,
IEEE, 2012, pp. 1–8.
[26] J. Romero-Mariona., R.A. Hallman, M. Kline., J.S. Miguel., M. Major., L. Kerr., Security in the industrial Internet of Things – the c-sec approach, in:
Proceedings of the International Conference on Internet of Things and Big Data - Volume 1: IoTBD,INSTICC, SciTePress, 2016, pp. 421–428, doi:10.
5220/0 0 05877904210428.
[27] R.A. Hallman, M. Major., J. Romero-Mariona., R. Phipps., E. Romero., J.M.S. Miguel., Return on cybersecurity investment in operational technology
systems: quantifying the value that cybersecurity technologies provide after integration, in: Proceedings of the 5th International Conference on Com-
plexity, Future Information Systems and Risk - Volume 1: COMPLEXIS,INSTICC, SciTePress, 2020, pp. 43–52, doi:10.5220/0 0 0941620 0430 052.

13
N. Cifranic, R.A. Hallman, J. Romero-Mariona et al. Internet of Things 12 (2020) 100320

[28] C. Wang, Z. Lu, Cyber deception: overview and the road ahead, IEEE Secur. Privacy 16 (2) (2018) 80–85.
[29] V.E. Urias, M.W. Stout, B. Van Leeuwen, On the feasibility of generating deception environments for industrial control systems, in: 2018 IEEE Interna-
tional Symposium on Technologies for Homeland Security (HST), IEEE, 2018, pp. 1–6.
[30] X. Zhang, L. Zheng, Delude remote operating system (os) scan by honeyd, in: 2009 Second International Workshop on Computer Science and Engi-
neering, 2, IEEE, 2009, pp. 503–506.
[31] A. Jicha, M. Patton, H. Chen, Scada honeypots: an in-depth analysis of conpot, in: 2016 IEEE Conference on Intelligence and Security Informatics (ISI),
IEEE, 2016, pp. 196–198.
[32] A. Pashaei, M.E. Akbari, M.Z. Lighvan, H.A. Teymorzade, Improving the IDS performance through early detection approach in local area networks using
industrial control systems of honeypot, in: 2020 IEEE International Conference on Environment and Electrical Engineering and 2020 IEEE Industrial
and Commercial Power Systems Europe (EEEIC/I&CPS Europe), IEEE, 2020, pp. 1–5.
[33] P. Simões, T. Cruz, J. Gomes, E. Monteiro, On the use of honeypots for detecting cyber attacks on industrial control networks, in: Proc. 12th Eur. Conf.
Inform. Warfare Secur. ECIW 2013, 2013.
[34] P. Simões, T. Cruz, J. Proença, E. Monteiro, Specialized honeypots for Scada systems, in: Cyber Security: Analytics, Technology and Automation, Springer,
2015, pp. 251–269.
[35] Haas, https://haas.nic.cz/.
[36] M. Balamurugan, B.S.C. Poornima, Honeypot as a service in cloud, in: International Journal of Computer Applications, éditeur: Proceedings of the 2011
International Conference on Web Services Computing, 2011.
[37] L. Zobal, D. Kolář, R. Fujdiak, Current state of honeypots and deception strategies in cybersecurity, in: 2019 11th International Congress on Ultra
Modern Telecommunications and Control Systems and Workshops (ICUMT), IEEE, 2019, pp. 1–9.
[38] N.F. Khan, M.M. Mohan, Honey pot as a service in cloud in, Int. J. Pure Appl.Math. 118 (20) (2018) 2883–2888.
[39] A. Kostopoulos, I.P. Chochliouros, C. Patsakis, M. Anastasiadis, A. Guarino, Protocol deployment for employing honeypot-as-a-service, in: IFIP Interna-
tional Conference on Artificial Intelligence Applications and Innovations, Springer, 2020, pp. 105–115.
[40] P. Sokol, R. Benko, L. Rózenfeldová, Legal issues of Deception systems in the industrial control systems, in: Recent Developments on Industrial Control
Systems Resilience, Springer, 2020, pp. 301–333.
[41] B. Galloway, G.P. Hancke, Introduction to industrial control networks, IEEE Commun. Surv. Tutor. 15 (2) (2012) 860–880.
[42] N. Cifranic., J. Romero-Mariona., B. Souza., R.A. Hallman, Decepti-Scada: a framework for actively defending networked critical infrastructures, in:
Proceedings of the 5th International Conference on Internet of Things, Big Data and Security - Volume 1: IoTBDS,INSTICC, SciTePress, 2020, pp. 69–77,
doi:10.5220/0 0 0934330 0690 077.
[43] Kibana, https://www.elastic.co/products/kibana.
[44] Suricata, https://suricata-ids.org/.
[45] Filebeat, https://www.elastic.co/products/beats/filebeat.
[46] Elasticsearch, https://www.elastic.co/products/enterprise-search.
[47] Honeypot or not?, https://honeyscore.shodan.io/.
[48] S. Jajodia, N. Park, F. Pierazzi, A. Pugliese, E. Serra, G.I. Simari, V. Subrahmanian, A probabilistic logic of cyber deception, IEEE Trans. Inf. Forensics
Secur. 12 (11) (2017) 2532–2544.

14