What is a Honeypot?
A honeypot is a decoy system that is deliberately made to look vulnerable or attractive in order to mislead attackers and observe what they do. In OT networks, a honeypot is used to detect unwanted access attempts without exposing critical systems to risk.
Honeypots support threat detection, forensic investigation and the improvement of OT security strategies.
How does a Honeypot work?
- A fake system or service is set up that appears to offer real functionality
- The honeypot is made visible on the network (e.g. via an IP address and open ports)
- Every interaction with it is logged, for example:
  - Login attempts
  - Scans
  - Malware downloads
- The collected data is analysed for Threat Intelligence or anomaly detection
Because no legitimate user or process has any reason to contact the honeypot, every interaction with it is suspicious by definition, which is why its logs carry so few false positives.
Honeypots in OT environments
- Fake PLC or SCADA interfaces that resemble real industrial systems
- Simulation of Modbus or PROFINET services to attract network scans
- Detection of unauthorised access attempts via remote access paths
- Insight into attacker behaviour within isolated OT test environments
- Support for Threat Hunting and Security Monitoring
Note: a honeypot must never be connected directly to production OT systems. Place it in an isolated, separately monitored segment so that a compromise of the decoy can never reach real controllers.
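The following is an added example of the "fake service, visible on the network, every interaction logged" procedure described above, applied to the Modbus simulation mentioned in the OT list: a minimal Modbus/TCP decoy written for this page (not code from any product or vendor). It answers Read Holding Registers (function 0x03) with made-up register values, rejects every other function code with a Modbus exception, and writes one JSON line per request, including malformed ones. The register contents, the listening port and the log file name are assumptions.

```python
"""Minimal Modbus/TCP decoy for an isolated OT honeypot segment.

Added example for this page, not code from any product or vendor. It answers
Read Holding Registers (function 0x03) with made-up values, rejects everything
else with a Modbus exception, and writes one JSON line per request. The
register contents, port and log file name are assumptions.
"""
import json
import socketserver
import struct
import time

LISTEN_PORT = 502                          # standard Modbus/TCP port; binding it needs root or CAP_NET_BIND_SERVICE
LOG_PATH = "modbus-decoy.jsonl"            # assumed log location; ship it to the SIEM from here
FAKE_REGISTERS = [0] * 16 + [1234, 5678]   # assumed decoy "process values" (registers 0..17)
FUNCTION_NAMES = {
    1: "read_coils", 2: "read_discrete_inputs", 3: "read_holding_registers",
    4: "read_input_registers", 5: "write_single_coil", 6: "write_single_register",
    15: "write_multiple_coils", 16: "write_multiple_registers",
}


def parse_mbap(frame):
    """Split one Modbus/TCP frame into (transaction_id, unit_id, pdu).

    MBAP header: transaction id (2), protocol id (2, always 0),
    length (2, number of bytes following the length field), unit id (1).
    Raises ValueError on anything that is not a well-formed single frame.
    """
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[7:]


def build_response(tid, unit, pdu):
    """Wrap a response PDU in an MBAP header that matches the request."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def handle_request(frame, peer):
    """Return (response_bytes, log_record) for one request frame.

    Every request is logged, including malformed ones: on a decoy the
    contact itself is the signal. An empty response means "send nothing".
    """
    record = {"ts": time.time(), "src": peer, "raw": frame.hex()}
    try:
        tid, unit, pdu = parse_mbap(frame)
    except ValueError as exc:
        record["error"] = str(exc)
        return b"", record
    func = pdu[0]
    record.update(tid=tid, unit=unit, function=func,
                  name=FUNCTION_NAMES.get(func, "unknown"))
    if func == 3 and len(pdu) == 5:
        start, qty = struct.unpack(">HH", pdu[1:5])
        record.update(start=start, quantity=qty)
        if 1 <= qty <= 125 and start + qty <= len(FAKE_REGISTERS):
            values = FAKE_REGISTERS[start:start + qty]
            body = bytes([3, 2 * qty]) + struct.pack(">%dH" % qty, *values)
            return build_response(tid, unit, body), record
        return build_response(tid, unit, bytes([0x83, 0x02])), record  # exception: illegal data address
    # Anything else (write functions are the interesting ones) gets "illegal function" but is still logged.
    return build_response(tid, unit, bytes([func | 0x80, 0x01])), record


class DecoyHandler(socketserver.BaseRequestHandler):
    """One TCP connection; each recv() is treated as one frame, which is enough for a decoy."""

    def handle(self):
        peer = self.client_address[0]
        while True:
            data = self.request.recv(260)  # the maximum Modbus/TCP ADU is 260 bytes
            if not data:
                break
            response, record = handle_request(data, peer)
            with open(LOG_PATH, "a") as log:
                log.write(json.dumps(record) + "\n")
            if response:
                self.request.sendall(response)


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", LISTEN_PORT), DecoyHandler) as server:
        server.serve_forever()
```

Run it as root (or with CAP_NET_BIND_SERVICE) on a host in the isolated segment, then point a Modbus client or a port scanner at it; the JSON lines in the log file are what a SIEM collector should pick up. The decoy deliberately implements only one function so that it can never be turned into a pivot: it holds no real credentials, no real process data and no way to write anything.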
Honeypot vs. Honeynet vs. IDS
| Term | Description |
|---|---|
| Honeypot | A single decoy system that serves as a target to lure attackers |
| Honeynet | A network of several honeypots with its own routing/switching, so that movement between the decoys can be observed as well |
| IDS | Intrusion Detection System: passive detection of suspicious activity on real systems and traffic, without offering a bait target |
Security aspects
- No production data and no real credentials or access paths in the honeypot
- Combine with a SIEM to alert on and correlate attacks
- Ideal for testing anomaly detection and threat simulations
- Increases insight into attackers' TTPs (Tactics, Techniques & Procedures)
When properly configured, honeypots are low-risk and yield a high volume of useful information.
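As an added example of the "combine with a SIEM to alert on and correlate attacks" point, the following correlation logic turns decoy log lines into alerts the way a SIEM rule set would. It is written for this page and is not part of any SIEM product; the JSON-lines record layout (one object per request with `ts`, `src`, `function` and `name` fields), the sample log lines, the thresholds and the severities are all constructed assumptions.

```python
"""Correlate decoy log lines into SIEM-style alerts.

Added example for this page, not code from any SIEM or honeypot product.
Assumes a JSON-lines log with one object per request carrying at least
"ts" and "src"; "function" is the Modbus function code when parsed.
Thresholds are assumptions chosen for illustration.
"""
import json
from collections import defaultdict

WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # Modbus function codes that change controller state
SCAN_DISTINCT_FUNCTIONS = 4                # assumed: >= 4 different function codes from one host = enumeration
BURST_REQUESTS = 20                        # assumed: >= 20 requests within BURST_WINDOW seconds = burst
BURST_WINDOW = 60.0

# Constructed sample log (not real traffic): one host enumerating function codes,
# one host attempting a write, one malformed frame, and one truncated log line.
SAMPLE_LOG = [
    '{"ts": 1700000000.0, "src": "10.0.5.23", "tid": 1, "unit": 1, "function": 3, "name": "read_holding_registers", "start": 0, "quantity": 10}',
    '{"ts": 1700000001.0, "src": "10.0.5.23", "tid": 2, "unit": 1, "function": 1, "name": "read_coils"}',
    '{"ts": 1700000002.0, "src": "10.0.5.23", "tid": 3, "unit": 1, "function": 4, "name": "read_input_registers"}',
    '{"ts": 1700000003.0, "src": "10.0.5.23", "tid": 4, "unit": 1, "function": 43, "name": "unknown"}',
    '{"ts": 1700000010.0, "src": "10.0.7.9", "tid": 1, "unit": 1, "function": 6, "name": "write_single_register"}',
    '{"ts": 1700000011.0, "src": "10.0.9.1", "raw": "0001", "error": "frame too short"}',
    'this line was truncated by the collector {"ts":',
]


def alerts_from_log(lines):
    """Turn decoy JSON log lines into a list of alert dicts.

    Any contact with a decoy is an alert; the additional rules only raise
    the severity or add context (write attempt, enumeration, burst).
    """
    per_src = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line must not stop the pipeline
        per_src[record.get("src", "?")].append(record)

    alerts = []
    for src, records in per_src.items():
        records.sort(key=lambda r: r.get("ts", 0))
        alerts.append({"src": src, "severity": "medium", "rule": "decoy_contact",
                       "count": len(records)})
        writes = sorted({r["function"] for r in records if r.get("function") in WRITE_FUNCTIONS})
        if writes:
            alerts.append({"src": src, "severity": "high", "rule": "decoy_write_attempt",
                           "functions": writes})
        funcs = sorted({r["function"] for r in records if "function" in r})
        if len(funcs) >= SCAN_DISTINCT_FUNCTIONS:
            alerts.append({"src": src, "severity": "medium", "rule": "function_code_enumeration",
                           "functions": funcs})
        # Sliding window over timestamps: first window holding BURST_REQUESTS events triggers once.
        stamps = [r["ts"] for r in records if "ts" in r]
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > BURST_WINDOW:
                lo += 1
            if hi - lo + 1 >= BURST_REQUESTS:
                alerts.append({"src": src, "severity": "medium", "rule": "request_burst",
                               "count": hi - lo + 1})
                break
    return alerts


if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG):
        print(json.dumps(alert))
```

The `decoy_contact` rule is the important one: on a real asset a single read would be noise, on a decoy it is already an alert. The write and enumeration rules exist so that the analyst sees at a glance whether the source was merely scanning or actually tried to change state, which is the distinction that matters most in an OT incident.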
In summary
A honeypot is a powerful tool to mislead attackers and gain valuable insights without endangering your OT production network.
