Blog  

Deception for Industrial Control Systems

Deception for Industrial Control Systems

Attackers only have to be lucky once. Defenders have to be lucky every time.

Industrial Control Systems (ICS) have many unique characteristics that make defensive countermeasures against cyber attacks a challenging job.

The main priority for ICS/SCADA systems is operational continuity. The use of outdated and physically isolated devices, and the inevitable convergence between the IT and the OT world, makes these environments vulnerable to insider threats and external breach attempts. It also creates other security management challenges that we rarely see in pure IT environments.

Why is that? Some facts for consideration:


An “air gapped” network is not always an option, as there may be data from those devices that needs to be accessed (Weiss, 2010; Knapp, 2011).

Patching devices may require a connection to either the Internet or a central patching server, such as a Windows Server Update Service (WSUS) or RedHat Satellite.

Consultants and vendors may bring malware in on laptops and connect those systems to the SCADA network for maintenance purposes.

Performing software updates on SCADA devices can be difficult (Higgins, The SCADA Patch Problem, 2013). The vendors of these devices or the integrators used to bring them online may not allow them to be updated without the vendor or integrator first performing appropriate regression testing (Byres, 2012).

Fear of disturbing equipment that has been operating fine for years, sometimes decades, for a security patch (Zubairi & Mahboob, 2013)

Implementing additional security controls on SCADA networks or devices like anti-virus or a host-based intrusion detection system might cause some unexpected behaviours, such as system slowdowns or active responses to perceived attacks (Wade, 2011).


Let’s consider the HMI (Human Machine Interface) in an OT environment. This is a critical component of a SCADA network as it permits an operator to communicate with a controller of an industrial system. Most of these HMI are Windows-based machines, so vulnerabilities such as buffer overflow, weak hashing algorithms, SQL injection flaws, FrostyURL, Shellshock, and cross-Site Scripting attacks are well documented. Therefore, mitigating the vulnerabilities may not always be possible, as discussed above.

Now, considering all these limitations let’s discuss how CounterCraft’s Cyber Deception Platform can help in the proactive protection of critical assets without imposing any burden on the normal operation of services:


CounterCraft’s approach does not require modifying the existing SCADA network.

There is no need to insert additional inline devices.

Deception assets are simply plugged into the network as any other system would be and set up to run services that look like other devices on your SCADA network. A deception host that, from the outside, looks like a real production HMI can deflect the attention of the human attackers away from real ICS assets and, when engaged, generate a confirmed alert of an ongoing attack in real time. Further intelligence will be obtained from the attacker’s actions, leading to a better understanding of the attacker’s objectives and TTPs used. Other deception hosts like physical WiFi routers or PLC emulations can also be an effective part of a deception campaign.

The CounterCraft Cyber Deception Platform does not base detection on known signatures or traffic analysis, but on human actions.

It can be configured to look like specific devices on a typical SCADA network.

CounterCraft allows for the monitoring of attacks designed specifically to target the current infrastructure.

Deception offers you earlier detection, along with immediate identification of the breach and compromised asset.

Understanding TTPs of the attacker leads to local actionable Intel to share with SIEM, SOAR and the rest of the security team.


Deception campaigns based on these principles can effectively detect threats against ICS infrastructures, from lateral movements and zero-day attacks to vulnerabilities exploitation attempts and documents exfiltration.

CounterCraft flips the traditional conundrum on its head—now attackers have to be lucky all the time, and you, the defender, only have to be lucky once.

Like Jim Morrison said, this is the end. But you can...