IMPLEMENTATION OF SECURITY INFORMATION AND EVENT MANAGEMENT SOFTWARE IN A HONEYPOT
Authors
Sciuto, Jesse
Subjects
security information and event management
industrial control system
honeypot
SIEM
ICS
Advisors
Rowe, Neil C.
Nguyen, Thuy D.
Date of Issue
2023-12
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
Many industrial control systems (ICS) were originally designed as standalone systems, unconnected to the Internet, that provided little cybersecurity to maximize reliability and response time. Increasingly, these systems have been exposed to the Internet for better control and management, making them vulnerable to cyberattacks. We explored the use of security information and event management (SIEM) technology to improve an ICS honeypot (decoy) system’s ability to detect and respond to attacks against electrical-power grids. We integrated commercial SIEM software into the honeypot architecture and deployed a SIEM-enabled instance in a commercial cloud environment. Our experiments showed that SIEM’s real-time alerts, data collection and aggregation, and threat analysis helped speed up the discovery of several living-off-the-land and botnet cyberattacks on the honeypot. This work provides a framework for ICS defenders in the Department of Defense and private sectors to use SIEM and honeypot technology to protect critical assets.
Type
Thesis
Department
Information Sciences (IS)
Sponsors
OUSD (R&E), Washington, DC 20301
Distribution Statement
Approved for public release. Distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
