The Q-ConPot® (Control System Honeypot) network appliance is an ICS and SCADA honeypot. Network honeypots provide network obfuscation (hiding in plain sight) and deny the attacker easy network reconnaissance, while greatly increasing the chance of detecting a network breach. The Q-ConPot is built on ConPot, an open source software package with a wide range of built-in industrial protocols, so that administrators can create attack surfaces that mimic their actual environment or portray a very complex and fictional infrastructure. This lets administrators create network obfuscation and deception, denying attackers an accurate map of the network and its machines and increasing the likelihood that a breach is caught by an Intrusion Detection System (IDS) such as the Q-Box® or by the Q-ConPot itself.
To increase the deception capabilities of ConPot, the administrator can create custom Human-Machine Interfaces (HMIs) in the Q-ConPot, thereby increasing the number and type of attack surfaces. The response time of the attack surfaces can also be tuned with various delay values to mimic the behavior of an industrial system under constant load. ConPot can be accessed through production HMIs or via a web interface.
Also included are Moloch, an open source, enterprise-class full packet capture, indexing, and database system, so that in the event of an alert administrators can immediately capture packets for forensic analysis, and HoneyBadger, which, unlike other honeypot systems, gives Q-ConPot administrators the ability to fight back by identifying the attacker's location through geolocation of the attacker's IP address(es), as well as to prevent TCP injection attacks, including 0-day (zero-day) attacks.