In August of this year, we presented at Blackhat our paper titled The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. GasPot was a honeypot designed to mimic the behavior of the Guardian AST gas-tank-monitoring system. It was designed to look like no other existing honeypot, with each instance being unique to make fingerprinting by attackers impossible. These were deployed within networks located in various countries, to give us a complete picture of the attacks facing gas tank monitoring systems.
This allowed us to discover that attackers with ties to Iran and the Syrian Electronic Army were probing the security of automated gas tank systems. However, GasPot was a research tool, not a full-fledged honeypot. Recently, we learned that the well-known industrial control system (ICS) honeypot Conpot (a project under the umbrella of the non-profit research group Honeynet Project) added code from GasPot to allow Conpot to act as a gas station honeypot as well. In effect, GasPot was integrated into Conpot.
This is a good thing. For one, the Conpot project has a larger developer base than can maintain and improve on the project. We wanted to raise awareness about this problem; we have succeeded in that goal. There are some aspects of the Conpot implementation we’d quibble with (for example: GasPot is designed to use random station names, Conpot is not), but overall this will help provide researchers everywhere a better picture of ICS threats. Conpot is a more mature project, and the addition of GasPot’s features into it only makes it better. For example, an admin module for interfacing with these monitoring systems has already been created for Conpot – a capability that was not present in our original GasPot implementation,
Our research into vulnerabilities in other automation systems continues, although for now our work on automated gasoline tanks is finished. We will provide updates into our research at an appropriate time. We hope that our findings then will also make their way into Conpot.