ICS Scada Honeypot Technical Training

Get access this exciting two days deep dive workshop on SCADA honeypots. During the first day, the students will be guided in the different phases in planning, deploying and analyzing the collected data from a ICS/SCADA honeypot.

Day 1

Introduction to Honeypots systems, with special focus on ICS/SCADA)

The first day, the students will introduced to different types of honeypot systems and pro/con’s of each honeypot type.

The students will be guided thou the different phases in planning, deploying and analyzing the collected data from a ICS/SCADA honeypot.

We will deploy live honeypots on the internet and see how attackers would start to probe our honeypots. Furthermore, we will also attack the deployed honeypots ourselves; using SCADA pen testing tools and similar software. We will learn to spot various tools, and how to hide the signatures of a default honeypot.

Day 2

Deploy more honeypots and move from low interaction to medium/high interaction Honeypots

We will continue the modification of the SCADA honeypot from day 1 and will also deploy a new Internet based ICS/SCADA credential honeypot to our research arsenal - for further research/analyzing.

The students will on day 2 build a purpose-build in-house Honeypot lab, where we change a low interaction honeypot to act as a realistic device (medium/high interaction honeypot) to ensure that attackers can’t spot the honeypot ‘a mile away’. This would give the students even better opportunity to do research/threat intelligence data on high interaction honeypots.

The 2nd day would also provide opportunities to deep dive into students ideas for further activities after the workshop.

Course syllabus

  • Introduction to Honeypots systems, with special focus on ICS/SCADA.
  • Building and Deployment of a live honeypot on the internet.
  • Useful tools to pentest SCADA honeypot systems
  • How to read the logs, and spot different attack types
  • Useful modification of the honeypot configuration
  • Learning how to build and deploy a medium/high interactive honeypot - for even better research data/TTP’s
  • Closing remark and ideas for further activities.

Each student will get access to a numbers of virtual lab servers to learn how to deploy and customize settings to avoid the default honeypot signature and evolve the low-interaction honeypot to be a true high interactive honeypot.

Takeaway for participants

After this 2 days workshop, you will be able to plan and deploy different types of ICS/SCADA related open source honeypots, either for research or to defend your corporate/industrial assets. You will understand different Honeypot types and deceptions methods.

You will leave the class room with a knowledge on how to change the default signature on the honeypots and the understanding of the most common tools who will attack your honeypots.


Students must bring a suitable laptop able to connect to the Internet. It must have a SSH client (Putty/term or similar software) installed. All lab servers are based on the internet, so no hypervisor like Vmware/VirtualBox are required on the student device. Knowledge of basic Linux commands, text editor and usage of the command line would be beneficial, but not a strict requirement to benefit from this course.

Workshop Level

Beginner to Intermediate