Chapter 963: Update Later Tonight - Ashen God - NovelsTime

Ashen God

Chapter 963: Update Later Tonight

Author: Just call the polar bear
updatedAt: 2025-11-03

As the title says, today's update will be posted later; just refresh this chapter at that time.

......

Abstract: With the rapid development of network information technology, cybersecurity faces severe challenges. Hackers' attacks are characterized by clear targets, diverse methods, and strong concealment. Relying solely on traditional boundary protection technology can no longer meet current cybersecurity needs, and new technologies are urgently needed. Network Deception Defense Technology is a security defense method that is currently receiving widespread attention and discussion. It differs from traditional passive security protection methods in that it is an active defense method. This paper studies the application of Network Deception Defense Technology to Power Plant cybersecurity. It proposes establishing a Network Deception Defense system to strengthen Power Plant network security monitoring and management, and, based on the actual state of the network, provides a practical deployment plan for this system in Power Plants.

Keywords: Cybersecurity; Network Deception Defense Technology; Power Plant

The Power Plant is one of the country's critical infrastructures, and as the National Grid is built out and used, the security risks faced by the Power Plant's industrial control system are becoming increasingly prominent. The safety of the power generation system is tied to national security and affects the national economy and people's livelihood. In recent years, cyber attacks on domestic and international power systems have become commonplace, such as the Ukraine grid attack, the major cyber attack on Israel's power supply system, and the Venezuela blackout, causing adverse impacts and significant economic losses.

Meanwhile, from the large-scale leak of the NSA Equation Group's cyber attack tools to the EternalBlue exploit and the widely used Web application and IoT vulnerabilities; from increasingly targeted and agile ransomware attacks to the widespread deployment of cryptomining attacks; from repeated data breach disclosures to the almost daily exposure of APT attacks, ever-present cybersecurity events have made us feel deeply that attack methods are becoming more weaponized, that hacker attacks driven by economic interests are becoming more rational, that cyber attacks are becoming more industrialized, that attack-defense confrontation between countries is becoming normalized, and that the cyber attack surface is expanding.

"The essence of cybersecurity is confrontation, and the essence of confrontation is the competition between the capabilities of the attacking and defending sides." Advanced threats are rising year by year, and APT attacks, 0day vulnerabilities, and other unknown threats pose great challenges to traditional security protection methods. The attack-defense game is constantly escalating, and the current imbalance between attack and defense urgently needs new defense solutions.
The construction of Network Deception Defense systems will further enhance the security protection level of Power Plant systems, strengthen the Power Plant cybersecurity protection system, prevent and suppress major cybersecurity incidents, and ensure safe and stable operation of power production and reliable power supply.

1 Current state of security construction

After years of cybersecurity construction, the Power Plant's protection system has established a security line composed mainly of traditional devices such as firewalls, Internet behavior management, intrusion prevention systems, and forward and reverse isolation devices. Following the requirements of the "Power Monitoring System Security Protection Overall Plan" and the overall principles of "security zoning, network specialization, horizontal isolation, and vertical authentication", comprehensive security protection for the business systems has been built up, giving the plant the ability to cope with multiple cybersecurity threats. At the same time, technical means such as network isolation, network structure adjustment, and log auditing allow the company's information network to meet cybersecurity requirements while keeping the exchange of business data between the office network and the production network safe and stable. This further strengthens the company's capability to resist cybersecurity risks, improves the information network security of the power system, and promotes the wider application of network information technology. The network security topology of the deployed security equipment is shown in Figure 1. The security devices in Figure 1 include network firewalls, Internet behavior management, intrusion prevention systems, and log auditing. Firewalls are deployed at the boundary and control access through policies. Internet behavior management is deployed in series between the firewall and the core network equipment, while the intrusion prevention system is deployed in parallel (out of band) next to the core equipment to detect attack traffic. Log auditing is deployed in parallel on the server switch, and antivirus software is deployed and managed centrally by the company. The Production Control Zone is protected from the Management Information Zone by unidirectional isolation equipment.

2 Cybersecurity situation of Power Plants

With the networking and intelligent development of China's power systems, a large amount of general IT software and power-specific software is used in power systems, which may carry design flaws and vulnerabilities in the operating system, business software, database, and middleware. When management systems, especially production management systems, are connected to the Internet, attackers can exploit vulnerabilities to plant viruses, trojans, and other malicious software in the power system and steal important information and data from it. In addition, advanced persistent threat (APT) attacks, advanced attack methods that use "0day" vulnerabilities, and social engineering methods such as "spear phishing" and "watering hole" attacks against specific targets in the power industry pose a great threat. They can bypass the defense line of traditional security devices and have become the biggest threat currently faced by power network security. Deception Defense Technology is a new active defense technology that lets defenders observe attacker behavior [1] by luring attackers and malicious applications into exposing themselves, so that researchers can design effective protection measures. Deception Defense Technology produces few false positives and high-quality monitoring data. Therefore, when building their threat detection capabilities, Power Plant security personnel should incorporate Deception Defense Technology into the security defense system.

3 Deployment and implementation

Applying Deception Defense Technology to the Power Plant network system first requires deploying the basic functional modules needed for Deception Defense Technology, including: Honeypot service management, threat log analysis, statistical analysis display, and system overview display. The main functions of each module are as follows:

3.1 Honeypot Service Management

The honeypot service provides honeypot management, simulation tracing, and bait settings, and consists mainly of honeypots of low, medium, and high interaction levels. Low-interaction honeypots mainly emulate common network protocols and additionally include common industrial control network protocols. Medium-interaction honeypots offer some interactivity and can simulate real Power Plant assets to make the honeypot more attractive, for example allowing login via SSH or Telnet and providing a working terminal. High-interaction honeypots simulate real information assets, such as Linux and Windows hosts and ERP systems, and place fictitious sensitive files inside the system to lure attackers into triggering the capture mechanisms. Honeypot types include honeypots for current hot security events, which can be upgraded rapidly; middleware simulation, including Tomcat, WebLogic, JBoss, etc.; simulation of OA systems and other Web applications, covering common web vulnerabilities; common database simulation, including MySQL, Redis, MongoDB, etc.; and system services, including the file transfer services FTP/TFTP and the operation and maintenance services SSH/Telnet.

(1) Honeypot Management. The honeypot management function of the Deception Defense system supports custom honeypot grouping. Honeypots in the same group form a honeynet isolated from the production network, within which the honeypots can communicate and interact with each other. Each honeypot supports reset and delete operations and lets the operator view its copy count, creation time, and cluster node details.

(2) Simulation Tracing. The Deception Defense System provides a customizable simulation tracing honeypot, allowing disguised business systems to be deployed flexibly according to the power plant's needs. Template creation supports customization of the business system's display elements, including the template name, webpage title, copyright information, and uploaded website logo and title bar icon. It also supports one-click copying of simulation tracing honeypot templates, which lets power plants roll out honeypots rapidly.

(3) Bait Management. The Deception Defense System provides Internet bait (GitHub): false information placed on public websites to mislead hackers during their information gathering phase, redirecting their attack objectives toward the honeypots and thereby indirectly protecting other assets. The bait configuration page provides detailed instructions: fill in the required information, download the generated bait project, then log in to GitHub, create a new repository, and upload the bait.

(4) Other Functions. The Deception Defense System offers external email alerting, supports registering internal trusted scanning devices as trusted hosts, and sends detailed logs to third-party platforms via syslog, providing useful data for cybersecurity decision-making. It also supports threat intelligence linkage, querying malicious IPs in real time and uploading malicious files to intelligence platforms for analysis.

3.2 Threat Log Analysis

Threat Log Analysis provides honeypot session logs, a detailed log list, and attacker tracing analysis. Honeypot session logs present logs uniformly by the five-tuple of the honeypot access (source and destination addresses, ports, and protocol), with drill-down to the full process from session establishment to session end on a timeline of operation logs. The log list presents alarm logs uniformly and supports viewing detailed alarm information. Attacker tracing offers detailed attacker fingerprints, such as the attacker's five-tuple, browser information, terminal information, and scanning tools; combined with intelligence systems, this fingerprint information is used to locate the attacker's position or identity for tracing purposes.

3.3 Statistical Analysis Display

The statistical analysis module provides a real-time dynamic display of system resources, an attack source IP map, attack statistical reports, and attack source analysis. The system resource module displays resource usage in real time, including memory usage rate, disk read/write, and network card upload/download rate, with a detailed dynamic display for each performance indicator. The attack source IP map shows attack origins on a world map, with geographic positioning and analysis. Attack statistical reports support custom report statistics, allowing exportable statistical reports to be defined flexibly over the past month, three months, half year, or custom start and end dates; reports can be downloaded as PDF or HTML for analysis. Attack source analysis provides intrusion frequency analysis on a timeline by attack source IP address and by honeypot service, alongside a detailed display of each attack source's intrusion logs.

3.4 System Overview Display

The system overview enables power plant security personnel to understand the current security status and trends of their network environment. It provides daily intrusion discovery counts, historical intrusion discovery counts, and current honeypot capture counts, displaying trend statistics dynamically on a timeline in real time, and offers a pie chart of honeypot service types, the ten most-attacked honeypot sensors, and attacker source IP statistics. The Deception Defense System is deployed in bypass mode: it does not alter the power plant's existing network architecture, requires no mirrored traffic, is applicable to various network environments, and can be deployed in standalone, distributed, or clustered mode. Capture software (probes) and business simulation systems are deployed in both the Management Information Zone and the Production Control Zone, capturing attacks that conventional security devices find difficult to detect, such as internal network infiltration and APT attacks, and tracing the captured data to locate the attack source and attacker identity for tracing and forensics.

4 Application Benefits

Once deployed in the power plant network according to the Deception Defense Technology framework, the Deception Defense System builds high-fidelity simulations of business systems and constructs a honeynet by setting traps on the paths an intruder must take. It confuses the attacker's targets, attracts attackers into the honeynet, stalls and delays their attacks, and protects the plant's actual business systems, thereby buying time for emergency response. The Deception Defense System gathers information such as attacker addresses, samples, and hacker fingerprints, giving defenders a detailed picture of attack paths, tools, terminal fingerprints, and behavioral characteristics, and achieving comprehensive forensics and precise tracing. Because the Deception Defense System detects behavior rather than attack signatures, evading signature-based detection does not help the attacker, and unknown attack behaviors are discovered efficiently. By interacting with FW, IPS, and other defense devices, it blocks attack behaviors in real time. Furthermore, by extracting features from unknown attack behaviors, it upgrades the signatures of IDS, IPS, and other products, enhancing attack detection capabilities and continuously empowering the security defense system.
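As an added illustration of the session and statistics processing described in 3.2 to 3.4 and the FW/IPS linkage in section 4 (example code written for this page, not part of the product described; the log format, addresses, and trusted-host list are constructed), the script below groups honeypot alerts by five-tuple, lists the most-hit sensors, and derives block candidates while honoring registered trusted scanning hosts:

```python
import re
from collections import Counter, defaultdict

# Constructed honeypot alert lines, not real plant data; the addresses are made up.
SAMPLE_LOG = """\
2025-11-03T01:02:03 src=10.1.5.23:51000 dst=10.1.9.10:22 proto=tcp svc=ssh event=login_attempt
2025-11-03T01:02:09 src=10.1.5.23:51000 dst=10.1.9.10:22 proto=tcp svc=ssh event=command
2025-11-03T01:03:40 src=10.1.5.23:51004 dst=10.1.9.11:502 proto=tcp svc=modbus event=read_coils
2025-11-03T01:10:00 src=10.1.5.23:51010 dst=10.1.9.12:3306 proto=tcp svc=mysql event=login_attempt
2025-11-03T02:00:00 src=10.1.7.7:40000 dst=10.1.9.10:22 proto=tcp svc=ssh event=connect
2025-11-03T02:00:01 src=10.1.7.7:40001 dst=10.1.9.11:502 proto=tcp svc=modbus event=connect
2025-11-03T03:15:22 src=10.1.8.50:60000 dst=10.1.9.12:3306 proto=tcp svc=mysql event=login_attempt
"""
# Internal scanner registered as a trusted host (section 3.1 (4)); constructed address.
TRUSTED_HOSTS = {"10.1.7.7"}
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)"
                     r" proto=(?P<proto>\w+) svc=(?P<svc>\w+) event=(?P<event>\w+)")

def parse_events(text):
    """Parse alert lines into dicts; malformed lines are skipped rather than aborting the batch."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def sessions_by_five_tuple(events):
    """Group events into sessions keyed by the five-tuple, each a time-ordered list of (ts, event)."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        sessions[(e["sip"], e["sport"], e["dip"], e["dport"], e["proto"])].append((e["ts"], e["event"]))
    return dict(sessions)

def top_sensors(events, n=10):
    """Most-hit honeypot sensors as 'dst:port/service', the overview's TOP-N list."""
    return Counter(f'{e["dip"]}:{e["dport"]}/{e["svc"]}' for e in events).most_common(n)

def block_candidates(events, min_services=2):
    """Untrusted sources that touched at least min_services distinct honeypot services; feed to FW/IPS."""
    touched = defaultdict(set)
    for e in events:
        if e["sip"] not in TRUSTED_HOSTS:
            touched[e["sip"]].add(e["svc"])
    return sorted(ip for ip, svcs in touched.items() if len(svcs) >= min_services)
```

The min_services threshold is the tuning knob: with 1, any untrusted host that touches a decoy is a candidate; with 2, only hosts probing across several decoys, which is the lateral-movement pattern section 4 is concerned with.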

5 Conclusion

The Deception Defense System uses honeypot and bait technologies to build a deception defense system with confusion, entrapment, and monitoring capabilities, hiding the real attack targets, slowing the attack rhythm, and capturing attack behaviors and methods when an attacker bypasses or breaks through the defense measures. Using Deception Defense Technology to build a highly realistic capture network and to obscure the real defense targets therefore makes it possible to analyze and alert on attacker behavior, trace attacker identity, and coordinate controls with the existing defense systems. It satisfies the latest security protection demands while reinforcing network security control capabilities and enhancing the reliability and security of the various business system networks, and is thus vital to guaranteeing the safe and stable operation of power systems. Given the increasingly severe cybersecurity landscape, it offers a valuable reference for power enterprises deploying cybersecurity equipment.

According to GB/T 22239-2019 "Information Security Technology: Baseline for Classified Protection of Cybersecurity," basic hospital network security can be divided into the secure physical environment, secure communication network, secure zone boundary, secure computing environment, and secure management center. Hospital information system security is crucial for normal hospital operations and for protecting data availability. Existing hospital information system security risks include resource, content, and logic attacks, mainly due to outdated security defense systems, risk assessments that are not carried out, incomplete identity authentication and password management, and inadequate network security management.
