[n-exploit]

I know security by obscurity doesn't work in the real world, but what if some of those honeypots are actual ICS systems made to look like a poorly configured honeypot? One could host a mock service (representing a poorly configured ICS) on the cloud that acts as a wall to turn away those who don't dig deeper, but the required services are redirected to a legitimate ICS on the ground.

[gherkin0]

In this case, I think the engineering effort required to proxy a real one to make it look like a poorly-configured honeypot would be greater than actually implementing some proper security measures, like a firewall plus a VPN for any needed external access.

[Pharaoh2]

There was an article somewhere, which recommended installing vmware tools on a non-vm OS, just because virus/malicious payloads will detect it, think it's a honeypot vm and shred itself so as not to get discovered. It's a nice way to protect yourself from payloads that may otherwise have executed and be invisible in honeypots.

It better for everyone if honeypots and normal systems looks as similar as possible.

[ilyanep]

I had the same thought as GP as well. Could you not implement some of the "disguise-as-honeypot" features (such as setting the name to "HoneyTrap" or "Error: rand...") in addition to the normal security features?

[gherkin0]

In this case we're talking about embedded industrial control systems, I doubt they're easy to modify in that way.

[n-exploit]

You're probably right.