Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol

Jacob J Williams; Matthew  Edwards; Joe Gardiner

doi:10.1109/ICDCSW63273.2025.00141

Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol

Jacob J Williams^*, Matthew Edwards, Joe Gardiner

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

12 Downloads (Pure)

Abstract

The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.

Original language	English
Title of host publication	2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS)
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
ISBN (Electronic)	9798331517250
ISBN (Print)	9798331517267
DOIs	https://doi.org/10.1109/ICDCSW63273.2025.00141
Publication status	Published - 1 Dec 2025
Event	45th IEEE International Conference on Distributed Computing Systems - Glasgow, United Kingdom Duration: 20 Jul 2025 → 23 Jul 2025 https://icdcs2025.icdcs.org/

Publication series

Name	International Conference on Distributed Computing Systems
Publisher	IEEE
ISSN (Print)	1063-6927
ISSN (Electronic)	2575-8411

Conference

Conference	45th IEEE International Conference on Distributed Computing Systems
Abbreviated title	ICDCS 2025
Country/Territory	United Kingdom
City	Glasgow
Period	20/07/25 → 23/07/25
Internet address	https://icdcs2025.icdcs.org/

Research Groups and Themes

Cyber Security

Access to Document

10.1109/ICDCSW63273.2025.00141

Full-text PDF (accepted manuscript)
This is the accepted author manuscript (AAM) of the article which has been made Open Access under the University of Bristol's Scholarly Works Policy. The final published version (Version of Record) can be found on the publisher's website. The copyright of any third-party content, such as images, remains with the copyright holder.
Accepted author manuscript, 217 KBLicence: CC BY

Handle.net

Persistent link

Cite this

Williams, J. J., Edwards, M., & Gardiner, J. (2025). Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol. In 2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS) (International Conference on Distributed Computing Systems). Institute of Electrical and Electronics Engineers (IEEE). https://doi.org/10.1109/ICDCSW63273.2025.00141

Williams, Jacob J ; Edwards, Matthew ; Gardiner, Joe. / Time-to-lie : Identifying industrial control system honeypots using the internet control message protocol. 2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS). Institute of Electrical and Electronics Engineers (IEEE), 2025. (International Conference on Distributed Computing Systems).

@inproceedings{f2b8db7b6723409c97a10ddf0a6fe59d,

title = "Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol",

abstract = "The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature. ",

author = "Williams, \{Jacob J\} and Matthew Edwards and Joe Gardiner",

year = "2025",

month = dec,

day = "1",

doi = "10.1109/ICDCSW63273.2025.00141",

language = "English",

isbn = "9798331517267",

series = "International Conference on Distributed Computing Systems",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

booktitle = "2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS)",

address = "United States",

note = "45th IEEE International Conference on Distributed Computing Systems, ICDCS 2025 ; Conference date: 20-07-2025 Through 23-07-2025",

url = "https://icdcs2025.icdcs.org/",

}

Williams, JJ , Edwards, M & Gardiner, J 2025, Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol. in 2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS). International Conference on Distributed Computing Systems, Institute of Electrical and Electronics Engineers (IEEE), 45th IEEE International Conference on Distributed Computing Systems, Glasgow, United Kingdom, 20/07/25. https://doi.org/10.1109/ICDCSW63273.2025.00141

Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol. / Williams, Jacob J ; Edwards, Matthew ; Gardiner, Joe.
2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS). Institute of Electrical and Electronics Engineers (IEEE), 2025. (International Conference on Distributed Computing Systems).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Time-to-lie

T2 - 45th IEEE International Conference on Distributed Computing Systems

AU - Williams, Jacob J

AU - Edwards, Matthew

AU - Gardiner, Joe

PY - 2025/12/1

Y1 - 2025/12/1

N2 - The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.

AB - The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.

UR - https://icdcs2025.icdcs.org/

U2 - 10.1109/ICDCSW63273.2025.00141

DO - 10.1109/ICDCSW63273.2025.00141

M3 - Conference Contribution (Conference Proceeding)

SN - 9798331517267

T3 - International Conference on Distributed Computing Systems

BT - 2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS)

PB - Institute of Electrical and Electronics Engineers (IEEE)

Y2 - 20 July 2025 through 23 July 2025

ER -

Williams JJ , Edwards M , Gardiner J. Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol. In 2025 IEEE 45th International Conference on Distributed Computing Systems (ICDCS). Institute of Electrical and Electronics Engineers (IEEE). 2025. (International Conference on Distributed Computing Systems). doi: 10.1109/ICDCSW63273.2025.00141

Time-to-lie: Identifying industrial control system honeypots using the internet control message protocol

Abstract

Publication series

Conference

Research Groups and Themes

Access to Document

Handle.net

Other files and links

Fingerprint

Cite this