At Black Hat Europe 2013 in Amsterdam, a security researcher at Trend Micro revealed a collaborative honeypot project with the SCADA security team. The project ran fake ICS/SCADA devices of the kind used in many critical infrastructure power and water plants.
The honeypots were optimized and promoted on search engines such as Google so that they could be found directly and would trick attackers into believing the servers were real. The servers were named 'Scada-1', 'Scada-2', and so on.
According to SCADA security researcher Kyle Wilhoit, the honeypots were also seeded on devices that were part of HD Moore's Shodan Project. This was done so that motivated and targeted attackers could easily find the servers, and the first attack was detected after only 18 hours.
Trend Micro reported detecting 39 attacks on the honeypots from 11 different countries during the 28 days they were active. 12 of the attacks were targeted and 13 of them were repeated several times by the same actor, indicating they could have been automated.
Besides the honeypot results, the researchers published results from the Snort intrusion detection system. The top Snort alert generated in the honeypot environment was "Modbus TCP non-Modbus communication on TCP port 502". This rule is triggered when an established connection utilizing Modbus is hijacked or spoofed to send other commands or attacks to a different device.
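The idea behind an alert of this kind can be sketched as a conformance check on the Modbus/TCP (MBAP) header of traffic seen on port 502. The Python below is an added example, not the Snort rule or anything from the Trend Micro report. The function name and sample payloads are constructed for illustration, and the checks follow the standard Modbus/TCP framing (protocol identifier 0x0000, bounded length field).

```python
import struct

MBAP_LEN = 7    # transaction id (2) + protocol id (2) + length (2) + unit id (1)
MAX_PDU = 253   # largest Modbus PDU; the length field also counts the unit id

def check_port502_payload(payload: bytes) -> list[str]:
    """Return reasons the payload is not well-formed Modbus/TCP (empty list = conformant)."""
    reasons = []
    offset = 0
    while offset < len(payload):            # a segment may carry several pipelined ADUs
        frame = payload[offset:]
        if len(frame) < MBAP_LEN + 1:
            reasons.append(f"offset {offset}: too short for MBAP header and function code")
            break
        _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
        if proto != 0:
            reasons.append(f"offset {offset}: protocol id 0x{proto:04x}, expected 0x0000")
            break                           # framing cannot be trusted past this point
        if not 2 <= length <= MAX_PDU + 1:
            reasons.append(f"offset {offset}: length field {length} outside 2..{MAX_PDU + 1}")
            break
        if len(frame) < 6 + length:
            reasons.append(f"offset {offset}: frame truncated")
            break
        func = frame[MBAP_LEN]
        if func & 0x7F == 0:                # 0x00 and 0x80 are not usable function codes
            reasons.append(f"offset {offset}: function code 0x{func:02x} is not valid")
        offset += 6 + length                # length counts bytes after the length field
    return reasons

# Constructed sample payloads (not captured traffic).
READ_HOLDING = bytes.fromhex("00010000000601030000000a")   # unit 1, function 3, 10 registers
SAMPLES = {
    "modbus request": READ_HOLDING,
    "two pipelined requests": READ_HOLDING * 2,
    "http probe": b"GET / HTTP/1.1\r\n\r\n",
    "modbus then foreign data": READ_HOLDING + b"SSH-2.0-OpenSSH_6.0\r\n",
    "oversized length": bytes.fromhex("000100000100") + b"\x01\x03",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:26} {check_port502_payload(data) or 'conformant'}")
```

The "modbus then foreign data" sample models the case the rule description mentions: a session that starts as valid Modbus and then carries something else on the same connection.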
The Trend Micro report is available at: http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-whos-really-attacking-your-ics-equipment.pdf