Traditional industrial control system (ICS) honeypots suffer from low interactivity and simulation inaccuracies, resulting in insufficient threat capture capability. To address this, we propose ICSLure, a high-interaction honeynet framework that innovatively integrates physical programmable logic controllers (PLCs), remote terminal units (RTUs), industrial routers/switches, and virtual network components. It supports mainstream industrial protocols—including Modbus and PROFINET RTU—to construct a modular, physically realistic ICS emulation environment. Through end-to-end traffic monitoring and real-time data interaction, ICSLure enables high-fidelity detection and deep behavioral analysis of advanced persistent threats (APTs) and protocol-level adversarial activities. Experimental evaluation demonstrates that ICSLure significantly improves attack context completeness and threat intelligence quality, facilitating ICS-specific attack pattern identification and defense strategy optimization. As a scalable technical foundation, it advances proactive security for industrial control systems.

The security of Industrial Control Systems (ICSs) is critical to ensuring the safety of industrial processes and personnel. The rapid adoption of Industrial Internet of Things (IIoT) technologies has expanded system functionality but also increased the attack surface, exposing ICSs to a growing range of cyber threats. Honeypots provide a means to detect and analyze such threats by emulating target systems and capturing attacker behavior. However, traditional ICS honeypots, often limited to software-based simulations of a single Programmable Logic Controller (PLC), lack the realism required to engage sophisticated adversaries. In this work, we introduce a modular honeynet framework named ICSLure. The framework has been designed to emulate realistic ICS environments. Our approach integrates physical PLCs interacting with live data sources via industrial protocols such as Modbus and Profinet RTU, along with virtualized network components including routers, switches, and Remote Terminal Units (RTUs). The system incorporates comprehensive monitoring capabilities to collect detailed logs of attacker interactions. We demonstrate that our framework enables coherent and high-fidelity emulation of real-world industrial plants. This high-interaction environment significantly enhances the quality of threat data collected and supports advanced analysis of ICS-specific attack strategies, contributing to more effective detection and mitigation techniques.