🤖 AI Summary
To address the scarcity of threat intelligence for critical infrastructure (e.g., wastewater treatment plants) and the low fidelity of conventional honeypots, this paper proposes a high-fidelity industrial control system (ICS) honeypot based on network twin technology. The approach pioneers the deep integration of network twin principles into honeypot design, enabling precise modeling and real-time synchronization of operational technology (OT) environments to actively lure and monitor real-world attacks at fine-grained resolution. The system incorporates attack traffic analysis, log-based forensic tracing, and ransomware detection and response capabilities, while supporting structured threat intelligence generation and sharing. Deployed in an operational water treatment facility, it successfully captured and fully recorded multiple real-world intrusion incidents—including representative ransomware campaigns—demonstrating its effectiveness and novelty in enhancing threat visibility, enabling proactive defense, and facilitating collaborative threat intelligence.
📝 Abstract
Critical Infrastructure (CI) is prone to cyberattacks. Several techniques have been developed to protect CI against such attacks. In this work, we describe a honeypot based on a cyber twin for a water treatment plant. The honeypot is intended to serve as a realistic replica of a water treatment plant that attracts potential attackers. The attacks launched on the honeypot are recorded and analyzed for threat intelligence. The intelligence so obtained is shared with the management of water treatment plants, who in turn may use it to improve plant protection systems. The honeypot used here is operational and has been attacked on several occasions, including by a ransomware attack that is described in detail.
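The summary and abstract describe three capabilities of the honeypot pipeline: log-based forensic tracing, ransomware detection, and structured threat-intelligence generation. The following Python block is an added illustration of that pipeline written for this page; it is not code from the paper or its authors. It assumes a constructed `key=value` log format emitted by the honeypot host, a simple heuristic (several files rewritten with an `.locked` suffix plus a ransom-note filename from one source) as the detection rule, and a simplified STIX-2.1-style indicator object as the sharing format. The thresholds, log lines and field names are all assumptions, not values from the paper.

```python
"""Added example (not the paper's code): parse constructed ICS-honeypot log
lines, build a per-source forensic timeline, flag ransomware-like activity,
and emit simplified STIX-style indicators for sharing."""
import re
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log: one event per line, as a hypothetical honeypot host
# might write them. IPs are documentation ranges, not real observations.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 ev=smb_auth user=admin result=fail
2024-05-01T10:00:03Z src=203.0.113.7 ev=smb_auth user=admin result=ok
2024-05-01T10:00:10Z src=203.0.113.7 ev=file_write path=/srv/hmi/plant.db.locked
2024-05-01T10:00:11Z src=203.0.113.7 ev=file_write path=/srv/hmi/recipes.xml.locked
2024-05-01T10:00:12Z src=203.0.113.7 ev=file_write path=/srv/hmi/alarms.csv.locked
2024-05-01T10:00:15Z src=203.0.113.7 ev=file_write path=/srv/hmi/README_DECRYPT.txt
2024-05-01T10:05:00Z src=198.51.100.9 ev=modbus_read unit=1 reg=40001
2024-05-01T10:05:02Z src=198.51.100.9 ev=modbus_read unit=1 reg=40002
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) ev=(?P<ev>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Heuristic thresholds (assumptions for this example, not the paper's rules).
ENCRYPTED_EXT = ".locked"
RANSOM_NOTE_HINTS = ("DECRYPT", "RANSOM", "RESTORE")
MIN_ENCRYPTED_FILES = 3
# Fixed namespace so indicator ids are reproducible across runs (constructed).
INDICATOR_NS = uuid.UUID("6ba7b810-9dad-11d1-80b4-00c04fd430c8")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m.group("src"), "ev": m.group("ev"), **fields}


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def trace_by_source(events):
    """Forensic tracing: group events per source IP, ordered by time."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    return dict(by_src)


def detect_ransomware(events):
    """Return {src_ip: evidence} for sources whose file activity looks like
    encryption followed by a ransom note."""
    findings = {}
    for src, evs in trace_by_source(events).items():
        writes = [e.get("path", "") for e in evs if e["ev"] == "file_write"]
        encrypted = [p for p in writes if p.endswith(ENCRYPTED_EXT)]
        notes = [p for p in writes if any(h in p.upper() for h in RANSOM_NOTE_HINTS)]
        if len(encrypted) >= MIN_ENCRYPTED_FILES and notes:
            findings[src] = {
                "encrypted_files": encrypted,
                "ransom_notes": notes,
                "first_seen": evs[0]["ts"].isoformat(),
                "last_seen": evs[-1]["ts"].isoformat(),
            }
    return findings


def build_indicators(findings):
    """Emit simplified STIX-2.1-style indicator dicts (subset of fields) so the
    finding can be shared in a structured form with plant operators."""
    indicators = []
    for src, ev in sorted(findings.items()):
        indicators.append({
            "type": "indicator",
            "id": f"indicator--{uuid.uuid5(INDICATOR_NS, src)}",
            "pattern_type": "stix",
            "pattern": f"[ipv4-addr:value = '{src}']",
            "valid_from": ev["first_seen"],
            "labels": ["ransomware", "ics-honeypot"],
            "description": (f"{len(ev['encrypted_files'])} files rewritten with "
                            f"{ENCRYPTED_EXT}; ransom note(s): {', '.join(ev['ransom_notes'])}"),
        })
    return indicators


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_ransomware(evs)
    for ind in build_indicators(hits):
        print(ind["id"], ind["pattern"], "|", ind["description"])
```

The timeline step (`trace_by_source`) is what makes the detection explainable after the fact: every flagged indicator can be traced back to the ordered list of events from that source, which is the evidence an operator needs before acting on shared intelligence. A production pipeline would add more behaviours (for example, Modbus write patterns against the twin's PLC model) and a full STIX bundle, but the parse, trace, detect, share structure is the same.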