Building a Fake Solar Plant for Cybersecurity Research — Part 2
A contained honeypot impersonating a small internet-facing energy site collected 54 days of traffic: roughly 1.7 million events from 16,568 unique sources. The honeypot was discovered within the first hour. Most of the traffic was commodity automation, but a thin tail spoke real Modbus, including 392 device-identity reads with zero write or control attempts. On ATT&CK for ICS, the industrial activity maps to discovery and never reaches impact, while the SSH chain still completed: weak logins led to commodity DDoS, proxy, and backdoor malware.