Authors: Pavol Sokol, Radoslav Benko, Laura Rózenfeldová
Abstract
Deception systems, and within them deception industrial control systems, present a newly emerging type of defence in cybersecurity, providing for the detection and analysis of, and defence against, cyber-attacks. Deception technology focuses on the attackers: their point of view and the methodology they use to exploit and navigate networks in order to identify and exfiltrate data. The chapter discusses the nature of deception Industrial Control Systems and the legal issues that their use raises. It sets out the legal framework of the fundamental right to privacy and the fundamental right to personal data protection, as well as the legal framework of liability, predominantly in the area of tort law, applicable to the use of deception Industrial Control Systems, of which the provider of these systems must be aware.
Introduction
The rapid growth of information and of message transfer has made cyber security an important part of Industrial Control Systems (ICS). Traditional security tools, methods and techniques are becoming ineffective and insufficient, as attackers are able to circumvent commonly applied security mechanisms (firewalls, intrusion detection and prevention systems, etc.) with relative ease. To counter this development, it is necessary to gather and investigate in depth as much information on cyber-attacks and their perpetrators as possible.
The use of deception systems may be a suitable tool in this regard. A deception system provides false, delayed or incomplete information, and misleads attackers into a course controlled by the operator of the deception systems [1]. In general, deception is “a kind of persuasion. Persuasion means trying to get someone or something to help you achieve goals that would be costly or impossible for you to achieve on your own” [2].
Rowe in [2] provides a taxonomy of deception methods. Qassrawi et al. in [3] carry this taxonomy over to cyber security and present examples of deception systems. According to [2, 3], deception systems include:
- a system hiding things in the background (masking)—e.g. monitoring of users by modifying the operating system to hide its traces;
- a system hiding something as something else (repackaging)—e.g. embedding of attack-thwarting software within otherwise innocent utilities;
- a system hiding something by having it overshadowed by something else (dazzling)—e.g. sending a lot of error messages to attackers when they perform harmful activities;
- a system imitating aspects of something else (mimicking)—e.g. fake filesystem or directory, which looks like the real file system or directory;
- a system which creates new and often “fake” objects that may interest the deceivee (inventing)—e.g. a piece of software left for attackers to download, such as honeyfiles, which are bait files intended for hackers to access [4]. A specific example of a honeyfile is the honeysheet [5];
- a system which uses diversions unrelated to the object of interest (decoying)—e.g. exposing fake login credentials to attackers to encourage them to log in with them (honeytokens [6]).
The most widely used deception system is the honeypot. The term was defined in 2003 by a public forum of over 5000 security professionals as “an information system resource whose value lies in being probed, attacked, or compromised” [7]. A honeypot “provides a defense mechanism in which they deceive attackers into believing that they are compromising a real production system” [3]. Honeypots may be categorized by level of interaction, purpose, role and deployment. This chapter considers the categorization of honeypots according to the level of interaction and the purpose of use.
The level of interaction denotes the maximum range of activity a honeypot allows an intruder to perform. Low-interaction honeypots, which are the most widely deployed, attract or detect attackers by emulating characteristic elements of a particular operating system or network service; the attacker never obtains a real system to work on. High-interaction honeypots, in contrast, run complete operating systems and allow attackers to access all services of the operating system and platform in question, in order to gather more realistic information about the attackers, their methods and their attacks; for the same reason they carry a greater risk of being misused as a stepping stone against third parties. Medium-interaction honeypots give attackers more ability to interact than low-interaction honeypots while supporting less functionality than high-interaction solutions. The properties of each type of honeypot, by level of interaction, relevant for the legal analysis are shown in Table 1.
The second classification of honeypots relevant to the legal analysis is by purpose, distinguishing research honeypots from production honeypots. A research honeypot is used to obtain information about the blackhat community and has no direct value to the organization that must protect its information. A production honeypot, by comparison, is deployed within an organization's environment to protect the organization and help mitigate its risk [5].
Honeypots can also be classified according to their role. Client-side honeypots actively interact with servers in order to detect client-side attacks (for example, malicious content served to a browser); server-side honeypots wait for incoming connections and are used for the detection of new exploits, the collection of malware and further threat analysis.
A network of honeypots is called a honeynet. A successful deployment of a honeynet depends on the successful deployment of its architecture, whose core elements are [10]:
- data control—the first core element, which controls and contains the attacker's activity so that a compromised honeypot cannot be used to attack other systems;
- data capture—the second core element, which monitors and logs all of the attacker's activities within the honeynet;
- data collection—the third core element, which ensures that all captured data are stored in one central location when an organization operates more than one honeynet;
- data analysis—an optional element, which analyses the data collected from the honeynet.
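As an added illustration of the data control and data capture elements listed above (this is example code written for this edition, not code from the chapter or from any honeynet product), the following Python sketch applies a per-honeypot outbound connection limit in the style of the Honeynet Project's Honeywall and records every event together with the decision taken on it. The honeypot addresses, the event layout and the limit of three outbound connections per hour are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed honeypot addresses: inbound traffic to them is what the honeynet
# wants to observe; outbound traffic from them is what data control must contain.
HONEYPOTS = {"10.0.0.11", "10.0.0.12"}


@dataclass
class Event:
    ts: int        # seconds since epoch
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class DataControl:
    """Data control: allow at most `limit` outbound connections per honeypot
    per `window` seconds and drop the rest.  Data capture: every event and
    the decision taken on it is appended to `capture`."""
    limit: int = 3          # assumed threshold for the demonstration
    window: int = 3600
    _window_start: Dict[str, int] = field(default_factory=dict)
    _count: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    capture: List[dict] = field(default_factory=list)

    def decide(self, ev: Event) -> str:
        if ev.src not in HONEYPOTS:
            # Attackers connecting in are always allowed: that is the bait working.
            action = "allow-inbound"
        else:
            start = self._window_start.get(ev.src)
            if start is None or ev.ts - start >= self.window:
                # Start a fresh counting window for this honeypot.
                self._window_start[ev.src] = ev.ts
                self._count[ev.src] = 0
            self._count[ev.src] += 1
            if self._count[ev.src] <= self.limit:
                action = "allow-outbound"
            else:
                # Containment: a compromised honeypot must not become a
                # launch point for scanning or attacking third parties.
                action = "drop-outbound"
        # Data capture: log everything, including what was dropped.
        self.capture.append({"ts": ev.ts, "src": ev.src, "dst": ev.dst,
                             "dport": ev.dport, "proto": ev.proto,
                             "action": action})
        return action


def sample_events() -> List[Event]:
    """Constructed sample: an inbound SSH attempt, then the compromised
    honeypot 10.0.0.11 scanning outward, then another attempt an hour later."""
    return [
        Event(1000, "203.0.113.5", "10.0.0.11", 22, "tcp"),
        Event(1010, "10.0.0.11", "198.51.100.1", 445, "tcp"),
        Event(1011, "10.0.0.11", "198.51.100.2", 445, "tcp"),
        Event(1012, "10.0.0.11", "198.51.100.3", 445, "tcp"),
        Event(1013, "10.0.0.11", "198.51.100.4", 445, "tcp"),
        Event(1014, "10.0.0.12", "198.51.100.9", 80, "tcp"),
        Event(4700, "10.0.0.11", "198.51.100.5", 445, "tcp"),
    ]


def run(events: List[Event], limit: int = 3, window: int = 3600) -> Tuple[List[str], List[dict]]:
    """Feed events through data control; return the decisions and the capture log."""
    dc = DataControl(limit=limit, window=window)
    actions = [dc.decide(e) for e in events]
    return actions, dc.capture


if __name__ == "__main__":
    for entry in run(sample_events())[1]:
        print(entry)
```

With the sample events, the fourth outbound connection from 10.0.0.11 inside the hour is dropped, the connection from 10.0.0.12 is counted separately, and the attempt at second 4700 falls into a new window and is allowed again; the capture log keeps all seven events, dropped ones included, which is the material a later data collection and analysis stage would work from.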
Another form of deception technology is based on the digital bait approach. A digital bait “is a false digital entity created by the administrators for discovering the adversary” [3]. The idea of the honeytoken can be traced back to Spitzner, who defines a honeytoken as “an artificial digital data item (e.g. a credit card number, a database entry or login credentials) planted into a genuine system resource (e.g. databases, file systems or e-mail inboxes)” [6]. A similar definition can be found in [11]: according to Bercovitch, it is “an artificial data item that is so similar to real tokens such that even an expert in the relevant domain will not be able to distinguish between real tokens and the honeytoken” [11].