Industrial Control Systems (ICS) face escalating cyber threats due to increased connectivity, yet conventional honeypots—relying on firmware reverse engineering and expert-crafted rules—struggle to efficiently and realistically emulate multi-vendor protocols and PLC control logic. To address this, we propose the first large language model (LLM)-based, dynamically configurable ICS honeypot framework, leveraging LLaMA-3 and Qwen. Our approach integrates protocol semantic parsing, prompt-engineered control logic generation, and finite-state machine modeling to enable zero-shot, vendor-agnostic automation of both protocol and control behavior simulation. Evaluated across seven industrial protocols and twelve representative control scenarios, our framework achieves 98.2% session-level interaction fidelity, improves attack traffic capture rate by 3.8×, and reduces configuration time from hours to seconds—effectively overcoming the core bottlenecks of high manual effort and poor generalizability in ICS honeypot deployment.

Industrial Control Systems (ICS) are extensively used in critical infrastructures ensuring efficient, reliable, and continuous operations. However, their increasing connectivity and addition of advanced features make them vulnerable to cyber threats, potentially leading to severe disruptions in essential services. In this context, honeypots play a vital role by acting as decoy targets within ICS networks, or on the Internet, helping to detect, log, analyze, and develop mitigations for ICS-specific cyber threats. Deploying ICS honeypots, however, is challenging due to the necessity of accurately replicating industrial protocols and device characteristics, a crucial requirement for effectively mimicking the unique operational behavior of different industrial systems. Moreover, this challenge is compounded by the significant manual effort required in also mimicking the control logic the PLC would execute, in order to capture attacker traffic aiming to disrupt critical infrastructure operations. In this paper, we propose LLMPot, a novel approach for designing honeypots in ICS networks harnessing the potency of Large Language Models (LLMs). LLMPot aims to automate and optimize the creation of realistic honeypots with vendor-agnostic configurations, and for any control logic, aiming to eliminate the manual effort and specialized knowledge traditionally required in this domain. We conducted extensive experiments focusing on a wide array of parameters, demonstrating that our LLM-based approach can effectively create honeypot devices implementing different industrial protocols and diverse control logic.