Let's create our own ICS Labs in the VMs: A Step-by-Step Guide

Building an Industrial Control System (ICS) lab in a virtualized environment allows security researchers, engineers, and penetration testers to safely simulate industrial networks, study threats, and test security defenses. Below is a detailed step-by-step guide to creating an ICS lab, including HMI, EWS, PLC, and other critical components.


1. Lab Architecture Overview

Key Components in an ICS Lab:

  • HMI: Graphical interface for controlling industrial processes.
  • Engineering Workstation (EWS): Used to configure PLCs and SCADA systems.
  • PLC: Controls physical processes (e.g., motors, valves).
  • SCADA System: Supervisory control and monitoring of ICS networks.
  • Historian: Logs and stores process data for analysis.
  • Networking Components: Virtualized switches, routers, and firewalls to segment ICS networks.
  • Attacker Machine: Kali Linux (with Metasploit) for penetration testing.

2. Choosing the Virtualization Platform

For creating an ICS lab, you need virtual machines (VMs) running ICS software. The best platforms include:

  • VMware Workstation / ESXi (Best performance)
  • VirtualBox (Free alternative)
  • Proxmox (Open-source)
  • GNS3 / EVE-NG (For network simulation)

3. Setting Up Virtual Machines

Each ICS component is installed on its own virtual machine:

A. Engineering Workstation (EWS)

  • OS: Windows 10/11 or Windows Server 2019
  • Software:
    • Siemens TIA Portal, Rockwell Studio 5000, or Schneider Unity Pro for PLC programming.
    • ICS-related software like Codesys (open-source PLC development).
  • Functions:
    • Develop and deploy PLC logic.
    • Communicate with PLCs using Ethernet/IP, Modbus/TCP, or OPC UA.
    • Troubleshoot industrial processes.

B. HMI

  • OS: Windows-based VM.
  • Software:
    • Wonderware InTouch, Siemens WinCC, Rockwell FactoryTalk View.
    • Open-source alternatives: Ignition SCADA, OpenHMI.
  • Functions:
    • Display and control industrial processes.
    • Connect to SCADA and PLCs for real-time process visualization.
    • Implement alarm management and security monitoring.

C. PLC

Since real PLCs are hardware-based, we use simulators:

  • OS: Linux or Windows VM.
  • Software:
    • PLCSIM (Siemens) – Emulates Siemens PLCs.
    • ModbusPal – Open-source Modbus PLC emulator.
    • Codesys Control Win – Emulates industrial PLCs on Windows.
    • Factory I/O – Virtual PLC training environment.
  • Functions:
    • Runs ladder logic, function blocks, and structured text programs.
    • Communicates with SCADA and EWS via Modbus TCP, Ethernet/IP, DNP3, or OPC UA.

D. SCADA System

  • OS: Windows Server 2019 or Linux (Ubuntu 20.04).
  • Software:
    • Open-source SCADA: Ignition SCADA, OpenSCADA, ScadaBR.
    • Commercial: Siemens WinCC, Rockwell FactoryTalk, GE iFIX.
  • Functions:
    • Centralized control and monitoring of industrial processes.
    • Connects to PLCs via OPC UA, Modbus, or DNP3.
    • Manages historical data logging.

E. Historian Server

  • OS: Windows Server 2019 / Linux.
  • Software:
    • OSIsoft PI System, Canary Historian, Wonderware Historian.
    • Open-source: InfluxDB + Grafana.
  • Functions:
    • Stores real-time process data.
    • Analyzes trends for predictive maintenance.

F. Networking Components

To simulate an ICS network, you need:

  • Virtual Switches/Routers: Use GNS3 or EVE-NG.
  • Firewall: pfSense or Cisco ASA VM for network segmentation.
  • Industrial Protocol Emulation: Modbus TCP, DNP3, IEC 104 using Scapy.

G. Attacker & Security Monitoring Machine

  • OS: Kali Linux, Security Onion.
  • Software:
    • Metasploit, Wireshark, Nmap, Snort, Suricata.
  • Functions:
    • Monitor ICS traffic.
    • Perform penetration testing on ICS components.

4. Configuring the ICS Network

A typical ICS lab network follows the Purdue Model:

Level      | Function     | Example Components
-----------|--------------|-------------------------------
Level 4    | Business IT  | Corporate Network
Level 3.5  | DMZ          | Firewall (pfSense, Cisco ASA)
Level 3    | Operations   | SCADA, Historian
Level 2    | Control      | HMI, EWS
Level 1    | Process      | PLC, RTU
Level 0    | Physical     | Sensors, Actuators

Steps to Set Up the Network:

  1. Create VLANs in VMware or VirtualBox for network segmentation.
  2. Assign Static IPs to each VM using subnets.
  3. Enable ICS Protocols (e.g., Modbus, OPC UA) between SCADA and PLCs.
  4. Implement Firewall Rules to isolate Level 3 (SCADA) from Level 4 (IT network).
  5. Set Up Intrusion Detection System (IDS):
    • Snort/Suricata to detect attacks on ICS protocols.

5. Testing and Securing the ICS Lab

A. Validate Communication Between ICS Components

  • Use Wireshark to capture Modbus/DNP3 traffic.
  • Test HMI-PLC interactions via SCADA.
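The IDS step in Section 4 and the Modbus capture check above both come down to decoding Modbus/TCP requests and asking whether a given source should be sending them to the PLC segment. The following added example (not from the original post) does exactly that over constructed frames; the 10.x.0.0/24 Purdue-level subnets, the "only EWS and SCADA may write" policy and the function-code sets are assumptions chosen for the lab.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed lab addressing (assumption, not from the post): Level 1 PLCs,
# Level 2 HMI/EWS, Level 3 SCADA. Only the EWS and SCADA may write to PLCs.
PLC_NET = ip_network("10.1.0.0/24")
WRITERS = {ip_address("10.2.0.10"), ip_address("10.3.0.10")}  # EWS, SCADA
WRITE_FCS = {5, 6, 15, 16}  # write coil(s) / register(s)
DIAG_FCS = {8, 43}          # diagnostics / read device identification

def parse_mbap(payload: bytes):
    """Decode the 7-byte MBAP header plus function code; None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0; length counts unit id + PDU bytes that follow.
    if proto != 0 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "fc": payload[7], "data": payload[8:]}

def inspect(src: str, dst: str, payload: bytes) -> list:
    """Return alert strings for one TCP/502 request; empty list means allowed."""
    req = parse_mbap(payload)
    if req is None:
        return ["malformed MBAP header from %s" % src]
    if ip_address(dst) not in PLC_NET:
        return []  # only police traffic aimed at the PLC segment
    alerts = []
    if req["fc"] in WRITE_FCS and ip_address(src) not in WRITERS:
        alerts.append("write FC %d to %s from unauthorised %s" % (req["fc"], dst, src))
    if req["fc"] in DIAG_FCS:
        alerts.append("diagnostic FC %d to %s from %s" % (req["fc"], dst, src))
    return alerts

def scan(flows) -> list:
    """Run inspect() over (src, dst, payload) tuples, e.g. from a Wireshark export."""
    return [a for src, dst, payload in flows for a in inspect(src, dst, payload)]

# Constructed requests (tid, proto=0, length, unit=1, fc, data):
WRITE_REQ = bytes.fromhex("000100000006" "01" "06" "0001" "00ff")    # FC 6: reg 1 := 0x00FF
READ_REQ = bytes.fromhex("000200000006" "01" "03" "0000" "000a")     # FC 3: read 10 regs
DEVID_REQ = bytes.fromhex("000300000005" "01" "2b" "0e" "01" "00")   # FC 43/14: device id
BAD_LEN_REQ = bytes.fromhex("000100000009" "01" "06" "0001" "00ff")  # length field lies

if __name__ == "__main__":
    for alert in scan([("10.3.0.10", "10.1.0.5", WRITE_REQ),   # SCADA write: allowed
                       ("10.4.0.20", "10.1.0.5", WRITE_REQ),   # Level 4 host: alert
                       ("10.2.0.50", "10.1.0.5", READ_REQ)]):  # HMI read: allowed
        print(alert)
```

Feeding the same tuples from a real capture (Wireshark's tcp.payload for port 502) gives a quick check that segmentation and the IDS policy agree on who may write to the PLCs.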

B. Penetration Testing

  • Scan ICS Network: nmap -Pn --script modbus-discover <IP>
  • Exploit Weak PLC Configurations: Use Metasploit Modbus modules.

C. Security Hardening

  • Disable Unused Ports: Block non-essential ICS protocols.
  • Restrict Access: Implement network segmentation (firewall rules).
  • Deploy Endpoint Security: Install whitelisting software on HMI/EWS.

6. Expanding the Lab

A. Simulating Physical Processes

  • Factory I/O: 3D simulation of factory operations.
  • MATLAB Simulink: Advanced process modeling.

B. Cloud-Based ICS Lab

  • Deploy on AWS or Azure using ICS virtual appliances.

C. Incident Response Testing

  • Simulate ransomware attacks on SCADA systems.
  • Perform disaster recovery drills.

7. Summary

Component   | Software                  | Role in Lab
------------|---------------------------|----------------------
EWS         | TIA Portal, Studio 5000   | PLC programming
HMI         | WinCC, FactoryTalk View   | Process control
PLC         | Codesys, ModbusPal        | Controls actuators
SCADA       | Ignition SCADA, OpenSCADA | Supervisory control
Historian   | OSIsoft PI, InfluxDB      | Logs process data
Firewall    | pfSense, Cisco ASA        | Network segmentation
IDS/IPS     | Snort, Suricata           | Threat detection
Attacker VM | Kali Linux                | Security testing


#CPS #OT #XIoT #IoT #IIoT #IoMT #CPSSecurity #OTSecurity #IoTSecurity #CPS보안 #OT보안 #IoT보안
