Controlled Chaos: Safely Breaking Industrial Systems

Summary
– Researchers developed a container-based framework to safely simulate industrial control system environments and run cyberattacks without disrupting real systems.
– The system uses Docker containers to model ICS components and follows the Purdue Enterprise Reference Architecture for realistic communication simulation.
– It allows for the creation of diverse virtual industrial environments and supports integration of historical data to replay real-world incidents for testing and training.
– The framework generates labeled datasets from simulated attacks to help develop and validate intrusion detection systems for ICS, reducing bias from single-environment data.
– Beyond research, the tool has practical applications for training security teams and engineers in incident response and system behavior under attack using standard computers.
Cybersecurity professionals face a constant challenge when evaluating industrial control system defenses without causing operational disruptions. A research team from Curtin University has engineered a container-based framework that enables safe simulation of authentic control environments for running cyberattack scenarios. This innovation provides a practical method for testing security measures without jeopardizing physical infrastructure.
Industrial control systems manage critical operations across sectors like energy distribution and water purification facilities. Since these systems directly govern physical machinery, conducting live security tests presents substantial hazards. Many companies currently depend on obsolete data or constrained simulations that replicate just one kind of system architecture. This restriction has hindered advancement in creating and verifying intrusion detection mechanisms specifically designed for industrial networks.
The research team constructed a software package that mimics the operations of essential ICS elements including programmable logic controllers, operator interfaces, monitoring sensors, and mechanical actuators. By employing Docker container technology to isolate these components, the system enables users to assemble and operate multiple industrial configurations on standard computing equipment.
This containerized approach eliminates the need for physical hardware or resource-intensive virtual machines, so models can be built and tested faster. The framework follows the Purdue Enterprise Reference Architecture, the standard layered model that separates field devices and controllers from supervisory systems and the enterprise IT network, so the simulated communication flows cross the same boundaries between operational technology and business layers that real traffic does.
Dr. Sonny Pham, a lead researcher on the project, emphasized how their Curtin ICS-SimLab introduces unprecedented practicality to industrial control research and education. “Our solution utilizes containerization to provide extensive configurability and adaptability,” Pham noted. “Researchers can model various ICS configurations without rewriting code or reconstructing physical setups. The lightweight architecture allows complete simulations to operate on a single computer, making it viable for smaller laboratories and training facilities.”
The platform supports integration of historical operational data into its modular simulations. “Teams can recreate actual security incidents within controlled settings,” Pham explained. “A municipal water department could simulate Modbus command injection attacks resembling those targeting American water facilities, then evaluate detection systems or train staff to identify irregularities before service interruptions occur.”
The research team demonstrated their framework’s capabilities through three distinct simulation scenarios. One replicated a solar energy grid with transfer switching between solar and conventional power sources. Another modeled a bottled water production line complete with storage tanks, control valves, and conveyor systems. The third recreated an electrical substation environment using intelligent electronic devices for power management.
Each virtual environment underwent various cyberattack simulations. The team executed reconnaissance scans, data injection attempts, command manipulation, and denial-of-service campaigns against the simulated systems. Some attacks involved scanning for Modbus device addresses or inserting fabricated sensor readings into control loops, while others flooded networks with excessive traffic to disrupt communications.
These experiments enabled observation of how different control architectures responded under duress. Using network analysis tools like Wireshark, the team captured traffic patterns during both normal operations and attack conditions, generating comprehensive datasets that document multiple ICS designs under threat conditions.
The data gathered from these simulations underpins the development of intrusion detection systems built specifically for industrial environments. Each packet was labeled normal or malicious and annotated with the attack technique and protocol involved, giving machine learning work a structured, labeled foundation from which algorithms can learn to recognize subtle anomalies in network behavior.
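As an added example (not code from ICS-SimLab or the Curtin team), the following Python script crafts Modbus/TCP frames for the attack types described above (a unit-ID reconnaissance sweep, command injection, an out-of-range fabricated value, and a traffic flood) and then labels each frame the way the datasets described here are labeled: normal or malicious, with the attack type and protocol. The hosts, register numbers, thresholds, and the Purdue-style rule that only the level 2 HMI may write to the level 1 PLC are constructed assumptions, and the "capture" is built inline rather than read from Wireshark.

```python
"""Added example, not ICS-SimLab code: craft Modbus/TCP frames for the attack
types the article describes and label each frame normal/malicious with its
attack type, as a dataset for an ICS intrusion detector would be.
Hosts, registers and thresholds are constructed assumptions."""
import struct
from collections import Counter, defaultdict

# Constructed Purdue-style policy: the level 2 HMI may read and write the
# level 1 PLC, the engineering workstation may only read, nobody else may
# speak Modbus to it at all.
PLC = "10.1.1.10"
AUTHORIZED = {"10.1.2.20": {3, 6, 16},   # HMI: read holding regs, write regs
              "10.1.2.21": {3}}          # engineering workstation: read only
WRITE_FCS = {5, 6, 15, 16}               # Modbus write function codes
SETPOINT_REG, SETPOINT_MAX = 40, 900     # assumed pump setpoint register / safe ceiling
SCAN_UNIT_IDS = 4                        # distinct unit IDs from one host in 1 s
FLOOD_PPS = 50                           # frames from one host in 1 s

def build_frame(tid, unit_id, fc, data):
    """Modbus/TCP frame: MBAP header (tid, proto=0, length, unit) + PDU (fc + data)."""
    pdu = struct.pack(">B", fc) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu

def parse_frame(frame):
    tid, proto, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    return {"tid": tid, "unit_id": unit_id, "fc": frame[7], "data": frame[8:]}

def build_dataset(records):
    """records: (timestamp, src_ip, dst_ip, frame). Returns one labeled row per frame."""
    window = defaultdict(lambda: {"count": 0, "unit_ids": set()})   # per (src, second)
    parsed = []
    for ts, src, dst, frame in records:
        msg = parse_frame(frame)
        w = window[(src, int(ts))]
        w["count"] += 1
        w["unit_ids"].add(msg["unit_id"])
        parsed.append((ts, src, dst, msg))
    rows = []
    for ts, src, dst, msg in parsed:
        w = window[(src, int(ts))]
        attack = None
        if w["count"] >= FLOOD_PPS:                        # traffic flood
            attack = "dos"
        elif len(w["unit_ids"]) >= SCAN_UNIT_IDS:          # unit-ID sweep
            attack = "reconnaissance"
        elif msg["fc"] not in AUTHORIZED.get(src, set()):  # policy violation
            attack = "command_injection" if msg["fc"] in WRITE_FCS else "unauthorized_read"
        elif msg["fc"] == 6:                               # allowed writer, bad value?
            reg, value = struct.unpack(">HH", msg["data"])
            if reg == SETPOINT_REG and value > SETPOINT_MAX:
                attack = "data_injection"
        rows.append({"ts": ts, "src": src, "dst": dst, "protocol": "modbus/tcp",
                     "unit_id": msg["unit_id"], "fc": msg["fc"],
                     "label": "malicious" if attack else "normal",
                     "attack_type": attack or "none"})
    return rows

def label_counts(rows):
    return dict(Counter(r["attack_type"] for r in rows))

def constructed_capture():
    """Constructed stand-in for a Wireshark capture of one simulated scenario."""
    hmi, eng, attacker = "10.1.2.20", "10.1.2.21", "10.1.3.99"

    def read(tid, unit_id=1):
        return build_frame(tid, unit_id, 3, struct.pack(">HH", 0, 10))

    def write(tid, value):
        return build_frame(tid, 1, 6, struct.pack(">HH", SETPOINT_REG, value))

    recs = [(float(t), hmi, PLC, read(t)) for t in range(20)]            # HMI polling
    recs += [(0.0, eng, PLC, read(100)), (10.0, eng, PLC, read(101))]     # engineer reads
    recs.append((5.0, hmi, PLC, write(200, 500)))                        # legitimate setpoint
    # attacker on an enterprise-zone address that should never reach level 1
    recs += [(20.0 + i * 0.05, attacker, PLC, read(300 + i, uid))
             for i, uid in enumerate(range(1, 9))]                       # unit-ID scan
    recs.append((21.0, attacker, PLC, write(400, 1500)))                 # command injection
    recs.append((21.5, hmi, PLC, write(401, 1200)))                      # fabricated value via HMI
    recs += [(22.0 + i * 0.004, attacker, PLC, read(500)) for i in range(200)]  # flood
    return sorted(recs, key=lambda r: r[0])

if __name__ == "__main__":
    rows = build_dataset(constructed_capture())
    for row in rows[:3] + rows[-3:]:
        print(row)
    print(label_counts(rows))
```

The labeling rules are deliberately simple and keyed to ground truth the simulation operator already knows (which host launched which attack and when); a detector trained on such rows must then recover the same distinctions from packet features alone. The out-of-range write from the authorized HMI is included because it is the case a pure source-address allowlist misses, which is exactly where a model trained on a single environment tends to overfit.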
Current datasets typically focus on individual control environments, often resulting in overfitted detection models that perform poorly when applied to different systems. Generating data from multiple simulated setups helps mitigate this bias and enhances model generalization. Security teams can leverage this approach to verify whether their detection tools remain effective across varied industrial contexts.
Pham referenced how simulated datasets have demonstrated value in comparable initiatives. “In a railway cybersecurity project, researchers created datasets from staged attacks resembling major ICS incidents,” he mentioned. “One scenario replicated the 2015 BlackEnergy assault on Ukraine’s power grid, demonstrating how attackers exploited web application vulnerabilities, deployed reconnaissance malware, and ultimately manipulated control data to trigger breaker operations.”
The resulting dataset included comprehensive packet captures, memory snapshots, and interface logs. “With this level of detailed information, security teams could develop detection rules for abnormal Modbus activity or train models to identify suspicious transitions between information technology and operational technology networks,” Pham stated. “Our ICS-SimLab creates similar multi-stage attack scenarios safely while capturing rich datasets of both normal and malicious traffic.”
The research team intends to broaden their project’s scope in future developments. “We’re preparing to release a library of attack scripts that simulate various ICS attack types documented in cybersecurity literature,” Pham revealed. “This will enable global researchers to construct diverse scenarios using ICS-SimLab and thoroughly evaluate the effectiveness and resilience of their detection models.”
Beyond supporting intrusion detection research, the platform offers significant potential for security training and operational preparedness. Security personnel can practice incident response protocols without engaging live equipment. Engineering teams can examine how different configurations perform under attack before implementing new systems. Since the setup operates on conventional computers, other researchers and industrial operators can replicate it without specialized hardware.
The container-based model currently concentrates on network-level attacks targeting protocols like Modbus. Simulating device-specific exploits such as firmware manipulation or memory-corruption bugs in controller software would require more sophisticated virtualization: containers share the host kernel and run ordinary Linux processes, so they reproduce a PLC's protocol behaviour but not its CPU, firmware or memory layout. The team plans to investigate these areas in subsequent work, alongside integrating advanced modeling tools to better replicate physical processes.
This research signals a movement toward more accessible and adaptable testing methodologies in industrial cybersecurity. By reducing technical barriers for creating realistic ICS environments, the framework enables broader experimentation, data sharing, and intrusion detection validation before threats impact operational systems.
For chief information security officers overseeing operational technology, this simulation research indicates a future where defensive testing can occur safely and at scale. It bridges the gap between theoretical security and practical implementation by allowing teams to observe attack progression in realistic settings without endangering actual infrastructure.
(Source: HelpNet Security)