A safer way to break industrial systems (on purpose)

Cybersecurity teams often struggle to test defenses for industrial control systems without risking disruption. A group of researchers from Curtin University has developed a way to make that easier. Their work introduces a container-based framework that lets researchers and practitioners simulate real control system environments and run cyberattacks on them safely.


Industrial control systems (ICS) run everything from water treatment plants to power grids. Because they manage physical processes, testing them directly can be risky. Many organizations either use outdated datasets or rely on narrow simulations that model only one system type. That limitation has slowed progress in building and validating intrusion detection systems for industrial networks.

Turning containers into virtual control rooms

The researchers designed a software suite that recreates the behavior of ICS components such as programmable logic controllers, human-machine interfaces, sensors, and actuators. It uses Docker containers to isolate these parts, allowing users to build and run different industrial environments on a single computer.

Instead of setting up physical hardware or using virtual machines that require heavy resources, the containerized design provides a way to model and test control systems faster. The system also follows the Purdue Enterprise Reference Architecture, a structure widely used in industrial networks, which helps ensure realistic simulation of communications between layers of control and enterprise systems.

When discussing the project with Help Net Security, Dr. Sonny Pham, one of the researchers at Curtin University, said the approach brings new practicality to ICS research and training. “Our proposed Curtin ICS-SimLab offers a new level of practicality. It leverages containerisation to deliver high configurability and flexibility, enabling researchers to model diverse ICS architectures without needing to recode or rebuild hardware,” Pham explained. “Its lightweight deployment means entire simulations can run on a single host computer, making it accessible even to smaller labs or training centres.”

He added that ICS-SimLab supports integration of historical data into its modular simulations. “Researchers can replay real-world incidents under controlled conditions,” he said. “For example, a water utility team could use ICS-SimLab to recreate Modbus command injection attacks similar to those seen in U.S. water facilities, then test intrusion detection solutions or train operators to recognise anomalies before service disruption occurs.”

Running live-style attacks without the risk

To show how the framework works, the team created three sample simulations. One modeled a solar panel grid with a transfer switch that toggles between solar and mains power. Another simulated a water bottle filling facility, complete with tanks, valves, and conveyor belts. The third replicated a substation-like setup using intelligent electronic devices that manage power flow.

Each of these virtual environments was then subjected to different cyberattacks. The researchers implemented reconnaissance, injection, command, and denial-of-service attacks against the simulated systems. For example, some attacks scanned for Modbus device addresses or tried to inject false sensor data into the control loop. Others flooded the network with traffic to overwhelm communication channels.

These experiments allowed the team to monitor how different control architectures reacted under stress. Using Wireshark, they captured traffic data from both normal and attack conditions, producing datasets that reflect the behavior of multiple ICS designs under threat.

Turning attack data into defensive insight

The data collected through these simulations is intended to support the development of intrusion detection systems tailored for ICS environments. Each packet in the dataset was labeled as either benign or malicious, along with information about the type of attack and protocol used. This approach provides a structured foundation for machine learning research, where models can be trained to recognize subtle differences in network activity.

Most existing datasets focus on a single control environment, which often leads to overfitting. A detection model trained on one system may fail when applied to another. The researchers argue that generating data from several simulated systems can help reduce that bias and improve generalization. It also gives cybersecurity teams a way to test whether their detection tools hold up under different industrial conditions.

Pham noted that simulated datasets have already proven valuable in related projects. “A good real-world example comes from a railway cyber range project where researchers generated datasets of staged attacks similar to what we’ve seen in major ICS incidents,” he said. “One of their scenarios mirrored the 2015 BlackEnergy attack on the Ukrainian power grid. They chained together several steps: exploiting a flaw in a web app, planting a backdoor trojan for reconnaissance and lateral movement, and finally pushing false data into the RTU to trick the HMI into tripping a breaker.”

He said the resulting dataset provided detailed packet captures, memory images, and HMI logs. “With that kind of ground truth, security teams could have built detection rules for abnormal Modbus use or trained models to spot unusual IT-to-OT transitions,” Pham said. “This is exactly where our Curtin ICS-SimLab adds value. It can recreate similar multi-stage attack scenarios in a safe environment and capture rich datasets of both benign and malicious traffic.”

He added that the team plans to expand the project further. “In our upcoming work, we plan to share a library of attack scripts that simulate different types of ICS attacks documented in the literature,” Pham said. “This will allow researchers worldwide to stage varied scenarios using ICS-SimLab and rigorously test the effectiveness and robustness of their detection models.”
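To make the per-packet labeling scheme described above concrete (benign or malicious, plus attack type and protocol) and to show what a simple "abnormal Modbus use" rule looks like, here is a small added example. It is not code from ICS-SimLab or the Curtin team; the attack-pattern rules, thresholds, IP addresses and the sample trace are all constructed for illustration. It parses the Modbus/TCP MBAP header of each request and labels frames from a captured-style trace according to three of the attack classes the article names: device-address scanning (recon), writes from an unauthorised host (injection), and request flooding (dos).

```python
import struct
from collections import Counter, defaultdict

# Standard Modbus function codes that change process state (public Modbus spec).
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Hypothetical HMI address used as the only host allowed to issue writes.
HMI = "10.0.1.10"


def build_request(tid, unit_id, function, data=b""):
    """Build a Modbus/TCP request: 7-byte MBAP header (tid, protocol 0, length, unit) + PDU."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def parse_request(payload):
    """Return (unit_id, function_code) from a Modbus/TCP request after validating the MBAP header."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, payload[7]


def label_frames(frames, allowed_writers, scan_threshold=5, flood_threshold=20):
    """Label each (timestamp, src_ip, raw_payload) frame as benign or malicious with an attack type.

    Example rules (hypothetical thresholds, chosen for this illustration):
      recon     - one source addresses >= scan_threshold distinct unit IDs
      injection - a write function code from a host not in allowed_writers
      dos       - >= flood_threshold frames from one source within any 1-second window
    """
    units_seen = defaultdict(set)
    for _, src, raw in frames:
        unit_id, _ = parse_request(raw)
        units_seen[src].add(unit_id)
    scanners = {s for s, units in units_seen.items() if len(units) >= scan_threshold}

    flooders, recent = set(), defaultdict(list)       # sliding 1 s window per source
    for ts, src, _ in frames:
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > 1.0:
            window.pop(0)
        if len(window) >= flood_threshold:
            flooders.add(src)

    labelled = []
    for ts, src, raw in frames:
        unit_id, fc = parse_request(raw)
        attack = None
        if fc in WRITE_FUNCTIONS and src not in allowed_writers:
            attack = "injection"
        elif src in scanners:
            attack = "recon"
        elif src in flooders:
            attack = "dos"
        labelled.append({"ts": ts, "src": src, "unit": unit_id, "fc": fc,
                         "protocol": "modbus/tcp",
                         "label": "malicious" if attack else "benign",
                         "attack": attack})
    return labelled


def sample_trace():
    """Constructed trace (not the paper's dataset): benign HMI polling plus three attack patterns."""
    frames = []
    for i in range(6):                                 # HMI polls unit 1 every 0.5 s
        frames.append((i * 0.5, HMI, build_request(i, 1, 0x03, struct.pack(">HH", 0, 10))))
    frames.append((3.0, HMI, build_request(100, 1, 0x06, struct.pack(">HH", 5, 1200))))  # legit setpoint
    for i in range(1, 9):                              # sweep of unit IDs 1..8 from an unknown host
        frames.append((4.0 + i * 0.1, "10.0.0.99", build_request(200 + i, i, 0x03, struct.pack(">HH", 0, 1))))
    frames.append((6.0, "10.0.0.77", build_request(300, 1, 0x06, struct.pack(">HH", 5, 0))))  # unauthorised write
    for i in range(30):                                # 30 requests in 0.3 s from one host
        frames.append((7.0 + i * 0.01, "10.0.0.55", build_request(400 + i, 1, 0x03, struct.pack(">HH", 0, 1))))
    frames.sort(key=lambda f: f[0])
    return frames


def summarize(labelled):
    """Count frames per label, e.g. for checking class balance before training a detector."""
    return Counter(f["attack"] or "benign" for f in labelled)


if __name__ == "__main__":
    result = label_frames(sample_trace(), allowed_writers={HMI})
    for f in result:
        if f["label"] == "malicious":
            print("%.2f %-10s unit=%d fc=0x%02x %s" % (f["ts"], f["src"], f["unit"], f["fc"], f["attack"]))
    print(dict(summarize(result)))
```

The labelled records carry the same fields the article lists for its dataset (benign/malicious, attack type, protocol), so they can be written out as a training table directly. The rules are deliberately simple allowlist and rate checks; a real deployment would tune the thresholds to the plant's polling rates and key the write allowlist on the engineering and HMI hosts defined in the Purdue-level network design.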

Training teams before real incidents happen

Beyond supporting IDS research, the project has practical potential for training and operational planning. Security teams could use such simulations to rehearse incident response procedures without involving live equipment. Engineers could explore how different configurations behave under attack before deploying new systems. Because the setup runs on standard computers, it can be replicated by other researchers or industrial operators without specialized hardware.

The authors noted that their container-based model currently focuses on network-level attacks, such as those exploiting Modbus vulnerabilities. Simulating device-specific exploits, like firmware tampering or buffer overflows, would require more detailed virtualization. They plan to explore those areas next, along with integrating more accurate tools such as Matlab or Simulink to model physical processes.

From lab concept to industrial defense tool

The work highlights a shift toward more accessible and adaptable testing in industrial cybersecurity. By lowering the technical barrier for creating realistic ICS environments, the framework allows more researchers and defenders to experiment, share datasets, and validate intrusion detection systems before threats reach production systems.

For CISOs responsible for operational technology, this kind of simulation research points to a future where defense testing can happen safely and at scale. It helps close the gap between theory and practice by letting teams see how attacks unfold in realistic settings, all without endangering real infrastructure.
