Industrial Cybersecurity: First Steps

Vladyslav Diadenko
2 min read · Jan 2, 2025


Every time I set up a lab environment for proof-of-concept or demonstration purposes, I do it manually from scratch. This process can be repetitive and time-consuming, prompting me to think about how to virtualize and automate the lab setup. To address this, I initiated the LAVAEL project, which is described in previous articles.

In each instance where I’m asked to prepare a lab or POC environment, I consider how to efficiently virtualize the components required for the setup. Typically, I begin with basic simulations, such as SIEM integration, command and control (C2) configurations, and workstation setups. Realizing the potential to automate these tasks, I began researching ways to virtualize and automate the installation process, leading to the inception of LAVAEL.

During some demonstrations, clients expressed interest in monitoring OT networks, prompting me to explore ways to integrate OT scenarios into the lab. Although I was initially unfamiliar with OT and ICS operations, I saw an opportunity to build a basic lab that could address these needs. I started by reading books on OT, ICS, and cybersecurity in this domain, and soon, I had access to hardware — a Siemens S7–1200 PLC with an HMI. I began searching for ways to incorporate this hardware into the lab setup and discovered Factory I/O, a brilliant program designed for learning automation technologies. While its primary purpose is educational, I found it suitable for cybersecurity and SIEM-related experiments.

This is my first attempt at creating an OT cybersecurity lab, and the project is still a work in progress. I’m currently learning and testing various concepts because I find this field very interesting.

Siemens S7–1200 PLC with Factory I/O

Simulating a Basic Attack on the Siemens S7–1200 PLC

Another project I’m working on is outlined below. I’ll likely provide only an overview once it’s done, as creating a detailed step-by-step guide would take a considerable amount of time. Additionally, describing the project using MITRE methodologies, as shown in the LAVAEL project, or OT/ICS-related frameworks is also time-consuming.

The idea behind this lab is to virtualize the Enterprise and Industrial Demilitarized Zone (IDMZ), while the OT components will consist of physical hardware, such as a FortiGate firewall connected to the virtualized portion of the lab. Additionally, I plan to incorporate OpenPLC on a Raspberry Pi and ScadaBR. For each Factory I/O scene, a laptop or PC with a GPU will be required. In the OT environment, an appropriate license can be applied for the OT firewall. For OT intrusion detection systems (IDS), solutions like Cisco Cyber Vision, Nozomi Networks, or Forescout SilentDefense could be utilized based on research.

The official Factory I/O tutorial for the Siemens S7–1200 PLC was used: Factory I/O Tutorial

To simulate attacks, scripts from the following repository were used: ICSSecurityScripts GitHub Repository
