Ingredients for an ICS Lab: How to Build an ICS Lab from Scratch Part 1

Knowing about OT is a big part of my job these days: while my background includes traditional IT experience from consulting audit firms, I built up an ICS skillset while working with an ICS Network Security Monitoring (NSM) vendor.

Now I help asset owners to defend their systems against intruders, and as part of my ongoing practice, I’ve built Capture the Flags (CTFs) for various conferences. But there’s always more to learn; in particular, I want to understand ICS protocols and the uniqueness of the ICS assets to better assist in protecting asset owners.

To that end, I’ve decided to build an ICS Lab that will give me hands-on freedom to experiment and run tests.


There are two approaches to building this ICS lab which I intend to focus on. The first is the most simple and economical: using a Raspberry Pi, we can simulate the ICS environment with several virtual machines (VMs). While this would be great for some low-level dabbling, I’m interested in something more substantial.

The second approach is to go full ICS: purchase and assemble real ICS Program Logical Controllers (PLCs), Human Machine Interfaces (HMIs), Remote Terminal Units (RTUs) and Intelligent Electronic Devices (IEDs). Needless to say, this produces the full effect of building a real, working ICS environment.

The second approach offers another big advantage over the first in the form of data. Only so much asset inventory information can be displayed using a simulated ICS environment. This limits user experience, thereby increasing the learning curve once they transition to a realistic ICS environment.

IT & OT Environment

While an ICS environment is good for demonstrating the effect of attacks on the Purdue Layer 2 network, we also want to simulate other Purdue Levels. The Purdue Model – for those who don’t know – is a way to visualize how IT and OT networks intertwine; therefore, we must obtain firewalls, switches, and other IT infrastructure to continue building our lab.[

For starters, I’m selecting an ESXi server on the network to house the email server, intranet, and other business applications including IT defensive software. There will also be engineering workstations on the ESXi server assigned to the ICS vLAN.

The ultimate purpose of building all of this is to have multiple attack scenarios and simulations so that my team and I can better learn the risks our clients will face, and how to defend them.

Lastly! Documentation

When building these labs and CTFs, I’ve found that I often forget to document my work after it has been completed. I suggest documenting your work as you progress. I’m generally a busy person and there are entire weeks when I cannot work on this lab.

Without documentation about what I’ve been doing and where I left off, it’s hard to understand my progress or resume building. Documentation also allows us to store a baseline for our network. Once the attack and defensive simulations are complete, the lab can be reverted to its last known stable state.  Combine Level 5 and Level 4. Call it Level 4 and the name is Enterprise Security Zone

Harry Thomas is a senior level cyber security consultant who works with industries that require security in high availability networks such as Electric Utilities, Healthcare, Oil & Gas, etc. He enhances security programs through methods of vulnerability assessments, penetration testing, reverse engineering, and security research. Harry harnesses his experience from both enterprise security and ICS security to build secure networks that enable organizations.

Securicon offers comprehensive digital security and compliance solutions to organizations. Our services include penetration testing and social engineering assessments which are trusted by critical infrastructure companies across the U.S and other critical organizations to find vulnerabilities and maximize safety. In 2019, there’s no room to be lax about security – contact us today!