Build a Free ICS Lab and Override a PLC Using Python

Build a Free ICS Lab and Override a PLC Using Python

The pervasive connectivity of modern utility grids and manufacturing floors has fundamentally shifted the security paradigm for critical infrastructure globally. While industrial operations were once protected by their physical isolation, the current push toward digital transformation in 2026 has exposed these environments to a suite of cyber threats that were previously relegated to traditional IT networks. Central to this issue is the vulnerability of legacy protocols and the equipment they manage, which often prioritize availability and reliability over robust security measures. Building a functional laboratory environment provides a safe and cost-effective way to examine these risks without jeopardizing live production assets. By simulating an industrial control system using open-source tools, practitioners can gain hands-on experience with how Programmable Logic Controllers operate and how they might be manipulated by unauthorized network traffic. This approach allows for a deeper understanding of the intersection between physical processes and digital control, offering a clear view of the potential consequences when security boundaries are breached. Establishing such a lab serves as a critical first step in developing the skills necessary to defend the infrastructures that support modern society.

1. Understanding the Infrastructure: Roles and Risks of Programmable Logic Controllers

Programmable Logic Controllers, commonly known as PLCs, function as the essential nervous system for industrial environments ranging from wastewater treatment plants to automotive assembly lines. These ruggedized computers are specifically designed to operate in harsh conditions while performing real-time, deterministic tasks that manage physical hardware like motors, pumps, and temperature sensors. Unlike standard desktop computers that run complex operating systems and varied applications, a PLC executes a continuous loop of scanning inputs, processing a specific logic program, and updating outputs. This cycle ensures that the physical process remains stable and predictable, which is paramount in environments where a delay of even a few milliseconds could result in mechanical failure or safety hazards. The logic within these devices is typically written in languages such as Ladder Logic or Structured Text, which translate high-level commands into the physical actions required to maintain a manufacturing or utility process. Understanding this fundamental operation is necessary because it highlights exactly what is at stake when a controller is compromised by an external entity or an internal misconfiguration.

Despite the physical reliability of these systems, the communication protocols they utilize were often developed during a time when internal industrial networks were completely air-gapped from the internet. Modbus/TCP stands as a primary example of this legacy, remaining one of the most widely used protocols in the world for machine-to-machine communication due to its simplicity and openness. However, this simplicity comes at a significant cost to security, as the protocol inherently lacks any mechanism for authentication or encryption. When a command is sent to a PLC over port 502, the device typically treats the instruction as legitimate, regardless of the source, because it assumes the sender has authorized physical access to the network. This design philosophy creates a situation where anyone with network access can read the status of internal registers or write new values to the controller, effectively bypassing any intended logic or safety guardrails. In the context of modern interconnected facilities, these vulnerabilities represent a major entry point for actors looking to disrupt operations or gain insights into proprietary industrial processes.

2. Software and Resources: Building the Virtual Industrial Environment

Constructing a comprehensive simulation requires a suite of specialized software tools that can emulate the behavior of high-end industrial hardware. OpenPLC serves as the core of this laboratory, providing an open-source platform that functions as a fully operational logic engine capable of running standard industrial programs. To complement the logic engine, FUXA offers a web-based solution for creating Human-Machine Interface (HMI) dashboards, allowing users to visualize the data being processed by the PLC in real-time. For more advanced supervisory control, Ignition Maker provides a free, limited version of professional-grade SCADA (Supervisory Control and Data Acquisition) software, which is widely utilized across various industries to manage large-scale operations. Together, these tools form a robust ecosystem that mimics the complex software stacks found in real-world factory floors, providing a high-fidelity environment for testing and analysis without the need for expensive proprietary hardware.

To facilitate communication and perform deep-packet analysis, several auxiliary tools must be integrated into the laboratory setup. The pyModbus library is a critical component for those wishing to use Python to interact with industrial devices, as it provides the necessary functions to read and write data to the registers of a Modbus-enabled controller. Complementing this is Wireshark, the industry-standard network protocol analyzer, which allows for the capture and inspection of every individual packet moving across the virtual network. This visibility is essential for understanding how commands are structured and how they appear to network defense systems. Finally, VirtualBox acts as the underlying hypervisor, enabling the creation of isolated virtual machines that can host different parts of the lab, such as the “attacker” workstation or the SCADA server. By leveraging these resources, an engineer can create a segmented and controlled network that accurately reflects the challenges faced by modern industrial cybersecurity professionals.

3. Laboratory Design: Topology and Data Routing Considerations

The architecture of an effective industrial security lab must prioritize the isolation of experimental traffic while maintaining a realistic communication flow between various components. A typical setup involves a host machine running a Linux distribution, which serves as the primary environment for deploying Docker containers that house the PLC and HMI services. By utilizing containerization, the logic engine and the visualization interface remain lightweight and easily reproducible, while still being able to communicate through a defined virtual network bridge. A separate virtual machine, acting as the external node or “attacker” station, is then placed on the same local area network as the host. This configuration allows the external node to reach the PLC’s communication services through the host’s IP address, simulating a scenario where a device on the corporate network attempts to bridge the gap into the operational technology (OT) environment.

Communication within this lab environment follows a specific path that mirrors the hierarchy of a standard industrial network. The OpenPLC container listens for incoming requests on its administrative web port and the dedicated industrial protocol port, which is port 502 for Modbus/TCP. The HMI, whether it is FUXA or Ignition, continuously queries the PLC to update its visual status indicators, while the PLC responds with the current state of its internal memory registers. When the external node initiates a connection, it interacts directly with the PLC’s communication port, bypassing the intended visual interfaces. This interaction model is crucial for demonstrating how industrial devices often lack the ability to distinguish between a legitimate HMI update request and an unauthorized command from a third-party script. Proper data routing ensures that all traffic can be monitored and analyzed at different points in the network, providing a complete picture of the interactions between control logic and external commands.

4. Implementation Procedures: Deploying Logic and Interacting with Controllers

The practical deployment of the laboratory begins with launching the logic engine using a containerized version of OpenPLC. This process involves mapping the necessary administrative and communication ports to the host system, ensuring that the web interface is accessible for configuration and that the industrial protocol port is ready to receive traffic. Once the container is operational, a basic logic program, such as a simple motor control circuit, is uploaded to the controller through the web-based management console. This program defines the behavior of the system, establishing how specific inputs should trigger specific outputs. Following the PLC setup, the visual interfaces are connected by configuring the drivers in FUXA or Ignition to point toward the internal IP address of the OpenPLC container. This link allows the HMI to begin monitoring the digital switches and sensors defined in the logic, providing a real-time window into the automated process.

Once the environment is active and the visual interfaces are reflecting the state of the PLC, the focus shifts to executing protocol commands using Python. By employing the pyModbus library, a script can be written to perform an initial observation of the system, querying the status of “Coils,” which represent the digital outputs of the controller. This action demonstrates how an external user can gain situational awareness of the physical process without any form of authentication. To move beyond mere observation, a specific function code, such as “Write Single Coil,” can be used to send an unauthorized command that flips a digital switch from an OFF state to an ON state. This action directly overrides the internal safety logic and can be verified by watching the HMI dashboard change instantaneously. Simultaneously, running Wireshark on the network interface allows for the capture of these raw data packets, revealing the unencrypted hex values that constitute the “Read” and “Write” instructions. Analyzing these packets highlights how easy it is to identify the specific bytes responsible for controlling physical hardware when no encryption is present.

5. Strategic Defensive Measures: Hardening Systems and Advanced Monitoring

Securing an industrial environment requires a multi-layered approach that addresses both the inherent weaknesses of legacy protocols and the architectural flaws of the network. One of the most effective strategies is the implementation of network segmentation based on the ISA/IEC 62443 standard, which organizes assets into distinct zones and conduits. By placing critical controllers into restricted zones and strictly controlling the traffic that passes through conduits, organizations can prevent lateral movement and ensure that only authorized HMIs can communicate with the PLCs. This structural change effectively mitigates the risk of a compromised workstation on the corporate network gaining direct access to the industrial logic engine. Furthermore, the use of industrial-grade firewalls that are capable of deep packet inspection (DPI) for Modbus traffic can filter out unauthorized function codes, such as those used to modify register values, while still allowing the reading of status data.

The experience gained from building and interacting with a simulated lab provided a clear roadmap for more advanced security research and real-world application. Security teams discovered that monitoring for unusual traffic patterns using Network Detection and Response (NDR) tools was instrumental in identifying the unauthorized Python scripts that were used to override controller states. It became evident that mapping these findings to the MITRE ATT&CK for ICS framework allowed for a more systematic understanding of the tactics and techniques used by potential adversaries. Future efforts should focus on the adoption of more secure protocols like OPC-UA, which include built-in features for authentication and encryption, effectively closing the gaps left by legacy systems. The transition from testing in a lab to implementing these defenses in a production environment represented a significant advancement in the maturity of operational technology security. Moving forward, the continued study of advanced protocols and the integration of automated response systems will be essential for staying ahead of the evolving threat landscape in the industrial sector.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later