Building a (modest) ICS testing & training lab

Part of training people into becoming ICS security specialists is providing them the opportunity to test or train certain things in a ‘safe’ environment. Which means you’ll need a (modest) ICS testing & training lab. There are some great labs out there (Idaho National Labs for example), that offer every test set-up you can think of. But not all companies have the resources to build a lab of that scale. For most companies or organisations a testlab environment limited to simulations of their own processes is just fine. There’s quite a bit of information you can find online about building such a lab. And usually it’s suggested that building it is fairly easy. Is it really?

You need ‘real’ stuff…

To build a representative lab you should have ‘real’ stuff in it. And with ‘real’ stuff I don’t mean having one or two Programmable Logic Controllers (PLC) combined with some Remote Terminal Units (RTU). A real ICS lab should contain everything that is present in a real environment. To simulate a power plant for example, you would need an actual Distributed Control System (DCS) that connects to several PLC’s, RTU’s, sensors etc. so that those devices can be taken into account during a simulated test/training. It is also important to have a real (physical) process running behind it so that physical impact of attacks can be observed properly.

…and network environments

And that’s just the process side of the testing lab. Your ideal lab should contain more than just that. This means that supporting environments for the process side should be included (think about the fire detection system, physical access systems, PI/OPC gateways, etc.). And don’t forget to include a simulated office environment with all regular business services in it (e.g. email server, file sharing, intranet, etc…) as well as a “simulated Internet”. These should be included to simulate different attack scenario’s and investigate different possible attack paths. You can play the role of an attacker on the “simulated internet” and try to get in or you can assume that you have physical access to the corporate offices and put yourself into the simulated office environment.
Where to start?

You have several options, depending on how much you are willing to spend on your lab. You can check eBay and buy several old or decommissioned RTU’s/PLC’s, or you can look out for decommissioned plants and buy their equipment. Another option is to procure training kits from big(ger) SCADA vendors such as Siemens, Phoenix, ABB, Scheider Electric, etc. Or you can build things yourself with small devices such as Raspberry PI or other alternatives. Don’t be afraid to experiment and combine several things/vendors together. Make sure you also have servers (for virtualisation purposes), switches, hubs, routers, firewalls etc. and learn how to use them. By building your own testing environment you will certainly learn a lot on basic networking skills.

Testlab procedures

Once your lab is ready to be used, make sure to create some procedures. Take especially good care of staging, as this is often forgotten. Nothing is as frustrating as losing a lot of time to get your lab back to its original state after a successful ‘attack’. At this stage you will be very happy if you have a (tested) staging procedure which gives you an easy step-by-step guide to revert to a known good state of the lab.

* DISCLAIMER * This is a copy of my original blogpost posted on the Toreon website while I was still working there