
Introduction:
For years, Operational Technology (OT) security training has followed a predictable, network-centric script: scan a subnet, find a Programmable Logic Controller (PLC), read its traffic, and write a report. This approach treats the PLC as just another IP address—a node on a network rather than the computational brain of an industrial process. Labshock’s Patch 2.3 fundamentally disrupts this paradigm by introducing Thunderwatch, a dedicated PLC programming zone that forces security professionals to learn OT from the inside out—starting with control logic, not network packets.
Learning Objectives:
- Understand the shift from network-centric to control-centric OT security training and why PLC programming knowledge is essential for effective defense.
- Gain hands-on experience with industrial automation concepts including Ladder Logic, Structured Text, PLC memory architecture, timers, counters, and Function Blocks.
- Learn to trace HMI commands, bind tags, upload logic, and observe physical process outputs in a safe, virtualized industrial environment.
You Should Know:
- The Automation Anatomy: Moving Beyond the IP Address
The fundamental flaw in traditional OT security training is the assumption that a PLC is merely a network endpoint. In reality, the PLC is the control brain of an industrial process—it reads plant state, executes logic, writes outputs, moves physical processes, and ultimately creates risk. Patch 2.3’s Thunderwatch zone is built on the premise that you cannot secure what you do not understand, and you cannot understand a PLC without programming it.
The training curriculum within Thunderwatch is structured around what Zakhar Bernhardt calls “Automation Anatomy”—a deep dive into the PLC’s operational core. This includes the PLC Thinking Model (how the controller scans inputs, executes logic, and updates outputs), Industrial Data Flow (how sensor data moves from field devices to the controller and up to the HMI), and the fundamental building blocks of PLC programming: Ladder Logic, Structured Text, PLC Memory organization, Timers, Counters, Function Blocks, and Program Organization Unit (POU) structure.
Step-by-Step Guide: Understanding the PLC Scan Cycle
To truly grasp OT security, you must understand the cyclic nature of PLC execution. Here is a simplified breakdown of the scan cycle that every OT security professional should know:
- Input Scan: The PLC reads the physical state of all input modules (sensors, switches, transmitters) and stores these values in its input image table in memory.
- Program Execution: The CPU executes the user’s program logic (Ladder Logic or Structured Text) sequentially, rung by rung, using the input image table values to determine output states.
- Output Scan: The calculated output values are written from the output image table to the physical output modules (actuators, valves, motors).
- Housekeeping: The PLC performs internal diagnostics, communications handling, and peripheral device checks.
- Repeat: The cycle repeats continuously, typically in milliseconds.
From a security perspective, this cycle presents multiple attack surfaces. An attacker who understands the scan cycle can time their exploits to corrupt input data before the program executes, manipulate logic during execution, or force unsafe output states. Tools like Labshock’s IDS are designed to monitor industrial protocols like Modbus, DNP3, and PROFINET for anomalies in this cycle.
- The PLC Programming Zone: From Theory to Live Memory Changes
Thunderwatch is not a passive learning environment. Every theoretical concept has a corresponding lab exercise. The progression is deliberate: you read the system, then you touch the system. This hands-on approach moves beyond PDFs, slides, and abstract “best practices” to real automation stack components: a real PLC runtime, a real HMI, a real engineering workstation, and real process logic.
The lab sequence within Thunderwatch follows a structured path:
– Trace HMI Command: You start by observing how a command issued from the Human-Machine Interface travels through the network to the PLC.
– Write First PLC Program: You write your own logic—perhaps a simple motor start/stop circuit in Ladder Logic.
– Bind Tags: You connect your program variables (tags) to physical I/O addresses within the PLC’s memory map.
– Upload Logic: You compile and upload your program to the virtual PLC runtime.
– Observe Output: You trigger inputs and watch the outputs respond in real-time, validating your logic.
– Break Assumption: You intentionally introduce errors or unsafe conditions to see how the system behaves.
– Prove State: You verify the actual state of the process against your expected outcome, building a mental model of cause and effect.
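The scan cycle from the earlier guide and the lab sequence above, as an added example that is not Labshock's code: a minimal Python simulator runs a seal-in motor start/stop circuit (the kind of first program the sequence suggests) through the Break Assumption and Prove State steps. The tag names Start_PB, Stop_PB and Motor_Output, and the normally-closed wiring of Stop_PB, are assumptions.

```python
# Added example (not Labshock code): a minimal PLC scan-cycle simulator running a
# seal-in motor start/stop circuit. Tag names and the normally-closed wiring of
# Stop_PB (True while not pressed) are assumptions made for this illustration.

class SealInPlc:
    def __init__(self):
        self.inputs = {"Start_PB": False, "Stop_PB": True}  # input image table
        self.outputs = {"Motor_Output": False}              # output image table
        self.physical = {"Motor_Output": False}             # actuator state

    def scan(self, field):
        self.inputs.update(field)              # 1. input scan: sample the field
        i, o = self.inputs, self.outputs       # 2. program execution, rung by rung:
        # Network 1: Start_PB AND Stop_PB energize the coil. Network 2 (holding
        # branch): the coil's own contact seals it in until Stop_PB opens.
        o["Motor_Output"] = i["Stop_PB"] and (i["Start_PB"] or o["Motor_Output"])
        self.physical.update(o)                # 3. output scan: drive the actuator
        return self.physical["Motor_Output"]   # 4. housekeeping omitted; then repeat

OPERATOR_SEQUENCE = [  # constructed field states, one per scan
    {"Start_PB": True, "Stop_PB": True},    # Start pressed
    {"Start_PB": False, "Stop_PB": True},   # Start released: seal-in holds
    {"Start_PB": False, "Stop_PB": False},  # Stop pressed: NC contact opens
    {"Start_PB": False, "Stop_PB": True},   # Stop released: motor stays off
]

def run_operator_sequence(plc=None):
    plc = plc or SealInPlc()
    return [plc.scan(f) for f in OPERATOR_SEQUENCE]

def prove_state(field_history, observed_motor):
    """Prove State: replay the operator's inputs through a clean copy of the
    logic and compare with the real output. A mismatch means the output image
    was changed outside the program (forced coil, online edit, rogue write)."""
    shadow, expected = SealInPlc(), None
    for f in field_history:
        expected = shadow.scan(f)
    return expected == observed_motor

def break_assumption():
    """Break Assumption: after a normal stop, Motor_Output is set directly in the
    output image (as the memory viewer lets you do). The seal-in rung latches it
    on the next scan although Start was never pressed; prove_state() reports it."""
    plc = SealInPlc()
    run_operator_sequence(plc)
    plc.outputs["Motor_Output"] = True           # direct memory write, not via logic
    idle = {"Start_PB": False, "Stop_PB": True}
    observed = plc.scan(idle)
    return observed, prove_state(OPERATOR_SEQUENCE + [idle], observed)
```

The point of break_assumption() is that a single out-of-band bit flip persists across scans because the seal-in rung re-energizes the coil from its own contact, which is why proving the process state against the operator's command history, not just reading the coil, is the check that matters.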
Step-by-Step Guide: Simulating a Simple PLC Program in Labshock
While specific Labshock commands are platform-dependent, the following conceptual workflow mirrors the Thunderwatch experience:
- Access the Labshock Environment: Navigate to the World of Labshock portal and log in.
- Launch the Thunderwatch Lab: Select the PLC Programming Zone from the available labs.
- Open the Engineering Workstation: Access the virtual engineering workstation within the lab environment.
- Create a New Project: Open the PLC programming software (simulated environment) and create a new project.
- Write Ladder Logic: Implement a simple seal-in circuit for a motor starter:
– Network 1: `[Start PB][Stop PB](Motor_Output)`
– Network 2: `[Stop PB](Motor_Output)`
- Compile and Download: Compile the logic and download it to the virtual PLC.
- Switch to Run Mode: Place the PLC in RUN mode.
- Interact via HMI: Use the simulated HMI to press the Start button and observe the Motor Output energize.
- Analyze Memory: Use the PLC's memory viewer to observe the live memory changes as inputs and outputs transition.
- Simulate an Attack: From a separate attack workstation within the lab, attempt to force the Motor_Output coil to an unsafe state using a protocol exploit (e.g., a Modbus write command).
- Industrial Data Flow and Protocol Analysis
Understanding how data flows through an industrial control system is critical for both attack and defense. Thunderwatch provides visibility into the entire data pipeline: from the field device (sensor), through the PLC's input module, into the PLC's memory, through the program logic, out to the output module, and up to the HMI and SCADA systems for operator visualization.
Labshock's architecture includes built-in IDS capabilities that monitor this data flow for anomalies. Unlike traditional IT SIEMs that focus on authentication logs and network connections, an OT SIEM must understand industrial protocols—their structure, their normal operating ranges, and their potential for abuse.
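As an added example, not part of Labshock or its IDS: a minimal Python detection pass over constructed Modbus/TCP records of the kind an OT monitor emits, applying the sort of protocol-aware baseline the paragraph above calls for (which host may write which coil, and when). The record format, host addresses and roles, and the coil-to-tag binding are all assumed.

```python
from dataclasses import dataclass

# Modbus function codes that change PLC state; reads (FC 1-4) are normal polling.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
HMI = "192.168.1.20"             # assumed: the only host that commands the process
ENGINEERING_WS = "192.168.1.30"  # assumed: may write, but only in a maintenance window
COIL_TAGS = {0: "Motor_Output"}  # assumed binding from the "Bind Tags" step

@dataclass
class Record:
    ts: str
    src: str
    dst: str
    fc: int
    addr: int
    value: int

def parse(line):
    """Constructed record layout: '<ts> <src> <dst> fc=<n> addr=<n> val=<n>'."""
    ts, src, dst, fc, addr, val = line.split()
    return Record(ts, src, dst, int(fc[3:]), int(addr[5:]), int(val[4:]))

def detect(lines, maintenance_window=False):
    """Flag every write to the PLC that the baseline does not explain."""
    alerts = []
    for r in map(parse, lines):
        if r.fc not in WRITE_FUNCTIONS or r.src == HMI:
            continue                      # a read, or an expected operator command
        if r.src == ENGINEERING_WS and maintenance_window:
            continue                      # authorized online edit or forced I/O
        severity = "medium" if r.src == ENGINEERING_WS else "high"
        tag = COIL_TAGS.get(r.addr, f"addr {r.addr}")
        alerts.append(f"{r.ts} [{severity}] {r.src} -> {r.dst}: "
                      f"{WRITE_FUNCTIONS[r.fc]} {tag}={r.value}")
    return alerts

SAMPLE_LOG = [  # constructed records, PLC at 192.168.1.10
    "10:00:01 192.168.1.20 192.168.1.10 fc=1 addr=0 val=0",  # HMI polls coil status
    "10:00:02 192.168.1.20 192.168.1.10 fc=5 addr=0 val=1",  # HMI Start command
    "10:00:03 192.168.1.30 192.168.1.10 fc=5 addr=0 val=0",  # engineering WS forces coil
    "10:00:04 192.168.1.99 192.168.1.10 fc=5 addr=0 val=1",  # unknown host writes coil
]
```

Run detect(SAMPLE_LOG) outside a maintenance window and both non-HMI writes are flagged; with maintenance_window=True only the unknown host remains, which is the distinction an IT SIEM keyed on connections alone cannot make.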
Step-by-Step Guide: Basic OT Protocol Reconnaissance
Using Labshock's virtual environment, you can perform reconnaissance on industrial networks:
- Identify the OT Network Segment: Determine the IP subnet range of the OT network (e.g., 192.168.1.0/24).
- Perform a Ping Sweep: Use `nmap -sn 192.168.1.0/24` to identify live hosts.
- Scan for Open Ports: Use `nmap -sT -p 502,44818,2222 192.168.1.10` to scan for common OT protocols (Modbus TCP on port 502, EtherNet/IP on 44818, etc.).
- Enumerate Modbus Devices: Use a tool like `modbus-cli` or `nmap` scripts (`nmap --script modbus-discover -p 502 192.168.1.10`) to enumerate PLCs and their coil/register maps.
- Capture Traffic: Use `tcpdump -i eth0 -w ot_traffic.pcap` to capture live OT traffic for analysis.
- Analyze with Wireshark: Open the capture in Wireshark and apply filters like `modbus` or `cip` to inspect protocol-specific details.
This reconnaissance provides the foundational intelligence needed to understand the attack surface of an OT environment—knowledge that is far more powerful when combined with an understanding of the underlying control logic.
- Live Memory Changes and Real-Time Process Manipulation
One of the most powerful aspects of Thunderwatch is the ability to observe and manipulate live PLC memory. In a real industrial environment, changing a single bit in a PLC's memory can have catastrophic physical consequences—opening a valve at the wrong time, stopping a pump, or triggering an emergency shutdown. Thunderwatch allows students to safely experiment with these concepts:
– Forcing I/O: Students learn how to force specific inputs or outputs to test program behavior.
– Online Editing: They practice making changes to the PLC program while it is running, observing the immediate effect on the process.
– Memory Manipulation: They use engineering tools to directly write values to PLC memory addresses, simulating the actions of an attacker who has gained network access.
This hands-on experience is what sets Thunderwatch apart. It transforms abstract security concepts into tangible, physical outcomes. You don't just read about a cyber-physical attack—you execute one, observe the consequences, and then implement the defensive measures to prevent it.
- Bridging the IT/OT Divide with Hands-On Training
The gap between Information Technology (IT) and Operational Technology (OT) security practices has long been a critical vulnerability. IT professionals think in terms of data, networks, and confidentiality. OT professionals think in terms of physical processes, safety, and availability. Thunderwatch is designed to bridge this divide by providing a common language—the language of control logic.
By learning to program a PLC, an IT security professional gains empathy for the OT engineer's world. They understand why patching a PLC is not as simple as patching a Windows server—why uptime is paramount, and why a failed logic upload can be as dangerous as a malware infection.
Step-by-Step Guide: Setting Up a Basic OT Security Lab with Labshock
For those looking to replicate this environment locally, Labshock is available as an open-source project on GitHub:
1. Clone the Repository:
git clone https://github.com/zakharb/labshock.git
2. Navigate to the Directory:
cd labshock
3. Review the Documentation: Read the `README.md` file for specific setup instructions, dependencies, and system requirements.
4. Run the Setup Script: Execute the provided setup script to deploy the virtualized OT environment (this typically uses Docker or similar containerization).
./setup.sh
5. Access the Lab: Once deployed, access the lab environment via the provided web interface or direct RDP/SSH connections to the virtual machines.
6. Explore the Pre-configured Scenarios: Labshock includes pre-built industrial scenarios (e.g., a virtual oil plant) for practicing attacks and defenses.
What Undercode Say:
- Control-Centric Security is the Only Viable Path Forward: The network-centric approach to OT security has failed. Threat actors are not scanning subnets; they are manipulating logic. Thunderwatch correctly identifies that true OT security expertise begins with understanding the machine’s “brain,” not just its network interface. This represents a fundamental pedagogical shift that the industry desperately needs.
- The “Testable, Not Documented” Philosophy is a Game-Changer: Zakhar Bernhardt’s assertion that “OT security must be testable, not documented” cuts to the heart of the problem with most compliance-driven security programs. A PDF of best practices does not stop a logic bomb. Only hands-on testing, experimentation, and validation can build the muscle memory required to defend industrial systems. Thunderwatch, with its “read then touch” methodology, operationalizes this philosophy and sets a new standard for OT security training.
Prediction:
- +1 Democratization of OT Security Expertise: Platforms like Labshock’s Thunderwatch will lower the barrier to entry for OT security, enabling a new generation of professionals to gain practical skills without the need for expensive physical hardware or risky live-plant testing. This will significantly expand the talent pool and improve the overall security posture of critical infrastructure.
- +1 Shift in Certification and Training Standards: The success of hands-on, control-centric platforms will force traditional certification bodies and training providers to overhaul their curricula. Expect to see more emphasis on PLC programming, logic analysis, and cyber-physical attack simulation in future OT security certifications.
- -1 Increased Sophistication of OT Attacks: As more defenders learn to program PLCs, so too will attackers. The barrier to entry for developing sophisticated, logic-based attacks will decrease, potentially leading to a rise in targeted, high-impact industrial sabotage. The defensive community must stay ahead of this curve.
- +1 Integration with AI/ML for Anomaly Detection: The deep understanding of PLC logic and memory states gained through platforms like Thunderwatch will fuel the development of more effective AI/ML-based anomaly detection systems. By establishing a baseline of “normal” logic behavior, these systems can more accurately detect malicious modifications or unsafe operating conditions.
Reported By: Zakharb Labshock – Hackers Feeds


