Revolutionizing OT Security: How Containerized Gasflow Terminal Runs 26 Services Under 3GB RAM – No Factory Required + Video


Introduction:

Operational Technology (OT) security has long been trapped by the “scale illusion” – the belief that realistic testing requires physical factories, industrial racks, and expensive hardware clusters. A breakthrough approach from Labshock Security demonstrates that a fully operational OT environment – including 8 PLCs, 7 switches, 4 HMIs, SCADA, IDS, collectors, and Splunk SIEM – can run on a single small server with less than 3GB of RAM. This shifts OT security from static documentation to repeatable, testable containerized runtimes where every control can be validated before deployment.

Learning Objectives:

  • Deploy a lightweight, containerized OT environment simulating PLCs, SCADA, and SIEM using Docker and open-source tools.
  • Configure and test OT-specific security monitoring with Splunk, Suricata IDS, and Modbus traffic analysis.
  • Apply Linux networking and Windows PowerShell commands to harden virtual OT networks and detect anomalies.

You Should Know:

1. Containerized OT Emulation: Running PLCs and SCADA in Docker

The core idea is that a complete industrial control system can be modeled as software containers, not physical hardware. Below is a step‑by‑step guide to launching a minimal Gasflow‑like topology using Docker on Linux.

Step‑by‑step guide:

1. Install Docker and Docker Compose (Ubuntu/Debian):

    sudo apt update && sudo apt install docker.io docker-compose -y
    sudo systemctl enable --now docker
    sudo usermod -aG docker $USER   # re-login afterwards so the group change takes effect

2. Create a `docker-compose.yml` for OT services (simplified example; YAML indentation is significant):

    version: '3.8'
    services:
      plc-sim:
        image: mbsim/python-modbus-server
        container_name: plc_bpcs_01
        networks:
          - ot_net
        ports:
          - "5020:502"
      hmi:
        image: nginx:alpine
        volumes:
          - ./hmi/html:/usr/share/nginx/html
        networks:
          - ot_net
      scada:
        image: ithc/scada-br:latest
        environment:
          - MODBUS_HOST=plc-sim
        networks:
          - ot_net
      ids:
        image: jasonish/suricata:latest
        cap_add:
          - NET_ADMIN
          - NET_RAW
        networks:
          - ot_net
    networks:
      ot_net:
        driver: bridge
        driver_opts:
          # fixed host bridge name, so the IDS and iptables steps below can refer to br-ot
          com.docker.network.bridge.name: br-ot

3. Start the emulated OT environment:

    docker-compose up -d

4. Verify running services:

    docker ps
    docker stats --no-stream   # total memory across all containers should stay under 3GB

This mirrors Labshock’s Gasflow Terminal approach: 26 services on a single server with minimal overhead.

2. Emulating PLC Logic with Python Modbus Server

PLCs in the Gasflow Terminal include 4 Basic Process Control System (BPCS) and 4 Safety Instrumented System (SIS) units. Use a Python script to emulate Modbus‑TCP registers.

Codes:

    # modbus_plc_sim.py
    from pyModbusTCP.server import ModbusServer
    import random
    import time

    # Port 502 is privileged on Linux: run as root, or bind a high port and map it (see the Compose file)
    server = ModbusServer("0.0.0.0", 502, no_block=True)
    # Holding registers: 0-3 BPCS, 4-7 SIS
    server.data_bank.set_holding_registers(0, [random.randint(0, 100) for _ in range(8)])

    try:
        server.start()
        print("PLC emulator running on port 502")
        while True:
            # Simulate process changes: drift the BPCS pressure in register 0 by up to +/-5 per second
            bpcs_pressure = server.data_bank.get_holding_registers(0)[0] + random.randint(-5, 5)
            # Holding registers are unsigned 16-bit; set_holding_registers rejects values outside 0..65535
            bpcs_pressure = max(0, min(0xFFFF, bpcs_pressure))
            server.data_bank.set_holding_registers(0, [bpcs_pressure] + [random.randint(0, 100) for _ in range(7)])
            time.sleep(1)
    except KeyboardInterrupt:
        server.stop()

Run it inside a container or directly:

    pip install pyModbusTCP
    python modbus_plc_sim.py

Test communication using `mbpoll` (Linux) or `Test-NetConnection` / a raw `TcpClient` connect (Windows PowerShell):

    # Linux: read 8 holding registers from address 0 (-0 selects zero-based addressing, -p sets the TCP port)
    mbpoll -0 -a 1 -t 3 -r 0 -c 8 -p 502 127.0.0.1
    # Windows PowerShell
    Test-NetConnection -ComputerName 127.0.0.1 -Port 502
    (New-Object System.Net.Sockets.TcpClient).Connect("127.0.0.1", 502)

3. Configuring Splunk SIEM for OT Log Aggregation

The Gasflow Terminal uses Splunk as its SIEM, consuming 50% of runtime memory. To replicate:

Step‑by‑step guide:

1. Run Splunk Enterprise in Docker (trial mode):

    docker run -d -p 8000:8000 -p 8088:8088 -e SPLUNK_START_ARGS=--accept-license -e SPLUNK_PASSWORD=changeme --name splunk splunk/splunk:latest

2. Add an HTTP Event Collector (HEC) token via the web UI or the CLI (the `-uri` is Splunk's management port 8089, not the HEC port 8088):

    docker exec -it splunk /opt/splunk/bin/splunk http-event-collector create OT_Collector -uri https://localhost:8089 -index main -auth admin:changeme

3. Forward Modbus logs from the PLC emulator using `curl` or Python:

    import requests, json
    url = "https://localhost:8088/services/collector"
    headers = {"Authorization": "Splunk <your-token>", "Content-Type": "application/json"}
    data = {"sourcetype": "_json", "event": {"plc_id": 1, "pressure": 75, "alert": "none"}}
    # verify=False only because the trial container presents a self-signed certificate
    requests.post(url, headers=headers, data=json.dumps(data), verify=False)

4. Create a Splunk alert for unusual Modbus function codes (e.g., write to safety registers). Use search:

    index=ot sourcetype=modbus func_code=06 | stats count by src_ip

The `index` and `sourcetype` in the search must match what the HEC token and the events actually write: the snippet above sends sourcetype `_json` to index `main`, so either send the events with `"sourcetype": "modbus"` and `"index": "ot"` (and create that index) or adjust the search accordingly.

4. Implementing an OT‑Friendly IDS with Suricata

The Gasflow Terminal includes one IDS. Suricata can inspect Modbus/TCP and DNP3 traffic.

Step‑by‑step guide:

1. Install Suricata (Ubuntu):

    sudo add-apt-repository ppa:oisf/suricata-stable -y
    sudo apt update && sudo apt install suricata -y

2. Download OT protocol rules:

    sudo suricata-update enable-source et/open
    sudo suricata-update

3. Create custom OT rules (file `/etc/suricata/rules/local.rules`). The `modbus` keyword requires the Modbus app-layer parser, which is switched off in many default configs (`app-layer.protocols.modbus.enabled: yes` in `suricata.yaml`; its detection port is 502):

    alert modbus any any -> any 502 (msg:"OT - Modbus write to SIS register"; modbus: function 6; sid:1000001; rev:1;)
    alert tcp any 44818 -> any any (msg:"OT - CIP/ Ethernet/IP traffic detected"; sid:1000002; rev:1;)

Note that `function 6` matches every Write Single Register request regardless of the target address, so this rule also fires on legitimate BPCS writes; treat it as a trigger for review rather than a precise SIS alarm.

4. Run Suricata on the virtual OT network interface. This is the host bridge behind `ot_net`, not `docker0`, which only carries Docker's default network; pin the bridge name with the `com.docker.network.bridge.name` driver option in the Compose file or look it up with `docker network ls` and `ip link` (Compose prefixes the network name with the project name):

    sudo suricata -i br-ot -c /etc/suricata/suricata.yaml -v

5. Monitor alerts:

    tail -f /var/log/suricata/fast.log
5. Hardening the Containerized OT Network with Linux Commands

Security testing must be repeatable. Use Linux network controls to isolate OT services.

Commands to restrict and monitor traffic:

    # Create a dedicated bridge with no external routing
    sudo ip link add ot-bridge type bridge
    sudo ip addr add 10.10.10.1/24 dev ot-bridge
    sudo ip link set ot-bridge up

    # Block all egress from OT containers except to Splunk HEC (port 8088).
    # iptables evaluates rules in order, so the ACCEPT must come before the catch-all DROP.
    # br-ot is the host bridge behind ot_net (use ot-bridge if you attached containers to the bridge above).
    # For Docker-managed bridges put these rules in the DOCKER-USER chain (-I DOCKER-USER) so that
    # Docker's own FORWARD rules do not accept the traffic first.
    sudo iptables -A FORWARD -i br-ot -o eth0 -p tcp --dport 8088 -j ACCEPT
    sudo iptables -A FORWARD -i br-ot -o eth0 -j DROP

    # Log Modbus/TCP segments containing the byte 0x06 (Write Single Register). --string takes a literal,
    # so the byte must be given with --hex-string. Matching one byte anywhere in the segment is only a
    # coarse heuristic: reads or register values that happen to contain 0x06 match as well.
    sudo iptables -A FORWARD -p tcp --dport 502 -m string --hex-string "|06|" --algo bm -j LOG --log-prefix "MODBUS_WRITE: "

On Windows (PowerShell as Admin) for monitoring:

    # Capture packets on the local interface; filter on TCP port 502 when analysing the resulting .etl trace
    New-NetEventSession -Name "OT_Session"
    Add-NetEventPacketCaptureProvider -SessionName "OT_Session" -CaptureType Physical -MultiLayer
    Start-NetEventSession -Name "OT_Session"
    # Stop the capture when done:
    # Stop-NetEventSession -Name "OT_Session"
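Both the Suricata rule (function code 6 on any address) and the iptables byte match above fire on any single-register write; a precise check has to decode the Modbus/TCP frame and compare the written address range with the SIS block. The decoder below is an added example, not code from the original post or from Labshock; the SIS range 4-7 is taken from the emulator above, and the captured frames are constructed.

```python
import struct

# Modbus function codes that change PLC state
WRITE_FUNCS = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
SIS_REGISTERS = range(4, 8)  # holding registers 4-7 = SIS block in the emulator above

def parse_modbus_tcp(payload):
    """Decode one Modbus/TCP request (MBAP header + PDU); ValueError on non-Modbus data."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        raise ValueError("protocol id or MBAP length inconsistent: not Modbus/TCP")
    func, pdu = payload[7], payload[8:]
    info = {"tid": tid, "unit": unit, "func": func, "start": None, "count": 0}
    if func in (5, 6) and len(pdu) >= 4:          # single write: address + value
        info["start"], info["count"] = struct.unpack(">H", pdu[:2])[0], 1
    elif func in (15, 16) and len(pdu) >= 5:      # multiple write: address + quantity
        info["start"], info["count"] = struct.unpack(">HH", pdu[:4])
    return info

def classify(payload, src_ip):
    """Alert text for holding-register writes that touch the SIS block, else None."""
    info = parse_modbus_tcp(payload)
    if info["func"] not in (6, 16) or info["start"] is None:
        return None
    touched = range(info["start"], info["start"] + info["count"])
    if not set(touched) & set(SIS_REGISTERS):
        return None                               # BPCS write: allowed, not alerted
    return (f"OT - {WRITE_FUNCS[info['func']]} to SIS from {src_ip}: "
            f"unit={info['unit']} start={info['start']} count={info['count']}")

# Constructed sample captures (src_ip, raw TCP payload); not real traffic.
SAMPLE_CAPTURE = [
    ("10.10.10.20", bytes.fromhex("000100000006010300000008")),  # FC3 read regs 0-7
    ("10.10.10.20", bytes.fromhex("000200000006010600020037")),  # FC6 write reg 2 (BPCS)
    ("10.10.10.99", bytes.fromhex("00030000000601060005ffff")),  # FC6 write reg 5 (SIS)
    ("10.10.10.99", bytes.fromhex("00040000000d01100002000306000100020003")),  # FC16 regs 2-4
    ("10.10.10.20", bytes.fromhex("000500000006010300060006")),  # FC3 read regs 6-11 (0x06 bytes, no write)
]

def scan(capture):
    """Run classify() over (src_ip, payload) pairs and collect the alerts."""
    return [a for src, raw in capture if (a := classify(raw, src))]
```

The last sample frame is a read whose bytes contain 0x06 twice: the iptables heuristic logs it, the decoder does not.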

6. Replicating Full Gasflow Topology with Docker Compose

To fully emulate 26 services (8 PLCs, 7 switches, 4 HMIs, 1 SCADA, 1 IDS, 2 collectors, 1 Splunk, plus others), extend the Docker compose file with multiple instances and a software‑defined switch (Open vSwitch).

Example snippet for multiple PLCs (under `services:`):

      plc_bpcs_1:
        image: mbsim/python-modbus-server
        networks: [ot_net]
      plc_bpcs_2:
        image: mbsim/python-modbus-server
        networks: [ot_net]
      # ... up to 8

Software switch (Open vSwitch):

    # On host
    sudo apt install openvswitch-switch
    sudo ovs-vsctl add-br ot-switch
    # ovs-docker expects a CIDR address; a bare IP would be configured as /32
    sudo ovs-docker add-port ot-switch eth1 plc_bpcs_1 --ipaddress=10.10.10.2/24

Then connect each service to the OVS bridge instead of Docker’s default bridge to simulate industrial switching.

7. Testing OT Security Controls in Containerized Runtime

The Labshock philosophy: “OT security must be testable, not documented.” Run automated security tests against your virtual gas station.

Python test suite example using `pymodbus` and `scapy`:

    # test_ot_security.py
    from pymodbus.client import ModbusTcpClient
    from scapy.all import IP, TCP, sr

    PLC_IP = "10.10.10.2"  # PLC address assigned in the OVS step above

    def test_unauthorized_write():
        client = ModbusTcpClient(PLC_IP)
        if not client.connect():
            print(f"cannot reach PLC at {PLC_IP}")
            return
        # Attempt to write to a safety register (the emulator keeps the SIS block in holding registers 4-7)
        rr = client.write_register(4, 0xFFFF)  # normally blocked by the PLC or the network policy
        if not rr.isError():
            print("VULNERABILITY: SIS register modified")
        client.close()

    def test_modbus_scan():
        # SYN probe for port 502 across the OT subnet (scapy needs root / CAP_NET_RAW for raw sockets)
        pkt = IP(dst="10.10.10.0/24") / TCP(dport=502, flags="S")
        ans, unans = sr(pkt, timeout=2, verbose=False)
        for sent, rcvd in ans:
            if int(rcvd[TCP].flags) & 0x12 == 0x12:  # SYN/ACK: port open
                print(f"Modbus device found at {rcvd[IP].src}")

    if __name__ == "__main__":
        test_unauthorized_write()
        test_modbus_scan()

Run inside a dedicated test container with:

    docker run --network ot_net -it python:3 bash
    pip install pymodbus scapy
    python test_ot_security.py

What Undercode Say:

• Containers eliminate the “scale illusion” – You can build a fully operational OT environment with 26 services on a laptop using Docker, proving that physical hardware is not required for security testing.
• Repeatability beats documentation – When OT security is defined as code (Dockerfiles, Compose, Python emulators), you can version, share, and automatically test defenses against live process behavior.

The Gasflow Terminal approach is not a simulation or training aid – it is a production‑grade operational runtime that fits in 3GB RAM. For blue teams, this means affordable, high‑fidelity breach and attack simulation. For red teams, it offers a legal, self‑contained target to practice PLC manipulation, SCADA MITM, and SIEM evasion. The industrial world is rapidly becoming a software system; security must evolve to treat OT infrastructure as code – fully runnable, testable, and repeatable without ever stepping into a factory.

Prediction:

Within two years, most OT security trainings and certifications will replace physical PLC labs with containerized emulations like Gasflow Terminal. Cloud providers will offer “OT as a Service” sandboxes, and regulatory frameworks (e.g., IEC 62443) will include testable container images as evidence of compliance. The divide between IT and OT security tooling will collapse as the same DevSecOps pipelines are used to harden both enterprise and industrial controllers. Organizations that adopt runtime‑testable OT models today will have a 10x faster incident response capability compared to those relying on static network diagrams.

▶️ Related Video (74% Match):

https://www.youtube.com/watch?v=2A5ygCKCsmc

Reported By: Zakharb Switches – Hackers Feeds