Introduction:
Operational Technology (OT) security has long been trapped by the “scale illusion” – the belief that realistic testing requires physical factories, industrial racks, and expensive hardware clusters. A breakthrough approach from Labshock Security demonstrates that a fully operational OT environment – including 8 PLCs, 7 switches, 4 HMIs, SCADA, IDS, collectors, and Splunk SIEM – can run on a single small server with less than 3GB of RAM. This shifts OT security from static documentation to repeatable, testable containerized runtimes where every control can be validated before deployment.
Learning Objectives:
- Deploy a lightweight, containerized OT environment simulating PLCs, SCADA, and SIEM using Docker and open-source tools.
- Configure and test OT-specific security monitoring with Splunk, Suricata IDS, and Modbus traffic analysis.
- Apply Linux networking and Windows PowerShell commands to harden virtual OT networks and detect anomalies.
You Should Know:
1. Containerized OT Emulation: Running PLCs and SCADA in Docker
The core idea is that a complete industrial control system can be modeled as software containers, not physical hardware. Below is a step‑by‑step guide to launching a minimal Gasflow‑like topology using Docker on Linux.
Step‑by‑step guide:
1. Install Docker and Docker Compose (Ubuntu/Debian):
```bash
sudo apt update && sudo apt install docker.io docker-compose -y
sudo systemctl enable --now docker
sudo usermod -aG docker $USER   # re-login afterwards so the group change takes effect
```
2. Create a `docker-compose.yml` for the OT services (simplified example):
```yaml
version: '3.8'
services:
  plc-sim:
    image: mbsim/python-modbus-server
    container_name: plc_bpcs_01
    networks:
      - ot_net
    ports:
      - "5020:502"
  hmi:
    image: nginx:alpine
    volumes:
      - ./hmi/html:/usr/share/nginx/html
    networks:
      - ot_net
  scada:
    image: ithc/scada-br:latest
    environment:
      - MODBUS_HOST=plc-sim
    networks:
      - ot_net
  ids:
    image: jasonish/suricata:latest
    cap_add:
      - NET_ADMIN
      - NET_RAW
    networks:
      - ot_net
networks:
  ot_net:
    driver: bridge
```
3. Start the emulated OT environment:
```bash
docker-compose up -d
```
4. Verify running services:
```bash
docker ps
docker stats --no-stream   # total RAM across the containers should stay below 3GB
```
This mirrors Labshock’s Gasflow Terminal approach: 26 services on a single server with minimal overhead.
2. Emulating PLC Logic with Python Modbus Server
PLCs in the Gasflow Terminal include 4 Basic Process Control System (BPCS) and 4 Safety Instrumented System (SIS) units. Use a Python script to emulate Modbus‑TCP registers.
Codes:
```python
# modbus_plc_sim.py
from pyModbusTCP.server import ModbusServer
import random
import time

server = ModbusServer("0.0.0.0", 502, no_block=True)
# Holding registers: 0-3 BPCS, 4-7 SIS
server.data_bank.set_holding_registers(0, [random.randint(0, 100) for _ in range(8)])
try:
    server.start()
    print("PLC emulator running on port 502")
    while True:
        # Simulate process changes: drift the BPCS pressure, refresh the other registers
        bpcs_pressure = server.data_bank.get_holding_registers(0)[0] + random.randint(-5, 5)
        bpcs_pressure = max(0, min(65535, bpcs_pressure))  # keep the value inside a 16-bit register
        server.data_bank.set_holding_registers(0, [bpcs_pressure] + [random.randint(0, 100) for _ in range(7)])
        time.sleep(1)
except KeyboardInterrupt:
    server.stop()
```
Run it inside a container or directly:
```bash
pip install pyModbusTCP
python modbus_plc_sim.py
```
Test communication using `mbpoll` (Linux) or `Test-Connection` (Windows):
```bash
# Linux: poll holding registers 0-7 of unit 1 (-0 makes -r zero-based, matching the emulator's layout)
mbpoll -0 -a 1 -t 3 -r 0 -c 8 127.0.0.1 502
```
```powershell
# Windows PowerShell: a plain TCP connect to the Modbus port
(New-Object System.Net.Sockets.TcpClient).Connect("127.0.0.1", 502)
```
3. Configuring Splunk SIEM for OT Log Aggregation
The Gasflow Terminal uses Splunk as its SIEM, consuming 50% of runtime memory. To replicate:
Step‑by‑step guide:
1. Run Splunk Enterprise in Docker (trial mode):
```bash
docker run -d -p 8000:8000 -p 8088:8088 \
  -e SPLUNK_START_ARGS=--accept-license \
  -e SPLUNK_PASSWORD=changeme \
  --name splunk splunk/splunk:latest
```
2. Add an HTTP Event Collector (HEC) token via the web UI or CLI:
```bash
docker exec -it splunk /opt/splunk/bin/splunk add http-event-collector \
  -uri https://localhost:8088 -name OT_Collector -index main -auth admin:changeme
```
3. Forward Modbus logs from the PLC emulator using `curl` or Python:
```python
import requests, json

url = "https://localhost:8088/services/collector"
headers = {"Authorization": "Splunk <your-token>", "Content-Type": "application/json"}
data = {"sourcetype": "_json", "event": {"plc_id": 1, "pressure": 75, "alert": "none"}}
# verify=False only because the trial container uses a self-signed certificate
requests.post(url, headers=headers, data=json.dumps(data), verify=False)
```
4. Create a Splunk alert for unusual Modbus function codes (e.g., writes to safety registers). Use the search:
```
index=ot sourcetype=modbus func_code=06 | stats count by src_ip
```
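As an added example (not from the original post or from Labshock's code), the following stdlib-only decoder turns raw Modbus/TCP requests into the HEC events that the `requests.post` step sends, and flags writes that touch the SIS registers 4-7 of the emulator above, so the `func_code=06 ... | stats count by src_ip` search can be checked offline against constructed frames. The register layout, source addresses and sample frames are assumptions taken from this page's emulator, not captured traffic.

```python
import struct

# Register layout of the PLC emulator above: holding registers 0-3 are BPCS, 4-7 are SIS (assumed).
SIS_REGISTERS = range(4, 8)
WRITE_FUNCS = {6: "write_single_register", 16: "write_multiple_registers"}
READ_FUNCS = {3: "read_holding_registers", 4: "read_input_registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode an MBAP header plus PDU; raise ValueError on truncated or malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", frame[:8])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or MBAP length does not match the frame")
    pdu = frame[8:]
    registers = []
    if func in (3, 4, 6, 16):
        if len(pdu) < 4:
            raise ValueError("PDU too short for address and quantity/value fields")
        first, second = struct.unpack(">HH", pdu[:4])
        # FC 6 carries address+value; FC 3/4/16 carry start+quantity
        registers = [first] if func == 6 else list(range(first, first + second))
        if func == 16 and (len(pdu) < 5 or pdu[4] != 2 * second):
            raise ValueError("byte count disagrees with register quantity")
    return {"transaction_id": tid, "unit_id": unit, "func_code": func,
            "func_name": WRITE_FUNCS.get(func, READ_FUNCS.get(func, "other")),
            "registers": registers}

def to_hec_event(src_ip: str, frame: bytes) -> dict:
    """Wrap a parsed request as a HEC payload; flag any write that touches an SIS register."""
    ev = parse_modbus_tcp(frame)
    ev["src_ip"] = src_ip
    touches_sis = any(r in SIS_REGISTERS for r in ev["registers"])
    ev["alert"] = "sis_write" if ev["func_code"] in WRITE_FUNCS and touches_sis else "none"
    return {"sourcetype": "modbus", "event": ev}

def count_alerts_by_src(requests) -> dict:
    """Offline equivalent of `... | stats count by src_ip` over the flagged events."""
    counts = {}
    for src_ip, frame in requests:
        if to_hec_event(src_ip, frame)["event"]["alert"] == "sis_write":
            counts[src_ip] = counts.get(src_ip, 0) + 1
    return counts

SAMPLE_REQUESTS = [  # constructed (src_ip, raw Modbus/TCP request) pairs, not captured traffic
    ("10.10.10.50", bytes.fromhex("0001 0000 0006 01 03 0000 0008")),              # HMI reads registers 0-7
    ("10.10.10.99", bytes.fromhex("0002 0000 0006 01 06 0005 FFFF")),              # write single register 5 (SIS)
    ("10.10.10.50", bytes.fromhex("0003 0000 000B 01 10 0000 0002 04 002A0007")),  # write registers 0-1 (BPCS)
]
```

Each payload returned by `to_hec_event` carries `func_code` and `src_ip` as top-level event fields, so posting it to the collector as in step 3 makes the search above match without field extractions.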
4. Implementing an OT‑Friendly IDS with Suricata
The Gasflow Terminal includes one IDS. Suricata can inspect Modbus/TCP and DNP3 traffic.
Step‑by‑step guide:
1. Install Suricata (Ubuntu):
```bash
sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update && sudo apt install suricata -y
```
2. Download OT protocol rules:
```bash
sudo suricata-update enable-source et/open
sudo suricata-update
```
3. Create custom OT rule (file `/etc/suricata/rules/local.rules`):
```
alert modbus any any -> any 502 (msg:"OT - Modbus write to SIS register"; modbus: function 6; sid:1000001; rev:1;)
alert tcp any 44818 -> any any (msg:"OT - CIP/EtherNet/IP traffic detected"; sid:1000002; rev:1;)
```
4. Run Suricata on the virtual OT network interface:
```bash
sudo suricata -i docker0 -c /etc/suricata/suricata.yaml -v
```
5. Monitor alerts:
```bash
tail -f /var/log/suricata/fast.log
```
5. Hardening the Containerized OT Network with Linux Commands
Security testing must be repeatable. Use Linux network controls to isolate OT services.
Commands to restrict and monitor traffic:
```bash
# Create a dedicated bridge with no external routing
sudo ip link add ot-bridge type bridge
sudo ip addr add 10.10.10.1/24 dev ot-bridge
sudo ip link set ot-bridge up

# Block all egress from OT containers except to Splunk (port 8088).
# The ACCEPT must be appended before the DROP: FORWARD rules are evaluated in order.
sudo iptables -A FORWARD -i ot-bridge -o eth0 -p tcp --dport 8088 -j ACCEPT
sudo iptables -A FORWARD -i ot-bridge -o eth0 -j DROP

# Log all Modbus write attempts from the OT network.
# 0x06 is the Write Single Register function code; a single-byte match anywhere in the
# payload is only a coarse signal, so treat Suricata's protocol-aware rule as the real check.
sudo iptables -A FORWARD -i ot-bridge -p tcp --dport 502 -m string --hex-string "|06|" --algo bm \
  -j LOG --log-prefix "MODBUS_WRITE: "
```
On Windows (PowerShell as Admin) for monitoring:
```powershell
# Capture Modbus traffic on the local interface
New-NetEventSession -Name "OT_Session"
Add-NetEventPacketCaptureProvider -SessionName "OT_Session" -CaptureType Physical -MultiLayer
Start-NetEventSession -Name "OT_Session"
# Stop the capture:
Stop-NetEventSession -Name "OT_Session"
```
6. Replicating Full Gasflow Topology with Docker Compose
To fully emulate 26 services (8 PLCs, 7 switches, 4 HMIs, 1 SCADA, 1 IDS, 2 collectors, 1 Splunk, plus others), extend the Docker compose file with multiple instances and a software‑defined switch (Open vSwitch).
Example snippet for multiple PLCs:
```yaml
  plc_bpcs_1:
    image: mbsim/python-modbus-server
    networks: [ot_net]
  plc_bpcs_2:
    image: mbsim/python-modbus-server
    networks: [ot_net]
  # ... up to 8 PLC services
```
Software switch (Open vSwitch):
```bash
# On the host
sudo apt install openvswitch-switch
sudo ovs-vsctl add-br ot-switch
# ovs-docker expects the address in CIDR form
sudo ovs-docker add-port ot-switch eth1 plc_bpcs_1 --ipaddress=10.10.10.2/24
```
Then connect each service to the OVS bridge instead of Docker’s default bridge to simulate industrial switching.
7. Testing OT Security Controls in Containerized Runtime
The Labshock philosophy: “OT security must be testable, not documented.” Run automated security tests against your virtual gas station.
Python test suite example using `pymodbus` and `scapy`:
```python
# test_ot_security.py
from pymodbus.client import ModbusTcpClient
from scapy.all import IP, TCP, sr


def test_unauthorized_write():
    client = ModbusTcpClient('10.10.10.2')  # PLC IP
    client.connect()
    # Attempt to write to a safety register (SIS); this should normally be blocked
    rr = client.write_register(100, 0xFFFF)
    if not rr.isError():
        print("VULNERABILITY: SIS register modified")
    client.close()


def test_modbus_scan():
    pkt = IP(dst="10.10.10.0/24") / TCP(dport=502, flags="S")
    ans, unans = sr(pkt, timeout=2)
    for sent, rcvd in ans:
        print(f"Modbus device found at {rcvd[IP].src}")


if __name__ == "__main__":
    test_modbus_scan()
    test_unauthorized_write()
```
Run it inside a dedicated test container with:
```bash
docker run --network ot_net -it python:3 bash   # Compose prefixes the network with the project name, e.g. <project>_ot_net
pip install pymodbus scapy
python test_ot_security.py
```
What Undercode Say:
- Containers eliminate the “scale illusion” – You can build a fully operational OT environment with 26 services on a laptop using Docker, proving that physical hardware is not required for security testing.
- Repeatability beats documentation – When OT security is defined as code (Dockerfiles, Compose, Python emulators), you can version, share, and automatically test defenses against live process behavior.
The Gasflow Terminal approach is not a simulation or training aid – it is a production‑grade operational runtime that fits in 3GB RAM. For blue teams, this means affordable, high‑fidelity breach and attack simulation. For red teams, it offers a legal, self‑contained target to practice PLC manipulation, SCADA MITM, and SIEM evasion. The industrial world is rapidly becoming a software system; security must evolve to treat OT infrastructure as code – fully runnable, testable, and repeatable without ever stepping into a factory.
Prediction:
Within two years, most OT security trainings and certifications will replace physical PLC labs with containerized emulations like Gasflow Terminal. Cloud providers will offer “OT as a Service” sandboxes, and regulatory frameworks (e.g., IEC 62443) will include testable container images as evidence of compliance. The divide between IT and OT security tooling will collapse as the same DevSecOps pipelines are used to harden both enterprise and industrial controllers. Organizations that adopt runtime‑testable OT models today will have a 10x faster incident response capability compared to those relying on static network diagrams.
Reported By: Zakharb Switches – Hackers Feeds