ICS-SimLab: Containerized ICS Simulation
- ICS-SimLab is a containerized software suite that provides comprehensive simulation of Industrial Control Systems using lightweight Docker containers.
- It offers a modular architecture with configurable PLCs, HMIs, sensors, actuators, and HIL components defined through a unified JSON configuration file.
- The platform supports realistic cyberattack emulation and dataset generation, enabling robust testing and benchmarking of intrusion detection systems.
ICS-SimLab is a containerized software suite designed for the comprehensive simulation of Industrial Control Systems (ICSs) in cybersecurity research. It provides an end-to-end, highly configurable platform for modeling a range of ICS environments, enabling virtualized representations of programmable logic controllers (PLCs), human-machine interfaces (HMIs), sensors, actuators, and hardware-in-the-loop (HIL) components. Using lightweight process isolation through Docker and Docker Compose, ICS-SimLab allows rapid deployment of varied ICS topologies modeled closely after real-world architectures, including those adhering to the Purdue Enterprise Reference Architecture. This facilitates the testing and benchmarking of security solutions, notably Intrusion Detection Systems (IDS), across multiple ICS types and under numerous cyber-attack scenarios.
1. Core Architecture and Design Principles
ICS-SimLab employs a modular architecture where each ICS device—be it a PLC, HMI, sensor, actuator, or HIL module—is encapsulated in its own Docker container. The system design emphasizes:
- Resource Efficiency: Containers share the host's kernel, yielding lower computational overhead than VM-based testbeds. This allows simulating large ICS environments on commodity hardware.
- Configurability: The entire structure of a simulation is specified in a single JSON configuration file, which defines components, network topologies (TCP/IP for Modbus-TCP and serial lines for Modbus-RTU), logical relationships (using “inbound_connections”, “outbound_connections”, etc.), and physical process emulation.
- Custom Logic Integration: Python scripts can define custom device logic, process behavior, and attack patterns, providing researchers with a versatile experimentation environment.
- Layered Configuration: Components are organized according to the Purdue model, supporting separation between field devices, control networks, and supervisory systems.
2. Simulation Environment and Configuration
ICS-SimLab’s simulation design centers on the use of a JSON configuration file that explicitly enumerates devices, connections, parameterizations, and process logic. Key configuration parameters include:
Component Parameter | Description | Example |
---|---|---|
network | Defines the underlying network layer | Modbus-TCP, Modbus-RTU |
inbound_connections | Sources of data/control messages | E.g., from a sensor or PLC |
outbound_connections | Destinations for control/setpoint updates | To actuators or process HIL |
registers, monitors | Specific data monitored or set via Modbus registers | Input/output mapping |
controllers | Logic for controlling process or safety behaviour | Threshold-based actions |
logic | Custom Python logic for complex behaviors | Process simulation |
This configuration method enables rapid prototyping and seamless switching among radically different ICS setups, such as single-loop control systems, synchronized multi-PLC environments, or substation-like architectures.
3. Supported ICS Architectures
ICS-SimLab is engineered to support diverse ICS layouts reflecting the Purdue Enterprise Reference Architecture. The hierarchical arrangement includes:
- Physical/Field Layer: Simulated or emulated sensors, actuators, and process HIL modules.
- Control Layer: PLCs responsible for real-time logic and inter-device communication.
- Supervisory Layer: HMIs and higher-level management/interfacing systems.
- Network Configuration: Both IP-based and serial communications are supported. Protocol emulation—primarily via Modbus—is tightly integrated, with packet structure fidelity ensured (e.g., Address, Function Code, Data, and CRC for Modbus-RTU).
The layered architecture is designed to sustain complex industrial scenarios, replicate latency and reliability characteristics of real deployments, and formally adhere to industrial networking best practices.
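The Modbus-RTU frame layout described above (Address, Function Code, Data, CRC), as an added example that is not ICS-SimLab's own code: it builds a frame with the standard CRC-16/Modbus and parses one back, rejecting corrupted frames the way a PLC or serial-line IDS should.

```python
import struct

def modbus_crc16(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 1:
                crc = (crc >> 1) ^ 0xA001
            else:
                crc >>= 1
    return crc

def build_rtu_frame(address: int, function_code: int, data: bytes) -> bytes:
    """Address | Function Code | Data | CRC (CRC is transmitted low byte first)."""
    body = bytes([address, function_code]) + data
    return body + struct.pack("<H", modbus_crc16(body))

def parse_rtu_frame(frame: bytes) -> dict:
    """Split a frame into its fields, rejecting short frames and CRC mismatches.

    A receiver that skips this check accepts corrupted or tampered serial frames.
    """
    if len(frame) < 4:
        raise ValueError("frame too short for address, function code and CRC")
    body, (received,) = frame[:-2], struct.unpack("<H", frame[-2:])
    expected = modbus_crc16(body)
    if received != expected:
        raise ValueError(f"CRC mismatch: got {received:#06x}, expected {expected:#06x}")
    return {"address": body[0], "function_code": body[1], "data": body[2:]}

if __name__ == "__main__":
    # Read Holding Registers 0x006B..0x006D from unit 0x11 (a standard textbook request).
    frame = build_rtu_frame(0x11, 0x03, bytes.fromhex("006B0003"))
    print(frame.hex())  # 1103006b00037687
    print(parse_rtu_frame(frame))
```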
4. Use Cases and Simulation Examples
ICS-SimLab includes three published, pre-configured virtual ICS scenarios that demonstrate its versatility:
- Solar Panel Smart Grid: Emulates solar generation and grid switching with HIL for physical modeling, power meter sensors, and logic to switch between solar and mains power based on measurement thresholds.
- Water Bottle Filling Facility: Models coordinated control across two PLCs for water tank management and synchronized conveyor operations, capturing inter-device coordination and state notification flows.
- Intelligent Electronic Device (IED) System: Simulates substation scenarios with transformer tap changes, voltage monitoring, and automated protection actions (e.g., breaker trips on voltage violation), reflecting temporal and event-driven process dynamics.
These use cases illustrate the platform’s ability to model cross-device logic, process variability, sensor/actuator interactions, and end-to-end industrial workflows.
5. Cybersecurity Experimentation and Dataset Generation
ICS-SimLab provides a controlled environment for executing and studying a wide array of ICS-specific cyberattacks, including:
- Reconnaissance Attacks: Modbus function scans, address enumeration, and device discovery queries.
- Measurement/Response Injection: Naive or sporadic injection of sensor values to compromise process state visibility.
- Command Injection: Malicious control commands such as “Force Listen Mode” or device resets.
- Denial of Service (DoS): Both data-flood (overloading the ICS network with spurious data) and connection-flood attacks are supported.
Traffic is captured using tools such as Wireshark, and detailed datasets are generated in PCAP format. The datasets include timestamped packet traces with metadata: MAC and IP addresses, function codes, register values, and labeled attack/benign flags. This data is foundational for the benchmarking and validation of IDS schemes, especially those using data-driven or machine learning-based detection.
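Detection logic for three of the attack classes listed above (function-code scans, Force Listen Only Mode injection, data floods), run over constructed Modbus-TCP request records of the kind a PCAP-derived dataset would carry. This is an added example, not code from the paper or from ICS-SimLab; the record format, thresholds and IP addresses are assumptions, while the function code 0x08 / sub-function 0x0004 pairing is the standard Modbus Diagnostics code point for Force Listen Only Mode.

```python
from collections import defaultdict

# Standard Modbus code points used by the rules below.
DIAGNOSTICS_FC = 0x08
FORCE_LISTEN_ONLY_SUB = 0x0004   # diagnostics sub-function: Force Listen Only Mode
SCAN_DISTINCT_FCS = 5            # assumed: distinct function codes per source per window
FLOOD_PKTS_PER_WINDOW = 100      # assumed: request count per source per window

def detect_modbus_attacks(records, window=1.0):
    """Label request records with simple signature and threshold rules.

    Each record is a dict (assumed format): ts (seconds), src, dst (IP strings),
    fc (function code), sub (diagnostics sub-function or None).
    Returns a list of (src, label) pairs, one per source and label.
    """
    alerts = []
    fired = set()                     # (src, label) already reported
    history = defaultdict(list)       # src -> [(ts, fc), ...] inside the sliding window

    def report(src, label):
        if (src, label) not in fired:
            fired.add((src, label))
            alerts.append((src, label))

    for r in sorted(records, key=lambda r: r["ts"]):
        src, ts, fc = r["src"], r["ts"], r["fc"]
        # Command injection: Diagnostics / Force Listen Only Mode silences the target.
        if fc == DIAGNOSTICS_FC and r.get("sub") == FORCE_LISTEN_ONLY_SUB:
            report(src, "command_injection_force_listen_only")
        hist = history[src]
        hist.append((ts, fc))
        while ts - hist[0][0] > window:    # evict requests older than the window
            hist.pop(0)
        # Reconnaissance: one source cycling through many function codes.
        if len({f for _, f in hist}) >= SCAN_DISTINCT_FCS:
            report(src, "recon_function_scan")
        # Data flood: request rate far above any plausible polling cycle.
        if len(hist) >= FLOOD_PKTS_PER_WINDOW:
            report(src, "dos_data_flood")
    return alerts

# Constructed sample traffic (not from the paper): an HMI polling a PLC every 0.5 s,
# a function-code scanner, one injected Force Listen Only command, and a flood.
SAMPLE = (
    [{"ts": i * 0.5, "src": "10.0.2.10", "dst": "10.0.2.20", "fc": 3, "sub": None} for i in range(10)]
    + [{"ts": 1.0 + i * 0.02, "src": "10.0.2.99", "dst": "10.0.2.20", "fc": f, "sub": None}
       for i, f in enumerate([1, 2, 3, 4, 5, 6, 15, 16])]
    + [{"ts": 2.0, "src": "10.0.2.77", "dst": "10.0.2.20", "fc": 8, "sub": 4}]
    + [{"ts": 3.0 + i * 0.005, "src": "10.0.2.88", "dst": "10.0.2.20", "fc": 3, "sub": None} for i in range(150)]
)
```

Thresholds like these need tuning per scenario: a scan rule that fires on five distinct function codes would also fire on a legitimate HMI that mixes reads and writes within one polling cycle.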
6. Technical Features and Representation
Technical details critical to ICS-SimLab’s operation are represented with LaTeX-formatted figures for packet structures (e.g., Modbus-RTU frame: Address, Function Code, Data, CRC) and architecture diagrams (showing device layering per Purdue model). Configuration tables are rendered using LaTeX to systematically present component and network properties, reflecting the formalism appropriate for precise experimental replication. There are no nontrivial mathematical formulas; the focus is on structural and protocol fidelity.
7. Significance, Limitations, and Research Impact
ICS-SimLab addresses the common limitation in existing ICS testbeds that are restricted to a single simulation type, which introduces experimental bias. By supporting rapid reconfiguration and deployment of heterogeneous ICS architectures within a unified, resource-efficient platform, the suite allows researchers to:
- Test IDS and defense mechanisms across a spectrum of realistic ICS scenarios.
- Replicate complex attack patterns and study interdependencies in multi-device environments.
- Generate reproducible, labeled datasets critical for advancing ML-based intrusion detection and forensic analysis.
The framework is especially well suited to current research needs where evaluating cyber defense tools against diverse, realistic industrial scenarios is necessary for robust security validation. ICS-SimLab is positioned as a foundational infrastructure for both academic and industrial cybersecurity research, enabling targeted development of solutions for the evolving landscape of industrial control environments.
ICS-SimLab represents a comprehensive, containerized ICS simulation suite that operationalizes a broad range of industrial scenarios, cyber-attack emulation, and high-fidelity data generation. Its architectural flexibility, layered protocol emulation, and focus on reproducible experiments make it a central tool for the rigorous evaluation of ICS security solutions (Brown et al., 27 Sep 2025).