Last Update: 2025/08/05 09:00
CySEC-vRT is a virtualized ICS testbed designed to simulate cross-layer cyberattacks targeting hydraulic infrastructure. The platform integrates both IT and OT components, enabling realistic reproduction of multi-stage adversarial behaviors that span phishing, privilege escalation, lateral movement, and control system compromise.
Built entirely on virtual machines, CySEC-vRT emulates a reservoir environment capable of simulating dam gate operations, including gate opening, discharge control, and water level regulation. This enables realistic testing of attack scenarios in which adversaries escalate from IT-layer exploitation to OT-layer disruption, such as unauthorized manipulation of sluice gates, tampering with PLC control logic, or falsifying HMI visualizations, thereby demonstrating the full spectrum of cyber-physical impact on hydraulic infrastructure.
VM Configuration
IT Network (VLAN10)
Windows Server-based AD & EWS
Ubuntu NIDS for IT traffic
Docker stack includes InfluxDB & Grafana for log storage and visualization
Network Segmentation
Using pfSense as firewall
Implements VLAN separation via vSwitch
Enables IT-to-OT traffic control for simulating lateral movement
OT Network (VLAN20)
OpenPLC emulates reservoir control logic
Node-RED (deployed via Docker) delivers HMI and automation workflows
OT-side NIDS and EWS monitor control traffic
The HMI is divided into three main panels:
Displays gate status and alarms (DI), and provides manual control signals (DO) for gate operations.
Shows gate current, gate voltage, water level, and flow rates. The Flows chart tracks inflow and outflow trends.
Controls for loading historical data (including inflow and intake flow) and running simulations. Below are progress indicators and visualizations of reservoir storage.
The CySEC-vRT testbed reproduces a range of advanced adversarial behaviors, encompassing both IT- and OT-layer exploitation. The reconstructed attack chain includes the following cybersecurity techniques:
Phishing
Reverse Shell
Credential Dumping (LSASS)
Pass-the-Ticket
NTDS Extraction
Credential Decryption
Brute-force Attack
HMI Access
Malicious Logic Injection
OT Network Scanning
Modbus Command Injection
Denial-of-Service (DoS)
Replay Attack
Following the reproduction of multi-stage cyberattacks on the CySEC-vRT testbed, a structured dataset was generated to capture adversarial behavior across IT and OT layers. All experiments conducted in June 2025 have been compiled into the dataset, organized into three main directories:
Reservoir_Operation: Includes process-level logs (Attacked_RsvOperation_log.csv) and full-packet captures from both IT and OT networks, enabling traffic analysis across system layers.
IDSLogs: Contains Suricata-generated network-based intrusion detection logs. Both fast alert logs (fastlog) and structured event logs (eventlog) are available in .log and .json formats.
WindowsLogs: Collects Windows event logs (.evtx) to reflect host-level system activities such as service execution and login attempts.
A README file is included to guide dataset navigation and explain file structures.
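The IDSLogs directory ships the same Suricata alerts twice, as fast.log text and as eve.json events. The helper below is an added example written for this page (not part of the dataset's README or the CySEC-vRT tooling): it normalizes both formats into one record shape, deduplicates them, and lists source hosts that raised alerts on both the IT and OT layers, which is how the IT-to-OT pivot shows up in the logs. The sample lines, addresses and signature IDs are constructed; treating Modbus/TCP port 502 as the OT-layer marker and fast.log timestamps as UTC are assumptions.

```python
import json
import re
from datetime import datetime

# Constructed sample lines (not from the dataset); hosts, ports and SIDs are hypothetical.
FAST_LOG = """\
06/12/2025-10:15:02.123456  [**] [1:1000001:1] LOCAL SMB admin share access [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.0.25:44120 -> 10.10.0.5:445
06/12/2025-10:16:40.000001  [**] [1:1000002:1] LOCAL Modbus write from non-HMI host [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.10.0.25:50321 -> 10.20.0.10:502
"""
EVE_JSON = """\
{"timestamp":"2025-06-12T10:16:40.000001+0000","event_type":"alert","src_ip":"10.10.0.25","src_port":50321,"dest_ip":"10.20.0.10","dest_port":502,"proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL Modbus write from non-HMI host","category":"Potentially Bad Traffic","severity":1}}
{"timestamp":"2025-06-12T10:16:41.000000+0000","event_type":"flow","src_ip":"10.10.0.25","dest_ip":"10.20.0.10","dest_port":502,"proto":"TCP"}
"""
# fast.log layout: "<ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port"
FAST_RE = re.compile(r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
                     r"\{\w+\}\s+(?P<src>\S+):\d+\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$")
OT_PORTS = {502}  # assumption: Modbus/TCP toward OpenPLC marks an OT-layer alert


def parse_fast(text):
    """fast.log lines -> common records; fast.log timestamps are assumed UTC to match eve.json."""
    recs = []
    for m in filter(None, map(FAST_RE.match, text.splitlines())):
        ts = datetime.strptime(m["ts"], "%m/%d/%Y-%H:%M:%S.%f").isoformat(timespec="microseconds")
        recs.append({"ts": ts, "sid": int(m["sid"]), "msg": m["msg"],
                     "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])})
    return recs

def parse_eve(text):
    """eve.json lines -> the same record shape; non-alert event types (flow, ...) are skipped."""
    recs = []
    for ev in (json.loads(line) for line in text.splitlines() if line.strip()):
        if ev.get("event_type") == "alert":
            recs.append({"ts": ev["timestamp"][:26], "sid": ev["alert"]["signature_id"],
                         "msg": ev["alert"]["signature"], "src": ev["src_ip"],
                         "dst": ev["dest_ip"], "dport": ev["dest_port"]})
    return recs

def merge(*record_sets):
    """Both files describe the same alerts, so dedup on (ts, sid, src, dst) and order by time."""
    uniq = {(r["ts"], r["sid"], r["src"], r["dst"]): r for rs in record_sets for r in rs}
    return sorted(uniq.values(), key=lambda r: r["ts"])

def cross_layer_sources(records):
    """Hosts that alerted on both layers: the IT-to-OT pivot the testbed reproduces."""
    seen = {}
    for rec in records:
        seen.setdefault(rec["src"], set()).add("OT" if rec["dport"] in OT_PORTS else "IT")
    return sorted(src for src, layers in seen.items() if layers == {"IT", "OT"})
```

Point `parse_fast` and `parse_eve` at the real fast.log and eve.json files from IDSLogs and the merged timeline can be lined up against the Reservoir_Operation process log by timestamp.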
You may request access to the dataset or the CySEC-vRT resources through the link below.