ICS LAB Final

The document is a lab manual for the Industrial Cyber Security course (BCYL657A) at Sambhram Institute of Technology, detailing program outcomes, educational objectives, and specific experiments related to cybersecurity practices. It includes hands-on experiments such as network traffic analysis, intrusion detection system configuration, and vulnerability assessments, aimed at preparing students for real-world cyber challenges. The manual was prepared by Prof. Manjula K.B and reviewed by Dr. Sanjeetha. R.


M. S. Palya, Bengaluru – 560097

DEPARTMENT OF CSE (CYBER SECURITY)

LAB MANUAL
For
INDUSTRIAL CYBER SECURITY

SUB CODE: BCYL657A

Version: 1

Prepared by: Prof. Manjula K.B
Reviewed by: Dr. Sanjeetha. R

Review of Lab Manual

Subject: BCYL657A Industrial Cyber Security

Manual Prepared by: Prof. Manjula K.B

Reviewed by: Dr. Sanjeetha. R

It is certified that the Lab manual for BCYL657A Industrial Cyber Security of VI Semester B.E., CSE (Cyber Security), Sambhram Institute of Technology affiliated to Visvesvaraya Technological University, Belagavi, is reviewed and found to be correct and complete.

Signatures

(Prepared by) (Reviewer) HOD - Dept. CSE(CY)


PROGRAM OUTCOMES

Engineering Graduates will be able to:

PO1: Engineering knowledge: Apply the knowledge of mathematics, science, engineering fundamentals, and an engineering specialization to the solution of complex engineering problems.

PO2: Problem analysis: Identify, formulate, review research literature, and analyse
complex engineering problems reaching substantiated conclusions using first principles
of mathematics, natural sciences, and engineering sciences.

PO3: Design/development of solutions: Design solutions for complex engineering problems and design system components or processes that meet the specified needs with appropriate consideration for the public health and safety, and the cultural, societal, and environmental considerations.

PO4: Conduct investigations of complex problems: Use research-based knowledge and research methods, including design of experiments, analysis and interpretation of data, and synthesis of the information to provide valid conclusions.

PO5: Modern tool usage: Create, select, and apply appropriate techniques, resources,
and modern engineering and IT tools, including prediction and modelling to complex
engineering activities with an understanding of the limitations.

PO6: The Engineer and society: Apply reasoning informed by the contextual
knowledge to assess societal, health, safety, legal and cultural issues and the
consequent responsibilities relevant to professional engineering practice.

PO7: Environment and sustainability: Understand the impact of professional engineering solutions in societal and environmental contexts, and demonstrate the knowledge of, and need for, sustainable development.

PO8: Ethics: Apply ethical principles and commit to professional ethics and responsibilities and norms of engineering practice.

PO9: Individual and team work: Function effectively as an individual, and as a member or leader in diverse teams, and in multidisciplinary settings.

PO10: Communication: Communicate effectively on complex engineering activities with the engineering community and with society at large, such as, being able to comprehend and write effective reports and design documentation, make effective presentations, and give and receive clear instructions.

PO11: Project management and finance: Demonstrate knowledge and understanding of the engineering and management principles and apply these to one’s own work, as a member and leader in a team, to manage projects and in multidisciplinary environments.

PO12: Life-long learning: Recognize the need for and have the preparation and ability to engage in independent and life-long learning in the broadest context of technological change.

INSTITUTE VISION AND MISSION

VISION

The future is embodied in the present generation. Professional education combined with practical exposure to create values in the students who are the future of our nation.

MISSION

Work-oriented education combined with ethical values and character building in the context of today's millennium.

DEPARTMENT OF CSE (CYBER SECURITY)

DEPARTMENT VISION AND MISSION

VISION

The Cybersecurity Department aims to empower current students with hands-on skills and ethical values, preparing them to protect our nation's digital realm with expertise and integrity.

MISSION

● Fostering skilled cybersecurity professionals with ethics and character for the digital age.
● Empowering students with practical cybersecurity knowledge and strong values.
● Preparing graduates to secure the digital world through work-oriented education and ethical grounding.

PROGRAM EDUCATIONAL OBJECTIVES (PEOs)

PEO 1: Graduates will possess strong cybersecurity expertise, excelling in Computer Science & Engineering roles and contributing to a safer online environment.

PEO 2: Graduates will adeptly address cyber challenges and continuously update their skills in evolving Computer Science-related technologies.

PEO 3: Graduates will be trained to become collaborative leaders, leading cybersecurity initiatives that align with organizational objectives and showcase expertise across diverse fields.

PROGRAM SPECIFIC OUTCOMES (PSOs)

PSO 1: Understand the foundational principles of basic sciences and hardware to enable the hands-on application of theoretical knowledge.

PSO 2: Develop proficiency in utilizing a wide array of programming languages to design, code, and debug efficient and innovative software solutions for diverse applications.

PSO 3: Create secure system architectures, evaluate vulnerabilities, conduct penetration tests, and devise incident response strategies, guaranteeing robust defense against cyber threats and seamless operational flow.

COURSE LEARNING OBJECTIVES

● To demonstrate network traffic analysis and intrusion detection.
● To understand security for ICS and PLC environments.
● To gain knowledge of configuration files for firewalls and Web systems.
● To conduct experiments for incident response simulation and risk assessment.

COURSE OUTCOMES

At the end of the course the student will be able to:
● Experiment with network traffic analysis and intrusion detection.
● Demonstrate ICS and PLC environment security.
● Develop configuration files for firewall and Web systems.
● Experiment with risk assessment and incident response in an ICS environment.

Experiments

1. Network Traffic Analysis in ICS/SCADA Systems
Scenario: A manufacturing plant experiences intermittent communication issues between its SCADA system and field devices. IT suspects abnormal traffic patterns are overwhelming the network.
Objective: Use Wireshark to capture and analyze network traffic to detect anomalies such as unauthorized Modbus commands or excessive network scanning.
Tools: Wireshark
Deliverables: A detailed report of the traffic analysis, highlighting malicious or unusual traffic patterns and recommendations for mitigation.

2. Configuring and Testing an Intrusion Detection System (IDS)
Scenario: An oil refinery has deployed an IDS in its control room but has not tested its effectiveness. Simulated attacks are needed to evaluate the IDS's detection capability.
Objective: Configure Snort with custom rules to detect unauthorized login attempts, PLC command injections, or DoS attacks on the refinery’s network.
Tools: Snort
Deliverables: A configured IDS, attack simulation results, and a performance evaluation report.

3. Vulnerability Assessment of a Simulated ICS Network
Scenario: A power plant is transitioning to a new ICS network. The cybersecurity team must perform a vulnerability assessment before the network goes live.
Objective: Scan the simulated ICS network for open ports, outdated software, and misconfigurations.
Tools: Nmap, OpenVAS
Deliverables: A vulnerability assessment report listing critical issues, potential exploitation risks, and suggested fixes.

4. Securing a PLC Environment
Scenario: A water treatment facility reports unauthorized access to its PLCs, leading to erroneous water treatment settings. Students are tasked with securing the PLC environment.
Objective: Simulate unauthorized PLC access, implement secure configurations, and monitor PLC traffic for anomalies.
Tools: OpenPLC, Wireshark
Deliverables: A secured PLC configuration and a log of identified unauthorized commands.

5. Simulating Cyber Attacks on ICS and Designing Defences
Scenario: An attacker compromises an engineering workstation and uses it to issue malicious commands to ICS devices. Students must simulate this attack and propose defences.
Objective: Perform simulated attacks such as PLC logic manipulation and denial-of-service, then implement measures like firewall rules or intrusion prevention systems.
Tools: Metasploit Framework, Security Onion
Deliverables: A report describing the attack, its impact, and the defence mechanisms implemented.

6. Web Application Security for Industrial Systems
Scenario: The web-based interface of a chemical plant’s ICS is suspected to have vulnerabilities that attackers could exploit to alter chemical mix ratios.
Objective: Conduct a security assessment of the web interface for vulnerabilities like SQL injection, cross-site scripting, and improper authentication mechanisms.
Tools: OWASP ZAP
Deliverables: A vulnerability scan report with remediation recommendations for the ICS web application.

7. Securing ICS Protocols and Communication Channels
Scenario: A logistics company faces unauthorized Modbus/TCP communication between its control system and conveyor belt motors, disrupting operations.
Objective: Configure secure communication using encryption and analyse normal vs. malicious protocol traffic.
Tools: OpenSSL, Wireshark
Deliverables: Secured Modbus/TCP communication setup and a comparative analysis of traffic logs.

8. Incident Response Simulation in an ICS Environment
Scenario: A simulated ransomware attack encrypts critical ICS files at a gas distribution station. Students act as the incident response team.
Objective: Detect the ransomware, isolate affected systems, and recover operations using backup and monitoring tools.
Tools: Security Onion, GRR
Deliverables: An incident response report, including root cause analysis and recovery steps.

9. Firewall and Access Control Configuration for ICS
Scenario: An unauthorized laptop connects to the ICS network at a steel factory and issues shutdown commands to operational systems.
Objective: Implement access control policies and configure firewalls to block unauthorized devices and restrict communication to trusted sources.
Tools: pfSense, ModSecurity
Deliverables: Firewall and access control configuration files, along with a report on unauthorized device mitigation.

10. Risk Assessment and Mitigation Planning for ICS
Scenario: A renewable energy plant wants to evaluate cybersecurity risks before connecting its wind turbines to the grid.
Objective: Conduct a risk assessment considering hardware vulnerabilities, communication protocols, and environmental factors. Propose a mitigation plan.
Tools: Custom scripts, risk assessment frameworks
Deliverables: A comprehensive risk assessment report and a prioritized mitigation strategy.

Table of Contents

Sl. No.  Content                                                      Page No.
1.       Network Traffic Analysis in ICS/SCADA Systems                       1
2.       Configuring and Testing an Intrusion Detection System (IDS)         4
3.       Vulnerability Assessment of a Simulated ICS Network                 7
4.       Securing a PLC Environment                                         10
5.       Simulating Cyber Attacks on ICS and Designing Defenses             13
6.       Web Application Security for Industrial Systems                    16
7.       Securing ICS Protocols and Communication Channels                  19
8.       Incident Response Simulation in an ICS Environment                 22
9.       Firewall and Access Control Configuration for ICS                  26
10.      Risk Assessment and Mitigation Planning for ICS                    31
Program 1
1. Network Traffic Analysis in ICS/SCADA Systems
Scenario: A manufacturing plant experiences intermittent communication issues between its
SCADA system and field devices. IT suspects abnormal traffic patterns are overwhelming the
network.
Objective: Use Wireshark to capture and analyze network traffic to detect anomalies such as
unauthorized Modbus commands or excessive network scanning.
Tools: Wireshark
Deliverables: A detailed report of the traffic analysis, highlighting malicious or unusual traffic
patterns and recommendations for mitigation.
STEP-1: Start Modbus Poll and modRSsim2.
STEP-2: Assign names to the registers in Modbus Poll (oil pressure, temperature, coil).
STEP-3: Click Connect and start polling from Modbus Poll.
STEP-4: Now start Wireshark, select your network interface, and enter the display filter tcp.port==502 to see the Modbus traffic. You can see the Read Holding Registers requests.
STEP-5: Now send a Write Single Register by modifying the value of one slave register, for example oil pressure: double-click the value, change it to 0000, and click Send.
STEP-6: Now, in Wireshark, you can see the Write Single Register request.
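To make the anomaly hunt of STEP-4 to STEP-6 reproducible outside Wireshark, the following added example (not part of the manual or of Modbus Poll) decodes Modbus/TCP request frames the way Wireshark's Modbus dissector does and flags write requests from hosts that are not on an allowlist. The IP addresses, the allowlist and the sample frames are constructed for the example; `build_request` exists only to assemble that sample capture.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Modbus function codes that change PLC state: Write Single Coil (5),
# Write Single Register (6), Write Multiple Coils (15), Write Multiple Registers (16).
WRITE_FUNCTION_CODES = {5, 6, 15, 16}

# Constructed allowlist for this example: only the HMI at 10.0.0.10 may write.
# In a real plant this list comes from the asset inventory, not from the capture.
AUTHORISED_WRITERS = {"10.0.0.10"}


@dataclass
class ModbusRequest:
    src_ip: str
    transaction_id: int
    unit_id: int
    function_code: int
    address: int      # starting register/coil address
    value: int        # written value (FC 5/6) or quantity requested (FC 1-4)


def parse_modbus_tcp(src_ip: str, payload: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the first PDU fields of a Modbus/TCP
    request, i.e. what Wireshark shows for tcp.port==502 traffic."""
    if len(payload) < 12:
        raise ValueError("payload too short for MBAP header + request PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if protocol_id != 0:
        raise ValueError(f"not Modbus: protocol id {protocol_id}")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    function_code = payload[7]
    # Function codes 1-6, 15 and 16 all start with a 16-bit address followed by
    # a 16-bit value or quantity, so one unpack covers the codes we care about.
    address, value = struct.unpack(">HH", payload[8:12])
    return ModbusRequest(src_ip, transaction_id, unit_id, function_code, address, value)


def build_request(transaction_id: int, unit_id: int, function_code: int,
                  address: int, value: int) -> bytes:
    """Build a Modbus/TCP request frame. Used only to construct the sample capture."""
    pdu = struct.pack(">BHH", function_code, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def flag_anomalies(frames: List[Tuple[str, bytes]]) -> List[Tuple[str, Optional[ModbusRequest]]]:
    """Return (reason, request) pairs that belong in the traffic-analysis report:
    malformed frames and write requests from hosts outside the allowlist."""
    findings = []
    for src_ip, payload in frames:
        try:
            req = parse_modbus_tcp(src_ip, payload)
        except ValueError as exc:
            findings.append((f"malformed frame from {src_ip}: {exc}", None))
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src_ip not in AUTHORISED_WRITERS:
            findings.append(("unauthorised write", req))
    return findings


# Constructed sample capture: the HMI polls holding registers, then sets a
# setpoint; afterwards an unknown host writes 0 to the same register (the
# "change it to 0000" step of the experiment, seen from the wire).
SAMPLE_CAPTURE = [
    ("10.0.0.10", build_request(1, 1, 3, 0, 10)),    # Read Holding Registers 0-9
    ("10.0.0.10", build_request(2, 1, 6, 0, 350)),   # Write Single Register 0 = 350
    ("10.0.0.99", build_request(7, 1, 6, 0, 0)),     # unknown host writes 0 to register 0
]

if __name__ == "__main__":
    for reason, req in flag_anomalies(SAMPLE_CAPTURE):
        print(reason, req)
```

Feeding real traffic in means exporting the TCP payloads of the port-502 stream from Wireshark (or a pcap library) and passing them as (source IP, bytes) pairs; the report then lists each write that did not come from the HMI.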
Output:

Program 2
2. Configuring and Testing an Intrusion Detection System (IDS)
Scenario: An oil refinery has deployed an IDS in its control room but has not tested its
effectiveness. Simulated attacks are needed to evaluate the IDS's detection capability.
Objective: Configure Snort with custom rules to detect unauthorized login attempts, PLC
command injections, or DoS attacks on the refinery’s network.
Tools: Snort
Deliverables: A configured IDS, attack simulation results, and a performance evaluation report.
STEP-1: Start the Kali Linux machine in a virtual machine and start Snort with these commands:
sudo snort -c /etc/snort/snort.lua -i eth0 -T
sudo snort -c /etc/snort/snort.lua -i eth0 -A alert_fast -s 65535 -k none
The first command tests the configuration; the second starts the Snort IDS and begins monitoring the network for unauthorized login attempts, PLC command injections, or DoS attacks on the refinery’s network.
STEP-2: Start a DoS test with this command:
sudo hping3 -1 <IP address>
This floods the machine with ICMP packets, and Snort will detect and display the attack with the attacker’s IP address.
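Snort's `-A alert_fast` mode writes one alert per line, so the performance evaluation asked for in the deliverables can be scripted. The following added example (not part of the manual or of Snort) parses alert_fast lines and reports any source that fires the same signature repeatedly within a short window, which is how the hping3 test in STEP-2 shows up. The alert lines, the rule SID 1000001 and its message are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One alert per line, in the shape Snort's "-A alert_fast" output mode writes them.
ALERT_RE = re.compile(
    r'^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]'
    r'.*?\{(?P<proto>[A-Za-z0-9]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)


@dataclass
class Alert:
    seconds: float   # seconds since midnight; alert_fast timestamps carry no year
    sid: int
    msg: str
    proto: str
    src: str
    dst: str


def _to_seconds(ts: str) -> float:
    clock = ts.split("-", 1)[1]           # "06/12-10:15:32.12" -> "10:15:32.12"
    hours, minutes, secs = clock.split(":")
    return int(hours) * 3600 + int(minutes) * 60 + float(secs)


def parse_alert(line: str) -> Optional[Alert]:
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return Alert(_to_seconds(d["ts"]), int(d["sid"]), d["msg"], d["proto"], d["src"], d["dst"])


def find_floods(lines: List[str], threshold: int = 5, window: float = 10.0
                ) -> Tuple[List[Alert], List[Tuple[str, str, int]]]:
    """Parse alert lines and report (src, msg, total) for every source that
    triggered the same signature `threshold` times within `window` seconds."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]
    times: Dict[Tuple[str, str], List[float]] = defaultdict(list)
    for a in alerts:
        times[(a.src, a.msg)].append(a.seconds)
    floods = []
    for (src, msg), stamps in times.items():
        stamps.sort()
        # Sliding window: look for `threshold` alerts spanning at most `window` seconds.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                floods.append((src, msg, len(stamps)))
                break
    return alerts, floods


# Constructed alert_fast lines: SID 1000001 is a hypothetical local rule that
# fires on ICMP echo requests to the PLC. Five hits in three seconds from one
# host is the pattern an hping3 -1 test produces; the single hit from .50 is
# a normal ping and must not be reported as a flood.
SAMPLE_ALERTS = [
    '06/12-10:15:30.000100 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102',
    '06/12-10:15:30.500200 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102',
    '06/12-10:15:31.000300 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102',
    '06/12-10:15:31.600400 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102',
    '06/12-10:15:32.900500 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.101 -> 192.168.56.102',
    '06/12-10:20:05.000600 [**] [1:1000001:1] "ICS ICMP echo to PLC" [**] [Priority: 3] {ICMP} 192.168.56.50 -> 192.168.56.102',
    'this line is not an alert and is skipped',
]

if __name__ == "__main__":
    parsed, floods = find_floods(SAMPLE_ALERTS)
    print(len(parsed), "alerts parsed; floods:", floods)
```

For the evaluation report, run the simulated attack, feed the resulting alert file through `find_floods`, and compare the flagged sources and times with the attack log you kept: a source that attacked but is missing here is a detection gap, a source that never attacked but appears is a false positive.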

Program 3
3. Vulnerability Assessment of a Simulated ICS Network
Scenario: A power plant is transitioning to a new ICS network. The cybersecurity team must
perform a vulnerability assessment before the network goes live.
Objective: Scan the simulated ICS network for open ports, outdated software, and
misconfigurations.
Tools: Nmap, OpenVAS
Deliverables: A vulnerability assessment report listing critical issues, potential exploitation
risks, and suggested fixes.
STEP-1: Start the OpenPLC Runtime on the Windows machine, log in to the OpenPLC web UI, and start the PLC by clicking Start PLC.
STEP-2: Now start the Kali Linux machine in a virtual machine and ping the OpenPLC IP with this command:
ping <OpenPLC IP address>
STEP-3: Do an Nmap scan of the OpenPLC IP address using these commands:
nmap -A -p 1-1000 <IP address>
nmap -sU -p 502 --script modbus-discover <IP address>
STEP-4: Nikto is used in place of OpenVAS. Use this command to run a web application vulnerability test with Nikto:
nikto -h <OpenPLC web UI URL>
The username and password to log in to OpenPLC are openplc / openplc.
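The scan output still has to be turned into the findings list the deliverable asks for. The following added example (not part of the manual or of Nmap) reads Nmap's XML output (`-oX`), keeps the open ports, and classifies each one by what it means on an ICS network: an exposed control protocol, a cleartext management service, or a web interface whose version must be checked. The host, ports and service banners in the embedded XML are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Ports an ICS asset inventory should explain; the protocols behind them carry
# no authentication, so reachability alone is a finding.
ICS_PORTS = {102: "Siemens S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
CLEARTEXT_ADMIN = {"telnet", "ftp"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Constructed excerpt in Nmap's -oX format; host, ports and banners are invented.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.168.56.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="modbus"/></port>
      <port protocol="tcp" portid="8080"><state state="open"/>
        <service name="http" product="Werkzeug httpd" version="1.0.1"/></port>
    </ports>
  </host>
</nmaprun>"""


def open_ports(xml_text: str) -> List[Dict[str, object]]:
    """Return one record per open port found in Nmap XML output."""
    root = ET.fromstring(xml_text)
    records = []
    for host in root.iter("host"):
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), "?")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            records.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return records


def assess(records: List[Dict[str, object]]) -> List[Tuple[str, str, int, str]]:
    """Turn open-port records into (severity, host, port, recommendation)
    findings, highest severity first, as the assessment report needs them."""
    findings = []
    for r in records:
        port, svc = r["port"], r["service"]
        if port in ICS_PORTS:
            findings.append(("HIGH", r["host"], port,
                             f"{ICS_PORTS[port]} reachable; restrict to HMI/engineering hosts at the firewall"))
        elif svc in CLEARTEXT_ADMIN:
            findings.append(("HIGH", r["host"], port,
                             f"cleartext {svc} management; disable or replace with SSH/SFTP"))
        elif svc == "http":
            banner = f"{r['product']} {r['version']}".strip() or "unknown web server"
            findings.append(("MEDIUM", r["host"], port,
                             f"web interface ({banner}); verify the version is current and enforce authentication"))
        else:
            findings.append(("LOW", r["host"], port, f"{svc or 'unknown'} service; confirm it is required"))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[0]], f[2]))


if __name__ == "__main__":
    for severity, host, port, advice in assess(open_ports(SAMPLE_NMAP_XML)):
        print(f"{severity:<7} {host}:{port}  {advice}")
```

Run the STEP-3 scan with `-oX scan.xml` added, read the file, and pass its text to `open_ports`; the Nikto findings for the web UI go into the same report under the MEDIUM web-interface item.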

Output:

Program 4
4. Securing a PLC Environment
Scenario: A water treatment facility reports unauthorized access to its PLCs, leading to
erroneous water treatment settings. Students are tasked with securing the PLC environment.
Objective: Simulate unauthorized PLC access, implement secure configurations, and monitor
PLC traffic for anomalies.
Tools: OpenPLC, Wireshark
Deliverables: A secured PLC configuration and a log of identified unauthorized commands.

STEP-1: Start the OpenPLC Runtime on the Windows machine, log in to the OpenPLC web UI, and start the PLC by clicking Start PLC.
STEP-2: Now start the Kali Linux machine in a virtual machine and ping the OpenPLC IP with this command:
ping <OpenPLC IP address>
STEP-3: On the Kali Linux machine, a Python script is used to send an unauthorized PLC access command. Run the script with:
python3 [Link]
The script then sends the unauthorized Write Single Coil request to the PLC.
STEP-4: To apply a secure configuration and monitor PLC traffic, use Docker and Conpot in Kali Linux.
Command to start Conpot in Docker:
sudo docker run -it -p 80:8800 -p 102:10201 -p 502:5020 -p 161:16100/udp -p 47808:47808/udp -p 623:6230/udp -p 21:2121 -p 69:6969/udp -p 44818:44818 --network=bridge honeynet/conpot:latest
Then write a new Snort rule locally to monitor the PLC Modbus traffic.
Rules:
STEP-5: Start modpoll and send requests to the slave:
modpoll -m tcp -t 4 -r 1 -c 1 <localhost IP address>
Then monitor the Modbus traffic reaching Conpot; it will alert on the unauthorized PLC access.
Output:

Program 5
5. Simulating Cyber Attacks on ICS and Designing Defenses
Scenario: An attacker compromises an engineering workstation and uses it to issue malicious
commands to ICS devices. Students must simulate this attack and propose defenses.
Objective: Perform simulated attacks such as PLC logic manipulation and denial-of-service,
then implement measures like firewall rules or intrusion prevention systems.
Tools: Metasploit Framework, Security Onion
Deliverables: A report describing the attack, its impact, and the defense mechanisms
implemented.

STEP-1: Start the OpenPLC Runtime on the Windows machine, log in to the OpenPLC web UI, and start the PLC by clicking Start PLC.
STEP-2: Now start the Kali Linux machine in a virtual machine and ping the OpenPLC IP with this command:
ping <OpenPLC IP address>
STEP-3: Do an Nmap scan to check the status of port 502:
nmap -p 502 <OpenPLC IP address>
STEP-4: Now open the MSF console in Kali Linux to start the Metasploit Framework. In the MSF console, search for Modbus.
Commands:
search modbus
use 2 (or: use auxiliary/scanner/scada/modbusclient)
show options
set RHOSTS <OpenPLC IP address>
set DATA 100
set DATA_REGISTERS 1
set ACTION WRITE_COIL
set DATA 1
run
STEP-5: Open Wireshark and monitor the traffic.
Output:

Program 6
6. Web Application Security for Industrial Systems
Scenario: The web-based interface of a chemical plant’s ICS is suspected to have vulnerabilities
that attackers could exploit to alter chemical mix ratios.
Objective: Conduct a security assessment of the web interface for vulnerabilities like SQL
injection, cross-site scripting, and improper authentication mechanisms.
Tools: OWASP ZAP
Deliverables: A vulnerability scan report with remediation recommendations for the ICS web
application.
STEP-1: Open the [Link] website in any web browser.
STEP-2: Open the OWASP ZAP application (ZAP 2.16.1) on the Windows machine.
STEP-3: In ZAP, select Automated Scan, paste the testphp URL, and click Start. ZAP runs a full automated web application vulnerability scan and can also generate a complete report. To get the report, click Report, then Generate Report; the full report is generated automatically.
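ZAP reports the vulnerability classes named in the objective; the remediation part of the deliverable needs to show what the fix looks like in code. The following added example (not part of the manual, ZAP or the scanned site) places a login check built by string formatting beside its parameterised, salted-hash form, and an unescaped HTML rendering beside its output-encoded form, using only the Python standard library with an in-memory SQLite database. The table names, the operator account and its password are constructed.

```python
import hashlib
import hmac
import html
import secrets
import sqlite3


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with one operator account stored two
    ways: in the clear (legacy table) and salted+hashed (hardened table)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE legacy_users (username TEXT, password TEXT)")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO legacy_users VALUES (?, ?)", ("operator", "mix-ratio-2024"))
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("operator", salt, hash_password("mix-ratio-2024", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Query assembled by string formatting: user input becomes SQL syntax,
    # and the password is compared in the clear.
    query = (f"SELECT 1 FROM legacy_users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameterised query: the driver binds the value, it can never become SQL.
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the derived hash, never of the password itself.
    return hmac.compare_digest(hash_password(password, salt), stored)


def render_status_vulnerable(operator_name: str) -> str:
    # Reflects user-controlled text straight into the page: stored/reflected XSS.
    return f"<p>Logged in as {operator_name}</p>"


def render_status_hardened(operator_name: str) -> str:
    # Output encoding turns markup characters into harmless entities.
    return f"<p>Logged in as {html.escape(operator_name)}</p>"


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR '1'='1' --"   # the classic tautology ZAP's SQLi checks send
    print("vulnerable login accepts injected username:", login_vulnerable(db, probe, "x"))
    print("hardened login accepts injected username:  ", login_hardened(db, probe, "x"))
    print(render_status_hardened("<script>alert(1)</script>"))
```

The same two fixes, binding parameters instead of concatenating, and encoding on output instead of trusting input, are what the remediation section of the report should recommend for each SQL injection and XSS finding ZAP produces.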

Output:

Program 7
7. Securing ICS Protocols and Communication Channels
Scenario: A logistics company faces unauthorized Modbus/TCP communication between its
control system and conveyor belt motors, disrupting operations.
Objective: Configure secure communication using encryption and analyze normal vs. malicious
protocol traffic.
Tools: OpenSSL, Wireshark
Deliverables: Secured Modbus/TCP communication setup and a comparative analysis of traffic
logs.
STEP-1: Start the Conpot Docker container with this command:
sudo docker run -it -p 80:8800 -p 102:10201 -p 502:5020 -p 161:16100/udp -p 47808:47808/udp -p 623:6230/udp -p 21:2121 -p 69:6969/udp -p 44818:44818 --network=bridge honeynet/conpot:latest
STEP-2: Start modpoll with this command:
modpoll -m tcp -t 4 -r 1 -c 1 [Link]
STEP-3: Open Wireshark and monitor the traffic. In the Wireshark filter, type:
tcp.port==502 or modbus
STEP-4: To start a secure OpenSSL (stunnel) connection, use these commands:
sudo pkill stunnel
sudo stunnel /etc/stunnel/[Link]
sudo netstat -tulnp | grep 1502
STEP-5: Now use modpoll to connect through the secure tunnel on port 1502:
modpoll -m tcp -t 4 -r 1 -c 1 -p 1502 [Link]
STEP-6: Now go to Wireshark and monitor the traffic with the filter tcp.port==1502.
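The comparative analysis in the deliverable comes down to one question per flow: can a host on the wire read the function code, or only a TLS record header? The following added example (not part of the manual, stunnel or Wireshark) classifies the first bytes of each TCP payload as plaintext Modbus/TCP (port 502 in STEP-3) or a TLS record (port 1502 in STEP-6) and lists the write requests that are exposed in the clear. The flows and their bytes are constructed for the example.

```python
from collections import Counter
from typing import Dict, List, Tuple

# (src, dst, dst_port, first bytes of the TCP payload) for a few constructed
# flows: plain Modbus/TCP on 502 and the stunnel-wrapped copy on 1502.
Flow = Tuple[str, str, int, bytes]

SAMPLE_FLOWS: List[Flow] = [
    # MBAP tid=1 proto=0 len=6 unit=1, then FC 3 (Read Holding Registers) addr 0 qty 1
    ("192.168.56.10", "192.168.56.20", 502, bytes.fromhex("000100000006010300000001")),
    # MBAP tid=2, FC 6 (Write Single Register) addr 0 value 0, from an unknown host
    ("192.168.56.99", "192.168.56.20", 502, bytes.fromhex("000200000006010600000000")),
    # TLS record: type 0x16 (handshake), version 0x0301, length 0xf1, ClientHello ...
    ("192.168.56.10", "192.168.56.20", 1502, bytes.fromhex("16030100f1010000ed0303") + b"\x00" * 8),
    # TLS application-data record (type 0x17), record version 0x0303
    ("192.168.56.10", "192.168.56.20", 1502, bytes.fromhex("170303002a") + b"\x00" * 8),
]

TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # change_cipher_spec, alert, handshake, app data
MODBUS_WRITE_FCS = {5, 6, 15, 16}


def classify_payload(payload: bytes) -> str:
    """Decide from the first bytes alone whether a segment is plaintext
    Modbus/TCP, a TLS record, or something else."""
    if len(payload) >= 8:
        protocol_id = int.from_bytes(payload[2:4], "big")
        length = int.from_bytes(payload[4:6], "big")
        function_code = payload[7]
        # Modbus: protocol id 0, length covers unit id + PDU, sane function code.
        if protocol_id == 0 and length == len(payload) - 6 and 1 <= function_code <= 127:
            return "modbus-plaintext"
    if (len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES
            and payload[1] == 0x03 and payload[2] in (0x01, 0x02, 0x03, 0x04)):
        return "tls-record"   # record-layer version 3.1 to 3.4 = TLS 1.0 to 1.3
    return "unknown"


def modbus_function(payload: bytes) -> int:
    """Function code of a plaintext Modbus frame (only meaningful after classification)."""
    return payload[7]


def audit(flows: List[Flow]) -> Dict[str, object]:
    """Compare plaintext and encrypted flows: what an eavesdropper can read,
    and which write commands travel in the clear."""
    kinds: Counter = Counter()
    exposed_writes = []
    for src, dst, port, payload in flows:
        kind = classify_payload(payload)
        kinds[kind] += 1
        if kind == "modbus-plaintext" and modbus_function(payload) in MODBUS_WRITE_FCS:
            exposed_writes.append((src, dst, port, modbus_function(payload)))
    return {"counts": dict(kinds), "exposed_writes": exposed_writes}


if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

A TLS record header still reveals the record type and length, so traffic volume and timing remain observable even on port 1502; only the function codes, addresses and values are hidden, which is exactly the comparison the report should draw.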

Output:

Program 8
8. Incident Response Simulation in an ICS Environment

Tools:
● Wireshark – packet capture and protocol analysis (Modbus, DNP3, etc.)
● Zeek (Bro) – network traffic analysis
● Security Onion – IDS + NSM platform
● Snort or Suricata – intrusion detection system
● Splunk / ELK Stack – log monitoring and correlation


Procedure

Preparation
● Start all virtual machines.
● Enable logging on:
   1. Windows Event Viewer (Engineering Workstation)
   2. SCADA/HMI logs
● Start a Wireshark capture on the Control Network interface.
● Start the IDS (Snort/Suricata/Security Onion).
● Configure an IDS rule to alert on Modbus Write function codes (05, 06, 15, 16).
● Ensure the SIEM is receiving logs (if configured).

Normal Operation Baseline
● Observe normal PLC–HMI communication in Wireshark.
● Note normal Modbus traffic (Read Coils / Read Registers).
● Save 2–3 minutes of normal traffic as the baseline PCAP.

Attack Simulation
● Log in to Kali Linux (attacker).
● Perform a network scan:
nmap -sV <PLC_IP>
● Use a Modbus client tool to send an unauthorized write command to a PLC register.
● Record the time of the attack.

Detection
● Check the IDS dashboard for alerts.
● Identify:
   o Source IP address
   o Destination (PLC IP)
   o Alert type (Modbus Write / Scan)
● Open the Wireshark capture.
● Apply the filter:
modbus
● Locate the suspicious Modbus Write request packets.
● Note the function code and the register being modified.

Analysis
● Verify whether the PLC register value changed.
● Check the HMI for abnormal process values.
● Review Engineering Workstation logs for unauthorized access.
● Collect evidence:
   o IDS alert screenshot
   o PCAP file
   o Log files

Containment
● Block the attacker IP using a firewall rule.
● Disconnect the Engineering Workstation network adapter (simulated isolation).
● Stop the malicious Modbus client on the Kali machine.

Eradication
● Scan the Engineering Workstation with antivirus (simulated).
● Remove suspicious tools/files (if any).
● Change the passwords of ICS user accounts.

Recovery
● Restore the correct PLC register values.
● Reconnect the Engineering Workstation to the network.
● Monitor traffic for 5 minutes in Wireshark.
● Confirm there are no further unauthorized Modbus write commands.

Documentation
● Record:
   1. Date and time of incident
   2. Attacker IP
   3. Target system
   4. Type of malicious command
● Attach:
   1. IDS alert logs
   2. PCAP evidence
   3. Screenshots of abnormal and restored state
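The Normal Operation Baseline, Detection and Documentation stages above fit together as one small analysis: learn who talks to whom with which function codes during the baseline capture, then list every incident-window request that falls outside it and fill the Documentation record from the first unauthorized write. The following added example (not part of the manual or of any of the listed tools) does that over decoded Modbus events; the timestamps, hosts and events are constructed, and a real run would feed it the decoded rows exported from the baseline and incident PCAPs.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

MODBUS_FC_NAMES = {1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
                   4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
WRITE_FCS = {5, 6, 15, 16}


@dataclass(frozen=True)
class ModbusEvent:
    time: str        # ISO-8601 timestamp taken from the capture
    src: str
    dst: str
    function_code: int
    address: int


# Constructed baseline (the 2-3 minutes of normal PLC-HMI traffic saved as PCAP).
BASELINE = [
    ModbusEvent("2025-06-12T10:00:01", "10.0.0.10", "10.0.0.20", 3, 0),
    ModbusEvent("2025-06-12T10:00:02", "10.0.0.10", "10.0.0.20", 1, 0),
    ModbusEvent("2025-06-12T10:00:03", "10.0.0.10", "10.0.0.20", 3, 0),
]

# Constructed incident-window capture: the same polling plus an unknown host
# that first reads, then writes register 0.
INCIDENT = [
    ModbusEvent("2025-06-12T10:42:01", "10.0.0.10", "10.0.0.20", 3, 0),
    ModbusEvent("2025-06-12T10:42:05", "10.0.0.99", "10.0.0.20", 3, 0),
    ModbusEvent("2025-06-12T10:42:07", "10.0.0.99", "10.0.0.20", 6, 0),
    ModbusEvent("2025-06-12T10:42:08", "10.0.0.10", "10.0.0.20", 1, 0),
]


def learn_baseline(events: List[ModbusEvent]) -> Set[Tuple[str, str, int]]:
    """Allowlist of (src, dst, function code) triples seen during normal operation."""
    return {(e.src, e.dst, e.function_code) for e in events}


def detect(events: List[ModbusEvent],
           baseline: Set[Tuple[str, str, int]]) -> List[Tuple[str, ModbusEvent]]:
    """Return (reason, event) for every event outside the baseline; writes are
    called out separately because they change the process."""
    known_sources = {src for src, _, _ in baseline}
    deviations = []
    for e in events:
        if (e.src, e.dst, e.function_code) in baseline:
            continue
        if e.function_code in WRITE_FCS:
            deviations.append(("unauthorised write", e))
        elif e.src not in known_sources:
            deviations.append(("new source host", e))
        else:
            deviations.append(("new function code for known host", e))
    return deviations


def incident_record(deviations: List[Tuple[str, ModbusEvent]]) -> Dict[str, str]:
    """Fill the Documentation fields of the experiment from the first unauthorised write."""
    writes = [e for reason, e in deviations if reason == "unauthorised write"]
    if not writes:
        return {"status": "no unauthorised write observed"}
    first = min(writes, key=lambda e: e.time)
    return {
        "date_time": first.time,
        "attacker_ip": first.src,
        "target_system": first.dst,
        "malicious_command": (f"{MODBUS_FC_NAMES[first.function_code]} "
                              f"(FC {first.function_code}) at address {first.address}"),
    }


if __name__ == "__main__":
    deviations = detect(INCIDENT, learn_baseline(BASELINE))
    for reason, event in deviations:
        print(reason, event)
    print(incident_record(deviations))
```

The baseline must be captured while the plant is genuinely idle of engineering activity; a legitimate setpoint change recorded during the baseline window would otherwise teach the allowlist that writes from the HMI are normal without anyone having reviewed it.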

Output :

Program 9
9. Firewall and Access Control Configuration for ICS
Scenario: An unauthorized laptop connects to the ICS network at a steel factory and issues
shutdown commands to operational systems.
Objective: Implement access control policies and configure firewalls to block unauthorized
devices and restrict communication to trusted sources.
Tools: pfSense, MoD Security
Deliverables: Firewall and access control configuration files, along with a report on
unauthorized device mitigation.
Start the pfSense and Kali machines.
NOTE: for this experiment we need two Kali Linux (or any Linux) machines running.
Step 1: Start the pfSense machine in the VM.
Start Kali 1; make sure Adapter 1 (LAN) is attached to an Internal Network (e.g., named intnet). Ping [Link], open Firefox, and log in to pfSense at [Link].
Start Kali 2; make sure Adapter 1 (LAN) is attached to the same Internal Network (intnet). Ping [Link], then open Firefox and access pfSense at [Link].
Kali 1 is used to administer pfSense.
Kali 2 is the machine on which we test the rules.
First, ping pfSense from Kali 2 to check that the network is working.
Then set the rules from Kali 1: access pfSense in Firefox at [Link]
username: admin
password: pfsense
Firewall ---> Aliases ---> IP ---> click on Add --->
Name = Trusted devices
Type = Host
IP or FQDN = Kali 1 IP address ---> click on Add host ---> Kali 2 IP address ---> Save
Start Kali 2 and ping pfSense at [Link].
Go to Kali 1 and, in pfSense, remove the IP of Kali 2 from Trusted devices.
Go to Kali 2 and try to ping pfSense at [Link] and try to access the web UI as well.
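What the experiment demonstrates on pfSense is first-match rule evaluation against an alias: a host is reachable only while it is in "Trusted devices", and everything else falls through to a deny. The following added example (not part of the manual or of pfSense) models that policy so the expected outcome of each test can be checked before touching the firewall. The addresses, alias members and rule set are constructed for the example; `untrust` mirrors removing Kali 2 from the alias.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set, Tuple, Union

HostSpec = Union[IPv4Network, Set[IPv4Address]]   # a subnet, or an alias (set of hosts)


@dataclass
class Rule:
    action: str                 # "pass" or "block"
    src: HostSpec
    dst: HostSpec
    proto: str                  # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]        # None = any port
    description: str


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: Optional[int] = None


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation, top to bottom, as pfSense applies interface rules.
    `ip in spec` works for both an IPv4Network and a set of addresses."""
    for r in rules:
        if (pkt.src in r.src and pkt.dst in r.dst
                and r.proto in ("any", pkt.proto)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, r.description
    return "block", "implicit default deny"


# Constructed policy. The alias is a mutable set so that removing a host from
# "Trusted devices" takes effect without editing the rules, as in the experiment.
ANY = ip_network("0.0.0.0/0")
PLC = {ip_address("192.168.1.50")}
FIREWALL = {ip_address("192.168.1.1")}
TRUSTED_DEVICES = {ip_address("192.168.1.10"), ip_address("192.168.1.11")}   # Kali 1, Kali 2

RULES = [
    Rule("pass", TRUSTED_DEVICES, PLC, "tcp", 502, "trusted hosts to PLC Modbus/TCP"),
    Rule("pass", TRUSTED_DEVICES, FIREWALL, "tcp", 443, "trusted hosts to firewall web UI"),
    Rule("pass", TRUSTED_DEVICES, FIREWALL, "icmp", None, "trusted hosts may ping the firewall"),
    Rule("block", ANY, ANY, "any", None, "explicit default deny for the ICS LAN"),
]


def decide(src: str, dst: str, proto: str, dport: Optional[int] = None) -> str:
    """Action the policy takes for one packet, given as strings for convenience."""
    return evaluate(RULES, Packet(ip_address(src), ip_address(dst), proto, dport))[0]


def untrust(ip: str) -> None:
    """Remove a host from the Trusted devices alias (the STEP where Kali 2 is removed)."""
    TRUSTED_DEVICES.discard(ip_address(ip))


if __name__ == "__main__":
    print("Kali 2 pings firewall:", decide("192.168.1.11", "192.168.1.1", "icmp"))
    untrust("192.168.1.11")
    print("Kali 2 pings firewall after removal:", decide("192.168.1.11", "192.168.1.1", "icmp"))
    print("unknown laptop to PLC:", decide("192.168.1.77", "192.168.1.50", "tcp", 502))
```

The order matters: if the explicit block were placed first, nothing would ever match the pass rules. On the real firewall the alias only has an effect once a rule references it, so the configuration files in the deliverable should contain both the alias and the rules that use it.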
Output:

Program 10
10. Risk Assessment and Mitigation Planning for ICS
Scenario: A renewable energy plant wants to evaluate cybersecurity risks before connecting its
wind turbines to the grid.
Objective: Conduct a risk assessment considering hardware vulnerabilities, communication
protocols, and environmental factors. Propose a mitigation plan.
Tools: Custom scripts, risk assessment frameworks
Deliverables: A comprehensive risk assessment report and a prioritized mitigation strategy.
Identify Potential Vulnerabilities in ICS
● Goal: Discover vulnerable components in a basic ICS network.
● For this exper﻿iment, we need two systems, both running on the same host. I have taken Kali Linux and CSI Linux for this experiment. (Any Linux OS can be used.)
Step 1: Research ICS Cyber Attacks
● Studied Stuxnet, Triton, and the Ukraine Power Grid attack.
● Noted their targets, attack vectors, and impact.
Step 2: Set up the ICS Environment
● Kali Linux as the attacker on VirtualBox.
● CSI Linux as the victim on VirtualBox, with a Modbus TCP server using pymodbus.
● Verified communication over a bridged network.
Step 3: Start the Modbus Service in CSI Linux
● Install pymodbus using:
sudo pip3 install pymodbus
● Create the Python script that starts the Modbus service (the code is given at the end of this program):
mousepad modbus_service.py
Paste the Python code and save the file.
● Run the script with:
sudo python3 modbus_service.py
Step 4: Perform Vulnerability Scanning
● On Kali, run:
nmap -sV -p 502 [CSI_IP]
● Found the Modbus port open and accessible.
● Used Wireshark to observe Modbus TCP traffic.
● Start modpoll in Kali Linux:
modpoll -m tcp -a 1 -r 1 -c 5 [CSI_LINUX_IP]
● Go back to CSI Linux and monitor the Modbus service; the Modbus requests appear in its log.
● Start Wireshark in Kali and use the filter tcp.port==502 to monitor the traffic.
Step 5: Simulate Environmental and Communication Risks from the Kali Linux machine against CSI Linux
● Goal: Observe how the ICS behaves under threat conditions.
● Instructions:
   1. Use a tool like hping3 or a Python script to simulate a network flood:
   hping3 --flood -p 502 [target IP]
   2. Try removing a sensor or communication link in the simulator.
   3. Observe the effect on the HMI, PLCs, or control logic.
   4. Log the behaviour (e.g., alarm triggered, control loss, crash).
Step 6: Apply a Risk Assessment Framework
● Goal: Analyze risks using a formal methodology.
● Instructions:
   1. Use the NIST SP 800-30 or IEC 62443 guidelines (PDFs will be shared).
   2. List at least 3 to 5 assets in your ICS.
   3. For each, identify threats and vulnerabilities, and assign:
      ● Likelihood (Low, Medium, High)
      ● Impact (Low, Medium, High)
   4. Use this formula to calculate Risk:
      Risk = Likelihood x Impact
   5. Fill out the Risk Matrix table (Excel or manually).
● Expected Output:
   o A completed risk matrix with at least 3 to 5 entries.
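The Risk = Likelihood x Impact step needs the qualitative levels mapped onto numbers before the products can be ranked. The following added example (not part of the manual, NIST SP 800-30 or IEC 62443) does that with a 1-3 scale for each factor, rates the product into Low/Medium/High bands, and orders the entries into the prioritized mitigation list the deliverable asks for. The assets, threats and the band thresholds (1-2 Low, 3-4 Medium, 6-9 High) are constructed for the wind-turbine scenario and should be replaced by the values from your own assessment.

```python
from dataclasses import dataclass
from typing import List

LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class RiskEntry:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str   # Low / Medium / High
    impact: str       # Low / Medium / High
    mitigation: str

    @property
    def risk(self) -> int:
        # Risk = Likelihood x Impact on the 1-3 scales above (possible values 1, 2, 3, 4, 6, 9).
        return LEVEL[self.likelihood] * LEVEL[self.impact]

    @property
    def rating(self) -> str:
        # Constructed bands: 6-9 High, 3-4 Medium, 1-2 Low.
        return "High" if self.risk >= 6 else "Medium" if self.risk >= 3 else "Low"


# Constructed entries for the wind-turbine scenario; values are illustrative.
RISK_REGISTER = [
    RiskEntry("Turbine PLC", "Unauthorised Modbus write", "Modbus/TCP has no authentication",
              "High", "High", "Segment the PLC network; allow writes only from the HMI via firewall"),
    RiskEntry("HMI workstation", "Malware via USB", "Outdated OS, no application allowlisting",
              "Medium", "High", "Patch, disable removable media, enforce application allowlisting"),
    RiskEntry("Remote access VPN", "Credential theft", "Single-factor authentication",
              "Medium", "Medium", "Require MFA and per-vendor accounts"),
    RiskEntry("Tower sensor cabling", "Lightning/storm damage", "Exposed cabling, no surge protection",
              "Low", "Medium", "Surge protection and redundant sensor links"),
    RiskEntry("Historian server", "Data tampering", "Shared local admin password",
              "Low", "Low", "Unique credentials and integrity monitoring"),
]


def prioritise(entries: List[RiskEntry]) -> List[RiskEntry]:
    """Mitigation order: highest risk first, higher impact breaking ties."""
    return sorted(entries, key=lambda e: (-e.risk, -LEVEL[e.impact], e.asset))


def risk_matrix(entries: List[RiskEntry]) -> List[str]:
    """Plain-text risk matrix rows (Asset | Likelihood | Impact | Risk | Rating) for the report."""
    rows = [f"{'Asset':<22}{'Likelihood':<12}{'Impact':<8}{'Risk':<6}Rating"]
    for e in prioritise(entries):
        rows.append(f"{e.asset:<22}{e.likelihood:<12}{e.impact:<8}{e.risk:<6}{e.rating}")
    return rows


if __name__ == "__main__":
    print("\n".join(risk_matrix(RISK_REGISTER)))
    print()
    for rank, e in enumerate(prioritise(RISK_REGISTER), 1):
        print(f"{rank}. [{e.rating}] {e.asset}: {e.mitigation}")
```

Because the scale is ordinal, the products are only a ranking device: a 4 is not "twice as risky" as a 2, and two entries with the same score should be separated by impact (as the sort does) or by the cost of the mitigation, not treated as interchangeable.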
The Python code to start the Modbus service in CSI Linux
from pymodbus.server import StartTcpServer
from pymodbus.device import ModbusDeviceIdentification
from pymodbus.datastore import ModbusSequentialDataBlock
from pymodbus.datastore import ModbusSlaveContext, ModbusServerContext
import logging

# Optional: enable logging to see each request the server handles
logging.basicConfig()
log = logging.getLogger()
log.setLevel(logging.DEBUG)

# Define the Modbus data store with some dummy values
store = ModbusSlaveContext(
    di=ModbusSequentialDataBlock(0, [0] * 100),    # discrete inputs
    co=ModbusSequentialDataBlock(0, [0] * 100),    # coils
    hr=ModbusSequentialDataBlock(0, [123] * 100),  # holding registers (example value)
    ir=ModbusSequentialDataBlock(0, [456] * 100),  # input registers
)
context = ModbusServerContext(slaves=store, single=True)

# Device identity (optional)
identity = ModbusDeviceIdentification()
identity.VendorName = 'OpenAI Lab'
identity.ProductCode = 'PM'
identity.VendorUrl = '[Link]'
identity.ProductName = 'Modbus Server'
identity.ModelName = 'MoD Sim'
identity.MajorMinorRevision = '3.0'

# Start the Modbus TCP server on port 502 (a privileged port, hence sudo).
# The bind address was elided in this copy of the manual; "0.0.0.0" (all
# interfaces) is assumed so that the Kali machine can reach the service.
StartTcpServer(context=context, identity=identity, address=("0.0.0.0", 502))
The code is for understanding purposes; it’s not necessary to write it in a record.

Output:
