Enabling End-to-End APT Emulation in Industrial Environments: Design and Implementation of the SIMPLE-ICS Testbed

TL;DR

The paper introduces SIMPLE-ICS, a comprehensive virtualized testbed that emulates multi-stage APT campaigns across industrial IT, OT, and IIoT environments, enabling realistic cybersecurity research and detection strategies.

Contribution

It presents the design, implementation, and validation of a novel industrial cybersecurity testbed supporting end-to-end APT emulation across diverse industrial networks.

Findings

Supports multi-stage APT campaign emulation

Enables synchronized data collection across domains

Validated for attack trace observability and repeatability

Abstract

Research on Advanced Persistent Threats (APTs) in industrial environments requires experimental platforms that support realistic end-to-end attack emulation across converged enterprise IT, operational technology (OT), and Industrial Internet of Things (IIoT) networks. However, existing industrial cybersecurity testbeds typically focus on isolated IT or OT domains or single-stage attacks, limiting their suitability for studying multi-stage APT campaigns. This paper presents the design, implementation, and validation of SIMPLE-ICS, a virtualised industrial enterprise testbed that enables emulation of multi-stage APT campaigns across IT, OT, and IIoT environments. The testbed architecture is based on the Purdue Enterprise Reference Architecture, NIST SP 800-82, and IEC 62443 zoning principles and integrates enterprise services, industrial control protocols, and digital twin based process simulation. A systematic methodology inspired by the V model is used to derive architectural requirements, attack scenarios, and validation criteria. An APT campaign designed to mimic the BlackEnergy campaign is emulated using MITRE ATTACK techniques spanning initial enterprise compromise, credential abuse, lateral movement, OT network infiltration, and process manipulation. The testbed supports the synchronised collection of network traffic, host-level logs, and operational telemetry across all segments. The testbed is validated on multi-stage attack trace observability, logging completeness across IT, OT, and IIoT domains, and repeatable execution of APT campaigns. The SIMPLE-ICS testbed provides an experimental platform for studying end-to-end APT behaviours in industrial enterprise networks and for generating multi-source datasets to support future research on campaign-level detection and correlation methods.