OTLab Training Platform

A hands-on ICS / OT security training lab. One Raspberry Pi. Full DMZ + Process Control fabric — firewall, virtual PLCs, Modbus + DNP3, Suricata IDS, operator dashboard. Built for ICS Village at DEF CON.

  • 1 Raspberry Pi
  • 9 Containerized Services
  • 7 Dashboard Tabs
  • ~30 min First-Run Deploy

[Image: OTLab Architecture tab — Purdue model with the lab's actual assets placed at canonical levels.]

One Pi. One WiFi. That's It.

The Whole ICS Fabric in Containers

OTLab packs an industrial DMZ + Process Control Network onto a single Raspberry Pi 5 using ContainerLab. Firewall, DHCP, DNS, virtual PLCs, Modbus and DNP3 outstations, a master polling loop, Suricata IDS, and a 7-tab operator dashboard — all in containers, all on one Pi.

The single-Pi build is shipped and working. Optional expansions (additional Pis with real GPIO, Conpot honeypot personas, RS485 industrial sensors, ESP32 wireless IoT) layer on top without changing the core lab.

  • Industrial DMZ (L3.5) + Process Control Network (L1/L2)
  • Containerized iptables firewall with SNAT + DNS forwarding
  • Maple Ridge Treatment Plant scenario, live on the dashboard
  • MIT-licensed, public, fork-and-teach-with-it
What You Get

A Complete Teaching Environment

Eight categories of real OT infrastructure, on the same Pi a student carries home in a backpack.

  • Network Segmentation: Industrial DMZ (L3.5) + Process Control Network (L1/L2), enforced by a containerized iptables firewall with SNAT + DNS forwarding.
  • DHCP / DNS: Per-zone dnsmasq DHCP with static reservations. DNS forwarder integrated into the firewall, all queries logged — "DNS exfil at the firewall" as a teachable signal.
  • Master / Outstation: modbus-master polling sensor-sim at 10 Hz — deterministic, observable Modbus TCP traffic on the wire.
  • OpenPLC: Two virtual OpenPLC instances with web UIs on ports :8081 and :8082 for IEC 61131-3 click-around lessons.
  • DNP3: Pure-stdlib DNP3 outstation on :20000.
  • IDS: Suricata sniffing pcn-br0 with OTLAB rules for Modbus FC5/6/15/16 writes from non-master IPs plus SSH brute-force detection.
  • Dashboard: 7-tab Flask + vanilla JS operator surface: Overview · Architecture · IDS · Firewall · DHCP · Live Data · Teaching.
  • Admin UIs: Cockpit (Linux), Portainer (Docker), EdgeShark (live packet capture in browser).
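
The IDS check described in the list above (Modbus FC5/6/15/16 writes from non-master IPs), written out as an added Python example. It is not OTLab's Suricata ruleset; the master address 10.0.2.10, the sample frames, and all function names are constructed assumptions, and only client-to-server requests are assumed to be fed in.

```python
import struct

# Modbus write function codes named on the page: FC5/6/15/16.
WRITE_FCS = {5: "Write Single Coil", 6: "Write Single Register",
             15: "Write Multiple Coils", 16: "Write Multiple Registers"}
# Assumption: address of the authorized master (constructed, not OTLab's addressing).
MASTER_IPS = {"10.0.2.10"}

def parse_modbus_tcp(payload: bytes):
    """Parse one Modbus TCP ADU; return (unit_id, function_code, data) or None if malformed."""
    if len(payload) < 8:  # 7-byte MBAP header + 1-byte function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id must be 0; length counts the unit id plus the PDU bytes.
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None
    pdu = payload[7:6 + length]
    return unit, pdu[0], pdu[1:]

def check_frame(src_ip: str, payload: bytes):
    """Return an alert dict for a write request from a non-master source, else None."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None:
        return None
    unit, fc, data = parsed
    if fc not in WRITE_FCS or src_ip in MASTER_IPS:
        return None
    # All four write requests start with a 2-byte coil/register address.
    addr = struct.unpack(">H", data[:2])[0] if len(data) >= 2 else None
    return {"src": src_ip, "unit": unit, "fc": fc, "name": WRITE_FCS[fc], "addr": addr}

def adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Build a Modbus TCP ADU for the constructed samples below."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed requests to TCP/502 as (source IP, TCP payload) pairs.
SAMPLES = [
    ("10.0.2.10", adu(1, 1, bytes([3, 0, 0, 0, 4]))),            # master read: ignored
    ("10.0.2.10", adu(2, 1, bytes([6, 0, 1, 0, 50]))),           # master write: allowed
    ("10.0.2.77", adu(3, 1, bytes([5, 0, 2, 0xFF, 0]))),         # non-master coil write
    ("10.0.2.77", adu(4, 1, bytes([16, 0, 8, 0, 1, 2, 0, 9]))),  # non-master register write
    ("10.0.2.77", b"\x00\x05\x00\x00\x00"),                      # truncated: skipped
]

def scan(samples):
    return [a for a in (check_frame(ip, p) for ip, p in samples) if a]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

Responses echo the request's function code, so a passive sensor that also sees server-to-client traffic needs to filter on destination port 502 before applying this check.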
The Dashboard

Maple Ridge Treatment Plant, Live on Your Pi

The OTLab dashboard is a working water-utility operator surface. Animated process schematic, live IDS alerts, real firewall counters, a Modbus write playground — the same artifacts a defender works with on a real plant.

01 · Overview

[Image: OTLab Overview tab — animated SVG synoptic of the Maple Ridge treatment plant with live tank levels, temperature, and discharge pressure.]

Live process state with an animated SVG synoptic, cards for every container, and live Modbus poll telemetry from the master loop.

02 · Architecture

[Image: OTLab Architecture tab — Purdue model with lab assets placed at canonical levels and auto-discovered network topology.]

Purdue model with the lab's actual assets placed at their canonical levels, plus an auto-discovered network topology view.

03 · IDS

[Image: OTLab IDS tab — Suricata stats with 24h timeline, top signatures, sources, targets, and recent alerts.]

Suricata stats — counts (5m / 1h / 24h), 24-hour timeline, top signatures, top sources, top targets, recent alerts.

04 · Firewall

[Image: OTLab Firewall tab — live iptables chains with packet counters, conntrack snapshot, and DNS query stats.]

Live iptables (5 chains) with packet counters, conntrack snapshot, DNS query stats, and the rolling DNS log.

05 · DHCP

[Image: OTLab DHCP tab — per-zone lease tables with static reservations and recent transactions.]

Per-zone (DMZ + PCN) lease tables, static reservations, and recent transactions.

06 · Live Data

[Image: OTLab Live Data tab — system health, audit log, and pcap captures.]

System health, full audit log, and on-demand pcap captures from the PCN bridge.

07 · Teaching

[Image: OTLab Teaching tab — Risks, walkthroughs, runnable test library, Modbus Write Playground, Inject Fault, Cohort Reset.]

The lesson surface: scenario risks, incident walkthroughs, a runnable test library, the Modbus Write Playground (teaching artifact, intentionally no auth), Inject Fault, and one-click Cohort Reset between students.

Expanding the Lab

From Single Pi to Full Plant Fabric

Each stage is independent and optional. The single-Pi lab is fully functional on its own — you don't need any of these expansions to teach the core curriculum.

Stage 2 (Optional): Physical OpenPLC Pi

Add a second Raspberry Pi with real GPIO, real Modbus on the wire, and Phase 2 hardware — relays, indicators, pushbutton inputs. Students wire real I/O and watch ladder logic drive it.

Stage 2 (Optional): Physical Conpot Pi

Three vendor honeypot personas (Siemens / Schneider / Rockwell) running on a separate physical Pi. Great for teaching attacker enumeration vs. real OT vs. honeypot traffic.

Stage 3 (Optional): RS485 Industrial Sensor

Connect a real industrial sensor (temperature, energy meter, etc.) over RS485 using a Waveshare RS485-to-Ethernet gateway. Real fieldbus traffic next to the virtual fabric.

Stage 4 (Optional): Wireless IoT

ESP32 Modbus client over WiFi joining the PCN segment. Teaches wireless threat surface, MQTT/Modbus translation, and the "unmanaged device" reality of modern plants.

Looking for Contributors

Help Build the Curriculum

The single-Pi lab is shipped and working. The next chunk of work is the curriculum — Attack/Detect/Defend exercises mapped to MITRE ATT&CK for ICS, CTF challenges, and runnable scripts in the dashboard's Teaching tab.

  • Curriculum & Exercises
  • CTF Challenges
  • Conpot Personas
  • Wire-Feed Sniffer
  • Take-Home Topologies
  • Documentation
  • Video Walkthroughs
  • Translation
Who Teaches On It

Built And Taught By Working Practitioners

OTLab is the lab the ICS Village instructors actually carry. The curriculum is anchored to it — students sit at the same dashboard, hit the same Modbus Write Playground, and watch the same Suricata alerts that the instructor demonstrated minutes earlier.

  • Aaron Crow, Instructor
  • Dillon Lee, Instructor
  • Tom Van Norman, Co-Founder, ICS Village
  • Neil Brandon, Instructor

Where We Teach

Conference Floors, Academic Classrooms, and Partner Sites Worldwide

[Image: ICS Village instructor with the OTLab Trainer Kit at a partner venue.]

Academic Partnership

Harvard Summer School

CSCI S-148, Operational Technology Security Fundamentals, taught by David Cass (Federal Reserve Bank of NY) and Vladislav Gostomelsky (TP-Link). OTLab runs in the classroom.

  • Summer Term: Cambridge MA

[Image: DEF CON banner above the conference floor where ICS Village runs OTLab trainings.]

DEF CON Delivery

DEF CON 34 / Singapore / Middle East

OTLab on the floor at every flagship DEF CON event, with the Trainer Kit fleet supporting hands-on sessions and the Modbus Write Playground open all weekend.

  • DEF CON 34: Las Vegas, Aug 2026
  • DEF CON Singapore: Apr 2026
  • DEF CON Middle East: Bahrain, Nov 2026

[Image: ICS Village and Capture the Flag banners at Critical Effect DC.]

Policy & Convening

Critical Effect DC

OTLab demos and capture-the-flag at the annual ICS Village policy convening in Washington. Practitioners brief regulators in front of a working plant.

  • Critical Effect DC: Washington DC
Get Started

Bring OTLab to Your Team

Image a Pi, deploy the lab fabric, and run real Modbus traffic on your desk in under an hour. Sponsor a fleet for your conference, bring OTLab into a classroom, or take a private cohort through the curriculum.