支持端到端高级持续性威胁仿真的工业环境测试平台：SIMPLE-ICS的设计与实现 (Enabling End-to-End APT Emulation in Industrial Environments: Design and Implementation of the SIMPLE-ICS Testbed)

Research on Advanced Persistent Threats (APTs) in industrial environments requires experimental platforms that support realistic end-to-end attack emulation across converged enterprise IT, operational technology (OT), and Industrial Internet of Things (IIoT) networks. However, existing industrial cybersecurity testbeds typically focus on isolated IT or OT domains or single-stage attacks, limiting their suitability for studying multi-stage APT campaigns. This paper presents the design, implementation, and validation of SIMPLE-ICS, a virtualised industrial enterprise testbed that enables emulation of multi-stage APT campaigns across IT, OT, and IIoT environments. The testbed architecture is based on the Purdue Enterprise Reference Architecture, NIST SP 800-82, and IEC 62443 zoning principles and integrates enterprise services, industrial control protocols, and digital twin based process simulation. A systematic methodology inspired by the V model is used to derive architectural requirements, attack scenarios, and validation criteria. An APT campaign designed to mimic the BlackEnergy campaign is emulated using MITRE ATTACK techniques spanning initial enterprise compromise, credential abuse, lateral movement, OT network infiltration, and process manipulation. The testbed supports the synchronised collection of network traffic, host-level logs, and operational telemetry across all segments. The testbed is validated on multi-stage attack trace observability, logging completeness across IT, OT, and IIoT domains, and repeatable execution of APT campaigns. The SIMPLE-ICS testbed provides an experimental platform for studying end-to-end APT behaviours in industrial enterprise networks and for generating multi-source datasets to support future research on campaign-level detection and correlation methods.

翻译：工业环境中高级持续性威胁（APT）的研究需要能够支持跨融合的企业信息技术（IT）、运营技术（OT）和工业物联网（IIoT）网络进行真实端到端攻击仿真的实验平台。然而，现有的工业网络安全测试平台通常侧重于孤立的IT或OT领域或单阶段攻击，限制了其用于研究多阶段APT攻击活动的适用性。本文介绍了SIMPLE-ICS的设计、实现与验证，这是一个虚拟化的工业企业测试平台，支持跨IT、OT和IIoT环境的多阶段APT攻击活动仿真。该测试平台架构基于普渡企业参考架构、NIST SP 800-82和IEC 62443分区原则，并集成了企业服务、工业控制协议以及基于数字孪生的过程仿真。采用一种受V模型启发的系统化方法来推导架构需求、攻击场景和验证标准。一个旨在模拟BlackEnergy攻击活动的APT活动被仿真出来，其使用了MITRE ATTACK技术，涵盖初始企业入侵、凭据滥用、横向移动、OT网络渗透和过程操控。该测试平台支持在所有网段同步收集网络流量、主机级日志和运营遥测数据。测试平台在多阶段攻击痕迹可观测性、跨IT、OT和IIoT领域的日志完整性以及APT攻击活动的可重复执行方面得到了验证。SIMPLE-ICS测试平台为研究工业企业网络中的端到端APT行为提供了一个实验平台，并可用于生成多源数据集，以支持未来关于攻击活动级检测与关联方法的研究。