Building an ICS Firing Range (in our kitchen): sharing our journey & lessons learned (so you don’t have to)


View Recording


/files/slides/001_05-ML3CFD-ICS_Firing Range _ BSides 2022.pdf

View Slides


Aiming to improve our own expertise in ICS security, we went to build our own ICS firing range for internal and external trainings, and hacking demos. It covers multiple technical aspects about IT infrastructure, PLC configuration and programming, ICS protocols and specific methodologies for red and blue teaming. Beginning with a bridge operation scenario we planned our approach on implementing the ICS Firing Range addressing all levels of the Purdue Model, from enterprise to physical processes. We were faced with a variety of practical challenges and challenges specific to the ICS context and prototyping: we learned how to implement ladder logic, how CAD modelling works, how to print 3D models with a 3D printer and how to combine all ICS and bridge components into a single, confined and mobile lab environment. Lastly, we designed a series of kill chains for our firing range that we use for trainings on a variety of professions such as digital forensics and incident response.

Nico Leidecker

Nico has worked in IT security for over 15 years as security consultant and penetration tester. For the past years, his focus has been on all several aspects of OT security. At NVISO Germany, he leads the security assessment team.


Moritz Thomas

Moritz is a security consultant working in the Software and Security assessment team at NVISO. He is an ICS and IoT enthusiast, getting into the latest technologies in both fields. He loves to program, reverse engineer and break stuff.