Article

Virtual Testbed for Cyber-Physical System Security Research and Education: Design, Evaluation, and Impact

Department of Cybersecurity and Networks, Glasgow Caledonian University, Glasgow G4 0BA, UK
*
Author to whom correspondence should be addressed.
Electronics 2026, 15(3), 582; https://doi.org/10.3390/electronics15030582
Submission received: 2 December 2025 / Revised: 8 January 2026 / Accepted: 26 January 2026 / Published: 29 January 2026
(This article belongs to the Special Issue Trends in Information Systems and Security)

Abstract

This article presents the design and implementation of a Virtual Cyber-Physical Testbed (VCPT) for transportation systems, featuring an automated level-crossing process. The proposed design improves network fidelity while keeping the platform lightweight. Key components include the Programmable Logic Controller (PLC), sensors, actuators, the Supervisory Control and Data Acquisition (SCADA) system, and OPNsense. Guided by NIST SP 800-115, penetration testing revealed several vulnerabilities and weaknesses that can be exploited and mitigated. Six attack scenarios—enumeration, brute force, remote code execution, ARP poisoning, DoS, and command injection—were executed, demonstrating realistic impacts on process safety and availability. Mitigation strategies using custom firewall and Intrusion Detection and Prevention System (IDPS) rules contributed to improving the security posture of VCPT. Educational evaluation with 41 cybersecurity students showed a 24% increase in average scores and a significant rise in top performers, further supported by positive feedback on engagement and realism. These results validate the VCPT as an effective platform for cybersecurity research, training, and experiential learning.

1. Introduction

In recent decades, a large portion of critical infrastructure has been connected to computer networks and the internet with the aim of improving automation, management, and efficiency, leading to the emergence of Cyber-Physical Systems (CPSs). CPSs tightly integrate computing, networking, and control systems with physical processes for the purpose of monitoring and controlling real-world operations [1]. As part of modern critical infrastructure, CPSs are increasingly deployed across diverse domains such as healthcare, transportation, smart manufacturing, smart buildings, and robotics [1,2]. These systems are composed of heterogeneous components including sensors, actuators, communication networks, and embedded devices that introduce significant complexity and pose challenges related to interoperability, security, and privacy [3,4]. Furthermore, several CPSs rely on legacy technology and were not originally designed with cybersecurity in mind, making them particularly vulnerable to modern attack vectors [5]. The ongoing convergence of Information Technology (IT) and Operational Technology (OT) has further expanded the attack surface, hence increasing the risks and challenges associated with securing CPSs [6,7]. Waterfall’s cyberattack report [8] reveals that the number of affected industrial sites has increased by 146% in recent years.
The safety concerns and severe consequences of cyber-physical attacks have caught the attention of nation states, governing bodies, and researchers addressing these challenges. Examining CPSs is essential to understand their functionality and to conduct research aimed at developing effective security measures for safeguarding critical infrastructure. However, achieving this objective presents several challenges. The inherent heterogeneity and complexity of CPSs not only introduce significant cybersecurity concerns but also make them difficult to model and simulate [9,10]. Gaining access to or examining live industrial systems presents significant challenges due to the risk of disrupting critical operations and compromising sensitive data confidentiality [11,12]. Moreover, the financial investment required for building and maintaining CPSs for research and development is substantial [13].
To overcome these challenges, researchers have pioneered Cyber-Physical Testbeds (CPTs) as an alternative. CPTs provide a safe and controlled environment in which researchers can test new configurations, simulate cyberattacks, and evaluate defence strategies without endangering operational systems [14]. By replicating physical processes and integrating key components, CPTs enable system behaviour analysis under diverse scenarios [14]. They offer a cost-effective alternative for mitigating accessibility limitations while facilitating experimentation and research on CPSs [15,16]. Furthermore, CPTs serve as valuable educational platforms, allowing practitioners and professionals to gain hands-on experience in OT cybersecurity [15,16]. Therefore, CPTs allow both cyber and physical elements to be examined accurately, while supporting the secure and effective validation of CPS operations and the development of robust cybersecurity strategies [16].

2. Related Work

CPTs provide a controlled environment for testing, experimentation, and the evaluation of technologies, mechanisms, and applications. Their design and implementation vary depending on the specific domain and intended purpose. CPTs can be implemented using different approaches, namely physical, hybrid, and virtual. Each approach offers distinct advantages and limitations.

2.1. Physical Testbeds

Physical CPTs are composed of real hardware components such as sensors, actuators, and networking devices. They enable a more realistic integration and interaction between physical processes and networked systems [17]. They are often used to test solutions under realistic conditions, enabling the accurate measurement of system behaviours such as latency, deviations, and performance that are crucial for validation and real-time testing [14,18,19]. Despite their benefits, physical CPTs also present several drawbacks. They are comparatively the most expensive to develop and maintain [18], require significant development time, and may not always provide a completely safe means of replicating or executing physical attacks; therefore, safety concerns are still present [14,18]. Examples of such CPTs are EPIC [20], HAI Testbed [21], WaDi [22], and SWaT [23] that are deployed in power and robotics domains [20,24].

2.2. Virtual Testbeds

Virtual CPTs simulate the CPSs using software programmes [17]. Compared to the physical CPTs, they provide a cost-effective alternative and are particularly useful for replicating dangerous processes [17]. They are also easier to reconfigure, scale, and maintain [14,17]. While virtual environments offer several advantages, they may lack the realistic behaviour that is offered by physical CPTs, depending on the integrity of the software emulation solutions. This reduces their fidelity and makes it challenging to accurately verify certain system behaviours [14,17]. Also, virtual CPTs can be implemented on computers making them easily accessible to researchers and practitioners, in contrast to physical CPTs that require specialised hardware [18]. Virtual CPTs are widely utilised in fields such as education, manufacturing, and cybersecurity research [18]. Representative examples include GRFICS [25], VICSORT [26], Maynard-SCADA [27], and TASSCS [28].

2.3. Hybrid Testbeds

Hybrid CPTs incorporate both virtual simulations and physical components, leveraging the strengths of physical and virtual approaches [14,17]. They are particularly effective for representing complex systems such as the Internet of Things (IoT) or smart cities, where a balance between realism and scalability is essential [29]. Hybrid CPTs enable the realistic validation of CPS functionality while reducing costs by eliminating the need for a full physical setup [17]. However, their design and implementation are challenging, as they face significant complexity in terms of system integration and interoperability [14]. Despite these difficulties, hybrid CPTs have proven valuable in domains such as smart grids and aerospace [17]. Some examples are hybrid level crossing by Golder et al. [30], HYDRA [31], and MSICST [32].

2.4. Comparative Analysis of CPT Types

Physical CPTs offer high network fidelity, enabling realistic interactions between hardware and software components. However, they are costly to build and maintain, lack scalability and flexibility, and pose safety limitations [18,33]. Virtual CPTs offer high scalability, flexibility, cost-effectiveness, and safety due to their fully simulated environments; however, they lack the network fidelity needed to accurately replicate real-world hardware–software interactions [14]. Hybrid CPTs lie between the two extremes, offering moderate levels of network fidelity, flexibility, scalability, cost-effectiveness, and safety [18,33]. A relative comparison of the different types of CPTs is provided in Table 1.

2.5. Overview of Virtual CPTs

Conti et al. [18] have published a comprehensive survey of all three types of CPTs. Their survey identified 20 virtualised CPTs, none of which pertain to the transport sector. However, due to the use of proprietary software, only a few of these CPTs, about six, are accessible. Furthermore, not all of these six CPTs have elaborate network topologies, physical processes, or visual interactive components. Notable examples include SCADASim [18], Maynard-SCADA [26], TASSCS [27], MiniCPS [34], SCADAVT [35], SCADA-SST [36], and DVCP [37]. MiniCPS and SCADASim are frameworks for creating simulations, and they use Mininet and OMNeT++ for network simulation, respectively. Network simulation or emulation tools, such as Mininet, OMNeT++, and OPNET, model network behaviour logically while offering scalability and controlled experimentation. However, they abstract lower-layer network dynamics such as real Ethernet framing, ARP exchanges, and routing behaviours, thereby reducing network fidelity.
Maynard-SCADA and SCADA-SST are missing realistic elaborate physical processes. Maynard-SCADA RTUs are only configured to “return random process data” [38], and SCADA-SST requires users to implement physical process behaviour in C++. TASSCS uses OPNET for network simulation. Although it lacks 3D visualisation, it uses schematics to convey process states.
To make the CPTs more realistic and streamline their development, DVCP took advantage of MATLAB and Simulink [39]. TASSCS used PowerWorld [40]. Ghaleb et al. [36] recognised that using similar proprietary simulators, such as MATLAB/Simulink, PowerWorld and Factory IO [41], makes CPTs less accessible to the public because users must acquire licences for these components.
GRFICS and VICSORT addressed the network and physical process simulation shortfalls. They took advantage of gaming engines to develop a dedicated physical process in the form of an interactive 3D game. This game simulates and visualises a simplified version of the Tennessee Eastman process [42] and allows the monitoring of the process during cyberattacks, providing visual feedback and demonstrating their impact on the physical process. This approach also removed licencing constraints and facilitated CPT distribution.
To improve network fidelity, GRFICS utilises Oracle VirtualBox [43] to implement virtual machines (VMs) that replicate components such as the PLC, supervisory control and data acquisition (SCADA), firewall, and engineering workstation (EWS). This design allows modularity, enabling components to be easily replaced. This enabled the developers of GRFICS to use SCADABR [44] as their industrial interactive software platform for the monitoring, control, and visualisation of the industrial process and pfSense [45] as the firewall appliance. VICSORT [26] modified GRFICS to improve resource efficiency by using LXC/LXD containers for virtualisation instead of VirtualBox. GRFICS and VICSORT are capable of full network stack operations, enabling real packet exchange and protocol interactions, thereby providing higher network fidelity and allowing a more realistic assessment of communication performance and security mechanisms [46]. Both CPTs implement levels 0 to 3 of the Purdue model, separating zones through subnets and using pfSense [45] to establish secure conduits between zones.
However, network fidelity is impaired in both platforms, GRFICS and VICSORT, due to the field devices and the PLC being implemented within a single VM, perhaps to keep the platform lightweight. Although this approach reduces computational resource requirements, it compromises the realism of network communication, as all field devices and the PLC share the same physical MAC address while having different IP addresses. Consequently, this limits the ability to examine the CPTs’ behaviour in the data link layer. Furthermore, the firewall configuration is overly permissive, allowing unrestricted traffic between zones and lacking any built-in intrusion detection or prevention mechanisms to mitigate the CPTs’ vulnerabilities.

2.6. Summary of Contributions

This article aims to address existing limitations and develop a novel CPT that is resource-efficient and open-source and offers improved network fidelity by following best practices. The contributions of this article are as follows:
  • Simulation and visualisation of the first transport-sector physical process using game engines.
  • Improved network fidelity while maintaining resource efficiency, through lightweight Linux end nodes.
  • Successfully testing end node DoS attacks, by carefully adjusting VirtualBox configuration.
  • IDPS inclusion and custom rule implementation through OPNsense integration.

3. CPT Design and Implementation

A cost-effective and virtualised CPT (VCPT) is proposed and designed for the transportation industry. The motivation stems from the sector’s growing exposure to cyberattacks and the notable absence of dedicated CPTs to support cybersecurity research and training. Unlike physical, hybrid, or other reviewed VCPTs, this design strikes an effective balance between network fidelity and efficient resource utilisation, making it broadly accessible to practitioners, researchers, students, and cybersecurity enthusiasts. A VCPT is easier to maintain and provides greater accessibility, as it has no geographical constraints, can be accessed remotely or deployed on consumer-grade computers, does not require industrial equipment, and is cost-efficient. This VCPT draws inspiration from GRFICS, which leverages free and open-source components, and from the work of Hosseinzadeh et al. [47], who developed a simplified, transport-themed physical CPT for Operational Technology research and education. The primary aim of this VCPT is to offer a safe and controlled environment for cybersecurity professionals to explore real-world critical infrastructure, simulate cyberattacks, and evaluate mitigation strategies.

3.1. Physical Process

A level-crossing physical process [47] was chosen for this VCPT. The motivation for selecting a transportation-based process lies in the fact that, according to Waterfall’s cyberattack report [8], transportation is the most targeted sector, receiving 37% of cyberattacks. Furthermore, the survey conducted by Conti et al. [18] reveals the lack of CPTs with the transport theme, as the majority of CPTs pertain to smart grids.
The automated level-crossing process is simple and therefore easy to understand [47]; it is a process that many have experienced, and it is a safety-critical system where a malfunction or a cyberattack could result in life-threatening consequences. According to Network Rail [48], there are about 6000 level crossings in the UK and over 1400 have been closed since 2009; while closure is the only way to eliminate risk, many crossings cannot be practically removed due to cost and community impacts [49]. Additional reasons for selecting the level crossing as the physical process include its human-in-the-loop safety dynamics, which allow the realistic simulation of operational procedures [50]. Furthermore, level crossings offer a practical platform for verifying safety properties, assessing system timing during fault conditions, and validating system upgrades under controlled scenarios [51].

3.2. Architecture

The implementation of the VCPT and its challenges are guided by the Purdue Enterprise Reference Architecture (PERA) model [52], as illustrated in Figure 1, and the industrial cyber kill chain [53], respectively. This design places particular emphasis on the industrial zone, which highlights the OT layer and includes the following components:
  • Level 0: field devices such as sensors and actuators.
  • Level 1: consists of the PLC.
  • Levels 2 and 3: the SCADA system, HMI, and data historian.
  • Level 3.5: Industrial DMZ, which hosts the firewall, router, and IDPS.
Figure 1. Purdue Enterprise Reference Architecture PERA.

3.3. Components

The automated level crossing serves as the physical representation of the industrial control system (ICS) process in this study. It is developed using the Unity® game engine [54] and runs on a lightweight Linux system. The game engine was used to visualise the process, featuring barriers, signal lights for both train and vehicle traffic, an alarm system, and an interactive vehicle, allowing users to simulate scenarios such as vehicles crossing the level crossing or becoming stranded on the tracks.

3.3.1. Control Zone (Level 0–1)

Level 0 hosts the physical sensors and actuators, and these are implemented in software in VCPTs [25,26]. This implementation includes a total of two sensors and three actuators that are communicating with a single PLC. These end nodes and their function in the VCPT are listed in Table 2.
Existing frameworks such as GRFICS and VICSORT collocate all simulated devices on a single Linux host. This design compromises network fidelity because multiple IP addresses end up sharing the same MAC address. Consequently, layer-2 behaviour, such as ARP resolution, MAC learning, and broadcast domain isolation, is lost. This prevents the accurate modelling or execution of layer-2 attacks (e.g., ARP spoofing, man-in-the-middle) and even end node DoS attacks, since all nodes share the same operating system instance and the same resource pool allocated to the VM.
To overcome these limitations while minimising computational overhead, we implemented each end node as an independent Linux system using Alpine Linux [55], chosen for its lightweight footprint and resource efficiency. Each node consumes approximately 60 MB of RAM and 250 MB of storage. Deploying nodes in this manner preserves network fidelity. By ensuring that each node has its own MAC address and dedicated resources, our approach maintains realistic layer-2 and resource-based behaviour, improving the overall fidelity of the design [25,26].
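The layer-2 property described above can be checked from any node's neighbour table. The following is an added example, not code from the article or from GRFICS/VICSORT: it parses `ip neigh show` output, reports MAC addresses shared by several IPs, and, going one step beyond the text, reports IP-to-MAC bindings that changed against a baseline. All addresses, MACs, and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `ip neigh show` output; every address and MAC below is made up.
# One VM per end node: each IP resolves to its own MAC.
PER_NODE = """\
192.168.1.10 dev eth0 lladdr 08:00:27:00:00:10 REACHABLE
192.168.1.21 dev eth0 lladdr 08:00:27:00:00:21 REACHABLE
192.168.1.22 dev eth0 lladdr 08:00:27:00:00:22 STALE
192.168.1.31 dev eth0 lladdr 08:00:27:00:00:31 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

# All simulated devices collocated on one host: one MAC answers for every IP.
SINGLE_HOST = """\
192.168.1.10 dev eth0 lladdr 08:00:27:00:00:10 REACHABLE
192.168.1.21 dev eth0 lladdr 08:00:27:00:00:10 REACHABLE
192.168.1.22 dev eth0 lladdr 08:00:27:00:00:10 STALE
192.168.1.31 dev eth0 lladdr 08:00:27:00:00:10 REACHABLE
"""

# Later snapshot of the per-node network: the binding for .10 has changed.
LATER = """\
192.168.1.10 dev eth0 lladdr 08:00:27:00:00:99 REACHABLE
192.168.1.21 dev eth0 lladdr 08:00:27:00:00:21 REACHABLE
192.168.1.22 dev eth0 lladdr 08:00:27:00:00:22 STALE
192.168.1.31 dev eth0 lladdr 08:00:27:00:00:31 REACHABLE
192.168.1.99 dev eth0 lladdr 08:00:27:00:00:99 REACHABLE
"""

NEIGH_LINE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9A-Fa-f:]{17})\b")


def parse_neigh(text):
    """Map IP -> MAC; entries without a resolved lladdr (FAILED, INCOMPLETE) are skipped."""
    table = {}
    for line in text.splitlines():
        match = NEIGH_LINE.match(line.strip())
        if match:
            table[match.group(1)] = match.group(2).lower()
    return table


def ip_sort_key(address):
    parsed = ipaddress.ip_address(address)
    return (parsed.version, int(parsed))


def shared_macs(table):
    """Return {mac: [ips]} for every MAC that answers for more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips, key=ip_sort_key)
            for mac, ips in by_mac.items() if len(ips) > 1}


def changed_bindings(baseline, current):
    """Return {ip: (old_mac, new_mac)} for IPs whose MAC differs from the baseline."""
    return {ip: (baseline[ip], mac) for ip, mac in current.items()
            if ip in baseline and baseline[ip] != mac}


if __name__ == "__main__":
    baseline = parse_neigh(PER_NODE)
    print("per-node shared MACs:", shared_macs(baseline))
    print("single-host shared MACs:", shared_macs(parse_neigh(SINGLE_HOST)))
    print("changed bindings:", changed_bindings(baseline, parse_neigh(LATER)))
```
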
In this design, the PLC collects sensor data to understand the state of operation, and coordinates between end nodes by issuing appropriate actuation signals. The train light signal indicates when the train is permitted to pass through the level crossing if the tracks are clear. However, if the track is obstructed, detected via the obstacle detection sensor, the system signals the train to stop. An approaching train is detected by a pair of sensors on each side of the crossing, triggering the alarm, traffic signal, and gates to stop vehicle traffic. Once the train passes through, the crossing returns to its normal state.

3.3.2. Industrial Zone (Level 2–3)

Levels 2 and 3 include the SCADA system, the human machine interface (HMI), and the data historian. ScadaBR [44] is a unified HMI, SCADA, and historian platform; it is open-source and a popular choice in VCPTs. Importantly, its legacy implementation exposes a range of known vulnerabilities, which provides a realistic environment for cybersecurity activities such as penetration testing and red and blue team exercises [56].

3.3.3. Industrial Demilitarised Zone (Level 3.5)

OPNsense [57] was selected because it is open-source, actively maintained, and offers an intuitive interface. It serves as the firewall, router, default gateway, and DHCP server. Compared to alternatives such as pfSense [35], OPNsense comes preconfigured with an integrated IDPS based on Suricata, supporting locally defined custom rules [58]. This provides built-in IDPS functionality without an additional setup. In contrast, pfSense requires installing extra packages for IDPS integration, which is impractical in offline deployments.

3.4. Network Topology

Figure 2 illustrates the abstracted network topology of the VCPT. The LAN (subnet A) consists of sensors, actuators, and the PLC, while the WAN (subnet B) hosts the SCADA system. OPNsense provides routing between the two subnets and allocates IP addresses to all devices. This configuration enables scenarios where potential vulnerabilities can be identified, exploited, and mitigated using OPNsense’s security controls.
Section 3 presents the structured approach adopted in this paper:
  • Identification: use of vulnerability scanners to discover weaknesses.
  • Exploit: demonstration of exploitation of key vulnerabilities.
  • Mitigation: use of OPNsense as the main defence mechanism.

4. Penetration Testing the VCPT

Security testing was guided by the NIST SP 800-115, Technical Guide to Information Security Testing and Assessment guideline [59]. The framework suggests first defining clear objectives, scope, and rules of engagement. In this instance, the VCPT is an isolated environment, therefore allowing for the scope of testing to include all systems and components without having safety concerns or safety measures in place. First, information-gathering techniques are employed to map the network, identify active services, and detect potential vulnerabilities. Exploitation is subsequently carried out to validate the existence and impact of these vulnerabilities, followed by the analysis of the potential consequences in terms of safety, availability, and integrity. Finally, findings are documented with a few recommended mitigating solutions. This structured approach ensures that the assessment process is systematic, repeatable, and aligned with recognised best practices.

4.1. Vulnerability Scanning

By conducting vulnerability scanning, a range of embedded software, hardware, web applications, and industrial vulnerabilities were discovered. Nessus [60] and Nmap network scans revealed nine vulnerabilities that posed medium-to-critical cybersecurity risks. Additionally, Nmap was employed to detect and verify relevant ports and services running on the devices. Table 3 only presents the vulnerabilities ranging from critical-to-medium severity; vulnerabilities that were exploited are highlighted.

4.2. Vulnerability Testing

Each attack scenario is mapped to relevant techniques from the MITRE ATT&CK framework [61] to ensure consistency with recognised adversarial behaviour, facilitate reproducibility of the test scenarios, and allow for clearer communication of threat vectors to both technical and non-technical stakeholders. The mappings help contextualise the attacks within a broader threat landscape and support the development of targeted mitigation strategies.

4.2.1. Attacks on SCADA System

An enumeration attack was first conducted to exploit CWE-204: observable response discrepancy, which allowed the attacker to determine valid usernames based on differing server responses to login attempts. Once valid usernames were identified, a dictionary attack was launched to guess passwords. This was made possible due to the system’s failure to limit repeated authentication attempts, aligning with CWE-307: improper restriction of excessive authentication attempts. The open-source tool Hydra was used to automate both stages of the attack. Once valid credentials were obtained, the attacker gained unauthorised access to the SCADA interface, compromising the confidentiality of sensitive process data. This access also enabled potential malicious interactions with physical processes, posing serious risks to system safety and availability. The overall attack aligns with the MITRE ATT&CK technique T1110: brute force.
The SCADA system was exploited via CVE-2020-1938 (Ghostcat), which targets the Apache JServ Protocol (AJP) in vulnerable versions of Apache Tomcat. This vulnerability enables local file inclusion (LFI) and can lead to remote code execution (RCE). The attacker uploaded a payload file containing the code to establish a reverse-shell connection. Execution was triggered by accessing the file through a direct URL from the SCADA interface, allowing arbitrary code execution. This aligns with MITRE ATT&CK technique T1190: exploit public-facing application. Once the reverse shell was established with the remote command and control (C2) server, the attacker gained the ability to execute commands on the SCADA host, escalated privileges, and began establishing persistence. This unauthorised access compromised the confidentiality and enabled access to the SCADA server. The attacker could modify configurations, posing threats to availability, safety, and overall system integrity. These actions align with MITRE ATT&CK for ICS tactic TA0110: persistence, which encompasses techniques used to maintain long-term access to industrial systems.
A separate vulnerability affecting the SCADA system is CVE-2021-26829, a persistent (stored) cross-site scripting (XSS) flaw in the web interface. This allows attackers to inject malicious JavaScript that is stored on the server and executed when users access the affected page. Two payloads were used to demonstrate the impact: one for session ID theft and another for keylogging [62]. The payload is executed in the victim’s browser and data exfiltrated to the attacker’s HTTP server. These attacks compromised sensitive user information, with session hijacking posing a significant risk. The demonstration highlights how a single XSS vulnerability can enable multiple attack paths, ranging from credential theft to monitoring user input and behaviour. This exploitation aligns with MITRE ATT&CK for ICS technique T1059.007: JavaScript, under the execution (TA0104) tactic. Additionally, the theft of credentials and monitoring of user input may support credential access (TA0006) and collection (TA0100) tactics.

4.2.2. Attacks on Field Devices

Multiple attacks were conducted against the ModbusTCP protocol, targeting devices at the perception layer, corresponding to Level 0 and Level 1 of the PERA. The protocol’s lack of encryption and authentication exposed industrial communications to interception, manipulation, and disruption. These weaknesses align with CWE-300: channel accessible by any end node, CWE-319: cleartext transmission of sensitive information, and CWE-306: missing authentication for critical function.
An MitM attack was executed using ARP poisoning, allowing the attacker to intercept and redirect traffic between the PLC and connected sensors and actuators. This compromised the confidentiality of control signals. The attack was performed using an Ettercap filter to manipulate ModbusTCP packets, suppressing alarm signals and forcing the traffic light to remain green, compromising safety and process integrity. This aligns with MITRE ATT&CK technique T1557: man-in-the-middle and the tactics collection (TA0100) and impair process control (TA0107).
Two DoS scenarios were executed using Hping3. A SYN flood targeted the PLC, and an ICMP flood targeted the obstacle detector sensor. Overwhelming the PLC with connection requests disconnected it from the HMI, resulting in warning signs; see Figure 3. Furthermore, the PLC failed to execute its routine control processes. The ICMP flood targeting the obstacle detector sensor resulted in end node denial of service and the loss of connection to the PLC. This effect was achieved by adjusting and throttling the CPU utilisation of the PLC through VirtualBox’s CPU Execution Cap setting. However, these attacks did not result in network-level denial of service. This is because virtual environments typically lack realistic bandwidth constraints and physical network infrastructure, making it difficult to saturate the network in the same way as in a physical deployment. Both cases align with MITRE ATT&CK T1499: endpoint denial of service. These attacks compromised safety and availability.
A coordinated command injection attack targeted three devices simultaneously: the alarm and traffic signal, the barrier, and the train signal. A custom Python script was used to inject unauthorised ModbusTCP commands, altering device behaviour and causing out-of-sync operations, as demonstrated in Figure 4. This required detailed knowledge of the system and resulted in a significant compromise of safety and process coordination, resembling MITRE ATT&CK technique T0855: command injection.
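Because ModbusTCP carries no authentication, a monitor on the control subnet can only judge a write command by where it came from. The following is an added detection example, not code from the article: it decodes the MBAP header and function code of captured requests and reports state-changing function codes sent by any host other than the authorised master. The addresses, the captured frames, and the assumption that the PLC is the only legitimate master are constructed for illustration.

```python
import struct

# Modbus function codes that change device state.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

PLC = "192.168.1.10"          # assumed address of the only authorised master
BARRIER = "192.168.1.31"      # assumed actuator address
SENSOR = "192.168.1.21"       # assumed sensor address
UNKNOWN = "192.168.1.99"      # assumed host that is not part of the process

# Constructed capture: (source IP, destination IP, Modbus/TCP request bytes).
SAMPLE_PACKETS = [
    (PLC, BARRIER, bytes.fromhex("00010000000601050000ff00")),      # PLC sets coil 0
    (PLC, SENSOR, bytes.fromhex("000200000006010200000001")),       # PLC reads an input
    (UNKNOWN, SENSOR, bytes.fromhex("000600000006010200000001")),   # read from unknown host
    (UNKNOWN, BARRIER, bytes.fromhex("000700000006010500000000")),  # write from unknown host
    (UNKNOWN, BARRIER, bytes.fromhex("000800000006010500")),        # truncated frame
]


def parse_request(frame):
    """Decode the MBAP header and function code of one Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("protocol identifier is not 0")
    # The length field counts the unit identifier and the PDU that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    request = {"transaction": transaction, "unit": unit, "function": function}
    if function in (0x05, 0x06):
        if len(frame) != 12:
            raise ValueError("single-write request has the wrong PDU size")
        request["address"], request["value"] = struct.unpack(">HH", frame[8:12])
    return request


def audit(packets, authorised_masters):
    """Return findings for malformed frames and for writes from unauthorised sources."""
    findings = []
    for src, dst, frame in packets:
        try:
            request = parse_request(frame)
        except ValueError as exc:
            findings.append((src, dst, "malformed", str(exc)))
            continue
        name = WRITE_FUNCTIONS.get(request["function"])
        if name is not None and src not in authorised_masters:
            findings.append((src, dst, "unauthorised write", name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PACKETS, {PLC}):
        print(finding)
```
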

4.3. Improving Security Posture

Once vulnerabilities have been identified through security testing, NIST SP 800-115 suggests enhancing the system’s security posture. This process includes prioritising vulnerabilities based on their potential impact and exploitability, implementing appropriate mitigation strategies, and validating the effectiveness of those remediations.
In the case of this VCPT, explicit prioritisation is deemed unnecessary due to prior knowledge of vulnerability severity via CVE scores, and the fact that all demonstrated exploits led to safety compromises. Mitigation strategies typically include patch management, configuration hardening, network segmentation, and tuning of firewall and intrusion detection/prevention systems (IDPSs). This study focuses specifically on the latter, leveraging OPNsense’s firewall and IDPS capabilities.
To improve the VCPT’s security posture, custom firewall rules and traffic policies were enforced using OPNsense. These controls were designed to regulate inter-subnet communication and detect malicious traffic patterns. A key assumption in this setup is that attack traffic traverses the OPNsense firewall, which implies that attacks must originate from a subnet different from the target. This assumption allows the firewall and IDPS to act as a control point for both detection and prevention.

4.3.1. Custom IDPS Rules

A total of five custom IDPS rules were implemented using OPNsense’s IDPS to prevent specific attacks, as listed in Table 4.
Rule IDs 101 and 102 are designed to prevent RCE. Rule ID 101 inspects HTTP GET requests and looks for the URI parameter “=” or for commands such as ls, pwd, whoami, or similar, which attackers often use to pass system commands to vulnerable applications. Rule ID 102 inspects POST requests sent to SCADA’s “view_edit.shtm” and blocks malicious packets based on attack signatures in the payload. By performing deep packet inspection and signature-based detection, these rules raise an alert whenever the pattern is detected, helping to identify and mitigate the RCE vulnerabilities in the SCADA. Rule ID 103 monitors TCP traffic to port 502 and inspects the SYN flag in connection requests. If a single source sends 5000 or more SYN packets within 5 s, the rule raises an alert. This blocks a potential SYN flood attack. Similarly, rule ID 104 inspects ICMP traffic and counts repeated echo request packets. It helps detect and prevent a potential ICMP flood if an abnormally high number of packets is observed from the same source within a short timeframe. Both rules mitigate the DoS vulnerability for field devices. Finally, rule ID 105 raises an alert if 10 or more HTTP POST requests are detected from the same source within five seconds and also drops the traffic to prevent potential brute-force or dictionary attacks against the SCADA system.
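The per-source rate thresholds of rule IDs 103 and 105 can be modelled offline to see which traffic patterns trip them and when. This is an added example, not the authors' rules and not Suricata's own threshold engine: it uses a simple sliding window with the counts and intervals stated above, and the event format, addresses, and HTTP port 8080 are constructed assumptions.

```python
from collections import defaultdict, deque
from typing import NamedTuple, Optional


class Rule(NamedTuple):
    rule_id: int
    count: int       # events from one source needed to trigger
    window_ms: int   # sliding window length in milliseconds
    action: str      # "alert" or "drop"


# Thresholds as stated in the text for rule IDs 103 and 105.
RULES = {
    103: Rule(103, count=5000, window_ms=5000, action="alert"),
    105: Rule(105, count=10, window_ms=5000, action="drop"),
}


class Event(NamedTuple):
    ts_ms: int
    src: str
    proto: str              # "tcp" or "http"
    dst_port: int
    tcp_flags: str = ""     # "S" for a bare SYN
    http_method: str = ""


def match_rule(event: Event) -> Optional[int]:
    """Return the rule ID whose traffic selector matches this event, if any."""
    if event.proto == "tcp" and event.dst_port == 502 and event.tcp_flags == "S":
        return 103
    if event.proto == "http" and event.http_method == "POST":
        return 105
    return None


def first_triggers(events):
    """Return {(rule_id, src): (ts_ms, action)} for the first time a source trips a rule."""
    windows = defaultdict(deque)
    fired = {}
    for event in sorted(events, key=lambda e: e.ts_ms):
        rule_id = match_rule(event)
        if rule_id is None:
            continue
        rule = RULES[rule_id]
        key = (rule_id, event.src)
        window = windows[key]
        window.append(event.ts_ms)
        # Forget matches that fell out of the window for this source.
        while event.ts_ms - window[0] > rule.window_ms:
            window.popleft()
        if len(window) >= rule.count and key not in fired:
            fired[key] = (event.ts_ms, rule.action)
    return fired


def sample_events():
    """Constructed traffic: two SYN sources and two HTTP POST sources."""
    events = []
    # Flood: 6000 SYNs to port 502 at two per millisecond.
    events += [Event(i // 2, "10.0.1.99", "tcp", 502, tcp_flags="S") for i in range(6000)]
    # Busy but slower source: one SYN every 2 ms, at most 2501 in any 5 s window.
    events += [Event(i * 2, "10.0.1.60", "tcp", 502, tcp_flags="S") for i in range(6000)]
    # Password guessing: 12 POSTs, 100 ms apart.
    events += [Event(20000 + i * 100, "10.0.1.99", "http", 8080, http_method="POST")
               for i in range(12)]
    # Operator: one POST every 2 s.
    events += [Event(i * 2000, "10.0.1.20", "http", 8080, http_method="POST")
               for i in range(12)]
    return events


if __name__ == "__main__":
    for (rule_id, src), (ts_ms, action) in sorted(first_triggers(sample_events()).items()):
        print(f"rule {rule_id} {action} for {src} at {ts_ms} ms")
```

The slower SYN source never reaches 5000 packets in any 5 s window, so a threshold sized for floods leaves sustained lower-rate traffic unreported.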

4.3.2. Custom Firewall Rules

As shown in Figure 5 and Figure 6, a total of four firewall rules are implemented, two for LAN (Subnet A) and two for WAN (Subnet B). Starting with the LAN interface, from top to bottom, these rules are as follows:
  • Permits traffic from the PLC to ScadaBR, through port 502;
  • Blocks SSH traffic from the PLC to all devices, except for the tester machine (192.168.5.20).
Figure 5. Firewall traffic rules for LAN interface.
Figure 6. Firewall traffic rules for WAN interface.
In Figure 6, the first WAN rule strictly permits traffic from ScadaBR to reach the PLC, and the second rule allows the tester machine to reach the PLC via SSH.

5. Evaluation of Pedagogical Effectiveness and User Experience

Using simulations and testbeds for practical learning is strongly supported by research in education. Virtual labs and simulations in networking and cybersecurity enhance both conceptual understanding and practical skills by offering safe, scalable environments for experimentation, thus avoiding hardware risks [63]. This work concentrates on the same concept through a VCPT, facilitating the understanding of abstract concepts, an area where students often struggle and which can lead to poor performance or disengagement [64]. Cognitive and educational psychology, especially the embodied cognition theory, highlights that grasping abstract ideas is more difficult without sensory or experiential grounding [65]. Constructivist and experiential learning theories also emphasise the importance of active, hands-on involvement for deep understanding and skill development [66,67]. Gamification and virtualisation have also been proven to be effective in increasing motivation and learning outcomes in computing education [68,69]. Additionally, a meta-analysis of 86 studies demonstrates that digital game-based learning in science, technology, engineering, and math (STEM) significantly improves conceptual understanding, motivation, and performance, with medium-to-strong positive effects [70].

5.1. Methodology and Data Ethics

To enable comparison, this study involved two separate cohorts: a control group without the VCPT (2023/24) and an experimental group using the VCPT (2024/25). However, the evaluation was not designed as a longitudinal study across multiple years, and therefore, it does not assess long-term retention or sustained learning impact. These aspects are identified as areas for future research.
To assess the pedagogical effectiveness and user experience of the VCPT, a study was conducted with 41 fourth-year students from the BSc in Cybersecurity and Networking programme. The 2023/24 cohort included 83 students, while the 2024/25 cohort had 95 students. Over 11 weeks, students participated in instructor-led lab sessions that followed a structured, scaffolded approach. Each week introduced a specific learning goal built upon the previous one, gradually expanding students’ knowledge and skills. Students worked in small groups to promote peer learning, using lab-books and the VCPT, while the tutor provided demonstrations and guided support. This study received full ethical approval from the institutional ethics committee.

5.2. Analysis

To evaluate the pedagogical effectiveness and user experience of the VCPT, post-module questionnaires were distributed to the 2024/25 cohort (N = 95), with 41 responses received. These responses, along with the analysis of students’ final assessment results, revealed a notable improvement in student performance following the integration of the VCPT into the module as a teaching and learning tool. The median of assessment results increased from 54 to 70, and the average increased from 54 to 67, marking a 24% overall improvement. More importantly, the proportion of students scoring 50 or higher grew significantly from 60.2% to 81.1%, and the distribution of higher grades showed substantial gains: scores in the 70–79 range increased by 21.1%, while scores in the 80–89 range rose by 13.1%. A chi-square test confirmed that this change is statistically significant (p < 0.001), indicating that the hands-on, problem-solving environment enhanced both conceptual understanding and practical application of CPS security principles.
This quantitative improvement echoes findings of other educational studies that utilised similar technologies. For instance, gamified learning and simulation-based training in computing have been shown to increase motivation and foster a deeper understanding, leading to higher assessment scores [71]. In one university study, students using a gamified system saw their scores on practical assignments rise significantly—by over 25 points in presentations and nearly 30 points in databases compared to the control group [72], and students who actively engaged with the gamified elements achieved a final course score that was 14 points higher than their peers on the traditional learning track [72]. This is further supported by a broader meta-analysis of serious games, which found that their use for knowledge acquisition resulted in a significant effect size of 0.67, comparable to a 12.6% increase in performance scores [73]. The VCPT’s interactive, visually engaging “train model” acts as a form of gamification, boosting intrinsic motivation by making learning more engaging and enjoyable, as reported in similar studies [74].
Additional support for these findings comes from the post-module questionnaires, which received highly positive feedback. For example, of the 41 respondents, over 87% agreed or strongly agreed that the course delivered a valuable and effective learning experience, highlighting strong student endorsement. Of the 41 students, 95% (39 of 41) had no prior experience with Operational Technology (OT), yet 92% believed that the testbed enhanced their understanding of CPS security. Students also appreciated the hands-on nature of the labs, with comments like “love the test bed,” “Train model is cool,” and “The model gave us a real-world look at our attacks in real time.” They described the labs as “interesting and immersive,” “very interactive,” and “great fun and very informative,” emphasising how the VCPT helped visualise processes and link theory to practice. The emphasis on “immersion” and “real-world look” in student feedback illustrates the instructional benefit of simulations in creating authentic learning environments. This authenticity helps bridge the “transfer gap,” allowing students to apply abstract concepts to practical problems, which is one of the key challenges in engineering education [75]. The positive feedback and high engagement levels are important, as they are indicators of the improved learning outcomes observed in the assessment results.
The VCPT provides clear educational advantages, as reflected in improved student assessment results. Its design is based on the constructivist learning theory, which emphasises the importance of hands-on experience for learning [76]. The organised, instructor-led approach combines problem-solving and peer collaboration, consistent with situated learning [67] and experiential learning [66].
It is important to note that, while these results demonstrate strong short-term improvements, they are preliminary and based on a relatively small sample size. This study was not longitudinal, and although two distinct cohorts were used—one control and one experimental group—further investigation is needed to confirm long-term knowledge retention and the ongoing impact of the VCPT. Future work will include multi-year longitudinal studies, larger cohorts, follow-up assessments, student interviews, and exploratory evaluations of the VCPT in professional and industrial contexts beyond the academic environment.

6. Conclusions

A virtualised automated level-crossing CPT was designed, tested, and evaluated to determine its effectiveness in simulating vulnerabilities, conducting attacks, and developing mitigation strategies for cybersecurity education and research. This VCPT represents a cost-effective and resource-efficient solution. Integration of OPNsense as an IDPS and inclusion of preconfigured rules enabled deep packet inspection and signature-based prevention. The VCPT boasts a simple gamified level crossing; it enhances accessibility for students and researchers, enabling them to grasp fundamental concepts without prior industrial knowledge of the process. Different attacks and their impact on the physical process were observed. The proposed VCPT was successfully tested with end node DoS attacks, thereby validating its modelling capability. Five vulnerabilities were successfully mitigated through signature-based intrusion detection and prevention, which improved the security posture of this CPT. Moreover, user feedback confirmed strong engagement and learning benefits, with over 87% rating the experience as effective and highlighting the immersive, hands-on nature of the VCPT. These perceptions align with the observed improvement in assessment scores, reinforcing its value as an educational tool. Future work includes extending capabilities to support offensive and defensive cybersecurity exercises by developing and embedding vulnerabilities that can be attacked and exploited. It also involves enhancing vulnerability assessment strategies to improve detection, response, and mitigation of attacks. One limitation of this work is its focus on secure conduits; in the future, the security posture of the VCPT can be strengthened through comprehensive hardening and defensive measures. Another limitation is the restricted support for network-level DoS attacks, which will require future studies on the impact of traffic policies’ development and the integration of traffic-shaping mechanisms. 
Additionally, several remaining vulnerabilities require further investigation. Finally, a longitudinal study across multiple cohorts would be necessary to validate the preliminary user testing results and assess sustained impact over time.

Author Contributions

Conceptualization, S.H. and M.Z.; methodology, M.A. (Minal Akeel), S.H. and M.Z.; software, M.A. (Minal Akeel), S.H. and H.H.; validation, M.A. (Minal Akeel), S.H., and M.Z.; formal analysis, M.A. (Minal Akeel) and M.Z.; investigation, M.A. (Minal Akeel) and M.Z.; resources, S.H., H.H., N.O. and M.A. (Moses Ashawa); data curation, M.A. (Minal Akeel), S.H. and M.Z.; writing—original draft, M.A. (Minal Akeel); writing—review and editing, M.A. (Minal Akeel), S.H., M.Z., H.H., N.O. and M.A. (Moses Ashawa); visualisation, H.H.; supervision, S.H., N.O. and M.A. (Moses Ashawa); project administration, N.O. and M.A. (Moses Ashawa). All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

This study was conducted according to the guidelines of the Declaration of Helsinki and approved by the research ethics committee of Glasgow Caledonian University (codes: SSE25018 and SSE25019; date of approval: 30 March 2024).

Informed Consent Statement

Informed consent was obtained from all subjects involved in this study.

Data Availability Statement

The original contributions presented in this study are included in the article. Further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. Alguliyev, R.; Imamverdiyev, Y.; Sukhostat, L. Cyber-physical systems and their security issues. Comput. Ind. 2018, 100, 212–223.
  2. Zhang, K.; Shi, Y.; Karnouskos, S.; Sauter, T.; Fang, H.; Colombo, A.W. Advancements in Industrial Cyber-Physical Systems: An Overview and Perspectives. IEEE Trans. Ind. Inform. 2023, 19, 716–729.
  3. Duo, W.; Zhou, M.; Abusorrah, A. A Survey of Cyber Attacks on Cyber Physical Systems: Recent Advances and Challenges. IEEE/CAA J. Autom. Sin. 2022, 9, 784–800.
  4. Humayed, A.; Lin, J.; Li, F.; Luo, B. Cyber-Physical Systems Security—A Survey. IEEE Internet Things J. 2017, 4, 1802–1831.
  5. Gunes, V.; Peter, S.; Givargis, T.; Vahid, F. A Survey on Concepts, Applications, and Challenges in Cyber-Physical Systems. KSII Trans. Internet. Inf. Syst. 2014, 8, 4242–4268.
  6. Amiri, A.; Steindl, G.; Hollerer, S. Integrated Safety and Security by Design in the IT/OT Convergence of Industrial Cyber-Physical Systems. In Proceedings of the 2024 IEEE 7th International Conference on Industrial Cyber-Physical Systems (ICPS), St. Louis, MO, USA, 12–15 May 2024.
  7. Hollerer, S.; Brenner, B.; Bhosale, P.R.; Fischer, C.; Hosseini, A.M.; Maragkou, S.; Papa, M.; Schlund, S.; Sauter, T.; Kastner, W. Challenges in OT Security and Their Impacts on Safety-Related Cyber-Physical Production Systems. In Digital Transformation; Vogel-Heuser, B., Wimmer, M., Eds.; Springer Vieweg: Berlin/Heidelberg, Germany, 2023.
  8. Machtemes, R.; Hale, G.; Walhof, M.; Ginter, A. Waterfall Security Solutions. 2025 Threat Report. March 2025. Available online: https://waterfall-security.com/wp-content/uploads/2025/03/2025-OT-Cyber-Security-Threat-Report.pdf?mc_cid=53c324e382&mc_eid=0069fc2d69 (accessed on 1 October 2025).
  9. Törngren, M.; Sellgren, U. Complexity Challenges in Development of Cyber-Physical Systems. In Principles of Modeling; Lohstroh, M., Derler, P., Sirjani, M., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2018; Volume 10760.
  10. Zhou, X.; Gou, X.; Huang, T.; Yang, S. Review on Testing of Cyber Physical Systems: Methods and Testbeds. IEEE Access 2018, 6, 52179–52194.
  11. Talukder, M.R.H. CPS Security Testbed: Requirement Analysis, Prototype Design and Protection Framework. Master’s Thesis, Colorado State University, Fort Collins, CO, USA, 2023.
  12. Neema, H.; Potteiger, B.; Koutsoukos, X.; Karsai, G.; Volgyesi, P.; Sztipanovits, J. Integrated simulation testbed for security and resilience of CPS. In Proceedings of the 33rd Annual ACM Symposium on Applied Computing, (SAC ‘18); Association for Computing Machinery: New York, NY, USA, 2018; pp. 368–374.
  13. Graja, I.; Kallel, S.; Guermouche, N.; Cheikhrouhou, S.; Kacem, A.H. A comprehensive survey on modeling of cyber-physical systems. Concurr. Comput. Pract. Exp. 2020, 32, 4850.
  14. Geng, Y.; Wang, Y.; Liu, W.; Wei, Q.; Liu, K.; Wu, H. A survey of industrial control system testbeds. In IOP Conference Series: Materials Science and Engineering; IOP Publishing: Bristol, UK, 2019.
  15. Sahu, A.; Wlazlo, P.; Mao, Z.; Huang, H.; Goulart, A.; Davis, K.; Zonouz, S. Design and evaluation of a cyber-physical testbed for improving attack resilience of power systems. IET Cyber-Phys. Syst. Theory Appl. 2021, 6, 208–227.
  16. Zhou, J. The Need of Testbeds for Cyberphysical System Security. IEEE Secur. Priv. 2024, 22, 4–6.
  17. Robles-Durazno, A.; Moradpoor, N.; McWhinnie, J.; Russell, G.; Porcel-Bustamante, J. Implementation and Evaluation of Physical, Hybrid, and Virtual Testbeds for Cybersecurity Analysis of Industrial Control Systems. Symmetry 2021, 13, 519.
  18. Conti, M.; Donadel, D.; Turrin, F. A survey on industrial control system testbeds and datasets for security research. IEEE Commun. Surv. Tutor. 2021, 23, 2248–2294.
  19. Gao, H.; Peng, Y.; Jia, K.; Dai, Z.; Wang, T. The design of ics testbed based on emulation, physical, and simulation (eps-ics testbed). In Proceedings of the 2013 Ninth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, Beijing, China, 16–18 October 2013.
  20. Adepu, S.; Kandasamy, N.K.; Mathur, A. EPIC: An Electric Power Testbed for Research and Training in Cyber-Physical Systems Security. In Computer Security. SECPRE/CyberICPS 2018; Katsikas, K.S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Anton, A., Gritzalis, S., Mylopoulos, J., Kalloniatis, C., Eds.; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2019; Volume 11387.
  21. Shin, H.K.; Lee, W.; Yun, J.H.; Kim, H.C. Implementation of programmable CPS testbed for anomaly detection. In Proceedings of the 12th USENIX Workshop on Cyber Security Experimentation and Test (CSET 2019); USENIX Association: Berkeley, CA, USA, 2019; p. 2.
  22. Ahmed, C.M.; Palleti, V.R.; Mathur, A.P. WADI: A water distribution testbed for research in the design of secure cyber physical systems. In Proceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks (CySWATER ‘17), Pittsburgh, PA, USA, 21 April 2017; pp. 25–28.
  23. Mathur, A.P.; Tippenhauer, N.O. SWaT: A water treatment testbed for research and training on ICS security. In Proceedings of the 2016 International Workshop on Cyber-Physical Systems for Smart Water Networks (CySWater), Vienna, Austria, 11–14 April 2016.
  24. Kundig, S.; Angelopoulos, C.M.; Rolim, J. Modelled Testbeds: Visualizing and Augmenting Physical Testbeds with Virtual Resources. In Information Technology & Systems (ICITS 2018); Rocha, A., Guarda, T., Eds.; Advances in Intelligent Systems and Computing; Springer: Cham, Switzerland, 2018; Volume 721.
  25. Formby, D.; Rad, M.; Beyah, R. Lowering the barriers to industrial control system security with GRFICS. In Proceedings of the 2018 USENIX Workshop on Advances in Security Education (ASE 18), Baltimore, MD, USA, 13 August 2018.
  26. Ekisa, C.; Briain, D.Ó.; Kavanagh, Y. VICSORT-A Virtualised ICS Open-source Research Testbed. In Proceedings of the 2022 Cyber Research Conference-Ireland (Cyber-RCI), Galway, Ireland, 25 April 2022.
  27. Maynard, P.; McLaughlin, K.; Sezer, S. An open framework for deploying experimental scada testbed networks. In Proceedings of the 5th International Symposium for ICS & SCADA Cyber Security Research 2018, Hamburg, Germany, 29–30 August 2018.
  28. Mallouhi, M.; Al-Nashif, Y.; Cox, D.; Chadaga, T.; Hariri, S. A testbed for analyzing security of SCADA control systems (TASSCS). In Proceedings of the 2011 IEEE PES Innovative Smart Grid Technologies (ISGT 2011), Anaheim, CA, USA, 17–19 January 2011; pp. 1–7.
  29. Cintuglu, M.H.; Mohammed, O.A.; Akkaya, K.; Uluagac, A.S. A survey on smart grid cyber-physical system testbeds. IEEE Commun. Surv. Tutor. 2016, 19, 446–464.
  30. Golder, A.; Gupta, D.; Roy, S.; Al Ahasan, M.A.; Haque, M.A. Automated Railway Crossing System: A Secure and Resilient Approach. In Proceedings of the 2023 IEEE 14th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), New York, NY, USA, 12–14 October 2023; pp. 247–253.
  31. Bernieri, G.; Del Moro, F.; Faramondi, L.; Pascucci, F. A testbed for integrated fault diagnosis and cyber security investigation. In Proceedings of the 2016 International Conference on Control, Decision and Information Technologies (CoDIT), Saint Julian’s, Malta, 6–8 April 2016; pp. 454–459.
  32. Xu, W.; Tao, Y.; Yang, C.; Chen, H. MSICST: Multiple-Scenario Industrial Control System Testbed for Security Research. Comput. Mater. Contin. 2019, 60, 691–705.
  33. Smadi, A.A.; Ajao, B.T.; Johnson, B.K.; Lei, H.; Chakhchoukh, Y.; Al-Haija, Q.A. A Comprehensive survey on cyber-physical smart grid testbed architectures: Requirements and challenges. Electronics 2021, 10, 1043.
  34. Antonioli, D.; Tippenhauer, N.O. MiniCPS: A Toolkit for Security Research on CPS Networks. In Proceedings of the First ACM Workshop on Cyber-Physical Systems-Security and/or Privacy, Denver, CO, USA, 16 October 2015.
  35. Almalawi, A.; Tari, Z.; Khalil, I.; Fahad, A. SCADAVT-A framework for SCADA security testbed based on virtualization technology. In Proceedings of the 38th Annual IEEE Conference on Local Computer Networks, Sydney, NSW, Australia, 21–24 October 2013; pp. 639–646.
  36. Ghaleb, A.; Zhioua, S.; Almulhem, A. SCADA-SST: A SCADA security testbed. In Proceedings of the 2016 World Congress on Industrial Control Systems Security (WCICSS), London, UK, 12–14 December 2016; pp. 1–6.
  37. Krotofil, M.; Larsen, J. Rocking the Pocket Book: Hacking Chemical Plants. In DefCon Conference; DEFCON: Las Vegas, NV, USA, 2015.
  38. Maynard, P. ICS Testbed Framework. Github Repository. Available online: https://github.com/PMaynard/ICS-TestBed-Framework (accessed on 20 January 2026).
  39. Simulink; MathWorks: Natick, MA, USA, 2024. Available online: https://www.mathworks.com/products/simulink.html (accessed on 20 January 2026).
  40. PowerWorld Simulator; PowerWorld Corporation: Champaign, IL, USA, 2025. Available online: https://www.powerworld.com/ (accessed on 20 January 2026).
  41. Factory I/O; Realism Ltd.: El Segundo, CA, USA, 2014. Available online: https://factoryio.com/ (accessed on 20 January 2026).
  42. Downs, J.J.; Vogel, E.F. A plant-wide industrial process control problem. Comput. Chem. Eng. 1993, 17, 245–255.
  43. Oracle Corporation. Virtual Box. Available online: https://www.virtualbox.org/ (accessed on 4 November 2025).
  44. ScadaBR. Available online: http://www.scadasoftware.net/software/scadabr.html (accessed on 28 July 2025).
  45. Electric Sheep Fencing, LLC. pfSense. Available online: https://www.pfsense.org/ (accessed on 28 July 2025).
  46. Gomez, J.; Kfoury, E.F.; Crichigno, J.; Srivastava, G. A survey on network simulators, emulators, and testbeds used for research and education. Comput. Netw. 2023, 237, 110054.
  47. Hosseinzadeh, S.; Voutos, D.; Barrie, D.; Owoh, N.; Ashawa, M.; Shahrabi, A. Design and Development Considerations of a Cyber Physical Testbed for Operational Technology Research and Education. Sensors 2024, 24, 3923.
  48. Network Rail. Level Crossing Safety. Available online: https://www.networkrail.co.uk/communities/safety-in-the-community/level-crossing-safety/ (accessed on 10 September 2025).
  49. Office of Rail and Road. Annual Report of Health and Safety on Britain’s Railways 2024 to 2025. Available online: https://www.orr.gov.uk/annual-report-health-and-safety-britains-railways-2024-2025 (accessed on 10 September 2025).
  50. Rail Accident Investigation Branch. Report 05/2025–Passenger Train Collision with a Road Vehicle at Redcar Level Crossing, Redcar and Cleveland, 1 May 2024. Department for Transport (Crown Copyright), April 2025. Available online: https://assets.publishing.service.gov.uk/media/67ee5b5753fa8521c3248c63/R052025_250403_Redcar.pdf (accessed on 10 September 2025).
  51. Network Rail. Giving You More Efficient and Reliable Level Crossings. Available online: https://www.networkrail.co.uk/stories/giving-you-more-efficient-and-reliable-level-crossings/ (accessed on 10 September 2025).
  52. Williams, T.J. The Purdue enterprise reference architecture. Comput. Ind. 1994, 24, 141–158.
  53. Assante, M.J.; Lee, R.M. The industrial control system cyber kill chain. SANS Inst. InfoSec Read. Room 2015, 1, 2.
  54. Unity Technologies. Unity. Available online: https://unity.com/ (accessed on 13 November 2025).
  55. Alpine Linux. Available online: https://www.alpinelinux.org/about/ (accessed on 28 July 2025).
  56. de Brito, I.B.; de Sousa, R.T., Jr. Development of an Open-Source Testbed Based on the Modbus Protocol for Cybersecurity Analysis of Nuclear Power Plants. Appl. Sci. 2022, 12, 7942.
  57. OPNsense. Available online: https://opnsense.org/ (accessed on 28 July 2025).
  58. OPNsense Team. OPNsense Documentation. Available online: https://docs.opnsense.org/ (accessed on 14 July 2025).
  59. Scarfone, K.; Souppaya, M.; Cody, A.; Orebaugh, A. Technical Guide to Information Security Testing and Assessment. In NIST Special Publication 800-115; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2008.
  60. Nessus. Tenable. Available online: https://www.tenable.com/products/nessus (accessed on 28 July 2025).
  61. MITRE Corporation. MITRE ATT&CK® Framework. Available online: https://attack.mitre.org/ (accessed on 3 August 2025).
  62. PortSwigger Ltd. PortSwigger. Available online: https://portswigger.net/ (accessed on 3 August 2025).
  63. Abril, T.; Gamito, P.; da Motta, C.; Oliveira, J.; Dias, F.; Pinto, F.; Oliveira, M. Exploring a novel approach to cybersecurity: The role of ecological simulations on cybersecurity risk behaviors. Virtual Real. 2025, 29, 150.
  64. Schnitzler, K.; Holzberger, D.; Seidel, T. All better than being disengaged: Student engagement patterns and their relations to academic self-concept and achievement. Eur. J. Psychol. Educ. 2021, 36, 627–652.
  65. Dove, G. The challenges of abstract concepts. In Handbook of Embodied Psychology: Thinking, Feeling, and Acting; Springer Nature: New York, NY, USA, 2021; pp. 171–195.
  66. Kolb, D.A. Experiential Learning: Experience as the Source of Learning and Development; FT Press: Upper Saddle River, NJ, USA, 2014.
  67. Lave, J.; Wenger, E. Situated Learning: Legitimate Peripheral Participation; Cambridge University Press: Cambridge, UK, 1991.
  68. Lampropoulos, G.; Sidiropoulos, A. Impact of gamification on students’ learning outcomes and academic performance: A longitudinal study comparing online, traditional, and gamified learning. Educ. Sci. 2024, 14, 367.
  69. Triantafyllou, S.A.; Sapounidis, T.; Stamovlasis, D. Gamification and Computational Thinking in Education: A Review and a Meta-Analysis. In Technology, Knowledge and Learning; Springer Nature: New York, NY, USA, 2025; pp. 1–36.
  70. Gui, Y.; Cai, Z.; Yang, Y.; Kong, L.; Fan, X.; Tai, R.H. Effectiveness of digital educational game and game design in STEM learning: A meta-analytic review. Int. J. STEM Educ. 2023, 10, 36.
  71. Srikant, S.; Aggarwal, V. A system to grade computer programming skills using machine learning. In Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, New York, NY, USA, 24–27 August 2014; pp. 1887–1896.
  72. Domínguez, A.; Saenz-de-Navarrete, J.; De-Marcos, L.; Fernández-Sanz, L.; Pagés, C.; Martínez-Herráiz, J.J. Gamifying learning experiences: Practical implications and outcomes. Comput. Educ. 2013, 63, 380–392.
  73. Connolly, T.M.; Boyle, E.A.; MacArthur, E.; Hainey, T.; Boyle, J.M. A systematic literature review of empirical evidence on computer games and serious games. Comput. Educ. 2012, 59, 661–686.
  74. Deterding, S.; Dixon, D.; Khaled, R.; Nacke, L. From game design elements to gamefulness: Defining “gamification”. In Proceedings of the 15th International Academic MindTrek Conference: Envisioning Future Media Environments, Tampere, Finland, 28–30 September 2011; pp. 9–15.
  75. Prince, M.J.; Felder, R.M. Inductive teaching and learning methods: Definitions, comparisons, and research bases. J. Eng. Educ. 2006, 95, 123–138.
  76. Qian, M.; Clark, K.R. Game-based Learning and 21st century skills: A review of recent research. Comput. Hum. Behav. 2016, 63, 50–58.
Figure 2. VCPT network topology.
Figure 3. HMI status affected by SYN flood.
Figure 4. Physical impact of Modbus command injection.
Table 1. Comparison of CPT types.

| CPT Type | Network Fidelity | Flexibility | Scalability | Cost-Effective | Safety |
|---|---|---|---|---|---|
| Physical | High | Low | Low | Low | Low |
| Virtual | Low | High | High | High | High |
| Hybrid | Moderate | Moderate | Moderate | Moderate | Moderate |

Table 2. Field devices and their function.

| Sensor/Actuator | Function |
|---|---|
| PLC | Automation of the level-crossing operations |
| Traffic light signal and alarm | Signal vehicles of train arrival using lights and alarm |
| Train light signal | Signal trains about state of crossing |
| Barrier | Lowered or raised for traffic control |
| Train detection | Detect train arrival |
| Obstacle detection | Detect stranded vehicles on tracks |

Table 3. Nessus vulnerabilities scan results. Highlighted rows denote the specific vulnerabilities that were selected for exploitation in this study.

| Vulnerability | Description | Severity |
|---|---|---|
| SCADA | | |
| CVE-2020-1938 (Ghostcat) | File inclusion and remote code execution (RCE) via AJP in Apache Tomcat | Critical |
| CVE-2021-26828 | Remote code execution (RCE) of JSP files via view_edit.shtm | Critical |
| CWE-1104 | Use of unmaintained components, Apache Tomcat 6.0.x end of life | Critical |
| CWE-89 | Improper neutralisation of special elements used in an SQL command (SQL injection) | High |
| CWE-204; CWE-307 | Observable response discrepancy; Improper restriction of excessive authentication attempts | High |
| CWE-530 | Exposure of Apache Tomcat backup files | Medium |
| CWE-1021 | Improper restriction of rendered UI layers or frames, resulting in clickjacking | Medium |
| CVE-2021-26829 | Stored XSS vulnerability via system_settings.shtm | Medium |
| PLC and Field Devices | | |
| CWE-300; CWE-319; CWE-306 | Protocol (Modbus) accessible by any end node; Clear text transmission and lack of encryption; Missing authentication; Resulting in false data injection, man-in-the-middle, etc. | High |
| OpenSSH vulnerabilities; CVE-2024-6387; CVE-2024-39894 | Arbitrary code execution to escalate root privileges | High |
| CVE-2023-48795; CVE-2023-51384; CVE-2023-51385; CVE-2025-32728 | Earlier versions of OpenSSH are vulnerable, which allows man-in-the-middle attacks; Proper enforcement of DisableForwarding directive is not established | Medium |

Table 4. OPNsense custom IDPS rules.

| Action/ID | Description | Mitigated Vulnerability |
|---|---|---|
| Block/101 | HTTP GET request contains “=\|whoami\|ls\|pwd” or similar | CVE-2020-1938 (Ghostcat) |
| Block/102 | HTTP POST request to “view_edit.shtm” contains “exec\|bash” or similar | CVE-2021-26828 |
| Block/103 | More than 5000 SYN packets from same source in 5 s triggers the rule | DoS, SYN flood |
| Block/104 | More than 5000 ICMP requests from same source in 5 s triggers the rule | DoS, ICMP flood |
| Block/105 | More than 10 HTTP-POST attempts from same source in 5 s triggers the rule | Enumeration attack via HTTP-Proxy service |


Share and Cite

MDPI and ACS Style

Akeel, M.; Hosseinzadeh, S.; Zeeshan, M.; Homatash, H.; Owoh, N.; Ashawa, M. Virtual Testbed for Cyber-Physical System Security Research and Education: Design, Evaluation, and Impact. Electronics 2026, 15, 582. https://doi.org/10.3390/electronics15030582
