Um cyber range baseado em contêineres para ensino de cibersegurança em tecnologias operacionais e sistemas de controle industrial
Resumo
Este trabalho apresenta os OTLabs, ambientes de emulação de tecnologias operacionais (do Inglês, ‘operational technology’ [OT]) e sistemas de controle industrial (‘industrial control systems’ [ICS]), projetados para apoiar a aprendizagem experimental em cibersegurança industrial por meio de ‘cyber ranges’ baseados em contêineres. A proposta responde à necessidade de fortalecer a formação prática em OT-ICS, diante da crescente complexidade, digitalização e ampliação da superfície de ataque de sistemas ciberfísicos, especialmente nos setores elétrico e de manufatura industrial. São discutidos a arquitetura típica dos OTLabs, o uso de ‘scripts’ de orquestração e a metodologia de desenvolvimento, considerando aspectos técnicos e educacionais. Como resultado, foram desenvolvidos treze OTLabs, que vão de atividades introdutórias de descoberta de ativos OT-ICS a cenários mais complexos. Os OTLabs têm sido aplicados em disciplina de graduação e em treinamentos, com elevada receptividade e engajamento dos discentes.Referências
Ackerman, P. (2021). Industrial Cybersecurity. Packt Publishing, Birmingham, UK.
Baker, R. (2023). Deep Dive: Exploring the Real-World Value of Open Source Intelligence. John Wiley & Sons, Hoboken, NJ, USA.
Beard, C. (2010). The Experiential Learning Toolkit: Blending Practice with Concepts. Kogan Page, New York, NY, USA.
Bonwell, C. C. and Eison, J. A. (1991). Active Learning: Creating Excitement in the Classroom. The George Washington University, School of Education and Human Development, Washington, DC, USA.
Brooks, C. B. and Craig Jr., P. A. (2022). Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT. John Wiley & Sons, Hoboken, NJ, USA.
Cao, L., Jiang, X., Zhao, Y., Wang, S., You, D., and Xu, X. (2020). A Survey of Network Attacks on Cyber-Physical Systems. IEEE Access, 8:44219–44227.
Christopher, J. D. (2025). The State of ICS/OT Security 2025. SANS Institute. [link].
Cybersecurity & Infrastructure Security Agency (2025). Unsophisticated Cyber Actor(s) Targeting Operational Technology. [link].
Errington, E. (2011). Mission Possible: Using Near-World Scenarios to Prepare Graduates for the Professions. International Journal of Teaching and Learning in Higher Education, 23:84–91.
European Parliament and Council of the European Union (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. NIS2 Directive. [link].
European Union Agency for Cybersecurity (2025). ENISA Threat Landscape 2025. [link].
Flaus, J.-M. (2019). Cybersecurity of Industrial Systems. John Wiley & Sons–ISTE, Hoboken, NJ, USA.
Freitas-Gutierres, L. F. (2025). CITEPS: Cyber Incident Tracker for Electric Power Systems. GitHub [substationworm]. [link].
Hopes, J., editor (2009). Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting. Syngress Publishing, Burlington, MA, USA.
Jain, V. (2022). Wireshark Fundamentals: A Network Engineer’s Handbook to Analyzing Network Traffic. Apress, San Jose, CA, USA.
Kapp, K. M. (2012). The Gamification of Learning and Instrution. Pfeiffer-ASTD, San Francisco, CA, US.
Lyon, G. (2009). Nmap Network Scanning.
Matherly, J. (2017). Complete Guide to Shodan. Leanpub, British Columbia, CA.
Morris, K. (2025). Infrastructure as Code: Designing and Delivering Dynamic Systems for the Cloud Age. O’Reilly Media, Sebastopol, CA, USA, 3 edition.
Muli, J. (2018). Beginning DevOps with Docker. Packt Publishing, Birmingham, UK.
National Initiative for Cybersecurity Education (2023). The Cyber Range: A Guide. National Institute of Standards and Technology. [link].
Organisation for Economic Co-operation and Development (2024). Building a Skilled Cyber Security Workforce in Europe: Insights from France, Germany and Poland. OECD Skills Studies, OECD Publishing, Paris. [link].
Smith, P. (2021). Pentesting Industrial Control Systems. Packt Publishing, Birmingham, UK.
Stoddart, K. (2022). Cyberwarfare: Threats to Critical Infrastructure. Palgrave Macmillan, Cham, Switzerland.
Stouffer, K., Pease, M., Tang, C., Zimmerman, T., Pillitteri, V., Lightman, S., Hahn, A., Saravia, S., Sherule, A., and Thompson, M. (2023). Guide to Operational Technology (OT) Security. National Institute of Standards and Technology. NIST Special Publication 800-82r3.
Styczynski, J. and Beach-Westmoreland, N. (2019). When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure. Booz Allen Hamilton. [link].
The White House (2013). Presidential Policy Directive/PPD-21: Critical Infrastructure Security and Resilience. [link].
van Rensburg, A. J. and Baker, R. (2021). CTF Events: Contemporary Practices and State-of-the-Art in Capture-the-Flag Competitions. European Union Agency for Cybersecurity. [link].
Ward, R. (1998). Active, Collaborative and Case-Based Learning with Computer-Based Case Scenarios. Computers & Education, 30:103–110.
Waterfall Security Solutions (2024). 2024 Threat Report. [link].
Waterfall Security Solutions (2025). 2025 Threat Report. [link].
Yohanandhan, R. V., Elavarasan, R. M., Manoharan, P., and Mihet-Popa, L. (2020). Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis With Cyber Security Applications. IEEE Access, 8:151019–151064.
Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., and Terzija, V. (2022a). A Holistic Review on Cyber-Physical Power System (CPPS) Testbeds for Secure and Sustainable Electric Power Grid – Part – I: Background on CPPS and Necessity of CPPS Testbeds. International Journal of Electrical Power & Energy Systems, 136.
Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., and Terzija, V. (2022b). A Holistic Review on Cyber-Physical Power System (CPPS) Testbeds for Secure and Sustainable Electric Power Grid – Part – II: Classification, Overview and Assessment of CPPS Testbeds. International Journal of Electrical Power & Energy Systems, 137.
Zetter, K. (2016a). Everything We Know About Ukraine’s Power Plant Hack. WIRED. [link].
Zetter, K. (2016b). Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid. WIRED. [link].
Zetter, K. (2017). ‘Crash Override’: The Malware That Took Down a Power Grid. WIRED. [link].
Baker, R. (2023). Deep Dive: Exploring the Real-World Value of Open Source Intelligence. John Wiley & Sons, Hoboken, NJ, USA.
Beard, C. (2010). The Experiential Learning Toolkit: Blending Practice with Concepts. Kogan Page, New York, NY, USA.
Bonwell, C. C. and Eison, J. A. (1991). Active Learning: Creating Excitement in the Classroom. The George Washington University, School of Education and Human Development, Washington, DC, USA.
Brooks, C. B. and Craig Jr., P. A. (2022). Practical Industrial Cybersecurity: ICS, Industry 4.0, and IIoT. John Wiley & Sons, Hoboken, NJ, USA.
Cao, L., Jiang, X., Zhao, Y., Wang, S., You, D., and Xu, X. (2020). A Survey of Network Attacks on Cyber-Physical Systems. IEEE Access, 8:44219–44227.
Christopher, J. D. (2025). The State of ICS/OT Security 2025. SANS Institute. [link].
Cybersecurity & Infrastructure Security Agency (2025). Unsophisticated Cyber Actor(s) Targeting Operational Technology. [link].
Errington, E. (2011). Mission Possible: Using Near-World Scenarios to Prepare Graduates for the Professions. International Journal of Teaching and Learning in Higher Education, 23:84–91.
European Parliament and Council of the European Union (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. NIS2 Directive. [link].
European Union Agency for Cybersecurity (2025). ENISA Threat Landscape 2025. [link].
Flaus, J.-M. (2019). Cybersecurity of Industrial Systems. John Wiley & Sons–ISTE, Hoboken, NJ, USA.
Freitas-Gutierres, L. F. (2025). CITEPS: Cyber Incident Tracker for Electric Power Systems. GitHub [substationworm]. [link].
Hopes, J., editor (2009). Virtualization for Security: Including Sandboxing, Disaster Recovery, High Availability, Forensic Analysis, and Honeypotting. Syngress Publishing, Burlington, MA, USA.
Jain, V. (2022). Wireshark Fundamentals: A Network Engineer’s Handbook to Analyzing Network Traffic. Apress, San Jose, CA, USA.
Kapp, K. M. (2012). The Gamification of Learning and Instrution. Pfeiffer-ASTD, San Francisco, CA, US.
Lyon, G. (2009). Nmap Network Scanning.
Matherly, J. (2017). Complete Guide to Shodan. Leanpub, British Columbia, CA.
Morris, K. (2025). Infrastructure as Code: Designing and Delivering Dynamic Systems for the Cloud Age. O’Reilly Media, Sebastopol, CA, USA, 3 edition.
Muli, J. (2018). Beginning DevOps with Docker. Packt Publishing, Birmingham, UK.
National Initiative for Cybersecurity Education (2023). The Cyber Range: A Guide. National Institute of Standards and Technology. [link].
Organisation for Economic Co-operation and Development (2024). Building a Skilled Cyber Security Workforce in Europe: Insights from France, Germany and Poland. OECD Skills Studies, OECD Publishing, Paris. [link].
Smith, P. (2021). Pentesting Industrial Control Systems. Packt Publishing, Birmingham, UK.
Stoddart, K. (2022). Cyberwarfare: Threats to Critical Infrastructure. Palgrave Macmillan, Cham, Switzerland.
Stouffer, K., Pease, M., Tang, C., Zimmerman, T., Pillitteri, V., Lightman, S., Hahn, A., Saravia, S., Sherule, A., and Thompson, M. (2023). Guide to Operational Technology (OT) Security. National Institute of Standards and Technology. NIST Special Publication 800-82r3.
Styczynski, J. and Beach-Westmoreland, N. (2019). When the Lights Went Out: A Comprehensive Review of the 2015 Attacks on Ukrainian Critical Infrastructure. Booz Allen Hamilton. [link].
The White House (2013). Presidential Policy Directive/PPD-21: Critical Infrastructure Security and Resilience. [link].
van Rensburg, A. J. and Baker, R. (2021). CTF Events: Contemporary Practices and State-of-the-Art in Capture-the-Flag Competitions. European Union Agency for Cybersecurity. [link].
Ward, R. (1998). Active, Collaborative and Case-Based Learning with Computer-Based Case Scenarios. Computers & Education, 30:103–110.
Waterfall Security Solutions (2024). 2024 Threat Report. [link].
Waterfall Security Solutions (2025). 2025 Threat Report. [link].
Yohanandhan, R. V., Elavarasan, R. M., Manoharan, P., and Mihet-Popa, L. (2020). Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis With Cyber Security Applications. IEEE Access, 8:151019–151064.
Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., and Terzija, V. (2022a). A Holistic Review on Cyber-Physical Power System (CPPS) Testbeds for Secure and Sustainable Electric Power Grid – Part – I: Background on CPPS and Necessity of CPPS Testbeds. International Journal of Electrical Power & Energy Systems, 136.
Yohanandhan, R. V., Elavarasan, R. M., Pugazhendhi, R., Premkumar, M., Mihet-Popa, L., and Terzija, V. (2022b). A Holistic Review on Cyber-Physical Power System (CPPS) Testbeds for Secure and Sustainable Electric Power Grid – Part – II: Classification, Overview and Assessment of CPPS Testbeds. International Journal of Electrical Power & Energy Systems, 137.
Zetter, K. (2016a). Everything We Know About Ukraine’s Power Plant Hack. WIRED. [link].
Zetter, K. (2016b). Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid. WIRED. [link].
Zetter, K. (2017). ‘Crash Override’: The Malware That Took Down a Power Grid. WIRED. [link].
Publicado
19/07/2026
Como Citar
FREITAS-GUTIERRES, Luiz F.; CASSOL, Jhonatan A.; MORAIS, Adriano P.; PINTO, José J. B. S.; RODRIGUES, Miguel G.; FARIAS, Rafael R.; MAXIMIANO, Marisa S.; GOMES, Ricardo J. P..
Um cyber range baseado em contêineres para ensino de cibersegurança em tecnologias operacionais e sistemas de controle industrial. In: SEMINÁRIO INTEGRADO DE SOFTWARE E HARDWARE (SEMISH), 53. , 2026, Gramado/RS.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2026
.
p. 734-745.
ISSN 2595-6205.
DOI: https://doi.org/10.5753/semish.2026.23661.
