OT/SCADA Physics
NetForge models physical process variables on PLC hosts using first-order lag differential equations, enabling safety-critical RL research for power grids and industrial control systems.
Physical state per PLC host
Each host with os == 'PLC_Firmware' carries three process variables and their corresponding setpoints:
| Attribute | Description | Nominal range |
|---|---|---|
| temperature | Process temperature (°C) | 40–60 |
| pressure | Process pressure (bar) | 90–110 |
| flow_rate | Volumetric flow (L/min) | 40–60 |
| temperature_setpoint | PLC target for temperature | same as nominal |
| pressure_setpoint | PLC target for pressure | same as nominal |
| flow_rate_setpoint | PLC target for flow | same as nominal |
Physics engine
PLCPhysicsEngine (netforge_rl/scenarios/ot_physics.py) is ticked once per environment step, after action effects are applied and before termination is checked.
Update rule per variable x with setpoint x_sp and time constant τ:
| Variable | τ (ticks) | σ (noise) |
|---|---|---|
| temperature | 20 | 0.1 |
| pressure | 10 | 0.2 |
| flow_rate | 5 | 0.3 |
Alarm thresholds
| Variable | Alarm (SCADA_PHYSICAL_ALARM) | Critical (SCADA_KINETIC_BREACH) |
|---|---|---|
| temperature | > 80°C | > 120°C |
| pressure | > 130 or < 70 bar | > 180 or < 30 bar |
| flow_rate | > 90 or < 20 L/min | > 150 or < 5 L/min |
Alarm alerts are pushed to the SIEM at severity 7. A critical breach sets system_integrity = 'kinetic_destruction' and fires a severity-10 SIEM event, which terminates the episode in ot_stuxnet.
Attack path
OverloadPLC (red action ID 20) manipulates setpoints on a compromised PLC host:
```python
temperature_setpoint += uniform(80, 150)  # drives process toward 120–210°C
pressure_setpoint *= uniform(1.5, 2.0)    # 1.5–2× nominal → kinetic range
flow_rate_setpoint = 3.0                  # near-zero choke
```
Physical destruction follows roughly 10–15 ticks after setpoint manipulation, giving Blue agents a detection window via SIEM alarm events.
Defense
Blue agents can respond to SCADA_PHYSICAL_ALARM events (visible in the SIEM embedding) by isolating the PLC before critical thresholds are crossed. IsolateHost stops physics ticking on the isolated host.
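
The window between SCADA_PHYSICAL_ALARM and SCADA_KINETIC_BREACH that Blue has to act in can be estimated offline. The sketch below is an added example, not NetForge's own code: it assumes a noise-free discrete lag step `x += (x_sp - x) / τ` (the exact update rule is not shown on this page), takes τ and the thresholds from the tables above, and the names `response_window` and `blue_budget` are hypothetical.

```python
# Added example: constants are copied from the page's tables; the update rule
# x += (x_sp - x) / tau is an ASSUMED discretisation, not NetForge's code.
TAU = {"temperature": 20, "pressure": 10, "flow_rate": 5}
# (low, high) bounds; None means the page lists no bound on that side.
ALARM = {"temperature": (None, 80), "pressure": (70, 130), "flow_rate": (20, 90)}
CRITICAL = {"temperature": (None, 120), "pressure": (30, 180), "flow_rate": (5, 150)}


def outside(value, bounds):
    """True when value is strictly below the low bound or above the high bound."""
    low, high = bounds
    return (low is not None and value < low) or (high is not None and value > high)


def response_window(variable, start, setpoint, max_ticks=500):
    """Simulate the noise-free lag after a setpoint change.

    Returns (alarm_tick, critical_tick); either is None if that threshold
    is not crossed within max_ticks.
    """
    x, alarm_tick, critical_tick = start, None, None
    for tick in range(1, max_ticks + 1):
        x += (setpoint - x) / TAU[variable]  # assumed first-order lag step
        if alarm_tick is None and outside(x, ALARM[variable]):
            alarm_tick = tick
        if outside(x, CRITICAL[variable]):
            critical_tick = tick
            break
    return alarm_tick, critical_tick


def blue_budget(variable, start, setpoint):
    """Ticks between first alarm and critical breach (None if no breach)."""
    alarm_tick, critical_tick = response_window(variable, start, setpoint)
    if alarm_tick is None or critical_tick is None:
        return None
    return critical_tick - alarm_tick


if __name__ == "__main__":
    # Constructed starting values: mid-points of the nominal ranges.
    cases = [("flow_rate", 50.0, 3.0), ("pressure", 100.0, 200.0),
             ("temperature", 50.0, 200.0)]
    for name, start, sp in cases:
        print(name, response_window(name, start, sp), blue_budget(name, start, sp))
```

The budget is the number of ticks in which an IsolateHost issued in response to the severity-7 alarm still lands before the severity-10 breach; the σ noise in the real engine will shift these tick counts slightly.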