Industrial Operational Technology (OT) environments face escalating cybersecurity challenges due to increasing interconnectedness, device heterogeneity, and the integration of legacy systems not designed with modern security requirements. Operators struggle with security validation in OT settings due to the complexity of static reasoning across multilayered architectures and the impracticality of in-production testing, which risks operational disruptions and safety hazards. To address these limitations, we propose SAFARI, a framework that leverages the concepts of digital twin and cyber range to enable Security-Investigation-as-Code for OT environments, automating the creation, deployment, and security testing of faithful OT architecture replicas. SAFARI uses technologies such as Terraform, Proxmox SDN, and MITRE Caldera to provide scalable, reproducible security assessment capabilities while maintaining complete air-gapping for safe malware testing. We demonstrate SAFARI’s effectiveness through a comprehensive case study examining three industrial network architectures exhibiting increasing segmentation. Our results show that SAFARI successfully automates complex security scenarios, enables regression testing of architectural refinements, and provides quantifiable insights into attack resistance improvements. The framework represents a significant advancement in OT security testing methodology, offering security operators a practical tool for systematic vulnerability assessment and architectural validation without compromising operational continuity.
Callegati, F., Giallorenzo, S., Melis, A., Melloni, S., Prandini, M., Vannini, A. (2025). Investigating operational technology attacks as code. EMPIRICAL SOFTWARE ENGINEERING, 30(6), 1-37 [10.1007/s10664-025-10713-2].
Investigating operational technology attacks as code
Callegati, Franco;Giallorenzo, Saverio;Melis, Andrea;Prandini, Marco;Vannini, Alessandro
2025
Abstract
Industrial Operational Technology (OT) environments face escalating cybersecurity challenges due to increasing interconnectedness, device heterogeneity, and the integration of legacy systems not designed with modern security requirements. Operators struggle with security validation in OT settings due to the complexity of static reasoning across multilayered architectures and the impracticality of in-production testing, which risks operational disruptions and safety hazards. To address these limitations, we propose SAFARI, a framework that leverages the concepts of digital twin and cyber range to enable Security-Investigation-as-Code for OT environments, automating the creation, deployment, and security testing of faithful OT architecture replicas. SAFARI uses technologies such as Terraform, Proxmox SDN, and MITRE Caldera to provide scalable, reproducible security assessment capabilities while maintaining complete air-gapping for safe malware testing. We demonstrate SAFARI’s effectiveness through a comprehensive case study examining three industrial network architectures exhibiting increasing segmentation. Our results show that SAFARI successfully automates complex security scenarios, enables regression testing of architectural refinements, and provides quantifiable insights into attack resistance improvements. The framework represents a significant advancement in OT security testing methodology, offering security operators a practical tool for systematic vulnerability assessment and architectural validation without compromising operational continuity.| File | Dimensione | Formato | |
|---|---|---|---|
|
s10664-025-10713-2.pdf
accesso aperto
Tipo:
Versione (PDF) editoriale / Version Of Record
Licenza:
Licenza per Accesso Aperto. Creative Commons Attribuzione (CCBY)
Dimensione
5 MB
Formato
Adobe PDF
|
5 MB | Adobe PDF | Visualizza/Apri |
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
