CyDes Lab Architecture Reference

Strict Purdue Model Layout & Verified Networking Boundaries (IEC 62443 Standard)

Level 5: Internet & External Threats
WAN: 145.220.74.142/25
Fontys Router
145.220.74.254
Main ISP uplink interface.
Enterprise VPN Tunnel Termination Domain
Boundary: RT-01 (Main Router / pfSense)
LAN: 192.168.172.1/24 (VLAN A) | OPT1: 10.10.10.1/24 (VLAN B)
VPN Landing Target: remote VPN sessions terminate on this router after passing multi-factor authentication.
Static Route: 10.20.20.0/24 via Industrial Firewall (10.10.10.254)
Level 4: Enterprise IT & SOC
Tristan SIEM Stack
SRV-UBT-WAZUH
Intrusion Detection System
Security analytics, file integrity monitoring, and active threat monitoring for the lab.
Level 3: Operations Systems
PVlanA - 192.168.172.0/24
WS-UBT-Eng-Station (VPN Tunnel Destination)
192.168.172.11
Secure engineering workstation running the newly deployed OpenPLC Editor v4. Inbound VPN sessions from the edge terminate on this host, and it is the origin of the outbound double-jump SSH path through the two jump servers.
Level 3.5: IT/OT Security DMZ
PVlanE - 10.20.20.0/24
Host Jump Server
10.20.20.10
Ingress Buffer: minimal Ubuntu Server build. Follows the least-functionality principle by omitting any desktop GUI, which keeps the exposed attack surface small. Requires explicit external access authorization, multi-factor authentication, and full session keystroke logging. Gateway towards the internal segments: 10.20.20.254.
Industrial Firewall (IEC 62443 Zone Enforcement / pfSense)
WAN: 10.10.10.254/24 | DMZ_VLAN_E (OPT1): 10.20.20.254/24 | LAN: 172.16.0.1/24
Rule 1: Allow inbound RDP (3389) / SSH (22) from IT strictly to 10.20.20.10
Rule 2: Allow originating Jump Server (10.20.20.10) to L3 Management PC (10.10.10.11)
Rule 4: Implicit deny enforced (broad cross-routing to 10.10.10.x / 172.16.0.x is blocked)
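The zone/conduit policy above can be checked offline before a change is pushed to the Industrial Firewall. The following is an added example (not the lab's pfSense export): Rules 1 and 2 are transcribed exactly as listed here, including Rule 2's destination of 10.10.10.11, the implicit deny is the fall-through, the zone names and sample flows are constructed for the illustration, and the port list in cross_routing_leaks() is a set of common OT ports chosen for the check.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zones taken from the subnets on this page (the zone names are ours).
ZONES = {
    "IT": ip_network("192.168.172.0/24"),        # PVlanA, Levels 3-4
    "DMZ": ip_network("10.20.20.0/24"),          # PVlanE, Level 3.5
    "SUPERVISORY": ip_network("10.10.10.0/24"),  # PVlanB, Level 2
    "PROCESS": ip_network("172.16.0.0/24"),      # PVlanC, Level 1
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # zone name or a single host address
    dst: str
    ports: frozenset      # empty = any TCP port


def _matches(selector, addr):
    """A selector is either a zone name or a literal host address."""
    if selector in ZONES:
        return addr in ZONES[selector]
    return addr == ip_address(selector)


# Rules 1 and 2 as the page lists them. Rule 4 (implicit deny) is the
# fall-through in evaluate(); the page lists no Rule 3.
RULES = (
    Rule("Rule 1", "IT", "10.20.20.10", frozenset({22, 3389})),
    Rule("Rule 2", "10.20.20.10", "10.10.10.11", frozenset()),
)


def evaluate(src, dst, port):
    """First-match evaluation of a new TCP connection; returns (verdict, rule)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in RULES:
        if (_matches(rule.src, s) and _matches(rule.dst, d)
                and (not rule.ports or port in rule.ports)):
            return "allow", rule.name
    return "deny", "Rule 4 (implicit deny)"


def cross_routing_leaks(it_host="192.168.172.11",
                        ports=(22, 80, 443, 502, 3389, 4840, 8443)):
    """Every Level 2 / Level 1 host an IT workstation could open a connection
    to on a common OT port. An empty list means the zone boundary holds."""
    leaks = []
    for zone in ("SUPERVISORY", "PROCESS"):
        for host in ZONES[zone].hosts():
            for port in ports:
                if evaluate(it_host, str(host), port)[0] == "allow":
                    leaks.append((str(host), port))
    return leaks


if __name__ == "__main__":
    # Constructed sample flows: the sanctioned first hop, an off-port attempt,
    # the sanctioned second hop, and a direct IT -> PLC attempt that the
    # conduit model must refuse.
    for flow in (("192.168.172.11", "10.20.20.10", 22),
                 ("192.168.172.11", "10.20.20.10", 443),
                 ("10.20.20.10", "10.10.10.11", 3389),
                 ("192.168.172.11", "172.16.0.11", 8443)):
        print(flow, "->", evaluate(*flow))
    print("IT -> OT leaks:", cross_routing_leaks())
```

The useful property is the last line: with only the listed rules in place, no IT host can open a connection to anything in PVlanB or PVlanC, so any future "temporary" allow rule that breaks the conduit model shows up as a non-empty leak list.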
Level 2: Supervisory Control
PVlanB - 10.10.10.0/24
Jump Server Remote
10.10.10.20
Conduit Termination Point: intermediate host that performs the explicit second jump. Its hardened Netplan configuration defines no default route, so every connection towards the isolated PLC segment must leave through the Industrial Firewall gateway at 10.10.10.254.
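The routing behaviour described for RT-01 (static route to the DMZ) and for the Jump Server Remote (no default route, PLC segment only via 10.10.10.254) can be reproduced with a small longest-prefix-match walk. This is an added example, not a route export from the lab hosts: the two tables are transcribed from the addresses and routes on this page, the WAN prefix is derived from the /25 on RT-01's WAN address, and the interface name ens18 passed to netplan_for() is an assumption.

```python
from ipaddress import ip_address, ip_network

# Route tables as (prefix, gateway); gateway None means directly connected.
RT01 = [
    ("145.220.74.128/25", None),          # WAN (connected)
    ("192.168.172.0/24", None),           # LAN / VLAN A
    ("10.10.10.0/24", None),              # OPT1 / VLAN B
    ("10.20.20.0/24", "10.10.10.254"),    # static route to the DMZ via the Industrial Firewall
    ("0.0.0.0/0", "145.220.74.254"),      # default via the Fontys router
]

# Jump Server Remote (10.10.10.20): Netplan carries no default route, so the
# only off-link destination is the PLC segment behind the Industrial Firewall.
JUMP_REMOTE = [
    ("10.10.10.0/24", None),
    ("172.16.0.0/24", "10.10.10.254"),
]


def next_hop(table, dst):
    """Longest-prefix match: return (matched_prefix, gateway) for dst, or
    None when the table has no route at all (the packet is dropped locally)."""
    d = ip_address(dst)
    best = None
    for prefix, gw in table:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return (str(best[0]), best[1]) if best else None


def netplan_for(iface, address, table):
    """Render a Netplan v2 stanza from a route table. Connected prefixes need
    no entry; a default route appears only if the table contains one."""
    lines = ["network:", "  version: 2", "  ethernets:", f"    {iface}:",
             "      dhcp4: false", f"      addresses: [{address}]"]
    routes = [(p, g) for p, g in table if g is not None]
    if routes:
        lines.append("      routes:")
        for prefix, gw in routes:
            lines += [f"        - to: {prefix}", f"          via: {gw}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for dst in ("10.20.20.10", "172.16.0.11", "8.8.8.8"):
        print("RT-01      ", dst, "->", next_hop(RT01, dst))
        print("jump-remote", dst, "->", next_hop(JUMP_REMOTE, dst))
    print(netplan_for("ens18", "10.10.10.20/24", JUMP_REMOTE))
```

Two things the walk makes visible: from the Jump Server Remote, anything outside 10.10.10.0/24 and 172.16.0.0/24 has no route and is dropped on the host itself, which is the egress control the Netplan description relies on; and with the routes as listed on this page, RT-01 has no entry for 172.16.0.0/24, so a direct IT-to-PLC packet would fall to the default route rather than reach the Industrial Firewall.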
Level 1: Process Control
PVlanC - 172.16.0.0/24
OpenPLC Runtime v4
172.16.0.11
Headless industrial core runtime. Runs under a hardened systemd unit with a restricted syscall set and strict access controls on system components (NoNewPrivileges, ProtectSystem=strict). Reachability through the conduit was verified with direct diagnostic pings.
HTTPS API: Port 8443 (4096-bit RSA TLS Cert Coverage)
OPC-UA: Port 4840 (Basic256Sha256 security policy, Sign & Encrypt mode)
WS-UBT-VLAN-C
Isolated OT Node
Additional monitoring node confined to the Level 1 process control segment.
Active Connection Line: Multi-Hop SSH Conduit Trace
0. Ingress Access Target
VPN Tunnel Pool
→ RT-01 Interface
1. Origin Node
WS-UBT-Eng-Station
192.168.172.11
2. 1st Hop (DMZ Buffer)
Host Jump Server
10.20.20.10
3. 2nd Hop (OT Conduit)
Jump Server Remote
10.10.10.20
4. Target Interface
OpenPLC Core Engine
172.16.0.11:8443