We’re asked this regularly. The answer is short and the answer is long.
The short version
A simulator behaves the way someone modelled a system to behave. A real PLC behaves the way the PLC actually behaves — including the parts the modeller never anticipated, the timing quirks the spec doesn’t mention, the field-protocol edge cases that only show up on the third attack iteration.
You can train a SOC analyst on a simulator. You cannot train an OT operator on one.
The long version
When the Cyberange Phygital Range was first designed, two decisions were locked in early:
- Real PLCs in every module. Siemens-class controllers where the threat model is Siemens-class. Schneider-class where the threat model is Schneider-class. Same firmware. Same protocols. Same timing.
- A bus that speaks the same dialects as the field. Modbus, IEC 61850, DNP3, OPC-UA. No synthetic abstraction layer between the attacker’s payload and the controller.
Both decisions cost money. Both decisions also closed the gap between the model on the bench and the plant in the field to one that can be measured in milliseconds rather than in layers of abstraction.
When the difference shows up
The difference is invisible during a slide-deck demo and decisive during a real exercise. Replay the historic ICS attacks on the range and the operator sees the exact same SCADA HMI behaviour, the exact same telemetry deltas, the exact same alarm patterns they would see in production. The muscle memory transfers.
This is the part most ICS-cyber training programmes never have. It’s not a minor optimisation. It’s the whole product.