Cyberange

The Phygital Range · HO-Scale · Three Guinness Records

PLC malware throws the isolator — the substation in the model actually goes dark.

Real PLCs speaking your plant’s dialects — Modbus, IEC 61850, DNP3 — replaying the historic ICS incidents on this list, building the ones that aren’t, configurable end to end.

Book a walkthroughWatch the 90-second tour
EMAILT-90dOPERATORT-60dJUMPT-30dHMIT-7dPLCT-0GRIDT+0s

01 / 06 · Power · 2015

Ukraine 2015 — Power Grid

225,000 customers · 30 substations · 6 h outage

What it is

Critical infrastructure you can lift, photograph, and break.

The Cyberange Phygital Range is a set of HO-scale physical models — refineries, substations, water-treatment plants, manufacturing lines, smart-city blocks, metro stations — each wired to its own software and control stack. PLCs talk Modbus and DNP3. SCADA logs ship to a real SIEM. Attack the rack from a laptop; the model responds the way the real plant would: pumps stop, lights go out, the SCADA HMI freezes.

Scale

HO · 1:87

Sector models

6 live · any sector to order

Control stack

PLC · SCADA · SIEM

Standards

IS/IEC 62443-aware

Sector library

One range. Any plant you can touch.

With nearly every critical sector already wired and active, we can mirror whatever environment you are tasked with protecting. From there, every attack scenario, defensive playbook, and infrastructure topology is entirely configurable from end to end.

01 · Oil & Gas

Refinery / Petrochemical

Distillation, blending, terminal handling. Built around the patterns Indian downstream operators run in production.

Reference: BPCL, IOCL downstream architectures.

02 · Power

Power Substation

High-voltage substation with relays, RTUs, breakers. Modelled on the topology Indian utilities deploy at the 132/33 kV step-down.

Reference: CEA cybersecurity guidelines, IEC 61850.

03 · Water

Water & Wastewater

Pumping, chemical dosing, treatment basins. Operators walk the same plant the attacker walked.

Reference: the SCADA architecture that failed at Oldsmar, Florida (2021).

04 · Manufacturing

Manufacturing Line

Discrete and process. PLCs, robots, MES integration. The line stops when the attacker says it stops.

Reference: automotive and pharmaceutical plant patterns.

05 · Smart City

Smart City Block

Traffic signals, street lighting, building management. The block where a single packet turns every light red.

Reference: the model that earned Cyberange’s first Guinness World Record.

06 · Rail

Metro / Rail

Signalling, platform doors, depot SCADA. Trained on the topology Indian metros actually run.

Reference: Mumbai Metro topology, IEC 62443-3-3 alignment.

The demo

Pull the cable. Watch the city struggle.

Every model on the range follows the same loop. Attack lands → control rack responds → SCADA HMI shows it → SIEM logs it → operator decides. The shorter that loop, the safer the plant.

Five-step attack flow: model, control rack, SCADA HMI, SIEM, operator. MODEL HO-scale plant CONTROL RACK PLC · RTU SCADA HMI operator view SIEM log · correlate OPERATOR decides ATTACK 09:14 IST PHYGITAL RANGE · ATTACK LOOP LOOP T < 60s

T+0 sec

Cable pulled. Packet injected. The model knows. The HMI does not.

T+11 sec

SCADA HMI shows a stale reading. Operator unaware. The line is still “green”.

T+47 sec

SIEM correlation rule fires. Now the clock starts. Everything before this was free.

Use cases

What the range is actually for.

01

Operator training

Cohort training for plant SOC analysts, IR teams, and field engineers. They learn on the model what they cannot practise on the live plant.

02

Regulator drills

Quarterly drills for NCIIPC-protected entities, run on a model that mirrors the protected facility&rsquo;s topology. NCIIPC liaison observes; the drill leaves a defensible record.

03

Vendor & technology evaluation

Test a new SIEM, EDR, or anomaly-detection appliance against real ICS traffic and a real attack chain. Zero production risk.

04

Board demonstrations

Show the board what a successful attack looks like &mdash; in 90 seconds, in physical form. Convince the budget signer with light bulbs, not slides.

If you’re a CISO reading this

Your data centre is also OT.

Mainframes, UPS, HVAC, building access — every Tier-1 data centre and every branch you own is operational technology. The same controls that fail at a refinery fail in your DC. The same protocols — BACnet, Modbus, OPC — sit in your basement.

The Phygital Range covers your operational footprint, not just someone else’s.

Talk to a Cyberange architect
Server rack labelled BACnet, Modbus, OPC. BACnet Modbus OPC DNP3 YOUR DC · ALSO OT

Regulators · Critical infrastructure

We work where the OT regulators already do.

NCIIPC’s protected-sector mandate. CEA’s cybersecurity guidelines for the power sector. PNGRB’s oil and gas cyber framework. CERT-In’s Annexure-II categories for ICS incidents. The Bureau of Indian Standards’ IS/IEC 62443 series. We don’t translate American playbooks; we start there.

NCIIPC
CEA
PNGRB
CERT-In
BIS IEC 62443
Regulator brief on request

Walk into the range. Walk out with a runbook.

Operator training, regulator drills, vendor evaluations, board demos. Same range. Different cohort each week.

Book a walkthrough Request a model brief