SPHERE CPS Enclave: Reconfigurable Testbed for CPS

Project Overview

The SPHERE CPS Enclave provides a modular ICS environment for reproducible cyber-physical security research. It combines PLC-based control, modular I/O, SCADA/HMI interaction, and an isolated configurable network segment, with optional simulated components to emulate larger process contexts.

Our current public-facing workflow demonstrates a water-treatment scenario from setup through execution: provisioning control and monitoring stacks, running baseline behavior, introducing representative faults or adversarial manipulations, and collecting synchronized controller, network, and process telemetry for replay and offline analysis.

As part of the broader NSF SPHERE infrastructure, the CPS enclave is designed to support cross-team collaboration through standardized experiment packaging and reproducibility-first workflows.

Key Capabilities

• Provision PLC logic, I/O mappings, monitoring tools, and network topology through a unified SPHERE workflow
• Run baseline and adversarial scenarios with safe, controlled fault/attack injection
• Capture synchronized process variables, controller state, and network traces for replay and post-hoc analysis
• Support both hardware-in-the-loop setups and simulation-backed experiments
• Enable remote experimentation with security policies aligned to safe research operations

Example Use Cases

• Physics-aware detection and resilience evaluation using digital-twin-informed monitoring
• SCADA/ICS cyber-physical exercises and adversarial scenario testing
• PLC control-logic manipulation studies under realistic process constraints
• Formal verification and conformance checks grounded in testbed telemetry

Research Themes