Full Report
The MITRE Caldera for OT team introduced HVACSim, a software-only simulator that plugs into its open-source adversary emulation... The post MITRE Caldera releases HVACSim to train OT security defenders without physical hardware appeared first on Industrial Cyber.
Analysis Summary
# Tool/Technique: HVACSim (MITRE Caldera for OT)
## Overview
HVACSim is an open-source, software-only simulator designed to emulate a building’s Heating, Ventilation, and Air Conditioning (HVAC) system. It integrates with the MITRE Caldera for OT adversary emulation framework, allowing defenders to simulate cyber-attacks on industrial control systems (ICS) and observe physical process impacts via the BACnet protocol without requiring expensive physical hardware.
## Technical Details
- **Type:** Adversary Emulation Tool / Training Simulator
- **Platform:** Linux/Windows (Cross-platform via Python/Caldera Environment)
- **Capabilities:** BACnet protocol emulation, thermal process modeling, sensor/actuator simulation, and integration with Caldera for automated adversary emulation.
- **First Seen:** March 06, 2026 (Article Release Date)
## MITRE ATT&CK Mapping
- **TA0108 - Discovery**
  - T0846 - Remote System Discovery
- **TA0102 - Collection**
  - T0813 - Data from Information Repositories
- **TA0105 - Impair Process Control**
  - T0836 - Modify Parameter
- **TA0112 - Impact**
  - T0828 - Loss of Control
  - T0879 - Damage to Physical Property
## Functionality
### Core Capabilities
- **BACnet Emulation:** Acts as a virtual HVAC controller communicating over the standard Building Automation and Control Networks (BACnet) protocol.
- **Physical Modeling:** Simulates a server room environment including ambient heat, internal heat loads, and cooling dynamics.
- **Logic Control:** Features a simulated Proportional-Integral (PI) controlled chiller and airflow-based cooling.
- **Protocol Interaction:** Maps protocol-level commands (e.g., writing to a BACnet object) to visible changes in the simulated temperature.
### Advanced Features
- **Deterministic Simulation:** Includes sensor noise and actuator lag to provide a more realistic (though simplified) representation of industrial hardware.
- **Caldera Integration:** Plugs directly into the "Caldera for OT" framework, enabling automated "abilities" and "adversary profiles" to be tested against the simulation.
- **Process Visualization:** Demonstrates how simple value changes (setpoints) translate into physical equipment stress or environmental failure.
## Indicators of Compromise
*Note: As a training simulator, HVACSim itself is not malicious; however, the following indicators relate to its execution during exercises.*
- **File Names:** `hvac-sim` (GitHub repository/project folder).
- **Network Indicators:** Default BACnet communication typically occurs on UDP port `47808`.
- **Behavioral Indicators:** Unexpected BACnet `WriteProperty` services directed at HVAC setpoints or fan speed configurations.
## Associated Threat Actors
- While the tool is for defense, it emulates techniques historically used by actors targeting critical infrastructure or moving laterally through building automation (e.g., a pivot via an HVAC vendor, in the style of the **2013 Target breach**).
## Detection Methods
- **Signature-based detection:** Monitoring for unauthorized HVAC/BACnet scanning tools (e.g., `nmap` scripts for BACnet).
- **Behavioral detection:** Identifying "Set Point Manipulation" where values are moved outside of normal operating ranges (High/Low temperature thresholds).
- **Protocol Analysis:** Deep Packet Inspection (DPI) to monitor for anomalous BACnet traffic originating from non-engineering workstations.
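
The behavioral and protocol checks above can be combined in one passive monitor. The sketch below is an added example, not code from HVACSim or Caldera: it decodes a BACnet/IP `WriteProperty` request from a UDP payload and flags writes from hosts outside an allowlist or `present-value` writes outside a normal band. The allowlisted address, the temperature band, and the sample frame are constructed assumptions.

```python
import struct

WRITE_PROPERTY, PRESENT_VALUE = 15, 85   # confirmed-service choice; property id
ALLOWED_WRITERS = {"10.20.0.5"}          # assumption: engineering workstation
LOW, HIGH = 18.0, 27.0                   # assumption: normal setpoint band, deg C
# Constructed frame: WriteProperty, analog-value 1, present-value = 72.0
SAMPLE = bytes.fromhex("810a001801040005010f0c0080000119553e44429000003f")

def parse_write_property(p):
    """(object_type, instance, property_id, real_or_None), or None if not WriteProperty."""
    if len(p) < 4 or p[0] != 0x81 or p[1] not in (0x04, 0x0A, 0x0B):
        return None
    i = 10 if p[1] == 0x04 else 4          # Forwarded-NPDU adds 6 address bytes
    try:
        ctrl = p[i + 1]
        if p[i] != 0x01 or ctrl & 0x80:    # wrong NPDU version, or network-layer message
            return None
        i += 2
        for flag in (0x20, 0x08):          # DNET then SNET: net(2) len(1) addr(len)
            if ctrl & flag:
                i += 3 + p[i + 2]
        i += 1 if ctrl & 0x20 else 0       # hop count follows when DNET is present
        # APDU: Confirmed-Request, not segmented, service choice WriteProperty
        if (p[i] & 0xF8) != 0 or p[i + 3] != WRITE_PROPERTY:
            return None
        i += 4
        if p[i] != 0x0C or (p[i + 5] & 0xF8) != 0x18:   # context tags 0 and 1
            return None
        (oid,) = struct.unpack_from(">I", p, i + 1)
        n = p[i + 5] & 0x07                # length of the property identifier
        prop = int.from_bytes(p[i + 6:i + 6 + n], "big")
        i += 6 + n
        if (p[i] & 0xF8) == 0x28:          # optional context tag 2: array index
            i += 1 + (p[i] & 0x07)
        value = None
        if p[i] == 0x3E and p[i + 1] == 0x44:   # opening tag 3, application REAL
            (value,) = struct.unpack_from(">f", p, i + 2)
        return oid >> 22, oid & 0x3FFFFF, prop, value
    except (IndexError, struct.error):
        return None

def alerts(src_ip, payload):
    """Reasons a datagram seen on UDP 47808 needs review (empty list if none)."""
    wp = parse_write_property(payload)
    if wp is None:
        return []
    found = [] if src_ip in ALLOWED_WRITERS else ["write from unapproved host"]
    if wp[2] == PRESENT_VALUE and wp[3] is not None and not LOW <= wp[3] <= HIGH:
        found.append("present-value outside normal range")
    return found
```

Segmented requests and non-REAL values are deliberately left undecoded; a write carrying such a value still raises the source-host alert.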
## Mitigation Strategies
- **Network Segmentation:** Isolate HVAC and Building Automation Systems (BAS) from corporate IT networks using industrial firewalls.
- **Least Privilege:** Restrict BACnet "Write" permissions to authorized controller interfaces only.
- **Secure Remote Access:** Ensure vendors and contractors utilize Multi-Factor Authentication (MFA) and jump hosts for remote maintenance.
## Related Tools/Techniques
- **MITRE Caldera:** The parent adversary emulation framework.
- **ModbusSim / PLCsim:** Similar tools used for simulating other industrial protocols.
- **BACnet-stack:** Open-source libraries often used to interact with these systems.