adamsy254/thames-water-cyber-forensics
🔐 Cyber Forensics & OT Incident Response – Thames Water Attack Simulation 🚨💧

Cyber-Physical Security Portfolio – From network intrusion to physical sabotage! A comprehensive forensic analysis of a simulated hybrid attack on UK critical water infrastructure, blending digital forensics, OT system compromise, and psychological operations to reveal systemic vulnerabilities and deliver actionable mitigation strategies. 🔍🛡️

🧾 Featured Case Study

Project: Forensic Analysis of the Thames Water Cyber-Physical Attack – "When hackers target the taps – and the trust!" ⚠️

This project presents a full-scale incident response simulation of Operation Tainted Flow, a sophisticated multi-vector attack that combines network intrusion, industrial control system sabotage, and coordinated disinformation campaigns. The simulated scenario involves an attack on a Thames Water Treatment Facility (UK Critical National Infrastructure) on October 27, 2025. The kill chain progresses through reconnaissance, credential theft, lateral movement, OT sabotage, and psychological operations (PSYOPS). The pivotal moment occurs when a malicious Modbus/TCP payload — WRITE:ATTACK — is sent to PLC register 40001 with value 0x0000, effectively halting chlorine dosing and creating a severe public health risk.

Forensic analysis includes an in-depth Wireshark examination of the provided packet capture (Thameswaterattack.pcap), uncovering internal reconnaissance via LDAP and Kerberos probes, credential exfiltration through HTTP POST to a command-and-control server (updcdn.ru), and anomalous Modbus traffic. A detailed timeline reconstruction maps the attack from initial beaconing at approximately 0 seconds to the sabotage spike around 3400 seconds, visualized through flow graphs and conversation statistics. Impact assessment highlights risks affecting 15 million people, estimated financial losses of £450 million, and widespread psychological effects such as panic buying and eroded institutional trust.

Key insights reveal critical vulnerabilities including absent IT/OT network segmentation, unencrypted Modbus/TCP communications, and weak credential management practices. The attacker profile exhibits APT-like tactics, techniques, and procedures with potential state-sponsored indicators, custom tooling (Custom-APT-Client/1.0), and false-flag operations. The accompanying disinformation campaign, featuring deepfake news articles under the hashtag #ToxicTaps, amplified public panic and drove a 22% surge in bottled water sales.

Defensive measures include an immediate mitigation script that automates iptables rules to block known C2 IPs (e.g., 198.51.100.12) and restrict Modbus port 502 to authorized subnets only. A structured response plan outlines phased actions: 0–30 days for containment, 30–90 days for system hardening, and 6–18 months for long-term modernization incorporating Zero Trust architecture and migration to secure protocols like OPC UA. Counter-disinformation strategies emphasize AI-powered monitoring, rapid rebuttal protocols, and public resilience education.

The analysis leverages tools and techniques such as Wireshark, the MITRE ATT&CK for ICS framework, STRIDE threat modeling, Bash scripting, and standardized incident response playbooks. Supporting evidence includes screenshots of network traffic, malicious packets, fabricated media, and attack timelines.
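As an added illustration (not code from this repository), the following Python detector shows how the anomalous Modbus traffic described above can be flagged from the wire: it parses Modbus/TCP write requests and alerts on writes from hosts outside an authorized engineering subnet, or on any write that zeroes holding register 40001. The subnet 10.10.50.0/24, the sample frames, and the mapping of 40001 to the chlorine-dosing setpoint are assumptions made for this example.

```python
import ipaddress
import struct

WRITE_FUNCTIONS = {5, 6, 15, 16}   # Modbus FCs that change PLC state (coils/registers)
# Assumed engineering-workstation subnet that is allowed to write to the PLC.
AUTHORIZED_WRITERS = [ipaddress.ip_network("10.10.50.0/24")]
# Holding register "40001" in 4xxxx numbering is protocol address 0; assumed here
# to be the chlorine-dosing setpoint, as in the case study.
DOSING_ADDRESS = 0

def parse_modbus_tcp(payload: bytes):
    """Split a Modbus/TCP ADU into (unit_id, function_code, pdu_data), or None."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:   # MBAP protocol id and length check
        return None
    return unit, payload[7], payload[8:]

def extract_write(src: str, payload: bytes):
    """Return {"src","fc","address","values"} for FC 5/6/16 requests, else None."""
    parsed = parse_modbus_tcp(payload)
    if parsed is None or parsed[1] not in WRITE_FUNCTIONS:
        return None
    _unit, fc, data = parsed
    if fc in (5, 6) and len(data) == 4:            # single coil/register: addr, value
        addr, val = struct.unpack(">HH", data)
        return {"src": src, "fc": fc, "address": addr, "values": [val]}
    if fc == 16 and len(data) >= 5:                # multiple registers: addr, qty, bytes
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes == 2 * qty and len(data) == 5 + nbytes:
            vals = list(struct.unpack(">%dH" % qty, data[5:]))
            return {"src": src, "fc": fc, "address": addr, "values": vals}
    return None                                    # malformed, or FC15 (not modelled here)

def assess(write: dict) -> list:
    """Alerts: writer outside the authorized subnet, or the dosing setpoint zeroed."""
    alerts = []
    if not any(ipaddress.ip_address(write["src"]) in n for n in AUTHORIZED_WRITERS):
        alerts.append("UNAUTHORIZED_WRITER")
    idx = DOSING_ADDRESS - write["address"]       # position of 40001 inside the write
    if write["fc"] in (6, 16) and 0 <= idx < len(write["values"]) and write["values"][idx] == 0:
        alerts.append("DOSING_SETPOINT_ZEROED")
    return alerts

# Constructed sample frames (MBAP header + PDU), not extracted from the pcap.
SAMPLE_ATTACK = bytes.fromhex("000100000006" "0106" "0000" "0000")  # FC6: 40001 := 0x0000
SAMPLE_READ = bytes.fromhex("000200000006" "0103" "0000" "000a")    # FC3: read 10 registers
SAMPLE_MULTI = bytes.fromhex("00030000000b" "0110" "0000" "0002" "04" "01f4" "0000")
```

In a live deployment the payloads would come from a TCP/502 stream reassembled by a capture tool; the same two checks map directly onto the segmentation and allow-listing recommendations in the report.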

🚀 Getting Started

To explore the forensic findings and test the defensive measures on your local machine, you will need a Linux-based system (such as Ubuntu or Kali) with root or sudo privileges and a basic understanding of network security concepts. Begin by cloning the repository to your computer using the command git clone https://github.com/yourusername/thames-water-cyber-forensics.git, then navigate into the directory with cd thames-water-cyber-forensics. The repository contains the full forensic report in Word format, reference sources, evidentiary screenshots, and the practical mitigation script. To execute the mitigation script (Mitigation.sh), which demonstrates immediate containment by blocking malicious IPs and restricting OT protocol access, first make it executable with chmod +x Mitigation.sh, then run it with elevated privileges using sudo ./Mitigation.sh. Afterward, you can monitor blocked traffic in real time by running tail -f /var/log/kern.log | grep "BLOCKED_". The script applies only sample firewall rules intended for educational environments, and its changes can be reversed with sudo iptables -F (note that this flushes every rule in the filter table, not just those added by the script).

🎯 Key Takeaways

OT security remains critically important because legacy industrial protocols represent soft targets — encryption and network segmentation are essential requirements rather than optional enhancements. Hybrid threats combining cyber and physical elements with disinformation are an emerging reality that creates compounded societal impact. Proactive preparation through real-time monitoring, air-gapped backups, and well-rehearsed incident response playbooks is vital for maintaining resilience in critical national infrastructure.

⚠️ Disclaimer

This repository is intended solely for educational, research, and training purposes. All depicted attack scenarios are entirely simulated, and any referenced IPs, domains, or entities are fictitious or appropriately anonymized. No real infrastructure was accessed or harmed during the creation of this material.

❤️ Support My Work & Let's Collaborate!

If this simulation enhanced your understanding of cyber-physical threats, inspired your next red or blue team exercise, or you require custom forensics training, OT security assessments, or incident response consulting, I am available to collaborate. You can support further work by donating via PayPal at [email protected] or reaching out directly on WhatsApp at +254702896107. Your support enables more realistic simulations and broader open cybersecurity education. Thank you! 🫶

About

A forensic analysis of a simulated cyber-physical attack on Thames Water, exploring network intrusion, OT sabotage, and disinformation tactics.
