MITRE Caldera releases HVACSim to train OT security defenders without physical hardware


The MITRE Caldera for OT team introduced HVACSim, a software-only simulator that plugs into its open-source adversary emulation framework to lower the barriers to OT (operational technology) security training. Designed to emulate a building HVAC (heating, ventilation, and air conditioning) system using the BACnet industrial control protocol, HVACSim lets students, defenders, and researchers experiment with discovery, data collection, and control-impact scenarios without access to physical OT hardware. 

By mapping protocol-level actions to visible changes in simulated process behavior, the tool bridges a critical gap in practical OT cybersecurity education at a time when threats to building automation and industrial control environments are rising.  

Recognizing the growing intersection of cyber threats and building automation systems, HVACSim was developed to provide defenders with a safe and accessible environment to understand and mitigate these risks before they affect real-world infrastructure.

HVACSim was created by University of Hawaii at Manoa students Elijah Saloma and Jake Dickinson as part of a capstone project, in collaboration with the MITRE Caldera for OT team. The simulator provides a software-only model of a server room HVAC controller and integrates directly with Caldera for OT, enabling hands-on adversary emulation without requiring physical industrial hardware.

“Cyber incidents have demonstrated the real-world relevance of building systems,” Samir Boussarhane, Rachel Murphy, Elijah Saloma, and Jake Dickinson, MITRE researchers, wrote in a MITRE Caldera post on Medium. “The 2013 Target breach began with compromised credentials from an HVAC contractor, allowing attackers to pivot into Target’s corporate network and ultimately exfiltrate millions of payment card records. Public reporting and cyber threat intelligence analysis describe how the attackers initially gained access through the HVAC vendor.”

They highlighted that beyond initial access risks, disruption to HVAC systems can have direct operational consequences. “In data centers and healthcare environments, improper temperature control can damage equipment or disrupt critical services. Manipulation of fan speeds or setpoints can increase energy consumption, reduce equipment lifespan, or create unsafe environmental conditions. Even simple changes to control values can demonstrate how cyber actions translate directly into physical process impact.”

HVACSim is a simplified, educational simulator designed for training and experimentation. It does not attempt to replicate vendor-specific implementations or serve as a high-fidelity engineering model. Instead, it focuses on illustrating how BACnet protocol interactions affect a temperature control process.

The simulator models a server room with a temperature control loop that includes ambient and internal heat sources, airflow-based cooling, a proportional-integral (PI) controlled chiller, and sensor noise and actuator lag. Users interact with the system through BACnet ReadProperty and WriteProperty requests. Writable values, such as the temperature setpoint, fan speeds, and emergency stop, directly influence the simulated physical process.
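The control loop described above can be sketched as a small deterministic model. This is an added example, not HVACSim's code: every constant, class and function name is an assumption chosen for illustration, and sensor noise is left out so the results are repeatable.

```python
from dataclasses import dataclass

@dataclass
class ServerRoom:
    # All constants are illustrative assumptions, not HVACSim's parameters.
    temp: float = 25.0          # room temperature, deg C
    setpoint: float = 22.0      # writable: temperature setpoint, deg C
    fan_speed: float = 1.0      # writable: airflow fraction, 0..1
    estop: bool = False         # writable: emergency stop
    ambient: float = 30.0       # ambient temperature, deg C
    heat_kw: float = 5.0        # internal heat from equipment
    leak_kw_per_c: float = 0.1  # heat exchange with ambient
    chiller_kw: float = 10.0    # cooling at full load and full airflow
    capacity: float = 50.0      # thermal mass, kJ per deg C
    kp: float = 0.5             # proportional gain
    ki: float = 0.02            # integral gain
    lag_s: float = 5.0          # actuator time constant, seconds
    integral: float = 0.0       # accumulated error for the PI term
    load: float = 0.0           # actual chiller load, 0..1

    def step(self, dt: float = 1.0) -> None:
        error = self.temp - self.setpoint
        raw = self.kp * error + self.ki * self.integral
        cmd = min(1.0, max(0.0, raw))
        if raw == cmd:          # anti-windup: integrate only when unsaturated
            self.integral += error * dt
        if self.estop:
            cmd = 0.0
        self.load += (cmd - self.load) * dt / self.lag_s    # actuator lag
        airflow = 0.0 if self.estop else self.fan_speed
        cooling = self.load * airflow * self.chiller_kw
        gain = self.heat_kw + self.leak_kw_per_c * (self.ambient - self.temp)
        self.temp += (gain - cooling) * dt / self.capacity

def run(room: ServerRoom, seconds: int) -> float:
    for _ in range(seconds):
        room.step()
    return room.temp

def demo() -> tuple[float, float, float]:
    room = ServerRoom()
    settled = run(room, 1500)   # loop holds the original setpoint
    room.setpoint = 30.0        # stands in for a write to the setpoint object
    raised = run(room, 1500)    # process follows the new setpoint
    room.estop = True           # emergency stop: no airflow, no cooling
    stopped = run(room, 600)    # temperature climbs with no cooling
    return settled, raised, stopped
```

A single changed value is enough to move the process: the loop faithfully tracks whatever setpoint it is given, which is why writes to these objects are the events worth monitoring.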

The MITRE researchers detailed that the simulator consists of two components, a BACnet/IP server and a matplotlib-based Human Machine Interface (HMI). “The server listens for and responds to BACnet requests over UDP. The HMI reads values from BACnet objects and updates its display with temperature trends, chiller load, and fan speeds. When controls are adjusted in the HMI, the object values are updated directly in memory.” 

Moreover, a BACnet client, such as those operated through Caldera for OT, can send write requests over UDP to modify these same objects, allowing adversaries to observe how their protocol actions change process behavior through the HMI display and network traffic.
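Because reads and writes arrive as BACnet/IP datagrams over UDP, a monitor can tell them apart from the packet header alone. The following added example (not part of HVACSim or Caldera) decodes the BVLC, NPDU and APDU headers and reports WriteProperty requests from sources outside an allowlist; the sample packets and addresses are constructed, and the function names are hypothetical.

```python
import struct

READ_PROPERTY, WRITE_PROPERTY = 12, 15       # confirmed-service choices

def confirmed_service(payload: bytes):
    """Return the confirmed-service choice of a BACnet/IP datagram, else None."""
    try:
        if payload[0] != 0x81:               # BVLC type: BACnet/IP
            return None
        func, length = payload[1], struct.unpack(">H", payload[2:4])[0]
        if length != len(payload) or func not in (0x04, 0x0A, 0x0B):
            return None
        p = 10 if func == 0x04 else 4        # Forwarded-NPDU carries a 6-byte origin
        if payload[p] != 0x01:               # NPDU protocol version
            return None
        ctrl = payload[p + 1]
        p += 2
        if ctrl & 0x80:                      # network-layer message, no APDU
            return None
        if ctrl & 0x20:                      # DNET(2) DLEN(1) DADR(DLEN)
            p += 3 + payload[p + 2]
        if ctrl & 0x08:                      # SNET(2) SLEN(1) SADR(SLEN)
            p += 3 + payload[p + 2]
        if ctrl & 0x20:                      # hop count follows when DNET is present
            p += 1
        if payload[p] >> 4 != 0:             # PDU type 0 = Confirmed-Request
            return None
        # Header: type/flags, max-APDU, invoke ID, plus 2 bytes if segmented.
        return payload[p + (5 if payload[p] & 0x08 else 3)]
    except (IndexError, struct.error):
        return None

def unexpected_writes(packets, allowed_writers):
    """Sources that sent WriteProperty without being on the allowlist."""
    return [src for src, payload in packets
            if confirmed_service(payload) == WRITE_PROPERTY
            and src not in allowed_writers]

# Constructed packets: read, then write 30.0, of analog-value 1 present-value.
READ_REQ = bytes.fromhex("810a0011" "0104" "0005010c" "0c00800001" "1955")
WRITE_REQ = bytes.fromhex("810a0018" "0104" "0005020f" "0c00800001" "1955"
                          "3e4441f000003f")
SAMPLE = [("192.0.2.10", READ_REQ), ("192.0.2.10", WRITE_REQ),
          ("192.0.2.99", READ_REQ), ("192.0.2.99", WRITE_REQ),
          ("192.0.2.99", WRITE_REQ[:9])]     # truncated datagram is ignored
```

With `{"192.0.2.10"}` as the allowlist, only the write from `192.0.2.99` is reported; reads and the malformed datagram are not.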

“HVACSim responds to common BACnet protocol requests. The simulator can be used with Caldera for OT abilities discovery, collection, and impact tactics,” according to the Medium post. “Discovery can be used to identify devices and their objects. Collection can be used to read process values such as temperature, setpoint, and chiller load. Process impact can be used to change control values and observe the results on the HMI.”

The researchers mentioned that HVACSim exposes a small set of BACnet objects that can be accessed using standard ReadProperty and WriteProperty requests. “Writable objects, such as the temperature setpoint and fan speed values, can be modified using WriteProperty requests, with updated values reflected in the simulator and displayed through the HMI. This allows users to observe how BACnet reads and writes correspond to changes in exposed object values during simulation.”

HVACSim is designed to be lightweight and accessible while still modeling realistic cyber–physical interactions. The simulator runs entirely in software and requires no specialized hardware. It supports Python 3.10+ and runs on Linux, macOS, or Windows. Core dependencies include matplotlib for the HMI and bacpypes for BACnet/IP communications.

When launched, HVACSim starts a BACnet/IP device over UDP and opens an interactive HMI for observing temperature trends, chiller behavior, and airflow changes in real time. Users can configure device identifiers and network parameters through the provided BACpypes.ini file. Linux systems may require additional GUI packages, such as python3-tk, to support the matplotlib interface.

For adversary emulation workflows, HVACSim can be paired with MITRE Caldera and its BACnet plugin. Once running, Caldera agents can perform BACnet ReadProperty and WriteProperty actions against the simulator to exercise discovery, collection, and impact techniques in a controlled environment.

The post identified that “by lowering the barrier to entry for building automation security research, HVACSim enables defenders, educators, and students to safely explore how protocol-level actions translate into physical process behavior, without requiring access to live industrial infrastructure.”

Earlier this month, MITRE Caldera released the Wildcat Dam simulator, which helped lower that barrier by introducing an open-source software-based Modbus simulation that can be used as a virtual OT (operational technology) protocol sandbox. The Aloha Water Treatment Plant builds upon that work by adding a simple water treatment process, supporting Modbus and BACnet control protocols, and including a web-based HMI.


