This work addresses the limitations of existing industrial cybersecurity testbeds, which struggle to support end-to-end, multi-stage APT attack simulations spanning IT, OT, and IIoT domains, thereby hindering in-depth analysis of complex attack behaviors. To overcome this, the authors design and implement SIMPLE-ICS, a virtualized testbed that uniquely integrates enterprise IT, industrial control OT, and IIoT environments. Grounded in the Purdue model and IEC 62443 zoning principles, the platform leverages digital twin-based process simulation, MITRE ATT&CK technique mapping, and a V-model architecture to deliver an end-to-end APT simulation environment with full observability, comprehensive logging, and reproducibility. The platform successfully replicates BlackEnergy-like attack chains, enables synchronized cross-domain attack trace collection, and generates a multi-source dataset to support subsequent detection and correlation analysis research.

Research on Advanced Persistent Threats (APTs) in industrial environments requires experimental platforms that support realistic end-to-end attack emulation across converged enterprise IT, operational technology (OT), and Industrial Internet of Things (IIoT) networks. However, existing industrial cybersecurity testbeds typically focus on isolated IT or OT domains or single-stage attacks, limiting their suitability for studying multi-stage APT campaigns. This paper presents the design, implementation, and validation of SIMPLE-ICS, a virtualised industrial enterprise testbed that enables emulation of multi-stage APT campaigns across IT, OT, and IIoT environments. The testbed architecture is based on the Purdue Enterprise Reference Architecture, NIST SP 800-82, and IEC 62443 zoning principles and integrates enterprise services, industrial control protocols, and digital twin based process simulation. A systematic methodology inspired by the V model is used to derive architectural requirements, attack scenarios, and validation criteria. An APT campaign designed to mimic the BlackEnergy campaign is emulated using MITRE ATTACK techniques spanning initial enterprise compromise, credential abuse, lateral movement, OT network infiltration, and process manipulation. The testbed supports the synchronised collection of network traffic, host-level logs, and operational telemetry across all segments. The testbed is validated on multi-stage attack trace observability, logging completeness across IT, OT, and IIoT domains, and repeatable execution of APT campaigns. The SIMPLE-ICS testbed provides an experimental platform for studying end-to-end APT behaviours in industrial enterprise networks and for generating multi-source datasets to support future research on campaign-level detection and correlation methods.