
Industrial Control System (DCS/SCADA)
Cyber Security Training

Registration is now CLOSED for May Training
Additional class dates/locations will be posted in the near future

As the recent lead SCADA Security Instructor for InfoSec Institute, and having been involved in the ICS security industry for several years, I quickly realized that there is a shortfall in training that addresses how to secure industrial control systems such as Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). There are several very good courses currently available, including those offered by InfoSec Institute (which I taught until the end of 2011), Red Tiger Security, Digital Bond, SANS and Idaho National Labs. However, when reviewing the syllabi of these courses, it becomes clear that they tend to focus too heavily on either (1) the theoretical aspects of the problem, or (2) the hacking or red team side of ICS security. Knowing this, and not wanting to duplicate what is currently available, I have decided to launch my own course entitled "Understanding and Securing Industrial Control Systems".

Understanding and Securing Industrial Control Systems (5-days)

This course is focused entirely on securing, or blue teaming, the ICS. It includes not only hands-on labs, but also extensive demonstrations and group case studies that reinforce the selection and implementation of security controls specific to ICS. Many of those responsible for auditing, installing, or operating industrial control systems are aware of the need for cyber security, yet are unsure exactly what to implement and how to verify the resulting solution. This course provides a solid foundation for addressing these concerns.

The course agenda is outlined below:

  • Understanding the Unique Threat Landscape of Industrial Control Systems
    • What is an Industrial Control System
    • Simplifying the ICS Architecture
    • Why is ICS Security different from traditional IT Security
    • Why ICS are more vulnerable to cyber threats than other IT assets
  • Understanding Current Standards and Best Practices from a Security and Compliance Point of View
    • ISA-99, IEC-62443, ISO-2700x, NERC-CIP R3/R5, CFATS, NIST 800-82, SANS, CPNI
  • Understanding Risk in terms of Threats, Vulnerabilities, and Consequences
    • Threats to the ICS and Operational Integrity
    • Typical ICS Vulnerabilities
    • Consequences of an ICS Attack
    • Risk Identification and Classification
  • Understanding and Identifying ICS Vulnerabilities
  • Selecting and Implementing Security Controls
    • Administrative Security Controls
    • Technical Security Controls
    • Network Considerations
    • Compensating Controls
    • Allocating Security Controls to ICS Architecture Resources
  • Auditing and Assessing ICS Security
    • Security Audits
    • Security Assessments ("Theoretical" versus "Physical")
    • Vulnerability Assessments
      • Nessus Home Feed versus Professional Feed
      • Nessus SCADA Plugins
      • Compliance Audit Files for Nessus (including Bandolier)
      • Creating Custom Audit Files for Nessus
  • A Hands-On Look at Key New Emerging Technologies
    • Industrial Firewalls with Stateful Deep Packet Inspection (DPI) of ICS Protocols
    • Personal/Portable Firewalls / VPNs
    • Unidirectional Security Appliances (aka Data Diodes)
    • Layer 2 Encryption Technologies
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Security Incident and Event Monitoring (SIEM)
    • Application Whitelisting / Host-based Intrusion Prevention System (HIPS)
  • Case Studies
    • Using Chained Exploits to Gain Access to Trusted Internal Networks and Attack an ICS from the "Inside-Out"
    • A detailed look at Stuxnet - how it infects and spreads, and what could be done to stop similar attacks (actual live Stuxnet worm will be used for this study)
    • Using Security Tools and Toolkits
    • Assessing the Current Security Posture of an ICS Architecture
    • Improving the Security Posture of a Vulnerable ICS Architecture

Students will use their own computers and will be supplied with a bootable external drive which contains the testing environment and the other tools studied during the week. Students must be able to (1) boot from alternate media, (2) install and use external removable media, and (3) install software locally on their machine (VMware Player plus virtual machines). A computer with 4GB of memory is recommended to improve the performance of the virtual machines. No significant hard disk space is required, as an external hard drive will be supplied.

Many labs will utilize physical ICS equipment, providing a scenario that is realistic to what actually exists in the field. This includes not only ICS equipment, but also the associated security components.

Each student will receive the following material as part of the course (subject to change):

  • Bootable USB-3.0 Hard Disk utilizing a customized version of Backtrack 5R1 (bootable ISO and virtual machine)
  • Additional Virtual Machines that will be used to cover such topics as SCADA Systems, SCADA Protocols, Industrial Firewalls, Event Logging, Security Event Monitoring, and Intrusion Detection/Prevention Systems 
  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material including Lectures, Case Studies, and Labs
  • Copy of several printed books covering Threats, Defense, Policy, Testing, and Analysis

Due to the material presented, the course size will be limited to a maximum of 8 students. Each course will begin at 8:30am on Monday morning and conclude by 1:00pm Friday afternoon. The fee for the course is $3,850. Registration is fully refundable (less a 5% processing fee) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.

Introduction to Cyber Security for Industrial Control Systems (1-day)

This course provides an introduction to cyber security as it relates to manufacturing, critical infrastructure, and other industry sectors that rely on industrial control systems (ICS), commonly referred to as Supervisory Control and Data Acquisition (SCADA) or Distributed Control Systems (DCS). This course is intended for those who currently possess very little knowledge of cyber security, but have a basic understanding of control systems (design, commission, operate, and maintain) and basic information technologies (operating systems, networks, Internet/Intranet).

The course agenda is outlined below:

  • Why are industrial control systems prone to cyber attacks
  • What are the differences between ICS security and traditional IT security
  • Looking at risk in terms of manufacturing assets rather than just IT assets
  • Understanding and Identifying ICS Vulnerabilities
  • Preparing for the next-generation of cyber threats

  • Demonstrations will include:
    • A detailed look at Stuxnet - how it infects and spreads (actual live Stuxnet worm will be used for this study)
    • How Social Engineering can be used to exploit an ICS system vulnerability

Each student will receive the following material as part of the course (subject to change):

  • A copy of the book "Cyber Within: A Security Awareness Story and Guide for Employees"
  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material

This course will begin at 8:00am and conclude at 5:00pm (with a 1-hour break for lunch). The fee for the course is $500. Group discounts are available: a 10% discount will be given when registering 2-3 students at the same time, and a 15% discount when registering 4 or more for the 1-day course. Registration is fully refundable (less a 5% processing fee) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.

Students who attend this course and later decide to take either the 5-day Advanced or the 1-day Assessment training will receive 10% off the regular course fee.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.

Conducting Security Assessments for Industrial Control Systems (1-day)

Performing thorough security assessments on industrial control systems has not been a common practice within the manufacturing sector, mainly because of the risk that the assessment itself poses to the system, weighed against the risk reduction gained from discovering and mitigating system vulnerabilities. As can be seen in the new DRAFT version 5 of the NERC CIP standards, a new section, CIP-010-1, has been included that sets the requirements for a new level of assessment. It is important that those conducting such assessments have sufficient training and practice in how such a test is performed on typical ICS architectures.

This course provides a focused look at conducting security assessments for industrial control systems. It covers not only the more traditional "vulnerability assessments", but also how security audits can be performed on production systems. Unlike a typical vulnerability assessment, which evaluates a system for deficiencies against "known" weaknesses, this 1-day course looks at methodologies that have been used successfully to identify system-wide weaknesses that vulnerability "scanners" do not typically find. It also looks at how new game-changing tools can be used to check the security level of a control system against the level specified in project requirements.

The course agenda is outlined below:

  • Considerations for a Hybrid Testing Methodology specifically for ICS
  • Security Audits
  • Security Assessments ("Theoretical" versus "Physical")
  • Vulnerability Assessments
    • Nessus Home Feed versus Professional Feed
    • Nessus SCADA Plugins
    • Compliance Audit Files for Nessus (including Bandolier)
    • Creating Custom Audit Files for Nessus

During the 1-day session, students will work through a case study designed to emulate a real-world security assessment, looking at the control system "holistically" and identifying weaknesses that may lead to potential cyber security breaches.

Students will use their own computers and will access a licensed test environment via remote desktop protocols (Microsoft RDP, VNC, or similar). Students must have the ability to manually set IP addresses and launch applications that may reside on an external CD/DVD.

Each student will receive the following material as part of the course (subject to change):

  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material including Lectures, Case Studies, and Labs
  • Copy of several printed books covering Security Testing, and Analysis

This course will begin at 8:00am and conclude at 5:00pm (with a 1-hour break for lunch, provided and included in the course registration). This course is not limited in size. You can reserve a spot by contacting me directly. The fee for this course is $995. Registration is fully refundable (less a 5% processing fee) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course. To register for the class, please contact me for additional information.

Dates and locations for this course will be made available in the near future.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.