
Industrial Control System (DCS/SCADA)
Cyber Security Training

Do not be fooled by other courses claiming to offer "defensive" "blue team" training. Only SCADAhacker offers an in-depth, 40 hour curriculum that looks at proven methodologies to assess risk and implement the necessary security controls to help mitigate risk based on the unique threats facing your organization!

As the recent lead SCADA Security Instructor for InfoSec Institute, and having been involved in the ICS security industry for several years, I have quickly realized that there is a shortfall in training to address how to secure industrial control systems like Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). There are several very good courses currently available, including those offered by InfoSec Institute (which I taught until the end of 2011), Red Tiger Security, Digital Bond, SANS and Idaho National Labs. However, when reviewing the syllabi of these courses, it becomes clear that they tend to focus too much on either (1) theoretical aspects of the problem, or (2) the hacking or red team side of ICS security. Knowing this, and not trying to duplicate what is currently available, I have decided to launch my own course entitled "Understanding and Securing Industrial Control Systems".

Understanding and Securing Industrial Control Systems (5-days)

This course is focused entirely on securing or "blue teaming" the industrial control system (ICS) architecture, and will include not only hands-on labs, but also extensive demonstrations that will be used to reinforce the selection and implementation of security controls relating specifically to ICS. Many of those individuals responsible for auditing, installing, or operating industrial control systems are aware of the need for cyber security, yet are confused about exactly what to implement and how to verify the resulting solution. This course provides a solid foundation in addressing these concepts.

The course agenda is outlined below:

  • Understanding the Unique Threat Landscape of Industrial Control Systems
    • What is an Industrial Control System
    • Simplifying the ICS Architecture
    • Why is ICS Security different from traditional IT Security
    • Why ICS are more vulnerable to cyber threats than other IT assets
  • Understanding Current Standards and Best Practices from a Security and Compliance Point of View
    • ISA-99, IEC-62443, ISO-27000, NERC-CIP R3-R5, CFATS, NIST 800-53/800-82, SANS, CPNI
  • Understanding Risk in terms of Threats, Vulnerabilities, and Consequences
    • Threats to the ICS and Operational Integrity
    • Typical ICS Vulnerabilities
    • Consequences of an ICS Attack
    • Risk Identification and Classification
  • Understanding and Identifying ICS Vulnerabilities
  • Selecting and Implementing Security Controls
    • Administrative Security Controls
    • Technical Security Controls
    • Network Considerations
    • Compensating Controls
    • Allocating Security Controls to ICS Architecture Resources
  • Auditing and Assessing ICS Security
    • Security Audits
    • Security Assessments ("Theoretical" versus "Physical")
    • Vulnerability Assessments
      • Nessus Home Feed versus Professional Feed
      • Nessus SCADA Plugins
      • Compliance Audit Files for Nessus (including Bandolier)
      • Creating Custom Audit Files for Nessus
  • A Hands-On Look at Key New Emerging Technologies
    • Industrial Firewalls with Stateful Deep Packet Inspection (DPI) of ICS Protocols
    • Personal/Portable Firewalls / VPNs
    • Unidirectional Security Appliances (aka Data Diodes)
    • Layer 2 Encryption Technologies
    • Intrusion Detection and Prevention Systems (IDS/IPS)
    • Security Incident and Event Monitoring (SIEM)
    • Application Whitelisting / Host-based Intrusion Prevention System (HIPS)
  • Case Studies
    • Using Chained Exploits to Gain Access to Trusted Internal Networks and Attack an ICS from the "Inside-Out"
    • Implementing a Network Behavior-based Intrusion Detection System for Industrial Control Systems
    • Network Segmentation and IP Addressing
    • Network Architectures and Active Directory Considerations
    • Network Communications and ICS Protocols
    • A detailed look at Stuxnet - how it infects and spreads, and what could be done to stop similar attacks (actual live Stuxnet worm will be used for this study)
    • Working with Firewalls: Analysis, Testing and Validation
    • Using Vulnerability Scanners (Nessus Home/Pro Feeds, OpenVAS)
    • Assessing the Current Security Posture of an ICS Architecture
    • Improving the Security Posture of a Vulnerable ICS Architecture

All students will receive their own modified Chromebook laptop computer to use during the course. This environment has been preloaded with a variety of security related applications that will be used during the course, as well as the extensive SCADAhacker Reference Library and catalog of software for creating security testing environments on other computing platforms. Students will also receive a library of virtual machines that can be used to reinforce the hands-on portion of the course, and help in developing a local security testing lab.

Many labs will utilize physical ICS equipment, providing a scenario that closely resembles what actually exists in the field. This will include not only ICS equipment, but also the associated security components. Some of the technologies that will be covered in this advanced course include:

  • Industrial Protocols such as Modbus/TCP, TSAP, EtherNet/IP and Common Industrial Protocol (CIP)
  • Industrial Firewalls such as Tofino Security Appliance, mGuard, Zenwall and others
  • Unidirectional Security Gateways and Data Diodes (Waterfall Security Solutions)
  • Application Whitelisting such as Microsoft Software Restriction Policies and McAfee Application Control
  • Security Event and Incident Management solutions such as McAfee Enterprise Security Manager and AlienVault OSSIM
  • Network Encryptors (Certes Networks CEP)
  • Firewalls and Firewall Evaluation Tools (Cisco, pfSense, Vyatta, Athena, Firewalker, FWBuilder)
  • Vulnerability Scanners from Tenable Network Security (Nessus)

Each student will receive the following material as part of the course (subject to change):

  • Customized Linux Laptop (based on Chromebook) with built-in 320GB hard drive preloaded with security applications used in the course. Due to export limitations, all international courses will utilize a bootable HDD complete with a customized BackTrack environment to conduct all hands-on exercises.
  • Additional Virtual Machines that will be used to cover such topics as SCADA Systems, SCADA Protocols, Industrial Firewalls, Event Logging, Security Event Monitoring, and Intrusion Detection/Prevention Systems 
  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material including Lectures, Case Studies, and Labs
  • A copy of the book "Industrial Network Security: Securing Infrastructure Networks for Smart Grid, SCADA, and other Industrial Control Systems" by Eric D. Knapp.

Due to the material presented, the course size will be limited to a maximum of 12 students. Each course will begin at 8:00am on Monday morning and conclude by 2:00pm Friday afternoon. The fee for the course is $3,850. A deposit of $500 is required in advance, with the balance due on the first day of training. Registration is fully refundable (less any processing fees levied by the credit card company) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.

The course dates for 2013 have been released and are identified below. Some of the dates will be contingent upon the final 2013-2014 Green Bay Packers schedule (August - October courses) and will be adjusted as soon as the schedule is finalized. The April course will be offered in Phoenix, Arizona the week BEFORE the bi-annual ICSJWG conference. For those attending this course and staying for the ICSJWG conference, a special weekend social and professional event is planned - details will be provided closer to the event. All other courses will be held at Lambeau Field (home of the Green Bay Packers) and include a group stadium tour and Thursday evening social event.

  • June 24-28 (Mercure Hotel - The Hague Central, The Hague, Netherlands) CLOSED
  • September 9-13 - Reserve Now
  • October 7-11 - Reserve Now

There are several hotels in close proximity to Lambeau Field at a rate of $75-$150 per night, depending on location and accommodations. Due to student feedback and individual preferences, there will not be a group code for a single hotel during the event. A list of hotels and typical rates will be available upon request (a Kayak search is also linked from this page). There will also be a Stadium Tour conducted during the week for the attendees. The nearest airport is Austin-Straubel Field (GRB) in the city of Green Bay. Appleton/Outagamie Regional Airport (ATW) is approximately 40 minutes away.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.

What recent attendees have to say about the advanced training program ...

"Fantastic! Great content and perfect combination of hands-on and theory. I left the course feeling re-energized and well-equipped to address ICS security. If you have an opportunity to attend this class - do it. Joel rocks!"
Andy Fenoglio
Tenaska, Inc.

"The best way to find out about what you know you don't know about ICS."
Andy McNeil - CISSP, CISA - New Market Services Corp.

"Despite your skill or exposure level to ICS security, you will walk away with a new perspective."
ICS Vendor

"This training is an eye opener to any ICS user, but specifically to vendors that should be more serious about ICS security."
ICS Vendor

Introduction to Cyber Security for Industrial Control Systems (1-day)

This course is in the process of being migrated to an on-line, on-demand format, and will be available in early-2014.

This course provides an introduction to cyber security as it relates to manufacturing, critical infrastructure, and other industry sectors that rely on industrial control systems (ICS), commonly referred to as Supervisory Control and Data Acquisition (SCADA) or Distributed Control Systems (DCS). This course is intended for those who currently possess very little knowledge of cyber security, but have a basic understanding of control systems (design, commission, operate, and maintain) and basic information technologies (operating systems, networks, Internet/Intranet).

The course agenda is outlined below:

  • Why are industrial control systems prone to cyber attacks
  • What are the differences between ICS security and traditional IT security
  • Looking at risk in terms of manufacturing assets rather than just IT assets
  • Understanding and Identifying ICS Vulnerabilities
  • Preparing for the next-generation of cyber threats
  • Demonstrations will include:
    • A detailed look at Stuxnet - how it infects and spreads (actual live Stuxnet worm will be used for this study)
    • How Social Engineering can be used to exploit an ICS system vulnerability

Each student will receive the following material as part of the course (subject to change):

  • A copy of the book "Cyber Within: A Security Awareness Story and Guide for Employees"
  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material

This course will begin at 8:00am and conclude at 5:00pm (with a 1-hour break for lunch). The fee for the course is $500. Group discounts are available. A 10% discount will be given when registering 2-3 students at the same time, and a 15% discount when registering 4 or more for the 1-day course. Registration is fully refundable (less a 5% processing fee) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.

Students who initially attend this course and later decide to take either the 5-day Advanced or 1-day Assessment training will receive 10% off the regular course fee.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.

Conducting Security Assessments for Industrial Control Systems (2-days)

This course is in the process of being migrated to an on-line, on-demand format, and will be available in mid- to late-2013.

Performing thorough security assessments on industrial control systems has not been a common practice within the manufacturing sector, mainly due to the level of risk in performing the assessment versus the associated risk reduction in discovering and mitigating associated system vulnerabilities. As can be seen in the new DRAFT version 5 of the NERC CIP standards, a new section CIP-010-1 has been included setting the requirements for a new level of assessment. It is important that those conducting such assessments have sufficient training and practice on how such a test is performed on typical ICS architectures.

This course provides a focused look at conducting security assessments for industrial control systems. This is not only focused on the more traditional "vulnerability assessments", but also looks at how security audits can be performed on production systems. Unlike typical vulnerability assessments that will evaluate a system for deficiencies from "known" weaknesses, this 2-day course looks at the methodologies that have been successfully used to identify system-wide weaknesses that are not typically identified by vulnerability "scanners". It also looks at how new game-changing tools can be used to check the security level of a control system against those specified in project requirements.

The second day of this course is devoted entirely to an actual assessment of a model control system, complete with actual ICS software (servers, HMI, historian) and hardware (PLCs). Students will utilize the tools learned in this course to identify actual and potential security problems and weaknesses, and then develop a strategy to improve the security of the system. Students will work with state-of-the-art technology, such as the Nessus vulnerability scanner from Tenable Network Security using the Professional Feed with SCADA plugins. The class will be divided into teams, and each team will present their findings to the class.

The course agenda is outlined below:

  • Day 1
    • Considerations for a Hybrid Testing Methodology specifically for ICS
    • Security Audits
    • Security Assessments ("Theoretical" versus "Physical") including use of the Cyber Security Evaluation Tool (CSET)
    • Vulnerability Assessments
      • Nessus Home Feed versus Professional Feed
      • Nessus SCADA Plugins
      • Compliance Audit Files for Nessus (including Bandolier)
      • Creating Custom Audit Files for Nessus
  • Day 2
    • Assessing the Current Security Posture of an ICS Architecture
    • Improving the Security Posture of a Vulnerable ICS Architecture

Students will use their own computers and will be accessing a licensed test environment via remote desktop protocols (Microsoft RDP, VNC, or similar). Students must have the ability to manually set IP addresses and launch applications that may be resident on an external CD/DVD.

Each student will receive the following material as part of the course (subject to change):

  • Customized version of BackTrack 5 R3 on bootable DVD preinstalled with tools necessary for ICS defensive strategies (pre-registered Nessus Home Feed, pre-configured OpenVAS, firewall utilities, and much more)
  • Software DVD containing a library of tools and applications used throughout the class, including Windows and/or Linux versions
  • Access to additional Virtual Machines that can be used in creating your own test lab, including sample SCADA Systems, SCADA Protocols, Industrial Firewalls, Event Logging, Security Event Monitoring, and Intrusion Detection/Prevention Systems
  • Electronic copies of current Standards, Guidelines, and Best Practices (as allowed by applicable copyright laws) in a web-friendly navigation environment
  • Printed copy of all course material including Lectures and Case Studies
  • A copy of the book "Industrial Network Security: Securing Infrastructure Networks for Smart Grid, SCADA, and other Industrial Control Systems" by Eric D. Knapp.

This course will begin at 8:00am and conclude at 5:00pm (with a 1-hour break for lunch provided and included in the course registration). This course is not limited in size. You can reserve a spot by contacting me directly. The fee for this course is $1995. Registration is fully refundable (less a 5% processing fee) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course. To register for the class, please contact me for additional information.

Dates and locations for this course will be made available in the near future.

This course is also available on-site, and at international locations. Vendors, distributors, and system integrators who are interested in a private course should contact me for additional details and pricing.