Industrial Control System
Cyber Security Institute

ICS Cyber Security Training Curriculum


Understanding, Assessing and Securing Industrial and Facility-Related Control Systems

Duration 5 days
Available Format(s) Live / Online
Who should attend Personnel responsible for installing, maintaining, or auditing cyber security on ICS/FRCS
Prerequisites Fundamentals of Information and Operational Technology Systems
Network + (or equivalent)
Security + (or equivalent)
Linux Fundamentals
Hands-On Exercises / Labs Multiple
Expected Outcome (OPERATIONAL) Skills to perform asset inventory, vulnerability identification and security controls and countermeasures selection
CEUs 40
Certification Ready Global Industrial Cyber Security Professional (GICSP)
Certified SCADA Security Architect (CSSA)

This advanced course utilizes four complimentary components to introduce, reinforce and apply the information presented. Standard presentation-based lectures comprise approximately 25% of allotted time. Instructor-led demonstrations are used to show a variety of relevant technologies accounting for 15% of the time. Trainees participate in several case studies providing an opportunity to review, analyze and learn from actual ICS cyber events for roughly 10% of the time. Students will engage in a variety of hands-on exercises to expand on lecture material, including a practical assessment of an actual ICS designed to replicate an actual field exercise. These exercises compromise the remaining 50% of the course time. The final day is best used as an unstructured session (live delivery only) allowing trainees to apply newly learned skills to further explore host-based and network-based weaknesses and exploitation concepts specific to ICS. This course can also include a site visit at an operational site (if allowed via live delivery) to identify ICS components and learn about how the system(s) operate and are integrated with adjacent infrastructure.

All material covered in the course will adequately prepare students for either the IACRB Certified SCADA Security Architect (CSSA) or GIAC Global Industrial Cyber Security Professional (GICSP) certification examinations. United States Dept. of Defense employees and contractors should refer to the Approved 8570 Baseline Certifications for more details on information assurance workforce requirements. Certification exam fees are not included with the course pricing. ICSCSI can arrange for proctored examinations in certain physical course locations. Students must arrange for their own examination through Pearson Vue for online courses.

Learning Objectives

  • ICS/FRCS Overview and Architectures
    • SCADA, DCS and FRCS Operation
    • Basic Control and Safety/Life-Safety System Operation
    • Supervisory, Control and Fieldbus Protocols
    • Industrial Network Design
    • Reference Architectures
  • Unique Threat Landscape of ICS/FRCS
    • Challenges in Securing ICS/FRCS Architectures
    • Consequences of an ICS/FRCS Compromise
    • Major Security Objectives
    • Operational (OT) versus Information (IT) Security
  • Risk Management
    • Components of Risk
    • ICS/FRCS Security Incidents
    • Risk Assessment Methodology
    • Risk Identification
    • Risk Classification
  • Standards and Best Practices
    • ICS, FRCS and Critical Infrastructure
    • Center for Internet Security
    • ICS/IEC 62443 (ISA 99)
    • NIST 800-82
    • AuDSD
    • DoD - STIGs and SRGs
    • DoE - NERC CIP
  • Auditing and Assessing ICS/FRCS Security
    • Security Assessment Methodology
    • Theoretical Assessments (CSET)
    • Physical Assessments
    • System Characterization
    • White Box versus Black Box Techniques
    • Network Assessment Tools and Techniques
    • Firewall, Router and Switch Analysis
    • Vulnerability Scanning and Prioritization
    • Compliance Auditing
  • ICS/FRCS Vulnerabilities
    • Policy and Procedure Vulnerabilities
    • Configuration Vulnerabilities
    • Platform and Device Vulnerabilities
    • Application and Software Vulnerabilities
    • Network Vulnerabilities
    • Project Execution Vulnerabilities
  • Selecting and Implementing Controls
    • Security Controls and Risk Reduction
    • Cyber Security and ICS/FRCS Procurement
    • Access Control
    • Active Directory
    • Network Segmentation, Zones and Conduits
    • IP Addressing
    • Network Access Control
    • Remote Access
    • Encyrption
    • Unidirectional Communications
    • Patch Management
    • Malware Prevention
    • Intrusion Monitoring
    • Network Behavior Analysis
    • Incident Response
  • Hands-On Skills
    • Hardware Inventory
    • Software Inventory
    • Host Characterization (Ports/Services)
    • System Architecture
    • Network Characterization (Data Flows)
    • Vulnerability Identification
    • Host Auditing
    • Host- and Network-based Exploitation
  • Site Visit (optional - live format only)
    • System Operation
    • Hardware Identification
    • Field Instrumentation
    • Data Integration / Enclaves
    • Security Controls
    • Knowledge Management

Case Studies

It is important to have flexibility in the delivery of training material to adjust and align with the learning objectives of the trainees. This approach has proven successful and allows detailed analysis of related events to be shared, along with the techniques utilized and lessons learned for mitigation of risk. ICSCSI utilizes case studies to accomplish this, and has developed topics that include:

  • Understanding ICS/FRCS attacks: A technical look at Stuxnet and how it installed, executed, and propogated
  • Using open-sourced intelligence to successfully attack a SCADA system
  • Successfully attacking an ICS/FRCS: How well do you know your system?
  • Successfully attacking an ICS/FRCS controller: What users are not always told by their vendor
  • Network misconfiguration immobilitizes military base
  • Understanding the risk of connecting an ICS/FRCS to the Internet: Whose fault is it?
  • Applying deception techniques to analyze ICS/FRCS attractiveness

Some of the case studies will only be presented in physical live course settings and are not available via the online learning management system. Certain material shared will provide invaluable insight into cyber events targeting ICS/FRCS that is not typically available in public or open-sourced venues.

Learn with Actual Real-World Industrial Security Technologies

Exposure to physical ICS security equipment that can be deployed in the field will be included as part of the material covered. This will include not only ICS equipment, but also associated security components as well. Some of the technologies that will be covered in this course include:

  • Software and devices using common industrial protocols such as Modbus/TCP, TSAP, EtherNet/IP and Common Industrial Protocol (CIP)
  • Industrial Firewalls such as the Tofino Security Appliance, Innominate mGuard, Siemens Scalance X, and Ultra/3eTI CyberFence
  • Unidirectional Security Gateways and Data Diodes (Waterfall Security Solutions)
  • Application Whitelisting such as Microsoft Software Restriction Policies and McAfee Application Control
  • Security Event and Incident Management solutions such as AlienVault OSSIM, McAfee Enterprise Security Manager and Splunk
  • Network Encryptors (Certes Networks CEP)
  • Firewalls and Firewall Evaluation Tools (Cisco, Athena)
  • Vulnerability and Compliance Scanners from Tenable Networks (Nessus)

Prerequisites

It is strongly recommended that students plan to take the 1-day fundamentals course since the material covered in this course is “advanced” in nature. Concepts will only be reviewed, and students are assumed to possess fundamental skills around platforms, operating systems, and networking. All course material is reinforced with specific chapters taken from a publication co-authored by one of the instructors. It is helpful for trainees to be comfortable working in both Windows and Linux operating systems and possess basic networking knowledge. Additional material is provided to assist students in any areas that require individual development and improvement if they do not possess sufficient prerequisites.

Student Material

Lecture-based training must be augmented to improve not only the level of understanding by the trainee, but also the amount of knowledge retained once the formal course is complete. ICSCSI has put together an extensive collection of material that will be distributed to each attendee during the course. Textbooks provide much needed background into the topics covered – something that is typically not possible during a fixed-duration course. ICSCSI is one of the only providers that offers a textbook co-authored by one of the instuctors to supplement the course material. ICSCSI supplements this material with tools that can be used on future ICS/FRCS cyber engagements. Students will utilize an advanced Learning Management System to interact with a cyber training range and access to additional data supplementing the course activities.

A sample of the student supplemental material includes:

  • Industrial Network Security, 2nd edition (Syngress)
  • Course Manual (containing copies of all slides)

Certification

This course does not offer an independent certification at this time. ICSCSI is in the process of obtaining accreditation of this course and the ICS cyber security curriculum. ICSCSI is also planning to establish in independent certification authority similar to GIAC (SANS) and IACRB (InfoSec Institute).

This course includes a certification preparation module to help students prepare and pass the Certified SCADA Security Architect (CSSA) examination offered through Information Assurance Certification Review Board (IACRB) (certification fees not included in course registration fee). Save THOUSANDS of dollars off other certification programs!!!

The material covered in this class is sufficient to successfully pass the Global Industrial Cyber Security Professional (GICSP) offered through GIAC.

Each student will receive a Certificate of Training once all modules have been successfully viewed, and the associated self-assessments completed. These Continuing Education Units (CEU) can be used against other professional certifications like CISSP, CEH, etc.

Course Registration

This course is available via three different delivery methods. The traditional "live" format is available and will be offered based on current restrictions and safety protocols in response to the COVID-19 pandemic. Live courses will be delivered over a consecutive 5-day period 8-hours each day.

Two different options are available for remote learning. The first is a structured "live /streaming" virtual session that will take place over a fixed period of time with each day beginning with instructor delivered content, followed by unstructured time where students can work on assignments, exercises and quizzes at their own pace with the instructor available to provide assistance as needed.

For those interested in a self-paced, unstructured format, the course can be completed using an "on demand" format. All courses will utilize the learning management system for content delivery, supplimental information, assignment and exercise instructions and submissions, and examinations. Students will also have access to content via the LMS after the completion of the course using any delivery method.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). Please contact ICSCSI if an alternate form of payment is required. Group discounts and on-site options are available.

Delivery
Method
Dates Location Price Register
Live / Streaming June 7-18 Anywhere $ 5,000
Live / In-Person June 21-25 Lambeau Field
Green Bay, Wisconsin
$ 5,000
On Demand Anytime Anywhere $ 4,500

After registration and receipt of payment, students will receive an email with sign-on instructions to access the learning management system. For remote streaming and on-demand courses, course materials will be shipped and should arrive in 1-2 weeks.



Additional information on other courses offered as part of the curriculum can be viewed by selecting from the following list or the Quick Links located in the top righthand section of this page: