Industrial Control System
Cyber Security Institute

ICS Cyber Security Training Curriculum


NEW!!! Ethical Hacking for Industrial Control Systems

Duration: 5 days
Available Format(s): Live In-Person
Who should attend: Red Team and Purple Team professionals responsible for assessing and mitigating risks to business operations resulting from the disruption of ICS functions and services
Prerequisites:
  • Fundamentals of Industrial Control System Cyber Security (GICSP)
  • Ethical Hacking (CE|H or CPT)
  • Kali Linux (OSCP)
  • Type-2 Hypervisors – Hosts + Networks
Hands-On Exercises / Labs: Multiple
Expected Outcome (OPERATIONAL): Skills to enumerate, fingerprint, identify, and exploit ICS operations through compound and blended attack techniques
CEUs: 60 (Practical Component) or 40 (w/o Practical Component)
Certification Ready: None

This new and very advanced course supplies an environment to learn and apply offensive cyber operational (OCO) skills to a range of operational technology architectures. It introduces tactics, techniques, and procedures (TTP) against a range of real-world architectures, components, devices, and protocols, leveraging both traditional software vulnerabilities and the more subtle, hard-to-find yet equally (if not more) powerful human vulnerabilities that arise from typical system configuration and usage.

This course focuses primarily on lab exercises with presentation-based lectures used to introduce new concepts and review class progress at the completion of each exercise. Exercises will be conducted on a combination of student-hosted platforms (either directly or via local type 1 hypervisors) and the ICSCSI ICS Cyber Range elements accessed via the Learning Management System (LMS).

Introductory exercises will use simple two-device, one-network architectures, and will become increasingly advanced, progressing to three-zone and five-zone SCADA and DCS architectures that include both redundant and non-redundant server, workstation, network, and control platforms.

The course starts from the basic concepts covered under an ethical hacking framework and expands upon them with decades of instructor experience in both conceptual and detailed design, covering system procurement, configuration, testing, commissioning, and support of large-scale integrated industrial control systems. This experience gives students a unique opportunity to understand the true nature of industrial automation and control, how a “system of systems” is integrated into a single cohesive architecture, and the contrast between perceived and actual exploitability.

No quizzes will be administered during this course. No certification will be offered in the first release of this course. An accredited certification program that includes both written and practical components is planned, subject to initial student interest, and will be part of future course offerings. Continuing Education Units (CEU) will be offered for this course. An optional practical exercise is available to earn an additional 20 CEUs by submitting a Security Test Report based on one of the scenarios covered in the course.

Learning Objectives (subject to change)

  • Industrial Architectures, Systems & Communications
    • ICS Reference Architecture
    • Common Open Protocols
    • Common Community Protocols
    • Common Proprietary Protocols
    • Sample Vendor Reference Architectures
    • Reference Architecture Data Flow Analysis
  • Ethical Hacking Methodologies & Tools
    • Information Gathering
    • Scanning, Enumeration and Fingerprinting
    • Gaining Access
    • Maintaining Access
    • Covering Your Tracks
  • Basic Exploitation
    • Payload Development
    • Payload Deployment
    • Command and Control
    • Elevation of Privilege
    • Establish Persistence
    • Gather Loot
    • Lateral Movement
    • Chained Exploits
  • Discovering & Exploiting ICS Weaknesses
    • Host-based Targets
    • Device-based Targets
    • Network-based Targets
  • Pwning ICS Operations
    • “Crash and Burn” vs “Conquer and Control”
    • Detection Avoidance
    • “Redundancy or Not”
  • Attacking an Enterprise-Connected SCADA System
    • System Architecture (Gray Box) – Multi-Zone No Redundancy
    • Initial Infection
    • Information Disclosure
    • Enumeration
    • Lateral Movement
    • Hunt and Repeat
    • Finding the Pot of Gold
  • Attacking an Enterprise-Connected DCS System
    • System Architecture (Black Box) – Multi-Zone + Redundancy
    • Drop Point – Open Control Net (Easy)
    • Drop Point – Supervisory Net (Moderate)
    • Drop Point – Closed Control Net (Difficult)
    • Drop Point – DMZ Net (Very Difficult)
    • Drop Point – Office Net (Extremely Difficult)
  • Debriefing
    • Sharing Results
    • Summarizing Findings & Results (Optional)

Student Computer Requirements

Students will have to supply their own laptop to take part in this course. Kali Linux will be used in this course and must be available either as a dedicated installation or as a functional virtual machine via a type 2 hypervisor. A pre-installed Kali virtual machine will also be available via the course type 1 hypervisors. It is recommended that this is NOT a production computer used in the day-to-day business environment of the student, but rather a computer on which the user MUST have administrative authorization to make major system configuration changes, including (but not limited to): installing software, installing hypervisors, modifying system features (Windows), changing network configuration settings, changing BIOS/UEFI settings, and modifying system boot settings (may require disabling TPM). The instructor will also discuss the use of a multiple-boot configuration to host offensive and defensive tools without the potential for interaction between the platforms. Further requirements are summarized below:

  • Minimum Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i5 64-bit (2.4GHz)
    • 8GB RAM
    • 240GB HDD
    • Wireless NIC
    • Pointing Device
    • 11" Monitor
    • 1 USB2/USB3 Port
  • Recommended Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i7 64-bit (3.5GHz)
    • 16GB RAM
    • 500GB HDD
    • Wireless NIC
    • 100/1000BT RJ45 Wired NIC
    • Mouse (preferred over Touchpad)
    • 15" Monitor
    • 2 USB2/USB3 Port

Prerequisites and Basic Skills Requirements

The material is “very advanced” in nature, and in order to cover the vital material outlined above, limited time will be spent teaching basic and intermediate skills. The exercises include detailed descriptive and prescriptive text for completing the activities, but it is impossible for all exercises to address every scenario typical of an advanced learning environment. It is recommended that students have, as a minimum, the following skills before considering this course. Skills should not be confused with certifications. Students should be able to perform in an operational environment and use skills covered in basic and intermediate security curricula; industrial automation, control, and security fundamentals; and ethical hacking and offensive cyber operations.

  • Working knowledge of the Windows operating system beginning at kernel version 5 including software installation via Store and installation media, navigating the file system, use of encrypted file systems, compression and archiving, modifying application execution authorization level, Command Prompt usage, generating and validating file integrity, PowerShell scripting, managing Roles and Features, manipulating network connections, establishing Virtual Private Networks, and the use of common productive tools.
  • Working knowledge of the Linux operating system (mainly Debian-based distributions including Ubuntu and Kali) that encompasses software installation methods (dpkg, aptitude), use of encrypted file systems, compression and archiving, modifying execution authorization level, shell usage, generating and validating file integrity, manipulating network connections, establishing Virtual Private Networks, and the use of productivity tools.
  • Familiarity with Kali, the open-source, Debian-based Linux distribution used for penetration testing, security research, computer forensics, and reverse engineering.
  • Basic understanding of industrial architectures and the protocols used to communicate between application servers, communication servers, human-machine interfaces, infrastructure servers (e.g., file services, directory services, web services, update services), system gateways, and controllers.
  • Basic understanding of networking and network access control technologies including access, distribution and core switching, routing, transparent and routed firewalls, network bridging, unidirectional communication, the OSI 7-layer model, and the TCP 3-way handshake.
  • Exposure to and some use of passive network analysis, enumeration and characterization tools that include Grass Marlin, Network Miner, tshark, tcpdump, and Wireshark.
  • Exposure to and some use of active network analysis, enumeration, and characterization tools like arp, arping, arp-scan, hping, nmap, and snmp.
  • Exposure to and some use of active vulnerability scanning solutions like Tenable Nessus and Greenbone Vulnerability Manager (OpenVAS) including custom scripting via the Nessus Attack Scripting Language (NASL) and OpenVAS-NASL.
  • Exposure to common exploitation frameworks like Metasploit.
  • Working knowledge of Type-2 (minimum) hypervisors such as Microsoft Hyper-V, Oracle VM VirtualBox, Parallels Desktop [not recommended], VMware Fusion [not recommended], and VMware Workstation Pro; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).
  • Exposure to and some use of Type-1 (recommended) hypervisors such as Citrix Hypervisor (Xen Server), Microsoft Hyper-V, KVM, Oracle VM, and VMware ESXi; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).

Student Material

A sample of the student supplemental material includes (actual list may be adjusted):

  • Industrial Network Security, 2nd edition (Syngress)
  • Hacking Exposed: Industrial Control Systems (McGraw Hill)
  • Pentesting Industrial Control Systems (Packt)
  • Purple Team Field Manual (Tim Bryant)
  • ICS Purple Team Field Manual (ICSCSI)

Training Logistics

Training classes are currently capped at a maximum of six (6) students. Due to the advanced nature of the material covered, the smaller class size ensures that the instructor can provide sufficient individual attention. This course is not currently offered outside the United States. All ICSCSI-arranged venues will include coffee and non-alcoholic drinks throughout the day, plus lunch. Students will also be provided with public Internet access during the course. Students must supply their own transportation, lodging, other meals, incidental expenses, and insurance.

Group Pricing

Group pricing is not available at this time.

Course Registration

This course will only be offered in "live" in-person sessions due to the complexity of the lab environment used throughout the course. This course is highly interactive and depends on student participation and interaction with other students to ensure success. The live sessions will be delivered over a consecutive 5-day period, 8 hours each day.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). All registrations can be cancelled and a partial refund granted up to 60 days before the scheduled date (PayPal processing fees of 3.49-5.49% will not be refunded). Please contact ICSCSI if an alternate form of payment is required.

Due to the nature of the material covered in this course, only VETTED US CITIZENS will be allowed to attend and participate. This ruling will be evaluated and updated accordingly.

Course Format   | Dates        | Location                 | Price
Live In-Person  | October 2024 | Green Bay / De Pere, WI  | $10,000 (5 students max)
Live In-Person  | Q1 2025      | Texas                    | $10,000 / $9,000
Live In-Person  | Q2 2025      | Virginia                 | $10,000 / $9,000
Live In-Person  | Q3 2025      | Wisconsin                | $10,000 / $9,000
Live In-Person  | Q4 2025      | Arizona                  | $10,000 / $9,000

Dates for the October training in Green Bay will be finalized after the NFL schedule for the Green Bay Packers is finalized following the Draft in April. After registration and receipt of payment, students will receive an email with sign-on instructions for the learning management system, including complimentary access to the "Fundamentals of ICS Cyber Security" EXPRESS course for refreshing skills if needed. Approximately 30 days before the course date, students will receive details with early access to preliminary content, including a Student Questionnaire that should be completed as soon as possible. All course material will be distributed on the first day of class.