Industrial Control System
Cyber Security Institute

ICS Cyber Security Training Curriculum

NEW!!! Ethical Hacking for Industrial Control Systems

Duration 5 days
Available Format(s) Live In-Person
Who should attend Red Team and Purple Team professionals responsible for assessing and mitigating risks to business operations resulting from the disruption of ICS functions and services
Prerequisites Fundamentals of Industrial Control System Cyber Security (GICSP) Ethical Hacking (CE|H or CPT) Kali Linux (OSCP) Type-2 Hypervisors – Hosts + Networks
Hands-On Exercises / Labs Multiple
Expected Outcome (OPERATIONAL) Skills to enumerate, fingerprint, identify, and exploit ICS operations through compound and blended attack techniques
CEUs 60 (Practical Component) or 40 (w/o Practical Component)
Certification Ready None

This exciting new very advanced course supplies an environment to learn and apply offensive cyber operational (OCO) skills to a range of operational technology architectures. It introduces tactics, techniques, and procedures (TTP) to a range of real-world architectures, components, devices, and protocols that leverage both traditional software vulnerabilities and other more subtle, hard to find yet equally if not, more powerful human vulnerabilities that arise from typical system configuration and usage.

This course focuses primarily on lab exercises with presentation-based lectures used to introduce new concepts and review class progress at the completion of each exercise. Exercises will be conducted on a combination of student-hosted platforms (either directly or via local type 2 hypervisors) and the ICSCSI ICS Cyber Range elements accessed via the Learning Management System (LMS).

Introductory exercises will use simple, two-device one-network architectures, and will becoming increasing more advanced with three-zone and five-zone SCADA and DCS architectures that include both redundant and non-redundant server, workstation, network, and control platforms.

The course uses the basic concepts covered under an ethical hacking framework and expands upon this with decades of instructor experience in both conceptual and detailed design covering system procurement, configuration, testing, commissioning, and supporting large-scale integration industrial control systems. This experience provides students with a unique opportunity to understand the true nature of industrial automation and control, the integration of a “system of systems” more fully into a single cohesive architecture, and the contrast between perceived and actual exploitability.

No quizzes will be administered during this course. Student grading will be decided subjectively by the instructor based on student participation, understand of concepts, execution of procedures, and completion of target results. There is no certification that will be offered in the first release of this course. An accredited certification program that includes both written and practical components is expected based on initial student interest. Continuing Education Units (CEU) will be offered for this course. An optional practical exercise is available to get +20 CEUs by submitting a Security Test Report based on one of the scenarios covered in the course.

Learning Objectives

  • Industrial Architectures, Systems & Communications
    • ICS Reference Architecture
    • Common Open Protocols
    • Common Community Protocols
    • Common Proprietary Protocols
    • Sample Vendor Reference Architectures
    • Reference Architecture Data Flow Analysis
  • Ethical Hacking Methodologies & Tools
    • Information Gathering
    • Scanning, Enumeration and Fingerprinting
    • Gaining Access
    • Maintaining Access
    • Covering Your Tracks
  • Basic Exploitation
    • Payload Development
    • Payload Deployment
    • Command and Control
    • Elevation of Privilege
    • Establish Persistence
    • Gather Loot
    • Lateral Movement
    • Chained Exploits
  • Discovering & Exploiting ICS Weaknesses
    • Host-based Targets
    • Device-based Targets
    • Network-based Targets
  • Pwning ICS Operations
    • “Crash and Burn” vs “Conquer and Control”
    • Detection Avoidance
    • “Redundancy or Not”
  • Attacking an Enterprise-Connected SCADA System
    • System Architecture (Gray Box) – Multi-Zone No Redundancy
    • Initial Infection
    • Information Disclosure
    • Enumeration
    • Lateral Movement
    • Hunt and Repeat
    • Finding the Pot of Gold
  • Attacking an Enterprise-Connected DCS System
    • System Architecture (Black Box) – Multi-Zone + Redundancy
    • Drop Point – Open Control Net (Easy)
    • Drop Point – Supervisory Net (Moderate)
    • Drop Point – Closed Control Net (Difficult)
    • Drop Point – DMZ Net (Very Difficult)
    • Drop Point – Office Net (Extremely Difficult)
  • Debriefing
    • Sharing Results
    • Summarizing Findings & Results (Optional)

Student Computer Requirements

Students will have to supply their own laptop to take part in this course. It is recommended that this is NOT a production computer used in the day-to-day business environment of the student, but rather a computer that MUST provide the user with administrative authorization in order to make major system configuration changed, including (but not limited to): installing software, installing hypervisors, modifying system features (Windows), changing network configuration settings, changing BIOS/UEFI settings, and modifying system boot settings (may require disabling TPM). The instructor will also discuss the use of a multiple-boot configuration to host offensive and defensive tools without the potential for interaction between the platforms. More requirements are summarized below:

  • Minimum Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i5 64-bit (2.4GHz)
    • 8GB RAM
    • 240GB HDD
    • Wireless NIC
    • Mouse (preferred over Touchpad)
    • 11" Monitor
    • 1 USB2/USB3 Port
  • Recommended Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i7 64-bit (3.5GHz)
    • 16GB RAM
    • 500GB HDD
    • Wireless NIC
    • 100/1000BT RJ45 Wired NIC
    • Mouse (preferred over Touchpad)
    • 15" Monitor
    • 2 USB2/USB3 Port

Prerequisites and Basic Skills Requirements

The material is “very advanced” in nature and to cover the vital material outlined above, limited time will be spent teaching basic and intermediate skills. The exercises have detailed descriptive and prescriptive text to complete the activities, but it is impossible for all exercises to address all potential scenarios typical in an advanced learning environment. It is recommended that students have as a minimum the following skills before considering this course. Skills should not be confused with certifications. Students should be able to perform in an operational environment and use skills covered in basic and intermediate security; industrial automation, control, and security fundamentals; and ethical hacking and offensive cyber operations.

  • Working knowledge of the Windows operating system beginning at kernel version 5 including software installation via Store and installation media, navigating the file system, use of encrypted file systems, compression and archiving, modifying application execution authorization level, Command Prompt usage, generating and validating file integrity, PowerShell scripting, managing Roles and Features, manipulating network connections, establishing Virtual Private Networks, and the use of common productive tools.
  • Working knowledge of the Linux operating system (mainly Debian-based distributions including Ubuntu and Kali) that encompasses software installation methods (dpkg, aptitude), use of encrypted file systems, compression and archiving, modifying execution authorization level, shell usage, generating and validating file integrity, manipulating network connection, establishing Virtual Private Networks, and the use of productivity tools.
  • Familiarization with the Kali open-source, Debian-based Linux distributed used for penetration testing, security research, computer forensics, and reverse engineering.
  • Basic understanding of industrial architectures and the protocols used to communicate between application servers, communication servers, human-machine interfaces, infrastructure servers (e.g., file services, directory services, web services, update services), system gateways, and controllers.
  • Basic understanding of networking and network access control technologies including access, distribution and core switching, routing, transparent and routed firewalls, networking bridging, unidirectional communication, the OSI 7-layer model, and the TCP 3-way handshake.
  • Exposure to and some use of passive network analysis, enumeration and characterization tools that include Grass Marlin, Network Miner, tshark, tcpdump, and Wireshark.
  • Exposure to and some use of active network analysis, enumeration, and characterization tools like arp, arping, arp-scan, hping, nmap, and snmp.
  • Exposure to and some use of active vulnerability scanning solutions like Tenable Nessus and Greenbone Vulnerability Manager (OpenVAS) including custom scripting via the Nessus Attack Scripting Language (NASL) and OpenVAS-NASL.
  • Exposure to common exploitation frameworks like Metasploit.
  • Working knowledge of Type-2 (minimum) such as Microsoft Hyper-V, Oracle VM VirtualBox, Parallels Desktop [not recommended], VMware Fusion [not recommended], and VMware Workstation Pro; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).
  • Exposure to and some use of Type-1 (recommended) hypervisors such as Citrix Hypervisor (Xen Server), Microsoft Hyper-V, KVM, Oracle VM, and VMware ESXi; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).

Student Material

A sample of the student supplemental material includes (actual list may be adjusted):

  • Industrial Network Security, 2nd edition (Syngress)
  • Hacking Exposed: Industrial Control Systems (McGraw Hill)
  • Pentesting Industrial Control Processes (Packt)
  • Purple Team Field Manual (Tim Bryant)
  • ICS Purple Team Field Manual (ICSCSI)

Training Logistics

Training classes will currently be capped at eight (8) student maximum. Due to the advanced nature of the material covered, the smaller class size insures sufficient individual attention can be provided. ICSCSI will make training available at various locations globally based on client interest. All ICSCSI arranged venues will include coffee and non-alcoholic drinks through the day, plus lunch. Students will also be provided with public Internet access during the course. Student supplies their own transportation, lodging, meals, and incidental expenses and insurance.

Group Pricing

Discounts are available for groups of four (4) or more. Course can be offered either at ICSCSI designed venue or hosted locally at a private client-provided venue. Discounts for on-site training will be subject to transportation, lodging, meals, and incidental expenses and insurance (if applicable) for the instructor(s). Public, unfiltered Internet connectivity must be supplied for training at any client-provided venue. Contact ICSCSI for group discounts and on-site options. Click here for details on military and government discounts.

Course Registration

This course will only be offered in "live" in-person sessions due to the complexity of the lab environment used throughout the course. This course is highly interactive and depends on student participation and interaction with other students to ensure success. The live sessions will be delivered over a consecutive 5-day period 8-hours each day.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). Please contact ICSCSI if an alternate form of payment is required.

The initial course schedule will be release shortly after the release of the NFL Schedule currently scheduled for May 12. The first initial courses will all be held in a Luxury Suite and the iconic Lambeau Field - home of the World Champion Green Bay Packers.

Course Format Dates Location Price Register
On-Site Summer 2023 NE Wisconsin
Appleton / Green Bay
$ 9,000 CLOSED
On-Site Late Summer 2023 NE Wisconsin
Appleton / Green Bay
$ 9,000 6 Students Max
Contact ICSCSI

After registration and receipt of payment, students will receive an email with sign-on instructions to access the learning management system with early access to preliminary content including a Student Questionnaire that should be completed as soon as possible. All course material will be distributed the first day of class.

Additional information on other courses offered as part of the curriculum can be viewed by selecting from the following list or the Quick Links located in the top righthand section of this page: