Industrial Control System
Cyber Security Institute



ICS Cyber Security Training Curriculum


NEW!!! Ethical Hacking for Industrial Control Systems

Duration 5 days
Available Format(s) Live In-Person
Who should attend Red Team and Purple Team professionals responsible for assessing and mitigating risks to business operations resulting from the disruption of ICS functions and services
Prerequisites Fundamentals of Industrial Control System Cyber Security (GICSP)
Ethical Hacking (CE|H or CPT)
Kali Linux (OSCP)
Type-2 Hypervisors – Hosts + Networks
Hands-On Exercises / Labs Multiple
Expected Outcome (OPERATIONAL) Skills to enumerate, fingerprint, identify, and exploit ICS operations through compound and blended attack techniques
CEUs  60 (Practical Component) or 40 (w/o Practical Component)
Certification Ready None

This exciting new very advanced course supplies an environment to learn and apply offensive cyber operational (OCO) skills to a range of operational technology architectures. It introduces tactics, techniques, and procedures (TTP) to a range of real-world architectures, components, devices, and protocols that leverage both traditional software vulnerabilities and other more subtle, hard to find yet equally if not, more powerful human vulnerabilities that arise from typical system configuration and usage.

This course focuses primarily on lab exercises with presentation-based lectures used to introduce new concepts and review class progress at the completion of each exercise. Exercises will be conducted on a combination of student-hosted platforms (either directly or via local type 1 hypervisors) and the ICSCSI ICS Cyber Range elements accessed via the Learning Management System (LMS).

Introductory exercises will use simple, two-device one-network architectures, and will becoming increasing more advanced with three-zone and five-zone SCADA and DCS architectures that include both redundant and non-redundant server, workstation, network, and control platforms.

The course uses the basic concepts covered under an ethical hacking framework and expands upon this with decades of instructor experience in both conceptual and detailed design covering system procurement, configuration, testing, commissioning, and supporting large-scale integration industrial control systems. This experience provides students with a unique opportunity to understand the true nature of industrial automation and control, the integration of a “system of systems” more fully into a single cohesive architecture, and the contrast between perceived and actual exploitability.

No quizzes will be administered during this course. There is no certification that will be offered in the first release of this course. An accredited certification program that includes both written and practical components is expected based on initial student interest and will be part of future course offerings. Continuing Education Units (CEU) will be offered for this course. An optional practical exercise is available to get +20 CEUs by submitting a Security Test Report based on one of the scenarios covered in the course.

Learning Objectives (subject to change)

  • Industrial Architectures, Systems & Communications
    • ICS Reference Architecture
    • Common Open Protocols
    • Common Community Protocols
    • Common Proprietary Protocols
    • Sample Vendor Reference Architectures
    • Reference Architecture Data Flow Analysis
  • Ethical Hacking Methodologies & Tools
    • Information Gathering
    • Scanning, Enumeration and Fingerprinting
    • Gaining Access
    • Maintaining Access
    • Covering Your Tracks
  • Basic Exploitation
    • Payload Development
    • Payload Deployment
    • Command and Control
    • Elevation of Privilege
    • Establish Persistence
    • Gather Loot
    • Lateral Movement
    • Chained Exploits
  • Discovering & Exploiting ICS Weaknesses
    • Host-based Targets
    • Device-based Targets
    • Network-based Targets
  • Pwning ICS Operations
    • “Crash and Burn” vs “Conquer and Control”
    • Detection Avoidance
    • “Redundancy or Not”
  • Attacking an Enterprise-Connected SCADA System
    • System Architecture (Gray Box) – Multi-Zone No Redundancy
    • Initial Infection
    • Information Disclosure
    • Enumeration
    • Lateral Movement
    • Hunt and Repeat
    • Finding the Pot of Gold
  • Attacking an Enterprise-Connected DCS System
    • System Architecture (Black Box) – Multi-Zone + Redundancy
    • Drop Point – Open Control Net (Easy)
    • Drop Point – Supervisory Net (Moderate)
    • Drop Point – Closed Control Net (Difficult)
    • Drop Point – DMZ Net (Very Difficult)
    • Drop Point – Office Net (Extremely Difficult)
  • Debriefing
    • Sharing Results
    • Summarizing Findings & Results (Optional)

Student Computer Requirements

Students will have to supply their own laptop to take part in this course. Kali Linux will be used in this course, and must be available either as a dedicated installation or as a functional virtual machine via a type 2 hypervisor. A pre-installed Kali virtual machine will also be available via the course type 1 hypervisors. It is recommended that this is NOT a production computer used in the day-to-day business environment of the student, but rather a computer that MUST provide the user with administrative authorization in order to make major system configuration changed, including (but not limited to): installing software, installing hypervisors, modifying system features (Windows), changing network configuration settings, changing BIOS/UEFI settings, and modifying system boot settings (may require disabling TPM). The instructor will also discuss the use of a multiple-boot configuration to host offensive and defensive tools without the potential for interaction between the platforms. More requirements are summarized below:

  • Minimum Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i5 64-bit (2.4GHz)
    • 8GB RAM
    • 240GB HDD
    • Wireless NIC
    • Pointing Device
    • 11" Monitor
    • 1 USB2/USB3 Port
  • Recommended Computer Requirements
    • Administrative authorization to install applications, platform features, and configuration settings including local policy objects
    • 4C Intel Core i7 64-bit (3.5GHz)
    • 16GB RAM
    • 500GB HDD
    • Wireless NIC
    • 100/1000BT RJ45 Wired NIC
    • Mouse (preferred over Touchpad)
    • 15" Monitor
    • 2 USB2/USB3 Port

Prerequisites and Basic Skills Requirements

The material is “very advanced” in nature and to cover the vital material outlined above, limited time will be spent teaching basic and intermediate skills. The exercises have detailed descriptive and prescriptive text to complete the activities, but it is impossible for all exercises to address all potential scenarios typical in an advanced learning environment. It is recommended that students have as a minimum the following skills before considering this course. Skills should not be confused with certifications. Students should be able to perform in an operational environment and use skills covered in basic and intermediate security curriculums; industrial automation, control, and security fundamentals; and ethical hacking and offensive cyber operations.

  • Working knowledge of the Windows operating system beginning at kernel version 5 including software installation via Store and installation media, navigating the file system, use of encrypted file systems, compression and archiving, modifying application execution authorization level, Command Prompt usage, generating and validating file integrity, PowerShell scripting, managing Roles and Features, manipulating network connections, establishing Virtual Private Networks, and the use of common productive tools.
  • Working knowledge of the Linux operating system (mainly Debian-based distributions including Ubuntu and Kali) that encompasses software installation methods (dpkg, aptitude), use of encrypted file systems, compression and archiving, modifying execution authorization level, shell usage, generating and validating file integrity, manipulating network connection, establishing Virtual Private Networks, and the use of productivity tools.
  • Familiarization with the Kali open-source, Debian-based Linux distributed used for penetration testing, security research, computer forensics, and reverse engineering.
  • Basic understanding of industrial architectures and the protocols used to communicate between application servers, communication servers, human-machine interfaces, infrastructure servers (e.g., file services, directory services, web services, update services), system gateways, and controllers.
  • Basic understanding of networking and network access control technologies including access, distribution and core switching, routing, transparent and routed firewalls, networking bridging, unidirectional communication, the OSI 7-layer model, and the TCP 3-way handshake.
  • Exposure to and some use of passive network analysis, enumeration and characterization tools that include Grass Marlin, Network Miner, tshark, tcpdump, and Wireshark.
  • Exposure to and some use of active network analysis, enumeration, and characterization tools like arp, arping, arp-scan, hping, nmap, and snmp.
  • Exposure to and some use of active vulnerability scanning solutions like Tenable Nessus and Greenbone Vulnerability Manager (OpenVAS) including custom scripting via the Nessus Attack Scripting Language (NASL) and OpenVAS-NASL.
  • Exposure to common exploitation frameworks like Metasploit.
  • Working knowledge of Type-2 (minimum) such as Microsoft Hyper-V, Oracle VM VirtualBox, Parallels Desktop [not recommended], VMware Fusion [not recommended], and VMware Workstation Pro; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).
  • Exposure to and some use of Type-1 (recommended) hypervisors such as Citrix Hypervisor (Xen Server), Microsoft Hyper-V, KVM, Oracle VM, and VMware ESXi; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).

Student Material

A sample of the student supplemental material includes (actual list may be adjusted):

  • Industrial Network Security, 2nd edition (Syngress)
  • Hacking Exposed: Industrial Control Systems (McGraw Hill)
  • Pentesting Industrial Control Systems (Packt)
  • Purple Team Field Manual (Tim Bryant)
  • ICS Purple Team Field Manual (ICSCSI)

Training Logistics

Training classes will currently be capped at this time to a maximum of six (6) students. Due to the advanced nature of the material covered, the smaller class size insures sufficient individual attention can be provided by the instructor. This course is not currently offered outside the United States. All ICSCSI arranged venues will include coffee and non-alcoholic drinks through the day, plus lunch. Students will also be provided with public Internet access during the course. Students must supply their own transportation, lodging, meals, and incidental expenses and insurance.

Group Pricing

Group pricing is not available at this time.

Course Registration

This course will only be offered in "live" in-person sessions due to the complexity of the lab environment used throughout the course. This course is highly interactive and depends on student participation and interaction with other students to ensure success. The live sessions will be delivered over a consecutive 5-day period 8-hours each day.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). All registrations can be cancelled and a partial refund granted up to 60 days before the scheduled date (PayPal processing fees of 3.49-5.49% will not be refunded). Please contact ICSCSI if an alternate form of payment is required.

Due to the nature of the material covered in this course, only VETTED US CITIZENS will be allowed to attend and participate. This ruling will be evaluated and updated accordingly.

Course Format Dates Location Price Register
Live In-Person October 2024 Green Bay / De Pere, WI SOLD OUT
Live In-Person Q3 2025 Texas $10,000
$9,000
Live In-Person Q3 2025 Virginia $10,000
$9,000
Live In-Person Q4 2025 Wisconsin $10,000
$9,000
Live In-Person Q4 2025 Arizona $10,000
$9,000

After registration and receipt of payment, students will receive an email with sign-on instructions to access the learning management system with complimentary access to the "Fundamentals of ICS Cyber Security" EXPRESS course for refreshing your skills if needed. Approximately 30 days before the course date, students will receive details with early access to preliminary content including a Student Questionnaire that should be completed as soon as possible. All course material will be distributed the first day of class.


Additional information on other courses offered as part of the curriculum can be viewed by selecting from the following list or the Quick Links located in the top righthand section of this page: