SCADA Security Training
This is a hands-on SCADA Security course with over 20 exercises and labs that are performed on a portable SCADA lab containing over 15 different PLCs, RTUs, RF, and telemetry devices. The course has been refined over the past 4 years, and over 1300 professionals around the world have been trained with it. It was designed to bridge the skill sets of Control System Engineers, Technicians, and IT Security professionals. The first day is spent diving deep into how ICS and SCADA Systems work from the ground up. Instrumentation, I/O, control techniques, automation theory, HMI visualization, and data archival systems are broken down at their functional level. Several SCADA protocols are taught, captured, dissected, and then used to hack into the embedded devices. OPC, ModbusTCP, and EthernetIP are some of the ICS protocols used in live hands-on exercises and labs.
Everyone in the course builds their own SCADA system by implementing and designing their own OPC servers, data tags, and HMI graphics. RF and telemetry systems used in SCADA, ICS, and Smart Grid applications are covered, and live demonstrations are provided on the following RF systems: 900 MHz Spread Spectrum, Zigbee (802.15.4), WirelessHART, Bluetooth, and WiFi (2.4 and 5.6 GHz). Wireless hacking demonstrations are provided to convey the weaknesses and security hardening required when using wireless systems in ICS and SCADA applications.
Once all of the ICS and RF concepts are completely understood, then the course shifts into a Penetration and Exploitation mindset. The students are taught how to find security vulnerabilities in ICS and SCADA system components, how to safely conduct penetration testing against live ICS and SCADA systems, and how to conduct Cyber Vulnerability Assessments that satisfy the NERC CIP and DHS CFATS regulations. The Metasploit framework is taught using the BackTrack environment. The hands-on exercises start with basic Linux commands, and by the end of the course, students are creating their own buffer overflows and other exploits using Metasploit, NETCAT, HPING, and other open source tools.
After everyone has built their own SCADA system, and spent time learning how to attack these real-time systems, then the course rounds out the process by explaining how to defend these systems from similar threats. The defense techniques include how to design secure SCADA architectures, where to place firewalls, how to implement secure remote access into SCADA environments, where to deploy IDS / IPS systems, and tips for implementing centralized log aggregation and network monitoring solutions.
The instructors for this course collectively have over 20 years of experience conducting Cyber Security Penetration Testing and Vulnerability Assessments on live operational ICS and SCADA Systems, and students value the ability to bring complex problems to the instructors for feedback and quick consulting tips during the course.
This Course Answers These and Other Similar Questions Related to SCADA Security:
- What are unique vulnerabilities and security risks with ICS systems?
- What approach should be used to test Internet, Enterprise IT, and ICS Systems for security vulnerabilities?
- What are the common security weaknesses in Internet and Enterprise IT Systems that pose the greatest risk to ICS systems?
- Can poorly managed ICS systems pose an even greater risk to Enterprise IT and Internet-connected systems?
- What is a solid approach to testing SCADA systems for security vulnerabilities?
- When and how should Penetration Testing be conducted on live SCADA equipment?
- How can open source security tools be used to research and discover unknown vulnerabilities in ICS equipment?
- What are solid techniques for securing SCADA Systems that are not vendor-specific and require low administrative overhead?
- Can social networking information about employees found in sites like Facebook, Linkedin, MySpace, and Twitter be used to compromise critical industrial facilities?
- What is a Red Team or Tiger Team Attack Exercise, and how can these scenarios simulate a targeted attack on a SCADA facility?
SANS Hosted is a series of classes presented by other educational providers to complement your needs for training outside of our current course offerings.
Section 1: SCADA and Industrial Control Systems Technology (from instrumentation through HMI and Data Historians)
CPE/CMU Credits: 6
1.1 Course Overview, Introductions and Ground rules
Operation 1.1.1: Configuring & Understanding Virtual Machines
1.2 ICS Systems Overview
1.3 ICS Inputs, Outputs, and Sensor Networks
1.4 Controllers, Embedded Systems and Protocols
Operation 1.4.1: Locating PLC equipment on a LAN
Operation 1.4.2: Reviewing the PLC Ladder Logic program
Operation 1.4.3: Scanning internal PLC registers
1.5 SCADA and ICS Protocols
Operation 1.5.1: Capturing and Analyzing ModbusTCP Protocol
Operation 1.5.2: Installing and Configuring an OPC Server
Operation 1.5.3: Installing and Configuring an HMI Operator Console
Operation 1.5.4: Working with a ModbusTCP Simulator
Section 2: Wireless Technology / SCADA System Security Testing (Passive Techniques)
CPE/CMU Credits: 6
2.1 Introduction to Wireless Networks (SCADA/Smart Grid)
Operation 2.1.1: 900 MHz, 2.4 GHz, and 5.6 GHz RF Spectrum Analysis - LIVE Demonstration using new USB radios
Operation 2.1.2: WiFi and Bluetooth Wireless Discovery
2.2 802.11 WiFi
2.3 Wireless Networks Security Testing
Operation 2.3.1: Candidates will observe a working version of Jasager, which showcases a LIVE wireless man-in-the-middle exploit.
2.4 Overview of tests performed against SCADA Systems
2.5 SCADA Vulnerability Assessment Methodology (Passive Approach for Conducting Testing of Live Operational Systems)
Operation 2.5.1: SCADA-Scanning - Candidates will use various tools to scan a live SCADA environment. The objective is to learn about the attack surface of various embedded controllers, telemetry equipment, and applications in order to discover security weaknesses.
Section 3: SCADA System Security Testing (Active Techniques)
CPE/CMU Credits: 6
3.1 SCADA and Smart Grid Vulnerabilities
3.2 SCADA Testing Techniques Recap (Passive Vs. Active)
3.3 Red Team Attack Exercises
3.4 Introduction to the BackTrack Environment
Operation 3.4.1: Several hands-on operations within the BackTrack environment
Operation 3.5.1: Several hands-on operations leveraging Netcat as a listener or transmitter of packets for chat sessions, file transfer, or remote administration and exploitation
3.6 External Penetration Techniques
Operation 3.6.1: Follow along with several tools for external penetration testing discovery steps (NSLOOKUP, DIG, WHOIS, GOOGLE, SHODAN, etc.)
3.7 Internal Penetration Techniques
Section 4: Exploiting SCADA Systems (Entire Day Full of Hands-on Operations - Too many to list here)
CPE/CMU Credits: 6
4.1 Basic Principles of Computing
4.2 Understanding the Exploitation Process
4.3 The Metasploit Framework
4.4 The Metasploit Framework
4.5 Free for All Session
Section 5: Defense Techniques
CPE/CMU Credits: 6
5.1 SCADA DMZ Design and Network Segmentation
5.2 SCADA Remote Access Design Considerations
5.3 Deployment of IDS/IPS - Including Custom Signatures
5.4 Security Event Monitoring and Logging for SCADA
5.5 Overview of Security Frameworks that impact SCADA (NIST 800-53, NIST 800-82, ISA S99, CFATS, NERC CIP)
5.6 SCADA Security Product Breakdown
5.7 Writing Effective Deliverables
Students should bring their own laptops to the course, and these should have the following minimum system resources:
If you have additional questions about the laptop specifications, please contact firstname.lastname@example.org.
*CPE/CMU credits not offered for the SelfStudy delivery method