5 Days Left to Save $400 on SANS Network Security 2014

EU SCADA & Process Summit 2012

Barcelona, Spain | Wed Dec 5 - Tue Dec 11, 2012

SCADA Security Training

Taught by Red Tiger Security

This is a hands-on SCADA Security course with over 20 exercises and labs that are performed on a portable SCADA lab that contains over 15 different PLCs, RTUs, RF, and telemetry devices. This course has been refined over the past 4 years, and over 1300 professionals have been trained around the world by this course. It was designed to bridge the skills sets of Control System Engineers, Technicians, and IT Security professionals. The first day is spent diving deep into teaching how ICS and SCADA Systems work from the ground up. Instrumentation, I/O, control techniques, automation theory, HMI visualization, and data archival systems are broken down at their functional level. Several SCADA protocols are taught, captured, dissected, and then used to hack into the embedded devices. OPC, ModbusTCP, and EthernetIP are some of the ICS protocols that are used in live hands-on exercises and labs.

Everyone in the course builds their own SCADA system by implementing and designing their own OPC servers, data tags, and HMI graphics. RF and telemetry systems used in SCADA, ICS, and Smart Grid applications are covered, and live demonstrations are provided on the following RF systems: 900 MHz Spread Spectrum, Zigbee (802.15.4), WirelessHART, Bluetooth, and WiFi (2.4 and 5.6 GHz). Wireless hacking demonstrations are provided to convey the weaknesses and security hardening required when using wireless systems in ICS and SCADA applications.

Once all of the ICS and RF concepts are completely understood, then the course shifts into a Penetration and Exploitation mindset. The students are taught how to find security vulnerabilities in ICS and SCADA system components, how to safely conduct penetration testing against live ICS and SCADA systems, and how to conduct Cyber Vulnerability Assessments that satisfy the NERC CIP and DHS CFATS regulations. The Metasploit framework is taught using the BackTrack environment. The hands-on exercises start with basic Linux commands, and by the end of the course, students are creating their own buffer overflows and other exploits using Metasploit, NETCAT, HPING, and other open source tools.

After everyone has built their own SCADA system, and spent time learning how to attack these real-time systems, then the course rounds out the process by explaining how to defend these systems from similar threats. The defense techniques include how to design secure SCADA architectures, where to place firewalls, how to implement secure remote access into SCADA environments, where to deploy IDS / IPS systems, and tips for implementing centralized log aggregation and network monitoring solutions.

The instructors for this course have collectively over 20 years of experience conducting Cyber Security Penetration Testing and Vulnerability Assessments on live operational ICS and SCADA Systems, and the students like the ability to bring complex problems to the instructors for feedback and quick consulting tips during the course.

Answers These and Other Similar Questions Related to SCADA Security:

  • What are unique vulnerabilities and security risks with ICS systems?
  • What approach should be used to test Internet, Enterprise IT, and ICS Systems for security vulnerabilities?
  • What are the common security weaknesses in Internet and Enterprise IT Systems that pose the greatest risk to ICS systems?
  • Can poorly managed ICS systems pose an even greater risk to Enterprise IT and Internet-connected systems?
  • What is a solid approach to testing SCADA systems for security vulnerabilities?
  • When and how to conduct Penetration Testing on live SCADA equipment
  • How to use open source security tools to research and discover unknown vulnerabilities with ICS equipment
  • What are solid techniques to securing SCADA Systems that are not vendor-specific, and require low administrative overhead?
  • Can social networking information about employees found in sites like Facebook, Linkedin, MySpace, and Twitter be used to compromise critical industrial facilities?
  • What is a Red Team or Tiger Team Attack Exercise, and how can these scenarios simulate a targeted attack on a SCADA facility?


SANS Hosted are a series of classes presented by other educational providers to complement your needs for training outside of our current course offerings.

Course Syllabus
Course Contents InstructorsSchedule
  HST.1: SCADA and Industrial Control Systems Technology (from instrumentation through HMI and Data Historians) Daniel Michaud-Soucy, Jonathan Pollet Wed Dec 5th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


1.1 Course Overview, Introductions and Ground rules

  • Pass out course Virtual Machine files and Course Binders
  • Virtual Environment Installation, Configuration, and Customization

Operation 1.1.1: Configuring & Understanding Virtual Machines

1.2 ICS Systems Overview

  • Classification of Typical ICS Systems
  • SCADA Component Functions

1.3 ICS Inputs, Outputs, and Sensor Networks

1.4 Controllers, Embedded Systems and Protocols

  • PLCS, DCS, Hybrid Controllers, PC-Control

Operation 1.4.1: Locating PLC equipment on a LAN

Operation 1.4.2: Reviewing the PLC Ladder Logic program

Operation 1.4.3: Scanning internal PLC registers

1.5 SCADA and ICS Protocols

  • Evolution of Serial Protocols
  • RS-232, RS-485, Proprietary vs. Open Protocols
  • Parsing Modbus RTU and Modbus TCP as examples
  • OPC and its role in connecting device drivers to HMI Applications

Operation 1.5.1: Capturing and Analyzing ModbusTCP Protocol

Operation1.5.2: Installing and Configuring an OPC Server

Operation 1.5.3: Installing and Configuring an HMI Operator Console

Operation 1.5.4: Working with a ModbusTCP Simulator

  HST.2: Wireless Technology / SCADA System Security Testing (Passive Techniques) Daniel Michaud-Soucy, Jonathan Pollet Thu Dec 6th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


2.1 Introduction to Wireless Networks (SCADA/Smart Grid)

  • Spread Spectrum Technology (used in SCADA and Security Systems)
  • 802.15.4 (Zigbee used in SCADA and Smart Grid Systems)

Operation 2.1.1: 900 MHz, 2.4 GHz, and 5.6 GHz RF Spectrum Analysis - LIVE Demonstration using new USB radios

Operation 2.1.2: WiFi and Bluetooth Wireless Discovery

2.2 802.11 WiFi

  • History of WiFi and WEP
  • WPA and WPA2 (Personal and Enterprise)
  • WiFi Scanning (WarWalking, WarDriving, WarChalking, WarCharting, WarKiting, WarBalloning, and WarRocketing)

2.3 Wireless Networks Security Testing

  • Detailed description of each step in a WiFi connection from the originating client to the Access Point (with clues to weaknesses in this process)
  • Jasager, Interceptor, and Fon Bomb (learning about AUTH and DEAUTH)

Operation 2.3.1: Candidates will observe a working version of Jasager, which showcases a LIVE wireless man-in-the-middle exploit.

2.4 Overview of tests performed against SCADA Systems

  • External Penetration Testing (from the Internet)
  • Internal Penetration Testing (from the Corporate LAN)
  • Vulnerability Assessments (inside the SCADA LAN)
  • Wireless Audits
  • Annual Testing Cycle (SCADA Security Lifecycle)

2.5 SCADA Vulnerability Assessment Methodology (Passive Approach for Conducting Testing of Live Operational Systems)

  • 6-Layer Assessment Methodology
  1. Physical Security
  2. Network Infrastructure (Switches, Routers, and Firewalls)
  3. Assets in the SCADA DMZ
  4. Control Room Servers, Workstations, and Applications
  5. SCADA Protocols
  6. PLC, RTU, DCS, and Embedded Controllers
  • Review of Sample Assessment Report Deliverable

Operation 2.5.1: SCADA-Scanning - Candidates will use various tools to scan a live SCADA environment. Objective is to learn about the attack surface of various embedded controllers, telemetry equipment, and applications to discover security weaknesses.

  HST.3: SCADA System Security Testing (Active Techniques) Daniel Michaud-Soucy, Jonathan Pollet Fri Dec 7th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


3.1 SCADA and Smart Grid Vulnerabilities

  • SCADA Vulnerabilities from a data set of over 38,000 vulnerabilities from over 150 assessments performed out in the field and in industrial facilities
  • Vulnerabilities with new SMART Grid Technology
  • Provides a lead into the rest of Day 3 - SCADA Security Testing (Active Techniques)

3.2 SCADA Testing Techniques Recap (Passive Vs. Active)

3.3 Red Team Attack Exercises

  • Purpose and Overview of the Red Team Attack
  • Structure and Process for a Red Team Attack
  • Selecting the Target
  • Physical and Cyber Security Teams
  • Physical and Cyber Recon
  • Gaining Access (Physical and Cyber)
  • Obtaining Proof of Access
  • USB-based Physical Access Tools

3.4 Introduction to the BackTrack Environment

  • A little bit of background on the Linux OS
  • Finding your way around BackTrack
  • Managing the various BackTrack services
  • The Bash environment, text manipulation and scripting

Operation 3.4.1: Several hands-on operations within the BackTrack environment

3.5 Netcat

  • Connecting to a port
  • Listening on a port
  • File transfer
  • Remote connection for administration or exploitation
    • Bind shell
    • Reverse shell

Operation 3.5.1: Several hands-on operations leveraging Netcat as a listener or transmitter of packets for chat sessions, file transfer, or remote administration and exploitation

3.6 External Penetration Techniques

  • The role that External Penetration Testing has in securing SCADA and Control Systems
  • What to look for with External (public) networks
  • The Attacker's Cycle

    • Footprinting, Scanning, Enumeration, Exploitation, Privilege Escalation, Harvesting, Backdoors, Backups, Covering Tracks
  • DNS lookup, Netblock, Zone Transfer
  • Open Source Intelligence Gathering
    • Whois
    • Samspade
    • Maltego
    • Google hacking
    • Shodan

Operation 3.6.1: Follow along with several tools for external penetration testing discovery steps (NSLOOKUP, DIG, WHOIS, GOOGLE, SHODAN etc..)

3.7 Internal Penetration Techniques

  • The role that Internal Penetration Testing has in securing SCADA and Control Systems
  • Active versus Passive Tools
  • Overview of Several Tools

    • TCPDUMP, Wireshark, HPING, Ear/Trumpet, NMAP, NCAT, NESSUS
  • Video Demos:
    • Locating and gaining access to a DCS Operator Console with no knowledge of any usernames / passwords
    • Pivoting off of servers in DMZs to then route attacks into process controllers

  HST.4: Exploiting SCADA Systems (Entire Day Full of Hands-on Operations - Too many to list here) Daniel Michaud-Soucy, Jonathan Pollet Sat Dec 8th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


4.1 Basic Principals of Computing

  • Simple computer architecture
  • Different levels of programming languages
  • CPU registers
  • Execution of a program

4.2 Understanding the Exploitation Process

  • Finding bugs
  • Replicating the crash
  • Controlling the instruction pointer
  • Locating space for your Shellcode
  • Redirecting the execution flow
  • Basic Shellcode creation

4.3 The Metasploit Framework

  • An introduction to the Metasploit framework
  • Discuss a bit of terminology
  • Present the different ways to interface with Metasploit
  • Discover the different types of payloads
  • Learn about the basic steps of exploitation using MSF

4.4 The Metasploit Framework

  • An introduction to the Metasploit framework
  • Discuss a bit of terminology
  • Present the different ways to interface with Metasploit
  • Discover the different types of payloads
  • Learn about the basic steps of exploitation using MSF

4.5 Free for All Session

  • Discover all SCADA device IP addresses and open ports
  • Determine vulnerable services
  • Gain presence on some of the devices or cause them to operate in a way they were not programmed
  • Exploit other virtual environments available on the local network
  • Compete for free prize giveaways for 1st to exploit systems and original and interesting exploitation techniques

  HST.5: Defense Techniques Daniel Michaud-Soucy, Jonathan Pollet Sun Dec 9th, 2012
9:00 AM - 5:00 PM

CPE/CMU Credits: 6


5.1 SCADA DMZ Design and Network Segmentation

  • Compare and Contrast insecure and best practice network designs
  • DMZ Architectures for SCADA Networks
  • Leveraging SCADA DMZ Designs for Additional Security Benefits

5.2 SCADA Remote Access Design Considerations

  • Review of insecure methods for remote access and dial-up solutions
  • 2-Factor Remote Access Solutions Designed Specifically for SCADA
  • Managing Employee, Contractor, and Vendor Access to SCADA

5.3 Deployment of IDS/IPS - Including Custom Signatures

  • Where and how to properly deploy IDS and IPS sensors
  • IDS / IPS System Tuning
  • Where and how to properly deploy IDS and IPS sensors
  • HIDS versus Application Whitelisting

5.4 Security Event Monitoring and Logging for SCADA

  • Security Event Monitoring - what systems create events/logs?
  • SMNP-to-OPC, Syslog, and log aggregation options
  • Alert Management - Incident Response

5.5 Overview of Security Frameworks that impact SCADA (NIST 800-53, NIST 800-82, ISA S99, CFATS, NERC CIP)

  • Review each of the major SCADA Security Standards and Regulations
  • Show how they can map to one all-inclusive security controls matrix
  • Map components of the matrix to Physical, Cyber, and Procedural controls

5.6 SCADA Security Product Breakdown

  • The SCADA Security product landscape is growing, and some of our clients are confused as to how all of the solutions fit together, do they overlap, where should they be deployed, and are they effective?
  • This session breaks down various recent SCADA Security products by where they are typically deployed in the 6 layered model.

5.7 Writing Effective Deliverables

  • Making the case - Turning Vulnerabilities Into Recommendations
  • Bridging the Gap Between Operations, Engineering, and IT
  • Knowing the Audience, and Writing Tips for Reaching Executives

Additional Information
  Laptop Required

Students should bring their own laptops to the course, and these should have the following minimum system resources:

  • 4 GB RAM, minimum
  • Ethernet Interface
  • Wireless chipset or dongle
  • CD/DVD-RW drive
  • 30 GB free disk space
  • USB 2.0 or Firewire

Please remember that although we are supplying the Virtual Machines and slide content, laptops will not be provided for you. You will need to bring your own laptop with any modern operating system that supports VM Ware. You will need to have administrative privileges of your laptop to be able to change your systems IP address settings and other system changes. You should also ensure that your laptop has the following minimum system resources:

  • 4 GB of RAM (8GB preferred)
  • 20 GB of available free disk space

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.