
ICS515: ICS Visibility, Detection, and Response

ICS515 | Industrial Control Systems Security
  • 6 Days (Instructor-Led)
  • 36 Hours (Self-Paced)
Course created by: Robert M. Lee
  • GIAC Response and Industrial Defense (GRID)
  • 36 CPEs

    Apply your credits to renew your certifications

  • In-Person, Virtual or Self-Paced

    Attend a live, instructor-led class at a location near you or remotely, or train on your time over 4 months

  • 25 Hands-On Labs

    Apply what you learn with hands-on exercises and labs

Acquire critical visibility, detection, and response capabilities to protect ICS/OT environments against sophisticated threats while ensuring the safety and reliability of operations.

Course Overview

This ICS incident response course equips security professionals with practical skills to secure industrial environments. Through hands-on exercises using real industrial equipment, you'll learn to gain network visibility, identify assets, detect threats, and respond to incidents in critical infrastructure and other environments that rely on ICS/OT systems. The curriculum covers defensive techniques against sophisticated threats such as STUXNET, HAVEX, BLACKENERGY2, CRASHOVERRIDE, TRISIS/TRITON, FROSTYGOOP, EKANS, and PIPEDREAM. You'll work with a real programmable logic controller (PLC) kit, a sector simulation board, and virtual machines that you keep after the course to continue developing your skills. Leveraging industry frameworks, you'll develop repeatable methodologies for securing industrial environments.

What You'll Learn

  • Implement ICS-specific threat detection strategies
  • Apply network security monitoring for OT environments
  • Perform incident response in operational technology
  • Extract intelligence from ICS threat analysis
  • Build effective cybersecurity for industrial systems

Business Takeaways

  • Improve visibility into ICS/OT asset inventories
  • Reduce risk of operational disruption from cyber threats
  • Enhance detection capabilities for ICS-specific attacks
  • Develop effective OT incident response procedures
  • Increase resilience against targeted industrial threats
  • Bridge security gaps between IT and OT environments
  • Apply intelligence-driven approaches to ICS security

Course Syllabus

Explore the course syllabus below to view the full range of topics covered in ICS515: ICS Visibility, Detection, and Response.

Section 1: ICS Cyber Threat Intelligence

Learn to leverage threat intelligence to analyze threats, extract indicators of compromise, document tactics, techniques, and procedures, and guide security teams to protect industrial environments.

Topics covered

  • Case Study: STUXNET
  • Introduction to ICS Active Defense
  • Cyber Threat Intelligence Primer
  • ICS Cyber Kill Chain
  • Threat Intelligence Consumption

Labs

  • Building a Programmable Logic Controller
  • Structured Analytical Techniques
  • Analysis of Intelligence Reports
  • ICS Information Attack Space
  • Maltego and Shodan Heatmap

Section 2: Visibility and Asset Identification

Understand the networked environment to build comprehensive asset inventories and develop effective collection strategies for both industrial operations and security operations.

Topics covered

  • Case Study: Bhopal Disaster
  • Asset Inventories
  • Collection Management Frameworks
  • ICS Network Visibility
  • IT Discovery Protocols

Labs

  • Operating the Process
  • ICS Traffic Analysis
  • ICS Protocol Analysis
  • ICS Network Mapping

Section 3: ICS Threat Detection

Develop detection strategies to remain resilient against targeted and untargeted threats, with focus on safely conducting threat hunting and analyzing attack patterns in industrial environments.

Topics covered

  • Case Study: German Steelworks Attack
  • ICS Threat Hunting
  • Threat Detection Strategies
  • Case Study: SANDWORM
  • ICS Network Security Monitoring

Labs

  • Detecting Stage 1 Intrusions
  • Investigating Stage 2 Compromises
  • Traffic Analysis of Control Manipulation
  • Validating System Logic Changes
  • Logic Manipulation of Control Elements
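The asset-identification work of Section 2 (ICS Protocol Analysis, ICS Network Mapping) and the control-manipulation detection of Section 3 both rest on the same passive step: parsing industrial protocol traffic and deciding what is normal for a given controller. The following is an added example, not ICS515 lab material, showing that step for Modbus/TCP in Python: it parses the 7-byte MBAP header and the PDU, builds a (server, unit id) inventory of which clients issue which function codes, alerts on write function codes from hosts outside an engineering baseline, and surfaces exception responses that often accompany address-space probing. The host addresses, the engineering baseline, and the frames themselves are constructed for this example.

```python
"""Passive Modbus/TCP inspection: asset inventory plus write-operation alerts.

Added illustrative example; not ICS515 course material. Hosts and frames are
constructed. The framing (7-byte MBAP header: transaction id, protocol id,
length, unit id; then a PDU starting with a function code) is the public spec.
"""
from dataclasses import dataclass
import struct

# Function codes that change controller state. A write from a host that has
# never written before is the kind of Stage 2 activity a monitor must surface.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address",
                   3: "Illegal Data Value", 4: "Server Device Failure"}
MODBUS_PORT = 502


@dataclass(frozen=True)
class ModbusMessage:
    transaction_id: int
    unit_id: int
    function_code: int   # exception bit (0x80) stripped
    is_exception: bool
    data: bytes          # PDU bytes after the function code


@dataclass(frozen=True)
class Flow:
    """One captured TCP payload; dport == 502 marks it as a request."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusMessage:
    """Parse one Modbus/TCP ADU, rejecting frames that do not fit the spec."""
    if len(payload) < 8:
        raise ValueError("truncated: MBAP header plus function code need 8 bytes")
    tid, pid, length, unit_id = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    if length != len(payload) - 6:   # MBAP length covers unit id + PDU
        raise ValueError(f"MBAP length {length} != {len(payload) - 6}")
    fc = payload[7]
    return ModbusMessage(tid, unit_id, fc & 0x7F, bool(fc & 0x80), payload[8:])


def is_valid_modbus(payload: bytes) -> bool:
    try:
        parse_modbus_tcp(payload)
        return True
    except ValueError:
        return False


def build_inventory(flows):
    """Map (server ip, unit id) -> clients seen and function codes requested."""
    inventory = {}
    for f in flows:
        if f.dport != MODBUS_PORT:
            continue
        msg = parse_modbus_tcp(f.payload)
        entry = inventory.setdefault((f.dst, msg.unit_id), {"clients": set(), "function_codes": set()})
        entry["clients"].add(f.src)
        entry["function_codes"].add(msg.function_code)
    return inventory


def detect_unexpected_writes(flows, allowed_writers):
    """Alert on write requests from hosts outside the engineering baseline."""
    alerts = []
    for f in flows:
        if f.dport != MODBUS_PORT:
            continue
        msg = parse_modbus_tcp(f.payload)
        if msg.function_code in WRITE_FUNCTION_CODES and f.src not in allowed_writers:
            name = FUNCTION_NAMES.get(msg.function_code, "unknown")
            alerts.append(f"{f.src} -> {f.dst} unit {msg.unit_id}: {name} "
                          f"(FC {msg.function_code}) from non-baseline host")
    return alerts


def exception_responses(flows):
    """(server ip, unit id, exception name) for each exception reply; bursts suggest probing."""
    found = []
    for f in flows:
        if f.dport == MODBUS_PORT:
            continue
        msg = parse_modbus_tcp(f.payload)
        if msg.is_exception and msg.data:
            found.append((f.src, msg.unit_id, EXCEPTION_NAMES.get(msg.data[0], f"code {msg.data[0]}")))
    return found


# Constructed traffic: HMI polling registers, engineering workstation writing a
# register, an unknown host writing coils, and the PLC answering with an exception.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 502, bytes.fromhex("00010000000601030000000a")),     # FC3, 10 regs
    Flow("10.0.1.50", "10.0.2.20", 502, bytes.fromhex("000200000006010600100001")),     # FC6, reg 16 := 1
    Flow("10.0.1.99", "10.0.2.20", 502, bytes.fromhex("000300000008010f0000000801ff")), # FC15, 8 coils
    Flow("10.0.2.20", "10.0.1.50", 49152, bytes.fromhex("000200000003018602")),         # FC6 exception 02
]
ENGINEERING_BASELINE = {"10.0.1.50"}   # assumed set of hosts allowed to write

if __name__ == "__main__":
    for (server, unit), e in build_inventory(SAMPLE_FLOWS).items():
        print(f"{server} unit {unit}: clients={sorted(e['clients'])} fcs={sorted(e['function_codes'])}")
    for alert in detect_unexpected_writes(SAMPLE_FLOWS, ENGINEERING_BASELINE):
        print("ALERT", alert)
    for item in exception_responses(SAMPLE_FLOWS):
        print("EXCEPTION", item)
```

In a real deployment the flows come from a SPAN port or tap feeding a capture tool, and the write baseline is derived from the Collection Management Framework of Section 2 rather than hard-coded; the point of the example is that the inventory and the detection share one parser, so every unexpected function code found while hunting can be turned directly into an alert.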

Section 4: Incident Response

Learn to safely perform ICS incident response with focus on acquiring digital evidence while scoping threats and their operational impact, using forensic techniques tailored for industrial environments.

Topics covered

  • Case Study: SANDWORM - Ukraine 2015
  • ICS Digital Forensics
  • Preparing an ICS Incident Response Team
  • Case Study: ELECTRUM and CRASHOVERRIDE
  • Initial Compromise Vectors

Labs

  • Acquisition in an Operational Environment
  • PLC Logic and Protocol Root Cause Analysis
  • Analyzing Phishing Emails
  • HMI Memory Forensics
  • Process Triage

Section 5: Threat and Environment Manipulation

Extract information from malware through analysis and controlled environment manipulation, both to reduce the threat's effectiveness and to produce shareable threat intelligence that improves defensive posture.

Topics covered

  • Case Study: XENOTIME - TRISIS
  • ICS Threat Manipulation Goals
  • Environment Manipulation Considerations
  • Threat Analysis and Malware Triaging
  • YARA

Labs

  • Logic Analysis for Root Cause Analysis

Section 6: Capstone Day, Under Attack!

A full-day technical challenge where students apply all learned skills to analyze packet captures, logic, memory images, and more from compromised ICS ranges and equipment, simulating real-world scenarios.


Relevant Job Roles

All-Source Analyst (DCWF 111)

DoD 8140: Intelligence (Cyberspace)

Analyzes data from multiple sources to prepare environments, respond to information requests, and support intelligence planning and collection requirements.


Course Schedule & Pricing

Prices exclude applicable local taxes. Eight of the 17 scheduled sessions are listed here; group purchase options are available on request.

  • Virtual (OnDemand), self-paced with 4 months access, instructed by Robert M. Lee: $9,230 USD
  • Huntsville, AL, US & Virtual (live), instructed by Mark Bristow: $9,230 USD
  • Amsterdam, NL & Virtual (live), instructed by Kai Thomsen: €8,630 EUR
  • Singapore, SG & Virtual (live), instructed by Peter Jackson: $9,365 USD
  • Brisbane, QLD, AU & Virtual (live), instructed by Peter Jackson: A$14,045 AUD
  • Oslo, NO, instructed by Kai Thomsen: €8,630 EUR
  • Tokyo, JP & Virtual (live), instructed by Lesley Carhart: ¥1,404,750 JPY
  • Orlando, FL, US & Virtual (live), instructed by Dean Parsons: $9,230 USD
