homepage
Open menu
Go one level top
  • Train and Certify
    Train and Certify

    Immediately apply the skills and techniques learned in SANS courses, ranges, and summits

    • Overview
    • Courses
      • Overview
      • Full Course List
      • By Focus Areas
        • Cloud Security
        • Cyber Defense
        • Cybersecurity and IT Essentials
        • DFIR
        • Industrial Control Systems
        • Offensive Operations
        • Management, Legal, and Audit
      • By Skill Levels
        • New to Cyber
        • Essentials
        • Advanced
        • Expert
      • Training Formats
        • OnDemand
        • In-Person
        • Live Online
      • Course Demos
    • Training Roadmaps
      • Skills Roadmap
      • Focus Area Job Roles
        • Cyber Defense Job Roles
        • Offensive Operations Job Roles
        • DFIR Job Roles
        • Cloud Job Roles
        • ICS Job Roles
        • Leadership Job Roles
      • NICE Framework
        • Security Provisionals
        • Operate and Maintain
        • Oversee and Govern
        • Protect and Defend
        • Analyze
        • Collect and Operate
        • Investigate
        • Industrial Control Systems
      • European Skills Framework
    • GIAC Certifications
    • Training Events & Summits
      • Events Overview
      • Event Locations
        • Asia
        • Australia & New Zealand
        • Latin America
        • Mainland Europe
        • Middle East & Africa
        • Scandinavia
        • United Kingdom & Ireland
        • United States & Canada
      • Summits
    • OnDemand
    • Get Started in Cyber
      • Overview
      • Degree and Certificate Programs
      • Scholarships
      • Cyber Aces
    • Cyber Ranges
  • Manage Your Team
    Manage Your Team

    Build a world-class cyber team with our workforce development programs

    • Overview
    • Why Work with SANS
    • Group Purchasing
    • Build Your Team
      • Team Development
      • Assessments
      • Private Training
      • Hire Cyber Professionals
      • By Industry
        • Health Care
        • Industrial Control Systems Security
        • Military
    • Leadership Training
  • Security Awareness
    Security Awareness

    Increase your staff’s cyber awareness, help them change their behaviors, and reduce your organizational risk

    • Overview
    • Products & Services
      • Security Awareness Training
        • EndUser Training
        • Phishing Platform
      • Specialized
        • Developer Training
        • ICS Engineer Training
        • NERC CIP Training
        • IT Administrator
      • Risk Assessments
        • Knowledge Assessment
        • Culture Assessment
        • Behavioral Risk Assessment
    • OUCH! Newsletter
    • Career Development
      • Overview
      • Training & Courses
      • Professional Credential
    • Blog
    • Partners
    • Reports & Case Studies
  • Resources
    Resources

    Enhance your skills with access to thousands of free resources, 150+ instructor-developed tools, and the latest cybersecurity news and analysis

    • Overview
    • Webcasts
    • Free Cybersecurity Events
      • Free Events Overview
      • Summits
      • Solutions Forums
      • Community Nights
    • Content
      • Newsletters
        • NewsBites
        • @RISK
        • OUCH! Newsletter
      • Blog
      • Podcasts
      • Summit Presentations
      • Posters & Cheat Sheets
    • Research
      • White Papers
      • Security Policies
    • Tools
    • Focus Areas
      • Cyber Defense
      • Cloud Security
      • Digital Forensics & Incident Response
      • Industrial Control Systems
      • Cyber Security Leadership
      • Offensive Operations
  • Get Involved
    Get Involved

    Help keep the cyber community one step ahead of threats. Join the SANS community or begin your journey of becoming a SANS Certified Instructor today.

    • Overview
    • Join the Community
    • Work Study
    • Teach for SANS
    • CISO Network
    • Partnerships
    • Sponsorship Opportunities
  • About
    About

    Learn more about how SANS empowers and educates current and future cybersecurity practitioners with knowledge and skills

    • SANS
      • Overview
      • Our Founder
      • Awards
    • Instructors
      • Our Instructors
      • Full Instructor List
    • Mission
      • Our Mission
      • Diversity
      • Scholarships
    • Contact
      • Contact Customer Service
      • Contact Sales
      • Press & Media Enquiries
    • Frequent Asked Questions
    • Customer Reviews
    • Press
    • Careers
  • Contact Sales
  • SANS Sites
    • GIAC Security Certifications
    • Internet Storm Center
    • SANS Technology Institute
    • Security Awareness Training
  • Search
  • Log In
  • Join
    • Account Dashboard
    • Log Out
  1. Home >
  2. Blog >
  3. A Look Into ICS612: ICS Cybersecurity In-Depth: Part 1
370x370_jeffrey-shearer.jpg
Jeffrey Shearer

A Look Into ICS612: ICS Cybersecurity In-Depth: Part 1

ICS practitioners can immediately use their ICS612 training in real-world situations.

December 15, 2021

ICS_Cybersecurity_In_Depth_1.png


Landing The Plane

I know a CEO of a production plant, let’s call him Bill, who wanted his key team members to really understand the pressures his operations team endured daily to meet production goals. Bill also wanted his managers and support staff to appreciate that there is a difference between “making it happen” and “watching it happen.” In other words, he wanted his team to recognize the difference between thinking you have the skills and knowing you have skills, and to have a firm understanding that there will be a different outcome if you have only “educational knowledge” but not “knowledge combined with experience.”

What did Bill do to instill this lesson? He bought a one-hour flying lesson for 10 of his key staff members.

What? A flying lesson? Why?

To start, as Bill explained, it is not easy to coach someone to do a task if they don’t have context or prior experience. If you are expecting a successful outcome, you’ll need to reset your expectation, purposely expose them to a relevant experience, and coach them as they work through the real-world scenario. Flying is a good example. It seems simple enough, the instructor has an exact copy of the flight controls and is sitting right beside the student telling him or her what to do. But until students have enough skills and experience to correct their own mistakes and eventually land the plane, the instructor will end up taking the flight controls and making sure they don’t run into trouble.

So Bill basically used the one-hour flight scenario to instill the lesson that even a seasoned flight instructor cannot coach a student through a complex scenario like landing a plane if the student lacks experience. From the students’ perspective, they may believe they have a sufficient knowledge of the flight controls, and they may even have practiced with a control yoke connected to a computer simulation. But they will soon find out that to successfully land a plane, knowledge must be married with relevant experience, and in many cases the experience must not be simulated. Relevant experience is… well, relevant.

So, how do you gain relevant experience?

In order to answer this question, let’s talk about what “relevant” experience is. We must first look at how factories or plants are constructed and organized to create a product at a profit. Factories or plants are made up of a collection of original equipment manufacturer (OEM) equipment that is engineered and brought together to produce a product or control a process that ultimately ends up as a consumable good. We can use examples of anything from producing toothpaste to refining gasoline. These wonders of the modern world are indeed fascinating works of art, each in its own right. I have spent my over three-decade career marveling with curiosity about how things are made.

It is only recently that we have connected the machinery together in such a manner that cybersecurity has entered our vocabulary. The control discipline has not fundamentally changed for many years, but the changes in connectivity have forced us to add cybersecurity skills to our toolkit.

In most cases, an OEM has created its own specialized type of machinery or engineered a solution predicated on having expertise or experience with creating a particular product or controlling a particular process. For instance, one OEM may fully understand how to fill a toothpaste tube or put liquid in a bottle, while another may have expertise in heating and mixing all the ingredients together to make the toothpaste. But each OEM lacks the expertise or experience to do what the other does. We must also understand that while the OEM knows the design of its own machinery, the end customer will have a different type of experience that includes learning how to operate, maintain, and troubleshoot the equipment. The OEM must design its equipment taking into account the customer’s different, but no less relevant, perspective, while at the same time develop the skills of its own team to carry out its particular task as efficiently as possible. For example, an OEM’s training regimen may teach such skills as how to code or how to size a control valve. End users’ training, on the other hand, may be more meaningful if they learn how to adjust and tune the machine or troubleshoot electrical problems.

Why is this story relevant? It goes back to the premise that getting relevant experience will lead to success. For instance, I worked for several machinery OEMs, and my relevant experience in that context was understanding how to design control systems to control certain processes. The experience I needed to gain was to understand how the control valves responded with respect to the sizing and responses of the physical valves. This involved understanding the responses of the control system and combining the right control elements together so the operators could enter their desired setpoints and the physical machinery would respond in a predictable and consistent manner.

Contrast my relevant experience with that of an operator. An operator needs to understand how to set values of control setpoints and how the machinery responds, how to enter and adjust those critical parameters, and how to respond to alarm conditions. For instance, if operators were making a baked good and it required them to understand the cooking and taste differences between cane sugar and beet sugar, they would need to know how to adjust the machinery parameters so the product tastes the same regardless of the types of sugar used. For me, as someone working with the OEM manufacturer, I barely know there are different kinds of sugar and I certainly don’t know what the differences are when you bake with either sweetener.

These respective relevant experiences are different, but both are required to achieve success. We can all certainly appreciate that not all experiences are equal or relevant for every actor. This is also true when it comes to ICS cybersecurity training. The experience relevant for your training ultimately depends on what environment you operate in and what skills you need to be successful.

ICS_Cybersecurity_In_Depth_2.jpeg


ICS Cybersecurity In-Depth

So now let’s talk about the goals and learning experiences we want to achieve with the SANS ICS612: ICS Cybersecurity In-Depth course. All of the course co-authors felt that we needed to distill the types of systems a security practitioner would find within a production or operational environment and expose students to hands-on labs that give them relevant experience to operate, maintain, monitor, troubleshoot, respond, restore, and defend common elements in an industrial arena. For instance, if I were asked what common elements are found in 90% of all factories or plants I have come across, I would categorize the common elements as follows:

  • Real-time embedded control systems like a Programmable Logic Controller (PLC) that will control some machine or process
  • Digital and analog input/output subsystems
  • Protocol-based “smart” sensors and valves (e.g., Ethernet/IP, Highway Addressable Remote Transducer [HART], DeviceNet, Profibus DP, Profibus PA, etc.)
  • Process visibility element(s) like the Electronic Operator Interface (EOI), Human Machine Interfaces (HMIs), and, sometimes, a Supervisory Control and Data Acquisition (SCADA) system
  • Process data storage like Historian or local process trending databases
  • Network equipment that can be traditional Ethernet-based protocols and some flavors of a real-time control standard such as Ethernet/IP, Modbus, Profibus, etc.
  • Security controls such as firewalls, monitoring systems, etc.

The above list is a high-level, albeit not detailed, categorization of common elements that help determine the major domains of the possible training one needs. These categories should be considered in your training because chances are that you will run into these types of technologies in an industrial environment.

When we developed ICS612, we decided that each student must gain experience by participating in hands-on labs. We felt that this would provide students with relevant experience and enable them, by the end of the course, to confidently identify issues and restore plant operations. Of course, if we wanted our students to restore plant operations we needed to create a plant. So, we created an environment where students construct a working coffee factory using PLCs, Networked I/O, EOIs, an HMI server, a Historian server, and other supporting elements such as remote connectivity technology and a working industrial demilitarized zone. This allows us to work with students on each element and eventually in a “system of systems” model that really represents a system comprised of complex systems.

Understanding how to program and operate common industrial assets is a fundamentally necessary component of ICS612, but we felt the class would not be complete without working through asset attack labs. Each asset found within an industrial production environment has different vulnerabilities, and knowing how to architect and protect these critical assets is paramount. The hands-on attack labs have been mindfully constructed to show the strengths and weakness of these assets. We believe the right mix for an industrial cybersecurity class entails learning how to get the asset working in a normal operating condition, defend the asset through lab exercises, and discover vulnerabilities through attack labs. Understanding how to defend and attack is not only fun, but is also very important.

As I mentioned earlier, the course culminates on day five with a scenario involving a broken-down coffee factory. Each student is expected to get his or her part of the plant up and running. As parts of the coffee factory are restored, we encourage students to help one another get their part of the factory restored. As we know, cybersecurity is a team sport (which makes training in a virtual environment all the more difficult). Once we actually work through the failure modes, the real troubleshooting begins. Students quickly understand that working on real equipment is much different than simulated environments. When motors don’t turn on, or a fuse blows and you smell smoke, or the lights are indicating something incorrectly because the relay contact isn’t working, the adventure and confidence you get from solving the problem builds to something beyond a computer simulation. Our day five students are much different than our day one students. They have been given relevant ICS cybersecurity experience that they can immediately use in their work environment. Our goal is to provide training that allows practitioners to immediately use their ICS612 classroom training in real-world situations. Feedback from our ICS612 alumni has consistently echoed our goal that their training has been relevant and allowed them to feel more confident and effective within an industrial operation environment.

So how did the one-hour flight experience of Bill’s 10 staff members come out? He says the experience for the participants will forever change their perspective about thinking they know something as opposed to really knowing that they know something. Ask yourself, if you had to put your simulated flying skills on the line in a real airplane, how confident are you that you could land a plane?

It all goes to show that knowledge and the right experience are the key to success in anything. As a side note, one of 10 participants in Bill’s experiment went on to become a pilot, an aircraft owner, and even has his own runway!

And oh yes, by the way, I’m also a private pilot.

In my next blog, I will dive a little deeper into the learning objectives of ICS612: ICS Cybersecurity In-Depth and more specifically why we chose to challenge our students with a “broken” coffee factory to reinforce all of the skills we have honed during our first four days of class.

Hope to see you in class!

Email: jshearer@sans.org 

Find Upcoming ICS612 Training In-Person:

ICS_ICS612_Live_In_Person_Social12.jpg



Share:
TwitterLinkedInFacebook
Copy url Url was copied to clipboard
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Recommended Training

  • ICS418: ICS Security Essentials for Managers
  • SEC573: Automating Information Security with Python
  • ICS410: ICS/SCADA Security Essentials

Tags:
  • Industrial Control Systems Security

Related Content

Blog
ICS_blog_-_ICS_Security_Management_VS._ICS_Attack_Targeting2.jpg
Industrial Control Systems Security
September 7, 2022
ICS Security Management VS. ICS Attack Targeting
ICS/OT security managers can build an effective team and take an effective approach to risk management.
DeanParsons_340x340.png
Dean Parsons
read more
Blog
ICS_blog_-_Developing_ICS_OT_Engineering_Cyber_Defense_Teams2.jpg
Industrial Control Systems Security
August 17, 2022
Developing ICS/OT Engineering Cyber Defense Teams
ICS security managers don't get to choose if they're a target of a cyber attack, but do get to choose many things about their OT security program.
DeanParsons_340x340.png
Dean Parsons
read more
Blog
ICS_Blog_Series-_A_Look_into_ICS-Part_22.jpg
Industrial Control Systems Security
April 4, 2022
A Look Into ICS612: ICS Cybersecurity In-Depth: Part 2
In OT security, you'll eventually be placed in an environment where you'll face the pressures of dealing with a process that's not responding.
370x370_jeffrey-shearer.jpg
Jeffrey Shearer
read more
  • Register to Learn
  • Courses
  • Certifications
  • Degree Programs
  • Cyber Ranges
  • Job Tools
  • Security Policy Project
  • Posters & Cheat Sheets
  • White Papers
  • Focus Areas
  • Cyber Defense
  • Cloud Security
  • Cybersecurity Leadership
  • Digital Forensics
  • Industrial Control Systems
  • Offensive Operations
Subscribe to SANS Newsletters
Receive curated news, vulnerabilities, & security awareness tips
United States
Canada
United Kingdom
Spain
Belgium
Denmark
Norway
Netherlands
Australia
India
Japan
Singapore
Afghanistan
Aland Islands
Albania
Algeria
American Samoa
Andorra
Angola
Anguilla
Antarctica
Antigua and Barbuda
Argentina
Armenia
Aruba
Austria
Azerbaijan
Bahamas
Bahrain
Bangladesh
Barbados
Belarus
Belize
Benin
Bermuda
Bhutan
Bolivia
Bonaire, Sint Eustatius, and Saba
Bosnia And Herzegovina
Botswana
Bouvet Island
Brazil
British Indian Ocean Territory
Brunei Darussalam
Bulgaria
Burkina Faso
Burundi
Cambodia
Cameroon
Cape Verde
Cayman Islands
Central African Republic
Chad
Chile
China
Christmas Island
Cocos (Keeling) Islands
Colombia
Comoros
Cook Islands
Costa Rica
Croatia (Local Name: Hrvatska)
Curacao
Cyprus
Czech Republic
Democratic Republic of the Congo
Djibouti
Dominica
Dominican Republic
East Timor
East Timor
Ecuador
Egypt
El Salvador
Equatorial Guinea
Eritrea
Estonia
Ethiopia
Falkland Islands (Malvinas)
Faroe Islands
Fiji
Finland
France
French Guiana
French Polynesia
French Southern Territories
Gabon
Gambia
Georgia
Germany
Ghana
Gibraltar
Greece
Greenland
Grenada
Guadeloupe
Guam
Guatemala
Guernsey
Guinea
Guinea-Bissau
Guyana
Haiti
Heard And McDonald Islands
Honduras
Hong Kong
Hungary
Iceland
Indonesia
Iraq
Ireland
Isle of Man
Israel
Italy
Jamaica
Jersey
Jordan
Kazakhstan
Kenya
Kiribati
Korea, Republic Of
Kosovo
Kuwait
Kyrgyzstan
Lao People's Democratic Republic
Latvia
Lebanon
Lesotho
Liberia
Liechtenstein
Lithuania
Luxembourg
Macau
Macedonia
Madagascar
Malawi
Malaysia
Maldives
Mali
Malta
Marshall Islands
Martinique
Mauritania
Mauritius
Mayotte
Mexico
Micronesia, Federated States Of
Moldova, Republic Of
Monaco
Mongolia
Montenegro
Montserrat
Morocco
Mozambique
Myanmar
Namibia
Nauru
Nepal
Netherlands Antilles
New Caledonia
New Zealand
Nicaragua
Niger
Nigeria
Niue
Norfolk Island
Northern Mariana Islands
Oman
Pakistan
Palau
Palestine
Panama
Papua New Guinea
Paraguay
Peru
Philippines
Pitcairn
Poland
Portugal
Puerto Rico
Qatar
Reunion
Romania
Russian Federation
Rwanda
Saint Bartholemy
Saint Kitts And Nevis
Saint Lucia
Saint Martin
Saint Vincent And The Grenadines
Samoa
San Marino
Sao Tome And Principe
Saudi Arabia
Senegal
Serbia
Seychelles
Sierra Leone
Sint Maarten
Slovakia
Slovenia
Solomon Islands
South Africa
South Georgia and the South Sandwich Islands
South Sudan
Sri Lanka
St. Helena
St. Pierre And Miquelon
Suriname
Svalbard And Jan Mayen Islands
Swaziland
Sweden
Switzerland
Taiwan
Tajikistan
Tanzania
Thailand
Togo
Tokelau
Tonga
Trinidad And Tobago
Tunisia
Turkey
Turkmenistan
Turks And Caicos Islands
Tuvalu
Uganda
Ukraine
United Arab Emirates
United States Minor Outlying Islands
Uruguay
Uzbekistan
Vanuatu
Vatican City
Venezuela
Vietnam
Virgin Islands (British)
Virgin Islands (U.S.)
Wallis And Futuna Islands
Western Sahara
Yemen
Yugoslavia
Zambia
Zimbabwe

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
  • © 2023 SANS™ Institute
  • Privacy Policy
  • Contact
  • Careers
  • Twitter
  • Facebook
  • Youtube
  • LinkedIn