

Please note that early bird discounts do not apply to Hosted courses.

Critical Infrastructure and Control System Cybersecurity

Course Syllabus · 30 CPEs · Laptop Provided

Critical Infrastructure Control System Cybersecurity Course Description

This intermediate-to-advanced course covers control system cybersecurity vulnerabilities, threats and mitigating controls. Through hands-on analysis of control system environments, students learn the environmental, operational and economic impacts of attacks such as Stuxnet, and the mitigating controls that address them.

  • Hands-on environment (PLC, HMI, Network Communications, Backtrack)
  • Operational, Cyber and Physical Protective Solutions
  • Kits provided and used by pods of two attendees (Laptop, Customized I/O Trainer, PLC, HMI, communications infrastructure, CYBATIFIED Backtrack)

Attendee Laboratory Training Kit Details

  • Allen Bradley (AB) MicroLogix and Siemens S7 PLC
  • SCADA and DCS Communication Configuration and Analysis
  • Configurable COTS OPC/HMI (Displays, Tags, Communication Protocols)
  • PLC Ladder-Logic Programming using AB RSLogix and Siemens Simatic Step 7
  • CYBATIFIED Backtrack Virtual Machine

Hands-on Critical Infrastructure Control System Cybersecurity 5-Day Course


What material is covered during the course?

  • Brief history of critical infrastructure and control systems
  • Control system risk management (Threats, Vulnerabilities and Exploits)
  • Surveying your attack surface; fingerprinting control system components and communications inside your organization
  • Introduction to programmable logic controllers, function block diagrams, ladder logic, points/tags, communications and OLE for process control (OPC) / Human Machine Interface (HMI) programming
  • Sensor and actuator design analysis using customizable I/O control system trainer units
  • Performing physical-cyber-operational assessments and penetration tests
  • Hardware hacking within control systems (networks, mice, technician PLC/PAC USB cables and more) using a Teensyduino++, Arduino and Netduino Plus
  • Analyze small scale mock control system environments
  • Protocol analysis of AB PCCC, EtherNet/IP, DNP3, IEC variants, ICCP and Modbus communications
  • Secure remote access solutions; Architecture and operations for administrative and operations remote access
  • Integrating and monitoring layered operational, cyber and physical controls
  • Simulated power grid control system red team / blue team exercise

What are the security risks of Control System components, communication protocols and operations?

Whether the Control System automates an industrial facility or a local amusement park roller coaster, it was designed on the assumption that it operates in a physically, cyber and operationally secure domain. That domain extends throughout the facility through a combination of Programmable Logic Controllers, Programmable Automation Controllers, embedded logic controllers and Remote Terminal Units, together with Human Machine Interfaces interlinked with one or more SCADA systems and communication protocols spanning local and long-distance geographic regions. The risks range from simple eavesdropping and electronic denial of service to more sophisticated asset misuse and destruction. Compounding the challenge, there are not enough professionals today with the security skills to sufficiently deter, detect and defend against active threats to our critical infrastructure's control systems.

How can we progress from Control System security policy development to design, deployment, and assessment?

This course was designed to help organizations struggling with control system cybersecurity by equipping personnel with the skills needed to design, deploy, operate, and assess a control system's cybersecurity architecture. The course begins with a brief description of the risks and then introduces participants to a customizable actuator and sensor control system trainer and a programmable logic environment. Analyzing the automation programming provides the platform for identifying logic flaws which, combined with weaknesses in cyber, physical and operational procedures, increase risk. Participants then apply this knowledge to analyze the control system architecture across cyber, physical and operational risks, including:

  • Control System component engineered, programmed and firmware logic flaws
  • Wired and wireless communication protocol analysis
  • Physical, cyber and operational procedures
  • Deterrence, detection and response to threats

The participant's knowledge is challenged through non-kinetic and kinetic analysis associated with common industry components as well as red team/blue team exercises of both physical and simulated control system environments such as Traffic Lights, Chemical Storage and Mixing, Pipelines, Robotic Arms, Heavy Rail and Power Grids.

What is critical infrastructure Control System cybersecurity?

Control Systems (local, distributed and SCADA systems) are used throughout the world to automate common processes. These systems must provide reliable and safe automation for critical infrastructures such as the Bulk Electric System (BES), natural gas, oil, transportation, chemical, mining, fresh water/waste water, manufacturing, food, and defense. The necessities on which both government and its people depend are automated by industrial control systems. In the past decade, advances in technology have added automation that intertwines these systems with the Internet, wireless links, business networks and traditional hardware and communications protocols. Many Control Systems (CSs) are in some way electronically connected to networks of lower trust, and may be only a few hops away from the Internet. These CSs typically use communication protocols that were designed without authentication or integrity protection; many run over TCP/IP and, in some cases, on common off-the-shelf hardware and chipsets. It is paramount to the safety of our society to understand the architecture of these critical systems well enough to protect them.



SANS Hosted is a series of classes presented by other educational providers to complement your training needs beyond our current course offerings.

Course Syllabus

CPE/CMU Credits: 6


Critical Infrastructure Control System Cybersecurity Background

  • Brief History of Critical Infrastructure and Control Systems
  • Risk Management (Threats, Vulnerabilities and Exploits)
  • Laboratory: Training Kit Orientation and Setup
  • Control System Cyber Architecture and Device Programming

Control System Cyber Architecture Components

  • Programmable Logic Controllers, Ladder Logic, Points and OPC/HMI
  • Laboratory: Introduction to Programmable Logic Controllers, Ladder Logic, Communications and OLE for Process Control (OPC) / Human Machine Interface (HMI) Programming

CPE/CMU Credits: 6


Cyber Asset Vulnerability Assessments

  • Case Study Review and Analysis (e.g. Bellingham Gas Pipeline; BP Texas Refinery; Washington DC Metro)
  • ICS-CERT Vulnerability Notification Review and Analysis
  • Open Source Intelligence (OSINT)
  • Cyber, Physical and Operational Security Assessments
  • Cyber Toolsets
  • Laboratory: PLC Vulnerability Assessments
  • Laboratory: Analyze and develop control system oriented Metasploit modules
  • Laboratory: Mock Environment Analysis (e.g. Robotic Arm, Traffic Lights, Heavy Rail)

CPE/CMU Credits: 6


Automation Technologies Attack Surface and Mitigations

  • Programmable Logic Controller Analysis
  • Mitigating Controls
  • Laboratory: PLC Exploit Analysis and Control
  • Analyzing Control System IEDs
  • Laboratory: Applied IED Security Analysis

OLE for Process Control / Human Machine Interface Attack Surface and Mitigations

  • OPC / HMI Analysis
  • Mitigating Controls
  • Laboratory: OPC/HMI Exploit Analysis and Control

CPE/CMU Credits: 6


Communications Attack Surface and Mitigations

  • General Communications Protocol Analysis
  • DNP3, IEC Variants, ICCP, Modbus Specific Protocol Analysis
  • Vulnerabilities and Exploits
  • Analyzing Wireless in Control Systems
  • Mitigating Controls
  • Laboratory: Communications Exploit Analysis and Control
  • Laboratory: Protocol Spoofing and Fuzzing
  • Laboratory: Industrial Wireless (802.11, 900 MHz, GPRS and ZigBee) Analysis
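The risk described earlier (control protocols that carry no authentication) and the Modbus spoofing and monitoring topics in this day's syllabus are illustrated below with an added example; it is not course material and not code from the course author. It follows the public Modbus/TCP framing (7-byte MBAP header, function code, data), builds the same unauthenticated Write Single Coil request that any host with network reach could send, parses responses, and runs a passive allow-list check over constructed sample traffic. The IP addresses, unit IDs and the allow-list are assumptions made up for the illustration.

```python
"""Modbus/TCP framing: why an unauthenticated write is trivial, and how to spot one.

Added example, not course material. MBAP header layout and function codes follow
the public Modbus Application Protocol / Modbus-TCP specifications; the sample
capture, hosts and allow-list below are constructed for illustration.
"""
import struct

# Function codes used here (from the public specification)
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTION_CODES = {FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                        FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS}


def build_adu(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    """Prepend the 7-byte MBAP header: transaction id, protocol id (0),
    length (unit id + PDU), unit id. Nothing in this frame authenticates the sender."""
    length = len(pdu) + 1
    return struct.pack(">HHHB", transaction_id, 0, length, unit_id) + pdu


def read_holding_registers(tid: int, unit: int, addr: int, count: int) -> bytes:
    """FC 03 request: start address and register count."""
    return build_adu(tid, unit, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, addr, count))


def write_single_coil(tid: int, unit: int, addr: int, on: bool) -> bytes:
    """FC 05 request: 0xFF00 forces the coil ON, 0x0000 forces it OFF (spec values)."""
    value = 0xFF00 if on else 0x0000
    return build_adu(tid, unit, struct.pack(">BHH", FC_WRITE_SINGLE_COIL, addr, value))


def parse_adu(frame: bytes) -> dict:
    """Split a Modbus/TCP ADU into header fields and PDU; reject malformed frames."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    # Bit 7 of the function code set means the slave returned an exception
    return {"tid": tid, "unit": unit, "fc": fc & 0x7F,
            "exception": bool(fc & 0x80), "data": pdu[1:]}


def parse_read_registers_response(frame: bytes) -> list:
    """Decode an FC 03 response into a list of 16-bit register values."""
    adu = parse_adu(frame)
    if adu["exception"]:
        raise ValueError(f"exception code {adu['data'][0]}")
    byte_count = adu["data"][0]
    regs = adu["data"][1:1 + byte_count]
    return list(struct.unpack(f">{byte_count // 2}H", regs))


def flag_unauthorized_writes(captured, allowed_writers):
    """Passive check: a write function code from any host outside the engineering
    workstation allow-list is an alert. `captured` is a list of (src_ip, frame)."""
    alerts = []
    for src, frame in captured:
        try:
            adu = parse_adu(frame)
        except ValueError as err:
            alerts.append((src, f"malformed frame: {err}"))
            continue
        if adu["fc"] in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append((src, f"write FC {adu['fc']:#04x} to unit {adu['unit']}"))
    return alerts


# Constructed sample traffic (assumed addresses): an HMI polling registers, the
# engineering workstation toggling a coil, and an unknown host doing the same.
ALLOWED_WRITERS = {"10.0.1.5"}
SAMPLE_CAPTURE = [
    ("10.0.1.10", read_holding_registers(1, 1, 0, 2)),
    ("10.0.1.5", write_single_coil(2, 1, 7, True)),
    ("10.0.9.99", write_single_coil(3, 1, 7, False)),
]

if __name__ == "__main__":
    # Decode a constructed FC 03 response carrying registers 0x0102 and 0x0304
    response = build_adu(1, 1, bytes([FC_READ_HOLDING_REGISTERS, 4, 1, 2, 3, 4]))
    print(parse_read_registers_response(response))
    for alert in flag_unauthorized_writes(SAMPLE_CAPTURE, ALLOWED_WRITERS):
        print("ALERT", alert)
```

The point of the allow-list check is that the protocol itself gives a PLC no way to tell the workstation's frame from the unknown host's; the two write frames above differ only in source address, so the control has to live in the network (segmentation, allow-listing, passive monitoring) rather than in the protocol.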

CPE/CMU Credits: 6


Integrated Defense in Depth Security Controls

  • Layered Operational, Cyber and Physical Controls
  • Forensics and attribution in control systems
  • Performing Physical-Cyber-Operational Assessments and Penetration Tests
  • Laboratory: Automation Technology Exploration and Vulnerability Assessments
  • Situation Awareness and Incident Response
  • Laboratory: Simulated Power Grid Control System Environment Attack and Defend

Additional Information

Each team of two participants (a Pod) is provided with a training kit containing all hardware and software necessary for the course: a laptop, PLC programming software, HMI software, a customizable actuator/sensor training unit, a communications network and cabling, an external wireless card, a Teensyduino++, and the customized Backtrack platform. Participants are not required to bring any technology to the class; however, they may use their own analysis tools.

If you have additional questions about the laptop specifications, please contact

The class establishes a high-level understanding of Control System cybersecurity valuable to a wide range of professionals, whether directly in the field or responsible for compliance. It also goes deep into real-world cybersecurity applications, satisfying those who need or want to understand the inner workings of the systems and the programming behind industrial automation. The class is therefore applicable to:

  • Security personnel whose job involves assessing, deploying, or securing control system components, communications and operations
  • Programmers, network and system administrators supporting control systems
  • Process engineers and field technicians
  • Operations and plant management personnel
  • Control System vendor personnel
  • Penetration testers
  • NERC CIP, DHS CFATS and other Auditors who need to build deeper technical skills
  • Computer emergency response teams

Author Statement

I wrote this class so that people could understand the elements of, ethically hack and proactively defend our control systems. This course will help the participants figuratively and literally get their hands around the challenges of protecting local and geographically dispersed control environments.
