ICS456: Essentials for NERC Critical Infrastructure Protection

GIAC Critical Infrastructure Protection (GCIP)
GIAC Critical Infrastructure Protection (GCIP)
  • In Person (5 days)
  • Online
31 CPEs
The ICS456: Essentials for NERC Critical Infrastructure Protection course empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations.

What You Will Learn

The five-day ICS456: Essentials for NERC Critical Infrastructure Protection empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the role of the Federal Energy Regulatory Commission (FERC), North American Electric Reliability Corporation (NERC), and Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems, and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6/7 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.

This course goes far beyond other NERC Critical Infrastructure Protection (CIP) courses that only teach what the standards are by providing information that will help you develop and maintain a defensible compliance program and achieve a better understanding of the technical aspects of the standards. Our 25 hands-on labs utilize three provided virtual machines that enable students to learn skills ranging from securing workstations to performing digital forensics and lock picking. Our students consistently tell us that these labs reinforce the learning and prepare them to do their jobs better.

You Will Learn

  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability and how subtle changes in definitions can have a big impact on your program
  • The significance of properly determining Cyber System impact ratings and strategies for minimizing compliance exposure
  • Strategic implementation approaches for supporting technologies
  • How to manage recurring tasks and strategies for CIP program maintenance
  • Effective implementations for cyber and physical access controls
  • How to breakdown the complexity of NERC CIP in order to communicate with your leadership
  • What to expect in your next CIP audit, how to prepare supporting evidence, and how to avoid common pitfalls
  • How to understand the most recent Standards Development Team's (SDT) efforts and how that may impact your current CIP program

You Will Be Able To

  • Understand the cybersecurity objectives of the NERC CIP standards
  • Understand the NERC regulatory framework, its source of authority, and the process for developing CIP standards, as well as their relationship to the other BES reliability standards
  • Speak fluent NERC CIP and understand how seemingly similar terms can have significantly different meanings and impacts on your compliance program
  • Break down the complexity to more easily identify and categorize BES Cyber Assets and Systems
  • Develop better security management controls by understanding what makes for effective cybersecurity policies and procedures
  • Understand physical and logical controls and monitoring requirements
  • Make sense of the CIP-007 system management requirements and their relationship to CIP-010 configuration management requirements, and understand the multiple timelines for assessment and remediation of vulnerabilities
  • Determine what makes for a sustainable personnel training and risk assessment program
  • Develop strategies to protect and recover BES Cyber System information
  • Know the keys to developing and maintaining evidence that demonstrates compliance and be prepared to be an active member of the audit support team.
  • Sharpen your CIP Ninja!

Hands-On Training

Day 1

  • Virtual Machine Setup - Windows, Kali Linux, and Security Onion VM will be utilized throughout the five-day course
  • Checkpoint exercise - Ensure familiarity with the NERC website for locating standards, and cover entity registrations, the Functional Model, and a Glossary of Terms
  • Protocol Primer - Use Wireshark to analyze packet captures
  • Analysis of Facility Environments - Walk through assets owned by a ficticious company to determine in-scope assets and approaches to generation segmentation
  • CSET Facility Assessment - Utilize the ICS-CERT's Cybersecurity Evaluation Tool (CSET) to perform a self-assessment on a model network compared to industry standards, including NERC CIP
  • Kaspersky Industrial Protection Simulation (KIPS) - Electric sector "make your own adventure" simulation that challenges students to secure and ensure on-going operations of a fictional combined-cycle gas turbine power plant

Day 2

  • Wireshark Analysis and Network Visualization - Utilize Wireshark to analyze real packet captures from an ICS environment and introduce the Dragos Security CyberLens tool, which can be used to passively discover ICS assets and visualize their network placement and communications
  • Firewall Rule Development and Analysis - Utilize the Common Open Research Emulator (CORE) to emulate a live network and to understand the effect of firewall rules on the network communications
  • ICS Signatures and Alerting - Utilizes the Squil (pronounced squeal) network security monitoring tool to create event driven IDS alerts when replaying pcap packet captures from an ICS environment
  • Breach of Physical Controls - Learn the basics of lock picking with your very own clear padlock and pick tool set
  • Physical Security Review and Response Exercise - Analyze physical security camera images and perimeter access logs to identify potential security and compliance problems

Day 3

  • Windows System Assessment - Utilize a number of tools including Windows Baseline Security Analyzer, NetStat, and Windows Firewall Configurator to analyze the security posture of a provided Windows VM
  • Validating Findings and Demonstrating Impact - Utilize the provided Kali Linux VM and favorite red-team tools such as Cain & Able, remote desktop, and Metasploit Framework to gain unauthorized access to the Windows VM, demonstrating the risks of insecure configuration
  • System Hardening - Learn from the red team's action and use a number of native Windows tools to harden the Windows VM and preventing future exploitation
  • System Log Management - Use Splunk Enterprise to analyze a Windows event log to identify events of interest
  • Basic Change Management from the Command Line - Utilize hashing techniques and Tripwire to identify system file and configuration changes
  • Vulnerability Assessment Tool Capability - Gain familiarity with Nmap, SNMP, and the OpenVAS vulnerability scanning framework

Day 4

  • Information Leakage Awareness - Walk through creating a Shodan account and using it to discover all sorts of interesting Internet-connected devices
  • Steganography Lab - Use the S-Tools application to conceal and identify data hidden in plain sight in order to understand the risk of data exfiltration in your environment
  • Yara Introduction - Learn the basics of Yara, the "Pattern Matching Swiss Knife for Malware," utilizing indicators of compromise (IOC's) to detect malware in memory images
  • Incident Response TTX - Walk through a tabletop exercise that you can take back to your organization for play with your larger team to test incident response capability and security policy/plan effectiveness
  • Forensic Data Preservation - Use FireEye's free Redline tool to learn how to collect and analyze forensic data and the FTL Imager tool to create a system image for data preservation

Day 5

  • Auditor Tools - NERC CIP auditors use NP-View to analyze their environment, and you should too! In this lab you'll analyze firewall configurations for an example electric entity to determine and visualize network communications
  • Power Shell - Learn the basics and get an appreciation for the power of PowerShell for task automation and configuration management
  • Auditor / Defender - Whether you play the role of auditor or audited entity, this exercise will challenge your NERC CIP knowledge and ability to present material to tell a compelling story of compliance

What You Will Receive

  • Electronic Download package containing useful and otherwise hard to find NERC, regional entity, and various CIPC reference documents; SANS posters and brochures; and multiple documents created by SANS to help structure and guide your compliance program
  • Three virtual machines including a Windows 10, Kali Linux, and a Security Onion Linux VM which will be utilized during course labs to demonstrate and highlight security controls consistent with NERC CIP requirements
  • MP3 files of the course author/instructor to help recall course content and examples
  • A clear acrylic padlock and lockpicking tools
  • Incident response and security exercises designed for students to continue to utilize in their organizations
  • On-going access to course authors and instructors via a private NERC CIP focused community forum group

Syllabus (31 CPEs)

Download PDF
  • Overview

    A transition is underway from NERC CIP programs that are well defined and understood to a new CIP paradigm that expands its scope into additional environments and adds significantly more complexity. On day 1, students will develop an understanding of the electric sector regulatory structure and history as well as an appreciation for how the CIP Standards fit into the overall framework of the reliability standards. Key NERC terms and definitions related to NERC CIP are reviewed using realistic concepts and examples that prepare students to better understand their meaning. We will explore multiple approaches to BES Cyber Asset identification and learn the critical role of strong management and governance controls. We'll also examine a series of architectures, strategies, and difficult compliance questions in a way that highlights the reliability and cybersecurity strengths of particular approaches. Unique labs will include a scenario-based competition that helps bring the concepts to life and highlights the important role we play in defending "the grid."

    • Regulatory History and Overview
    • NERC Functional Model
    • NERC Reliability Standards
    • CIP History
    • Terms and Definitions
    • CIP-002: BES Cyber System Categorization
    • CIP-003: Security Management Controls
  • Overview

    Strong physical and cyber access controls are at the heart of any good cybersecurity program. On day 2 we move beyond the what of CIP compliance to understanding the why and the how. Firewalls, proxies, gateways, IDS, and more - you'll learn where and when they help as well as practical implementations to consider and designs to avoid. Physical protection includes more than fences, and you'll learn about the strengths and weaknesses of common physical controls and monitoring schemes. Labs will re-inforce the learnings throughout the day and will introduce architecture review and analysis, firewall rules, IDS rules, compliance evidence demonstration, and physical security control reviews.

    • CIP-005: Electronic Security Perimeter(s)
    • Interactive Remote Access
    • External Routable Communication and Electronic Access Points
    • CIP-006: Physical Security of BES Cyber Systems
    • Physical Security Plan
    • Visitor Control Programs
    • PACS Maintenance and Testing
    • CIP-014: Physical Security
  • Overview

    CIP-007 has consistently been one of the most violated standards going back to CIP version 1. With the CIP Standards moving to a systematic approach with varying requirement applicability based on a system impact rating, the industry now has new ways to design and architect system management approaches. Throughout day 3, students will dive into CIP-007. We'll examine various Systems Security Management requirements with a focus on implementation examples and the associated compliance challenges. We'll also cover the CIP-010 requirements for configuration change management and vulnerability assessments that ensure systems are in a known state and under effective change control. We'll move through a series of labs that reinforce the topics covered from the perspective of the CIP practitioner responsible for implementation and testing.

    • CIP-007: System Management
    • Physical and Logical Ports
    • Patch Management
    • Malicious Code Prevention
    • Account Management
    • CIP-010: Configuration Change Management and Vulnerability Assessments
    • Change Management Program
    • Baseline Configuration Methodology
    • Change Management Alerting/Prevention
  • Overview

    Education is key to every organization's success with NERC CIP, and ICS456 graduates will be knowledgeable advocates for CIP when they return to their place of work. Regardless of their role, students can be a valued resource to their organization's CIP-004 training program and the CIP-011 information protection program. Students will be ready with resources for building and running strong awareness programs that reinforce the need for information protection and cybersecurity training. On day 4, we'll examine CIP-008 and CIP-009, covering identification, classification communication of incidents, and the various roles and responsibilities needed in an incident response or a disaster recovery event. Labs will introduce tools to ensure file integrity and the sanitization of files to be distributed, how to best utilize and communicate with the E-ISAC, and how to preserve incident data for future analysis.

    • CIP-004: Personnel and Training
    • Security Awareness Program
    • CIP Training Program
    • PRA Evaluation Process
    • CIP-011: Information Protection
    • Information Protection Program
    • Data Sanitization
    • CIP-008: Incident Reporting and Response Planning
    • Incident Response Plan/Testing
    • Reporting Requirements
    • CIP-009: Recovery Plans for BES Cyber Systems
    • Recovery Plans
    • System Backup
  • Overview

    On the final course day students will learn the key components for running an effective CIP compliance program. We will review the NERC processes for standards development, violation penalty determination, Requests for Interpretation, and recent changes stemming from the Reliability Assurance Initiative. Additionally, we'll identify recurring and audit-related processes that keep a CIP compliance program on track: culture of compliance, annual assessments, gap analysis, TFE's, and self-reporting. We'll also look at the challenge of preparing for NERC audits and provide tips to be prepared to demonstrate the awesome work your team is doing. Finally, we'll look at some real-life CIP violations and discuss what happened and the lessons we can take away. At the end of day 5, students will have a strong call to action to participate in the on-going development of CIP within their organization and in the industry overall as well as a sense that CIP is do-able! Labs on day 5 will cover DOE C2M2, audit tools, and an audit-focused take on a "blue team - red team" exercise.

    • CIP Processes for Maintaining Compliance
    • Preparing for an Audit
    • Audit Follow-Up
    • CIP Industry Activities
    • Standards Process
    • CIP of the Future

GIAC Critical Infrastructure Protection

The GIAC Critical Infrastructure Protection (GCIP) certification validates that professionals who access, support and maintain critical systems have an understanding of the regulatory requirements of NERC CIP as well as practical implementation strategies.

  • BES cyber system identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability
  • Strategic implementation approaches for supporting technologies
  • Recurring tasks and strategies for CIP program maintenance
More Certification Details

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 100GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"The SANS ICS456: NERC Critical Infrastructure Protection Essentials course was developed by SANS ICS team members with extensive electric industry experience, including former Registered Entity Primary Contacts, a former NERC officer, and a Co-Chair of the NERC CIP Interpretation Drafting Team. Together the authors bring real-world, practitioner experience gained from developing and maintaining NERC CIP and NERC 693 compliance programs and actively participating in the standards development process."

- Tim Conway and Ted Gutierrez

Register for ICS456

Learn about Group Pricing

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.