ICS612: ICS Cybersecurity In-Depth

  • In Person (5 days)
30 CPEs

ICS612 is an in-classroom lab setup that move students through a variety of exercises that demonstrate how an adversary can attack a poorly architected ICS and how defenders can secure and manage the environment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (i.e., Historian), remote access, and other typical corporate functions.

What You Will Learn


The ICS612: ICS Cybersecurity In-Depth course will help you:

  • Learn active and passive methods to safely gather information about an ICS environment
  • Identify vulnerabilities in ICS environments
  • Determine how attackers can maliciously interrupt and control processes and how to build defenses
  • Implement proactive measures to prevent, detect, slow down, or stop attacks
  • Understand ICS operations and what "normal" looks like
  • Build choke points into an architecture and determine how they can be used to detect and respond to security incidents
  • Manage complex ICS environments and develop the capability to detect and respond to ICS security events

The course concepts and learning objectives are primarily driven by the focus on hands-on labs. The in-classroom lab setup was developed to simulate a real-world environment where a controller is monitoring/controlling devices deployed in the field along with a field-mounted touchscreen Human Machine Interface (HMI) available for local personnel to make needed process changes. Utilizing operator workstations in a remotely located control center, system operators use a SCADA system to monitor and control the field equipment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (i.e., Historian), remote access, and other typical corporate functions.

The labs move students through a variety of exercises that demonstrate how an attacker can attack a poorly architected ICS (which, sadly, is not uncommon) and how defenders can secure and manage the environment.

Syllabus (30 CPEs)

Download PDF
  • Overview

    Learning Objective - Review of Lab Setup

    • Students will become familiar with the Programmable Logic Controller (PLC), I/O, and software used in the lab.
    • Goal: Students will learn and review ICS nomenclature and terminology and set up their lab station.

    Learning Objective - Introduction to the PLC Platform Application Tools

    • Use ICS software to download and operate an existing PLC project.
    • Walk through the basic PLC programming terminology.
    • Download a new firmware file and download and run an existing project file.
    • Interact with the PLC and demonstrate an error in the program.
    • Goal: Students will understand the tools required to have a functional PLC. They will begin to understand the operational relationships between ICS hardware and software.

    Learning Objective - Introduction to Programming a PLC

    • Carried over from the previous lab, troubleshoot and fix the programming error.
    • Apply the fix and verify correctness.
    • Observe lack of required authentication, or use of weak credentials in ICS.
    • Goal: Students will understand what is required to modify the logic in a PLC. They will begin to learn some of the attack surface of the PLC.

    Learning Objective - Service Discovery on PLC

    • Using NMAP, discover the services available on the PLC.
    • Where possible, interact with those identified services.
    • Determine the purpose and use of each available service.
    • Goal: Students will understand what services are available, the purposes they serve, and their criticality. They will expand their knowledge of the attack surface of the PLC.

    Learning Objective - Introduction to the HMI Platform Application Tools

    • Use the ICS software to download and operate an existing HMI project.
    • Walk through the basic HMI programming terminology through an existing project.
    • Interact with the HMI and correlate the HMI configuration (objects/tags) with the PLC program.
    • Goal: Students will understand how a basic HMI operates. They will also learn the data relationships between PLC and HMI used in later labs.

    Learning Objective - Understand HMI to PLC Communication

    • Using Wireshark, capture and dissect the ICS communication between the HMI and PLC.
    • Correlate the traffic with how the configuration of these devices transfer data over Ethernet.
    • Build foundational knowledge needed to build a network-level attack against the system.
    • Goal: Students will learn how data flows between PLC and HMI on the network. They will also begin to understand the weakness within ICS protocols.
    • Process familiarization using the Purdue model
    • Communication flow mapping referencing the Zones and conduit approach
    • Components of Level 0-2
    • Local I/O and local HMI communications
    • Understand operational functions
    • Understand inherent process weaknesses
    • Protocol dissection of operational data
    • Embedded device essentials
    • Operator Interface (I/O) subsystems and communications
    • Safety systems
    • Process time
  • Overview

    Learning Objective - Introduction to Peer-to-Peer Communications

    • Set up a Zone/Cell/Area to the larger Level 3 classroom "Production System" ICS network
    • Connect to a central L3 router, monitor its system, and establish peer-to-peer system communications.
    • Detect additional PLC attacks from the Level 3 system and configure defenses to thwart the attack.
    • Goal: This lab will help students recognize the relationships between Zones/Cells/Areas. Just like in the real world, students will communicate with owners of adjacent systems to map out baseline communications within an ICS.

    Learning Objective - Introduction to SCADA Systems

    • Identify components of a SCADA system and the components of the classroom "Production System" setup.
    • Walk through the common use cases and weaknesses and defenses of traditional IT network services, including Active Directory, DNS, DHCP, NTP, SMB, etc.
    • Goal: Students will learn the components and communications of a SCADA system. They will also learn the overlap and use of traditional IT technologies within ICS.

    Learning Objective - OPC Communications

    • Configure, or validate, the connectivity between the OPC server and their local PLC.
    • Create an OPC client connection from its local station to the OPC server at the front of the room.
    • Observe an OPC exploit against the system and navigate and configure the local Operating System security configurations to mitigate exploit.
    • Goal: Students will learn the common OS components, weaknesses of OPC communications, and possible defenses.
    • Learn components of Level 3
    • Learn peer-to-peer communications between PLCs
    • Learn SCADA/OPC communications
    • Learn the use and dependencies of traditional IT services (DNS, AD, DHCP, NTP, etc.)
    • Vendor security models and industrial DMZs
    • Learn attack vectors and defense techniques from Level 3
  • Overview

    Learning Objective - Network Architecture and Technology in ICS

    • Learn the weaknesses and defense options (i.e., segmentation) for a flat ICS network.
    • Identify service and communication requirements between Level 2 and 3 and build appropriate segmentation/defenses.
    • Invoke an attack on the system and configure and compare the differences between stateful and stateless ACLs.
    • Goal: Students will learn how common IT network technology is deployed in the environment, its common weaknesses, and defense strategies. Student will learn some basic (yet highly overlooked) firewall settings to build a defensive perimeter.

    Learning Objective - ICS Firewalls

    • Implement in-line firewall.
    • Implement data diode.
    • Management network (iLo, Remote Management, Lantronix).

    Learning Objective - ICS Perimeter

    • Learn methods to map ICS data flows and communication paths.
    • Identify and architect networks that support ICS business requirements.
    • Learn methods to restrict/reduce ICS network access to support minimal operations.
    • Learn common use cases; Historian, Remote Access, and Telemetry.

    Learning Objective - Historians

    • Identify the business requirements for Historian systems.
    • Observe Historian system compromise and modify the architecture and configuration to defend.
    • Goal: Students will learn the components of a Historian system. They will learn how to securely architect, configure, and operate a Historian system into an ICS environment.

    Learning Objective - Remote Access and Jump Host/2FA

    • Identify the business requirements for remote access.
    • Observe remote access compromise and modify system architecture, configure a jump host sever, and implement 2FA access to mitigate.
    • Goal: Students will learn how to securely architect, configure, and operate a jump host providing access into an ICS environment.
    • Understand connected process
    • Analyze case studies in ICS environments and secure plant design
    • Identify typical trusted communications flows (Time, File sharing, Remote Access, Historians, AD replication, Reverse Web Proxies, Patch servers)
  • Overview

    Learning Objective - ICS System Monitoring and Logging

    • Establish logging and alerting of local process assets into the environment log aggregator.
    • Goal: Students will ensure logged events are tuned for "events of interest" and implement industry-leading tools to view and detect abnormal behavior.

    Learning Objective - ICS Asset Management

    • Evaluate patching and change management strategies and solutions to ensure asset management and system integrity visibility.
    • Goal: Students will learn how to manage a complex set of ICS assets and develop the capability to detect and respond to security events occurring at the control system level.

    Learning Objective - ICS Asset Validation

    • Evaluate approaches to ensure or restore the integrity of a system to a known good state.
    • Goal: Students will evaluate the pre-work necessary for an organization to have the ability to return a compromised system to a reliable operating state.
    • Logging and traffic collection in an ICS environment
    • Monitoring and alerting in ICS networks
    • Monitoring and alerting in a serial network
    • System integrity verification
  • Overview

    Learning Objective - Hands on environment troubleshooting

    Attack/Defend - ICS NetWars Style Challenge

    • Level 1: questions on local process
    • Level 2: questions on shared process
    • Level 3: questions on the head end process environment
    • Level 4: questions on environment manipulation
    • Pivoting and positioning in an ICS target environment
    • Operational traffic reverse engineering
    • Protocol-level manipulation
    • Firmware manipulation
    • Industrial wireless discovery and attack
    • Time synchronization manipulation
    • Data table and scaling modifications


ICS612 is an advanced course that focuses on the engineering, implementation, and support of secure control system environments. Students taking ICS612 should have completed ICS410 or should have a strong understanding of the objectives taught in that course. The course also builds upon the skills learned in ICS515 and ICS612 students should have working knowledge of network security monitoring and data collection techniques.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

The ICS612 course consists of instruction and a significant number of hands-on exercises. The exercises are designed to allow students to put knowledge gained throughout the course into practice in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned.

NOTE: Do not bring a regular production laptop for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume that all data could be lost.

NOTE: It is critical that students have administrator access to the operating system and the ability to disable all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

Laptop requirements include the following:

  • Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.
  • 64-bit processor with 64-bit operating system
  • VT or other 64-bit virtualization settings enabled in your BIOS to run 64-bit VMs
  • At least 8 GB of RAM
  • At least 120 GB of free hard-drive space
  • At least one USB port
  • Ability to update BIOS configuration settings to enable virtualization (VT) support
  • VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
  • Access to an account with administrative permissions and the ability to disable all security software on your laptop such as Antivirus and/or firewalls if needed for the class
  • If you are using Linux for your host machine, you will need ExFAT drivers installed to read the class USB drive
  • Connection to a physical Ethernet switch is necessary, a laptop with an Integrated physical network port or a supported external Ethernet USB adapter will be required

Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"During my 30+ years of working directly in the field of industrial automation, the biggest change I have seen is not with control fundamentals. Rather, the most disruptive change has been with connectivity technology. By connectivity technology I mean there has been a move away from proprietary physical and logical layers to a pervasive adoption to commercial off-the-shelf Ethernet technology. Ethernet adoption has changed the industrial control discipline. Industrial control engineers are forced to either learn networking and security principles or work with other professionals to achieve a reliable and secure infrastructure to support real-time control systems."

- Jeff Shearer

"I am very excited to be a part of the author team that has worked on and will be bringing this great course to the dedicated industrial control system community. This course has been designed to provide students with practitioner-focused, hands-on lab exercises that have been developed to reinforce the skills necessary for professionals working to defend critical operational environments. As these control system environments become increasingly cyber-enabled, interconnected, and targeted by adversaries; it is essential that the capabilities of the workforce continue to progress in order to ensure safe and reliable operations. The lab exercises, tools, control system components, exposure to leading ICS solutions, and development of expanded defender capabilities in this course will be immediately applicable for students."

- Tim Conway

"I am excited to bring my 20 years of working on and securing industrial control systems (ICS) across multiple industries to this course to help others accelerate the development of their knowledge and skills. Under what might seem like a simple category such as ICS, it is easy to overlook the complex variations around business requirements, technologies, and operations across various industry types and organizations. ICS supports the mission of the organization and we must secure these environments in alignment with what makes them unique. To do this, the selection of the right security technology and security processes requires an ability to discover and understand the 'glue' behind the entire technology stack and operational requirements that make these systems unique. The students will take a journey that teaches them how to pull back the curtain and truly understand how to engineer security specific to the environments they will face in their career."

- Jason Dely

"I am really excited to be on the team developing this course and to be able to share some of the things I have learned over my career. As the ICS industry continues to change and evolve, we, as security practitioners, need to understand the capabilities and risks of these ICS environments and be prepared to support and defend them. While many SANS courses focus on either defending or attacking the environment or responding to an attack, this course is designed to give the students the complete picture. Students will learn everything from programming a PLC to designing a more secure ICS environment to understanding how an attacker may try to circumvent the protections in place. This is truly a hands-on class that promises to have something for everyone."

- Chris Robinson

Register for ICS612

  • In Person

Training events and topical summits feature presentations and courses in classrooms around the world.

Learn more
  • Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Learn more
  • OnDemand

Study and prepare for GIAC Certification with four months of online access. Includes labs and exercises, and support.

Learn more