ICS612: ICS Cyber Security In-Depth

  • In Person (5 days)
30 CPEs

A different perspective and approach are required for securing OT vs. IT environments. Given that each OT system is uniquely engineered specific to an organization's specific operational needs, how should we go about securing these systems? Through our immersive in-classroom operations environment, ICS612 will take you from theory to practical learning over this five-day course. You'll learn the methodology needed to identify operational vulnerabilities and build defenses through the roles of engineering, operations, red and blue teams. You'll navigate from fundamental PLC and HMI operations to the complexities of advanced IT and OT security architecture and monitoring, gaining insight into how threat actors attack operations through ICS systems and personnel. You'll reinforce these skills through hands-on lab exercises and conclude the course with an incident response scenario in which you will investigate and recover classroom operations. Leave this course with a thorough understanding of how to analyze an unknown system to secure and maintain operational resilience.

What You Will Learn

ICS-Aware malware and attacks on critical infrastructure are increasing in frequency and sophistication. You need to identify threats and vulnerabilities and methods to secure your ICS environment. Let us show you how!

The ICS612: ICS Cybersecurity In-Depth course will help you

  • Learn active and passive methods to safely gather information about an ICS environment
  • Identify vulnerabilities in ICS environments
  • Determine how attackers can maliciously interrupt and control processes and how to build defenses
  • Implement proactive measures to prevent, detect, slow down, or stop attacks
  • Understand ICS operations and what "normal" looks like
  • Build choke points into an architecture and determine how they can be used to detect and respond to security incidents
  • Manage complex ICS environments and develop the capability to detect and respond to ICS security events

The course concepts and learning objectives are primarily driven by the focus on hands-on labs. The in-classroom lab setup was developed to simulate a real-world environment where a controller is monitoring/controlling devices deployed in the field along with a field-mounted touchscreen Human Machine Interface (HMI) available for local personnel to make needed process changes. Utilizing operator workstations in a remotely located control center, system operators use a SCADA system to monitor and control the field equipment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (i.e., Historian), remote access, and other typical corporate functions.

The labs move students through a variety of exercises that demonstrate how an attacker can attack a poorly architected ICS (which, sadly, is not uncommon) and how defenders can secure and manage the environment.

Syllabus (30 CPEs)

Download PDF
  • Overview

    Learning Objective - Review of Lab Setup

    • Students will become familiar with the Programmable Logic Controller (PLC), I/O, and software used in the lab.
    • Goal: Students will learn and review ICS nomenclature and terminology and set up their lab station.

    Learning Objective - Introduction to the PLC Platform Application Tools

    • Use ICS software to download and operate an existing PLC project.
    • Walk through the basic PLC programming terminology.
    • Download a new firmware file and download and run an existing project file.
    • Interact with the PLC and demonstrate an error in the program.
    • Goal: Students will understand the tools required to have a functional PLC. They will begin to understand the operational relationships between ICS hardware and software.

    Learning Objective - Introduction to Programming a PLC

    • Carried over from the previous lab, troubleshoot and fix the programming error.
    • Apply the fix and verify correctness.
    • Observe lack of required authentication, or use of weak credentials in ICS.
    • Goal: Students will understand what is required to modify the logic in a PLC. They will begin to learn some of the attack surface of the PLC.

    Learning Objective - Service Discovery on PLC

    • Using NMAP, discover the services available on the PLC.
    • Where possible, interact with those identified services.
    • Determine the purpose and use of each available service.
    • Goal: Students will understand what services are available, the purposes they serve, and their criticality. They will expand their knowledge of the attack surface of the PLC.

    Learning Objective - Introduction to the HMI Platform Application Tools

    • Use the ICS software to download and operate an existing HMI project.
    • Walk through the basic HMI programming terminology through an existing project.
    • Interact with the HMI and correlate the HMI configuration (objects/tags) with the PLC program.
    • Goal: Students will understand how a basic HMI operates. They will also learn the data relationships between PLC and HMI used in later labs.

    Learning Objective - Understand HMI to PLC Communication

    • Using Wireshark, capture and dissect the ICS communication between the HMI and PLC.
    • Correlate the traffic with how the configuration of these devices transfer data over Ethernet.
    • Build foundational knowledge needed to build a network-level attack against the system.
    • Goal: Students will learn how data flows between PLC and HMI on the network. They will also begin to understand the weakness within ICS protocols.
    • Process familiarization using the Purdue model
    • Communication flow mapping referencing the Zones and conduit approach
    • Components of Level 0-2
    • Local I/O and local HMI communications
    • Understand operational functions
    • Understand inherent process weaknesses
    • Protocol dissection of operational data
    • Embedded device essentials
    • Operator Interface (I/O) subsystems and communications
    • Safety systems
    • Process time
  • Overview

    Learning Objective - Introduction to Peer-to-Peer Communications

    • Set up a Zone/Cell/Area to the larger Level 3 classroom "Production System" ICS network
    • Connect to a central L3 router, monitor its system, and establish peer-to-peer system communications.
    • Detect additional PLC attacks from the Level 3 system and configure defenses to thwart the attack.
    • Goal: This lab will help students recognize the relationships between Zones/Cells/Areas. Just like in the real world, students will communicate with owners of adjacent systems to map out baseline communications within an ICS.

    Learning Objective - Introduction to SCADA Systems

    • Identify components of a SCADA system and the components of the classroom "Production System" setup.
    • Walk through the common use cases and weaknesses and defenses of traditional IT network services, including Active Directory, DNS, DHCP, NTP, SMB, etc.
    • Goal: Students will learn the components and communications of a SCADA system. They will also learn the overlap and use of traditional IT technologies within ICS.

    Learning Objective - OPC Communications

    • Configure, or validate, the connectivity between the OPC server and their local PLC.
    • Create an OPC client connection from its local station to the OPC server at the front of the room.
    • Observe an OPC exploit against the system and navigate and configure the local Operating System security configurations to mitigate exploit.
    • Goal: Students will learn the common OS components, weaknesses of OPC communications, and possible defenses.
    • Learn components of Level 3
    • Learn peer-to-peer communications between PLCs
    • Learn SCADA/OPC communications
    • Learn the use and dependencies of traditional IT services (DNS, AD, DHCP, NTP, etc.)
    • Vendor security models and industrial DMZs
    • Learn attack vectors and defense techniques from Level 3
  • Overview

    Learning Objective - Network Architecture and Technology in ICS

    • Learn the weaknesses and defense options (i.e., segmentation) for a flat ICS network.
    • Identify service and communication requirements between Level 2 and 3 and build appropriate segmentation/defenses.
    • Invoke an attack on the system and configure and compare the differences between stateful and stateless ACLs.
    • Goal: Students will learn how common IT network technology is deployed in the environment, its common weaknesses, and defense strategies. Student will learn some basic (yet highly overlooked) firewall settings to build a defensive perimeter.

    Learning Objective - ICS Firewalls

    • Implement in-line firewall.
    • Implement data diode.
    • Management network (iLo, Remote Management, Lantronix).

    Learning Objective - ICS Perimeter

    • Learn methods to map ICS data flows and communication paths.
    • Identify and architect networks that support ICS business requirements.
    • Learn methods to restrict/reduce ICS network access to support minimal operations.
    • Learn common use cases; Historian, Remote Access, and Telemetry.

    Learning Objective - Historians

    • Identify the business requirements for Historian systems.
    • Observe Historian system compromise and modify the architecture and configuration to defend.
    • Goal: Students will learn the components of a Historian system. They will learn how to securely architect, configure, and operate a Historian system into an ICS environment.

    Learning Objective - Remote Access and Jump Host/2FA

    • Identify the business requirements for remote access.
    • Observe remote access compromise and modify system architecture, configure a jump host sever, and implement 2FA access to mitigate.
    • Goal: Students will learn how to securely architect, configure, and operate a jump host providing access into an ICS environment.
    • Understand connected process
    • Analyze case studies in ICS environments and secure plant design
    • Identify typical trusted communications flows (Time, File sharing, Remote Access, Historians, AD replication, Reverse Web Proxies, Patch servers)
  • Overview

    Learning Objective - ICS System Monitoring and Logging

    • Establish logging and alerting of local process assets into the environment log aggregator.
    • Goal: Students will ensure logged events are tuned for "events of interest" and implement industry-leading tools to view and detect abnormal behavior.

    Learning Objective - ICS Asset Management

    • Evaluate patching and change management strategies and solutions to ensure asset management and system integrity visibility.
    • Goal: Students will learn how to manage a complex set of ICS assets and develop the capability to detect and respond to security events occurring at the control system level.

    Learning Objective - ICS Asset Validation

    • Evaluate approaches to ensure or restore the integrity of a system to a known good state.
    • Goal: Students will evaluate the pre-work necessary for an organization to have the ability to return a compromised system to a reliable operating state.
    • Logging and traffic collection in an ICS environment
    • Monitoring and alerting in ICS networks
    • Monitoring and alerting in a serial network
    • System integrity verification
  • Overview

    Learning Objective - Hands on environment troubleshooting

    Attack/Defend - ICS NetWars Style Challenge

    • Level 1: questions on local process
    • Level 2: questions on shared process
    • Level 3: questions on the head end process environment
    • Level 4: questions on environment manipulation
    • Pivoting and positioning in an ICS target environment
    • Operational traffic reverse engineering
    • Protocol-level manipulation
    • Firmware manipulation
    • Industrial wireless discovery and attack
    • Time synchronization manipulation
    • Data table and scaling modifications


ICS612 is an advanced course that focuses on the engineering, implementation, and support of secure control system environments. Students taking ICS612 should have completed ICS410 or should have a strong understanding of the objectives taught in that course. The course also builds upon the skills learned in ICS515 and ICS612 students should have working knowledge of network security monitoring and data collection techniques.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple Silicon devices cannot perform the necessary virtualization and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 150GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.
  • A wired Ethernet network adapter is required for this course. This can be either an internal or an external USB-based network adapter but you cannot use wireless networking alone.
  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

If you have additional questions about the laptop specifications, please contact support.

Author Statement

"During my 30+ years of working directly in the field of industrial automation, the biggest change I have seen is not with control fundamentals. Rather, the most disruptive change has been with connectivity technology. By connectivity technology I mean there has been a move away from proprietary physical and logical layers to a pervasive adoption to commercial off-the-shelf Ethernet technology. Ethernet adoption has changed the industrial control discipline. Industrial control engineers are forced to either learn networking and security principles or work with other professionals to achieve a reliable and secure infrastructure to support real-time control systems."

- Jeff Shearer

"I am very excited to be a part of the author team that has worked on and will be bringing this great course to the dedicated industrial control system community. This course has been designed to provide students with practitioner-focused, hands-on lab exercises that have been developed to reinforce the skills necessary for professionals working to defend critical operational environments. As these control system environments become increasingly cyber-enabled, interconnected, and targeted by adversaries; it is essential that the capabilities of the workforce continue to progress in order to ensure safe and reliable operations. The lab exercises, tools, control system components, exposure to leading ICS solutions, and development of expanded defender capabilities in this course will be immediately applicable for students."

- Tim Conway

"I am excited to bring my 20 years of working on and securing industrial control systems (ICS) across multiple industries to this course to help others accelerate the development of their knowledge and skills. Under what might seem like a simple category such as ICS, it is easy to overlook the complex variations around business requirements, technologies, and operations across various industry types and organizations. ICS supports the mission of the organization and we must secure these environments in alignment with what makes them unique. To do this, the selection of the right security technology and security processes requires an ability to discover and understand the 'glue' behind the entire technology stack and operational requirements that make these systems unique. The students will take a journey that teaches them how to pull back the curtain and truly understand how to engineer security specific to the environments they will face in their career."

- Jason Dely

"I am really excited to be on the team developing this course and to be able to share some of the things I have learned over my career. As the ICS industry continues to change and evolve, we, as security practitioners, need to understand the capabilities and risks of these ICS environments and be prepared to support and defend them. While many SANS courses focus on either defending or attacking the environment or responding to an attack, this course is designed to give the students the complete picture. Students will learn everything from programming a PLC to designing a more secure ICS environment to understanding how an attacker may try to circumvent the protections in place. This is truly a hands-on class that promises to have something for everyone."

- Chris Robinson

Register for ICS612

Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.