What You Will Learn
Cybersecurity practitioners working in critical infrastructure sectors around the world have seen an increase in requirements to perform penetration tests and assessments on key systems and devices. This course will prepare professionals with the necessary knowledge to perform these tasks in a manner that prioritizes operational safety, reliability, and cybersecurity outcomes.
This course considers the unique drivers and constraints that exist within Industrial Control System (ICS) environments and provides direct hands-on training to ensure each student develops penetration testing and assessment capabilities specific to ICS devices, applications, architectures, communications, and process environments. Students will leave this course having the knowledge and necessary skills to perform real world penetration tests and full operational system assessments.
You Will Be Able To
- Understand an adversary’s approach to attacking ICS networks
- Understand attack vectors, exploits, and tools used against industrial control systems
- Understand an industrial process and site from a penetration tester's and cyber assessor's perspective
- Understand the various components of a local and remote process and their communication pathways back to the control system
- Prepare and plan for safe and effective Industrial Control System cyber engagements
- Develop a process to assess and test Industrial Control System devices
- Develop a strategy and approach to assessing distributed Industrial Control Systems
- Assess cyber tools for effectiveness and safety before their use on control system devices and networks
- Understand the use of virtualization to aid in pen-testing for engagement rehearsals, assessment capability, and tradecraft development
- Develop cyber engagement project platforms like laptops, mobile, networks, and cloud
- Understand network/serial taps, one-way diodes, and sensors
- Develop a network/serial tap and sensor plan both from an offensive and defensive perspective
- Understand the limitations of protocol dissectors and plugins for industrial protocols and how to adapt
- Understand the architecture of distributed control systems from a cyber perspective
- Understand Industrial Wireless and Industrial RF, including Cellular gateways
- Develop capabilities and tradecraft to live off the land within DCS environments
- Apply learned tradecraft within a Distributed Control System
- Conduct a pentest of industrial devices and networks
- Understand documentation and cyber engagement plans
- Assess the SANS Distributed Control System network
- Document findings and final reports
- ICS assessment methodologies
- ICS pentesting methodologies and documents such as OSSTMM3, PTES, ACI TTP for ICS, and the CIS Critical Security Controls
- Use of MITRE ATT&CK for ICS, Atomic Red Team, ISA/IEC 62443-x, ISO/IEC 27001, and NIST SP 800-82 for ICS cyber engagements
- Use of OWASP's Web Security Testing Guide, OWASP's Embedded Application Security methodologies, and ISA/IEC 62443-3 for assessing industrial components and systems
- Use of specific cyber tools to interact and interrogate ICS devices and systems
- Analyzing exploits and plugins to develop individual and team capabilities
- Use of tunnels, proxies, and shells to open connections between the pentester and the target environment
- Use of protocol, web app, database, and OS-related tools to gain and expand access within the ICS environment
- Privilege escalation techniques within ICS networks, WinPEAS, and manual TTPs
- Analyzing Industrial Embedded Systems and Real-Time Operating Systems
- Command-line interactions with Windows, Linux, ESXi, iDRAC, and other real-time operating systems found within ICS environments
- Live off the land within ICS and DCS
- Analyzing alerts and advisories for attack vector analysis and pentest/assessment TTP development
- Testing tools and their impact on a specific system or environment
- Security tools to validate controller ISASecure and Achilles certifications
- Use of ChatGPT for quick script prototype development
- Assessing DCS field devices, hosts, network devices, physical and virtual servers, and cloud-edge services
- Firmware analysis for pentest/assessment TTPs development
- Use of VMware, Hyper-V, Docker and Windows containers, QEMU, and WSL2 to mount OS and RTOS images
- Interact with various Real-Time Operating Systems (RTOS)
- Interact with multiple DCS vendor-specific tools and cybersecurity applications
- Interact with the DCS components using both Windows and Linux command-line tools
- Capture and analyze Industrial RF and network-based communication
What You Will Receive
- Books, PDF copies of the printed material, and recorded audio
- Lab and Electronic Labs
- ClickPLC Plus
- ICS613 LNG Board
- Windows Virtual Machine, Linux Virtual Machines, RTOS VMs
- Serial and Network Tap
Syllabus (30 CPEs)
ICS613.1: Safety First
The objective of Section 1 is to outline the differences between a penetration test within a corporate network and one within a control network. Students with experience in corporate penetration tests will be introduced to Operational Technology (OT), how it is used in processes, and the consequences of their actions on it. Students with experience in OT will be introduced to the different types of penetration tests, the tools used for these assessments, and the consequences of their actions. These objectives are achieved by covering the concepts and reinforcing them with labs in which standard tools cause a physical failure within a process. The day is also used to introduce students to the virtual machines with ICS tools and virtual systems, and to ensure access to lab resources.
ICS613.2: Assessment Engagement
Section 2 will introduce the student to an assessment methodology that follows the ICS Attack Kill Chain. Students will be informed about the considerations for scoping a penetration test for a control network, including the expectations and limitations they will encounter. This will be reinforced using a lab that leverages penetration testing tools and processes to highlight environment-specific considerations when performing various tasks, and what can happen to a process when appropriate precautions are not taken. Students will then be exposed to physical security considerations because of their importance as a primary control in most organizations. Techniques for bypassing physical controls will be discussed.
Students will learn how attackers gain digital access to key personnel workstations and gather information about the control process, learning to mimic this behavior in a lab to find and compile documents and credentials and leverage these credentials to pivot into the control network. Students will then perform safe system and service enumeration activities to collect information about the control network. Finally, students will learn how to use scripts to enumerate information from a management server using an industrial protocol and identify how to attack a processor/field device using another industrial protocol. The day will finish by outlining penetration testing reporting and ICS-specific mitigation considerations.
ICS613.3: Under the Hood: Real-Time Operating Systems, Controllers, and Certification Overview
As a cyber defender working in industrial control systems (ICS) environments, it is imperative to understand that these systems are composed of many computer systems, network components, and field devices, each running various operating systems and real-time operating systems. Therefore, to effectively assess the cybersecurity posture of these systems, you must have a solid foundation in these operating systems and how to approach them to identify vulnerabilities systematically.
Developing ICS operating system expertise requires system knowledge and hands-on experience through lab exercises. By gaining this knowledge and experience, you can better prepare yourself and your team to conduct assessments that go beyond surface-level vulnerabilities and uncover adversary attack surfaces at deeper system layers. In addition, you will learn the foundations of assessing controllers and device real-time operating systems, and develop simple tests and procedures to validate controller certifications.
By taking a systematic approach and building a solid understanding of ICS operating systems, you can improve your ability to assess the security of these critical systems and help ensure their resilience in the face of cyber threats against Industrial Control System networks, systems, and devices.
ICS613.4: From Field Devices to DCS
Many ICS Cyber Teams have a solid foundation in cyber essentials. However, they sometimes need more opportunities to expand their Industrial Cyber knowledge and tradecraft at the OT network level by interacting with live field devices and distributed control systems.
It is critical to learn and use a set of safety-based tactics, techniques, and procedures (TTPs) that prioritize the protection of life, equipment, and the underlying process when conducting cybersecurity assessments, penetration tests, red team/blue teaming, and hunting operations within industrial control systems networks.
It is essential to engage in hands-on training that focuses on real-world scenarios and includes exposure to existing distributed control systems, DCS networking, field devices, and actual “plug-in” conditions that limit the use of traditional cyber tools.
ICS613.5: From DCS Servers, Hosts, to Network Devices
The final day of the course will continue to highlight live DCS system components and appropriate assessment approaches and methodologies. The content and hands-on labs will provide an excellent foundation for conducting cyber engagements on these systems, including using DCS-specific vendor tools, adversary exploit techniques, Atomic Red Team assessment tradecraft, and the more traditional penetration testing techniques.
The industry is rapidly evolving to move beyond simple pen tests and vulnerability assessments of individual devices and instead toward conducting assessments on offline deployed systems and eventually on live systems. It is, therefore, critical that ICS cyber teams build their knowledge and expertise in a way that allows them to assess these complex systems safely and effectively while ensuring the protection of critical infrastructure and the people who depend on it.
This 600-level course focuses on applied assessments and pen-testing within ICS systems and networks. Students will benefit from a solid cyber foundation in assessing systems, pen-testing networks, digital forensics of hosts and servers, assessing wireless, and the fundamentals of ICS. Some suggested SANS courses are:
- ICS410: ICS/SCADA Security Essentials
- ICS612: ICS Cybersecurity In-Depth
- SEC560: Enterprise Penetration Testing
- SEC542: Web App Penetration Testing and Ethical Hacking
- SEC617: Wireless Penetration Testing and Ethical Hacking
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
NOTE: Students must have administrator access to the operating system and all security software installed. Changes need to be made to personal firewalls and other host-based software for the labs to work.
- The latest version of Windows 10 or higher, macOS 10.15.x or later, or a Linux distribution that can install and run the VMware virtualization products described below
- A Windows system that can run Windows Subsystem for Linux
- 64-bit processor with a 64-bit operating system
- At least one USB port and a USB 3.0 hub with a network adapter
- Ability to update BIOS configuration settings to enable virtualization (VT) support
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- Access to an account with administrative permissions and the ability to disable all security software on your laptop, such as Antivirus and firewalls, if needed for the class
- At least 160 GB of free hard-drive space
- At least 8 GB of RAM (16 GB recommended)
- Wireless Ethernet 802.11 b/g/n/ac
NOTE: Apple systems using the M1 processor cannot perform the necessary virtualization and cannot be used for this course.
Your course media will now be delivered via download. The media files for class can be large, some in the 40-50 GB range. Therefore, you need to allow plenty of time for the download to complete. Internet connections and speed vary significantly and are dependent on many different factors. Consequently, it is impossible to estimate the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes use an electronic workbook in addition to PDFs. In this new environment, a second monitor and a tablet device can be helpful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
“We operate within a Complex Adaptive System, where the Adversary and the Cyber Defenders have to continuously expand and enhance their tradecraft and experiences to evolve and bring some level of order and homeostasis within the networks and systems we defend. The adversary is dynamic and often a Team or an Organization, but in ICS, we are few defending a large OT landscape; we will always clamor for more and better tradecraft, TTPs, and tools. We have to do more than just adapt; we must overcome.” – Fred Alvarez
"Assessing risk in control environments can be dangerous and the consequences extreme. My experiences at Cutaway Security have demonstrated to me that having a consistent methodology to gather information through threat modeling, interviews, walkthroughs, network analysis, and safe attack surface mapping is necessary to make operations teams comfortable. The authors of this course have pulled from years of experience in evaluating production environments to create tactics and techniques that improve safety, reliability, and availability in any industrial or automation environment. This course is our method for passing this knowledge on to future generations and improving our societies." – Don C. Weber