Registration for ICS613 is currently unavailable due to course development.
If you wish to be notified via email when ICS613 is open for registration, fill out this form
What You Will Learn
Engineering, operations, and security professionals working in industrial environments and critical infrastructure sectors around the world are increasingly required to perform penetration tests and security assessments on key systems and devices. This course provides students with the necessary knowledge and skills to perform these tasks safely while ensuring operational reliability and resiliency and achieving effective cybersecurity outcomes.
ICS613 addresses the unique drivers and constraints of ICS environments and provides direct hands-on training to develop penetration testing and assessment capabilities specific to ICS devices, applications, architectures, communications, and process environments. By the end of this course, students will be equipped to perform real-world penetration tests and conduct security assessments of fully operational environments.
You Will Be Able To
- Plan and execute safe, effective, and valuable penetration tests and security assessments using both passive and active techniques to assess operational resilience in ICS environments.
- Tailor ICS penetration tests and security assessments to serve the customer’s organizational and operational security objectives.
- Collaborate with customers to identify realistic ICS attack scenarios targeting Crown Jewel Assets (CJA).
- Communicate and coordinate with stakeholders to define expectations, goals, and outcomes for ICS security assessments.
- Understand the benefits of a top-down/bottom-up approach to active testing and how aligning penetration test methodologies to the ICS Cyber Kill chain provides appropriate adversary context to engagement activities, findings, and recommendations.
- Evaluate tools and techniques for effectiveness and safety before applying them to ICS devices and networks.
- Identify relevant targets and select applicable adversary TTPs for developing effective attack scenarios in ICS penetration tests and security assessments, regardless of industry sector.
- Write and deliver timely status updates and accurate, actionable reports that support customer goals and outcomes.
What You Will Receive
- A fully functional SANS ICS613 Student Kit that students will keep after class:
- A CLICK PLC Plus Controller w/ Bluetooth and Wi-Fi, including additional modules and communication cards with a sector simulation board.
- Physical components and attachments for I/O connections to the SANS sector simulator board.
- Commercial Click PLC Programming software from KOYO Electronics.
- Commercial human machine interface (HMI) control system runtime applications from Rockwell Automation.
- Commercial OPC server application software from Matrikon.
- A SANS ICS613 Windows Virtual Machine.
- A SANS ICS613 Kali Virtual Machine.
- Access to the in-class physical ICS range running a distributed control system (DCS) and automation components.
- Unique custom tools that can be used for hardware and software asset data collection, industrial protocol network analysis, attack surface mapping, and ICS vulnerability validation.
Syllabus (30 CPEs)
Download PDFICS Assessment Types and Concepts
Overview
This section introduces students to the various types of passive and active security assessments leveraged in ICS environments.
Exercises
- Build and program the student kit.
- Leverage industry frameworks and threat intel to add real-world adversary context to assessment activities.
- Identify and exploit operator workstation services.
- Develop custom scripts for process discovery and manipulation.
- Validate tools and techniques before using them in production environments.
Topics
- Identify and define assessment goals and outcomes.
- Choose appropriate assessment approaches aligned with industry directives, standards, and guidelines.
- Apply industry frameworks and threat intelligence to security assessment.
- Understand concepts, terminology, and resources related to ICS penetration testing and security assessments.
- Analyze consequences and impacts to physical equipment and its operations from assessments and threat group activities.
ICS Assessment Engagements
Overview
This section prepares students to plan, prepare, and execute safe and effective ICS security assessments.
Exercises
- Collect and analyze documentation during planning to define engagement scope and objectives.
- Analyze industrial communications using common tools and custom scripts to generate target lists.
- Identify unknown industrial protocols to develop enumeration capabilities.
- Automate system security posture assessment using existing OS tools and utilities.
- Perform adversary-in-the-middle attacks and manipulate device communication to demonstrate loss of control scenario.
Topics
- Outline a phased assessment methodology that includes planning, scoping, targeting, and passive and active analysis.
- Collaborate and coordinate with stakeholders from engineering, operations, administrators, and cybersecurity teams.
- Understand the importance of documentation, communication, and daily status reports.
- Align assessment activities with the SANS Five ICS Cybersecurity Critical Controls.
- Master network capture, analysis, replay, and spoofing techniques.
Top-Down Active Methodology
Overview
This section introduces a top-down active penetration methodology aligned to the ICS Cyber Kill Chain. Students will gain the skills to plan, prepare, and achieve engagement objectives in a simulated production DCS environment using “living off the land” techniques.
Exercises
- Exploit Active Directory Certificate Services to escalate privileges in an enterprise domain.
- Abuse credential reuse across IT/OT boundaries to pivot into the operational technology (OT) DMZ.
- Transfer tools to compromised systems and exfiltrate data using living-off-the-land binaries.
- Use existing system utilities to hijack operator sessions and gain access critical control network assets.
- Assess command and control (C2) capabilities in ICS environments.
- Bypass endpoint hardening controls and escape restricted operator environments.
- Enumerate control networks using built-in functionality and vendor tools.
Topics
- Align engagement scoping and reconnaissance with the ICS Cyber Kill Chain.
- Understand how Crown Jewel Analysis (CJA) aligns with targeting activities in the ICS Cyber Kill Chain.
- Understand why OT penetration test should follow an assumed breach scenario.
- Understand process enumeration techniques essential for realistic ICS attack scenario development.
- Identify the most effective targets and TTPs for process enumeration, regardless of industry sector.
Bottom-Up Passive Methodology
Overview
This section covers the bottom-up approach to ICS attack identification, delivery and execution, aligned with the ICS Cyber Kill Chain. Students will be able to develop and discuss realistic ICS attack scenarios with engagement stakeholders and gain the skills to demonstrate ICS attack impacts in controlled lab environments.
Exercises
- Enumerate DCS architectures and system functionality using vendor tools.
- Deploy and configure a shadow HMI to enumerate industrial process information.
- Identify and develop realistic ICS attack scenarios against DCS targets with expected physical consequences.
- Demonstrate an ICS attack on a safety system in a controlled lab environment.
Topics
- Collaborate with the customer to identify realistic ICS attack scenarios.
- Focus on Attack Delivery and Attack Execution applicable to their defense readiness to identify the most effective mitigation identification.
- Identify the most relevant targets and TTPs for effective attack scenario development in ICS penetration tests.
- Structure accurate and actionable penetration test report.
- Provide appropriate context to findings.
- Identify different mitigation options balanced across cost, effectiveness and time.
Active Assessment and Capture-the-Flag Exercise
Overview
This lively section represents the culmination of the ICS Penetration Testing and Assessments course. Students will apply the skills mastered in the course in a comprehensive, hands-on exercise where they will continue the penetration test and assessment against their local ICS613 kit and in-class physical range. Students will be provided with the scope and rules of engagement and work to identify and prioritize the weaknesses and vulnerabilities of the target organization’s industrial control systems. As a final step, students recommend next steps to improve their ICS defenses.
Exercises
- Apply skills learned throughout the course.
- Assess operational weaknesses and vulnerabilities.
- Identify and prioritize recommendations.
Topics
- Conduct an unstructured ICS assessment in a real-world scenario.
- Understand the impact associated with specific, learned, operational functions.
- Evaluate and prioritize security recommendations to enhance ICS defenses.
Prerequisites
This 600-level course is applied to assessments and pen-testing within ICS systems and networks. It would be beneficial for students to have a solid cyber foundation in assessing systems, pen-testing networks, digital forensics of hosts and servers, assessing wireless, and the fundamentals of ICS. Some suggested SANS courses are:
Laptop Requirements
Important! Bring your own system configured according to these instructions.
A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.
NOTE: Students must have administrator access to the operating system and all security software installed. Changes need to be made to personal firewalls and other host-based software for the labs to work.
- The latest version of Windows 10 or higher, macOS 10.15.x or later, or Linux also can install and run VMware virtualization products described below.
- Windows system can run Windows Subsystem for Linux
- 64-bit processor with the 64-bit operating system
- At least a USB port and a USB 3.0 Hub with a network adapter
- Ability to update BIOS configuration settings to enable virtualization (VT) support
- VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
- Access to an account with administrative permissions and the ability to disable all security software on your laptop, such as Antivirus and firewalls, if needed for the class
- At least 160 GB of free hard-drive space
- At least 8 GB of RAM and 16 GB recommended
- Wireless Ethernet 802.11 B/G/N/AC
NOTE: Apple Silicon devices cannot perform the necessary virtualization and cannot be used for this course.
Your course media will now be delivered via download. The media files for class can be large, some in the 40-50 GB range. Therefore, you need to allow plenty of time for the download to complete. Internet connections and speed vary significantly and are dependent on many different factors. Consequently, it is impossible to estimate the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.
SANS has begun providing printed materials in PDF form. Additionally, certain classes use an electronic workbook in addition to PDFs. In this new environment, a second monitor and a tablet device can be helpful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.
If you have additional questions about the laptop specifications, please contact customer service.
Author Statement
"Assessing risk in control environments can be dangerous and the consequences extreme. My experiences at Cutaway Security have demonstrated to me that having a consistent methodology to gather information through threat modeling, interviews, walkthroughs, network analysis, and safe attack surface mapping are necessary to make operations teams comfortable. The authors of this course have pulled from years of experience in evaluating production environments to create tactics and techniques that improve safety, reliability, and availability in any industrial or automation environment. This course is our method for passing this knowledge on to future generations and improving our societies."
"My experience developing internal offensive security programs for an asset owner and leading teams that execute penetration test engagements in live control system environments across nearly every industry vertical has taught me three things. First, penetration testing in the ICS/OT space requires a unique attitude, skillset, and approach. Second, the offensive security practices that work well in IT don't often translate to safe and effective pentests in OT, and in general, OT pentesting is not yet well defined or understood in the industry at large, whether by asset owners or by the professionals tasked with executing these assessments. And finally, my experience has left me with the conviction that there is an effective methodology for OT pentesting, it can be done safely, and it can be extraordinarily valuable as we work to secure our critical infrastructure. This class distills the expertise and experience of three authors, all with distinct yet complementary backgrounds, into a definitive methodological approach for real-world OT offensive security practitioners. It develops a mindset, defines a methodology, and documents a library of techniques to support safe, effective, and valuable OT penetration tests and assessments for the ICS/OT industry."
"Whether performed on a small, single facility ICS operation or a large, multi-national ICS corporation each ICS penetration testing or security assessment must be tailored to accommodate the organization’s needs in support of both their business goals and operational needs that extend beyond corporate IT environment. For most, these activities are employed to measure and improve cybersecurity defenses for the purpose of maintaining a safe, reliable and resilient ICS operation.
In my experience, the extreme variations and uniqueness in the deployment of technologies within ICS environments stem directly from the physical equipment for which these technologies are implemented. The scale in size and complexity common in these systems can be daunting when attempting to identify all vulnerabilities, ascertain all exposed weaknesses, and distill findings into actionable recommendations that are achievable and genuinely enhance the ICS defense posture. Therefore, performing ICS penetration testing or security assessments are focused around what protections are required to operate physical equipment safely and reliably.
This course equips students with the knowledge and skills to assess these environments with the utmost care and respect for the unique impacts and consequences they entail. It also emphasizes the identification, understanding, and assessment of weaknesses that directly affect the safety, reliability, and resilience of ICS physical systems and operations. Furthermore, the course provides guidance on selecting and employing appropriate tools and methodologies for ICS penetration tests and security assessments. In conclusion, this course will equip you with the assessment skills necessary to effectively present and demonstrate a clear path forward. This path will clearly outline the most advantageous actions to take immediately, the achievable goals to pursue, and the optimal strategies for moving forward."