
Oil & Gas Cybersecurity Summit 2019

Houston, TX | Mon, Sep 16 - Sun, Sep 22, 2019

ICS612: ICS Cybersecurity In-Depth

Tue, September 17 - Sat, September 21, 2019

This is the BEST day 1 I've ever had in a SANS course. The amount of labs and hardware made it very fun!

Ryan Paradis, BPA

ICS612 is an exceptional advanced ICS security course from the device level up to the head end. A must do course after ICS515.

Michael Hoffman, Shell

ICS-AWARE MALWARE AND ATTACKS ON CRITICAL INFRASTRUCTURE ARE INCREASING IN FREQUENCY AND SOPHISTICATION. YOU NEED TO IDENTIFY THREATS AND VULNERABILITIES AND METHODS TO SECURE YOUR ICS ENVIRONMENT. LET US SHOW YOU HOW!

The ICS612: ICS Cybersecurity In-Depth course will help you:

  • Learn active and passive methods to safely gather information about an ICS environment
  • Identify vulnerabilities in ICS environments
  • Determine how attackers can maliciously interrupt and control processes and how to build defenses
  • Implement proactive measures to prevent, detect, slow down, or stop attacks
  • Understand ICS operations and what "normal" looks like
  • Build choke points into an architecture and determine how they can be used to detect and respond to security incidents
  • Manage complex ICS environments and develop the capability to detect and respond to ICS security events

The course concepts and learning objectives are primarily driven by the focus on hands-on labs. The in-classroom lab setup was developed to simulate a real-world environment where a controller is monitoring/controlling devices deployed in the field, along with a field-mounted touchscreen Human Machine Interface (HMI) available for local personnel to make needed process changes. Using operator workstations in a remotely located control center, system operators use a SCADA system to monitor and control the field equipment. Representative of a real ICS environment, the classroom setup includes a connection to the enterprise, allowing for data transfer (e.g., to a Historian), remote access, and other typical corporate functions.

The labs move students through a variety of exercises that demonstrate how an attacker can attack a poorly architected ICS (which, sadly, is not uncommon) and how defenders can secure and manage the environment.

Course Syllabus


Tim Conway, Jason Dely, Jeffrey Shearer
Tue Sep 17th, 2019
9:00 AM - 5:00 PM

Overview

Learning Objective - Review of Lab Setup

  • Students will become familiar with the Programmable Logic Controller (PLC), I/O, and software used in the lab.
  • Goal: Students will learn and review ICS nomenclature and terminology and set up their lab station.

Learning Objective - Introduction to the PLC Platform Application Tools

  • Use ICS software to download and operate an existing PLC project.
  • Walk through the basic PLC programming terminology.
  • Download a new firmware file to the PLC, then download and run an existing project file.
  • Interact with the PLC and demonstrate an error in the program.
  • Goal: Students will understand the tools required to have a functional PLC. They will begin to understand the operational relationships between ICS hardware and software.

Learning Objective - Introduction to Programming a PLC

  • Carrying over from the previous lab, troubleshoot and fix the programming error.
  • Apply the fix and verify correctness.
  • Observe the lack of required authentication, or the use of weak credentials, on the PLC platform.
  • Goal: Students will understand what is required to modify the logic in a PLC. They will begin to learn some of the attack surface of the PLC.

Learning Objective - Service Discovery on PLC

  • Using Nmap, discover the services available on the PLC.
  • Where possible, interact with those identified services.
  • Determine the purpose and use of each available service.
  • Goal: Students will understand what services are available, the purposes they serve, and their criticality. They will expand their knowledge of the attack surface of the PLC.

Learning Objective - Introduction to the HMI Platform Application Tools

  • Use the ICS software to download and operate an existing HMI project.
  • Walk through the basic HMI programming terminology through an existing project.
  • Interact with the HMI and correlate the HMI configuration (objects/tags) with the PLC program.
  • Goal: Students will understand how a basic HMI operates. They will also learn the data relationships between PLC and HMI used in later labs.

Learning Objective - Understand HMI to PLC Communication

  • Using Wireshark, capture and dissect the ICS communication between the HMI and PLC.
  • Correlate the traffic with how the configuration of these devices transfers data over Ethernet.
  • Build the foundational knowledge needed to construct a network-level attack against the system.
  • Goal: Students will learn how data flows between PLC and HMI on the network. They will also begin to understand the weaknesses within ICS protocols.
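The dissection exercise above (and the later "HMI Bypass Attack, Direct to PLC" lab and the monitoring/logging day) comes down to one fact about most ICS protocols: the frame carries no authentication, so the only way to tell an operator's write from an attacker's is where it came from. The following is an added example written for this page, not course material or a SANS tool. It assumes the PLC speaks Modbus/TCP (the page does not name the lab protocol) and that the HMI is the only station permitted to write to the process; all addresses and frames are constructed, not captured.

```python
"""Dissect Modbus/TCP requests and flag process writes that bypass the HMI.

Added example for this page; it is not ICS612 course material. It assumes the
PLC speaks Modbus/TCP (the lab protocol is not named on the page) and that the
only station allowed to write to the process is the HMI. All frames and
addresses below are constructed, not captured.
"""
import struct
from dataclasses import dataclass

MODBUS_PORT = 502

# Function codes that change process state. A supervisory read-only view never
# sends these, so a write from anything other than the HMI is an HMI bypass.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int      # starting coil/register address from the PDU
    data: bytes       # remainder of the PDU (value or count)


def dissect(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header and the PDU behind it.

    Note what is absent: Modbus/TCP carries no authentication or integrity
    field, so nothing in the frame says who sent it. Attribution has to come
    from the network layer (source address, capture point).
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto_id, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol identifier {proto_id} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU bytes
        raise ValueError("MBAP length field disagrees with frame size")
    function = frame[7]
    pdu = frame[8:]
    address = struct.unpack(">H", pdu[:2])[0] if len(pdu) >= 2 else 0
    return ModbusRequest(tid, unit, function, address, pdu[2:])


def build_request(tid: int, unit: int, function: int, address: int, data: bytes) -> bytes:
    """Encode a request; used here only to construct sample traffic."""
    pdu = bytes([function]) + struct.pack(">H", address) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def describe(req: ModbusRequest) -> str:
    name = (WRITE_FUNCTIONS.get(req.function)
            or READ_FUNCTIONS.get(req.function)
            or f"FC {req.function}")
    return f"{name} @ {req.address} data={req.data.hex()}"


def audit(packets, hmi_addresses):
    """packets: iterable of (src_ip, dst_ip, dst_port, frame).

    Returns one alert per write request whose source is not an approved HMI.
    """
    alerts = []
    for src, dst, dport, frame in packets:
        if dport != MODBUS_PORT:
            continue
        req = dissect(frame)
        if req.function in WRITE_FUNCTIONS and src not in hmi_addresses:
            alerts.append({"src": src, "plc": dst, "function": req.function,
                           "detail": describe(req)})
    return alerts


# Constructed sample traffic: PLC 192.168.10.10, HMI 192.168.10.20, and an
# engineering laptop 192.168.10.99 that talks to the PLC directly.
PLC, HMI, LAPTOP = "192.168.10.10", "192.168.10.20", "192.168.10.99"
SAMPLE_PACKETS = [
    (HMI, PLC, 502, build_request(1, 1, 3, 0, b"\x00\x0a")),      # read 10 holding registers
    (HMI, PLC, 502, build_request(2, 1, 6, 1, b"\x00\x64")),      # HMI setpoint change
    (LAPTOP, PLC, 502, build_request(3, 1, 5, 0, b"\xff\x00")),   # force coil 0 ON, bypassing HMI
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_PACKETS, {HMI}):
        print("ALERT", alert)
```

Run it and only the laptop's coil write is reported; the HMI's own setpoint change is a legitimate write from an approved source. The same function-code check is what a network monitor at the Level 1/2 choke point would apply to a live capture, which is why the course puts so much weight on knowing which stations are supposed to write and placing the sensor where it can see them.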

CPE/CMU Credits: 6

Topics
  • Process familiarization using the Purdue model
  • Communication flow mapping referencing the Zones and conduit approach
  • Components of Level 0-2
  • Local I/O and local HMI communications
  • Understand operational functions
  • Understand inherent process weaknesses
  • Protocol dissection of operational data
  • Embedded device essentials
  • Operator Interface (OI) subsystems and communications
  • Safety systems
  • Process time

Tim Conway, Jason Dely, Jeffrey Shearer
Wed Sep 18th, 2019
9:00 AM - 5:00 PM

Overview

Learning Objective - Introduction to Peer-to-Peer Communications

  • Set up a Zone/Cell/Area within the larger Level 3 classroom "Production System" ICS network.
  • Connect to a central L3 router, monitor its system, and establish peer-to-peer system communications.
  • Detect additional PLC attacks from the Level 3 system and configure defenses to thwart the attack.
  • Goal: This lab will help students recognize the relationships between Zones/Cells/Areas. Just like in the real world, students will communicate with owners of adjacent systems to map out baseline communications within an ICS.

Learning Objective - Introduction to SCADA Systems

  • Identify components of a SCADA system and the components of the classroom "Production System" setup.
  • Walk through the common use cases, weaknesses, and defenses of traditional IT network services, including Active Directory, DNS, DHCP, NTP, SMB, etc.
  • Goal: Students will learn the components and communications of a SCADA system. They will also learn the overlap and use of traditional IT technologies within ICS.

Learning Objective - OPC Communications

  • Configure, or validate, the connectivity between the OPC server and the student's local PLC.
  • Create an OPC client connection from the local station to the OPC server at the front of the room.
  • Observe an OPC exploit against the system, then navigate and configure the local operating system security settings to mitigate the exploit.
  • Goal: Students will learn the common OS components, weaknesses of OPC communications, and possible defenses.

CPE/CMU Credits: 6

Topics
  • Learn components of Level 3
  • Learn peer-to-peer communications between PLCs
  • Learn SCADA/OPC communications
  • Learn the use and dependencies of traditional IT services (DNS, AD, DHCP, NTP, etc.)
  • Vendor security models and industrial DMZs
  • Learn attack vectors and defense techniques from Level 3

Tim Conway, Jason Dely, Jeffrey Shearer
Thu Sep 19th, 2019
9:00 AM - 5:00 PM

Overview

Learning Objective - Network Architecture and Technology in ICS

  • Learn the weaknesses of a flat ICS network and the defense options (e.g., segmentation).
  • Identify service and communication requirements between Level 2 and Level 3 and build appropriate segmentation/defenses.
  • Invoke an attack on the system, then configure stateful and stateless ACLs and compare how each handles the attack.
  • Goal: Students will learn how common IT network technology is deployed in the environment, its common weaknesses, and defense strategies. Students will learn some basic (yet highly overlooked) firewall settings to build a defensive perimeter.
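The stateful-versus-stateless comparison in the objective above, worked as a small simulation. This is an added example for this page, not course material: it models the classic stateless router ACL with an "established" rule (which, as the Cisco IOS keyword of that name does, matches any TCP segment with the ACK or RST bit set) against a connection-tracking filter. The Level 2/3 address ranges, the historian's port, the host addresses and every packet are assumptions constructed for the example.

```python
"""Stateless 'established' ACL versus a stateful filter at the Level 2/3 boundary.

Added example for this page, not course material. Addressing is assumed:
Level 2 control network 10.2.0.0/24, Level 3 site network 10.3.0.0/24, a
historian at 10.3.0.5 listening on TCP 5450 (port chosen for the example) and
the PLC at 10.2.0.10 on TCP 502. All packets are constructed.
"""
import ipaddress
from dataclasses import dataclass

LEVEL2 = ipaddress.ip_network("10.2.0.0/24")
LEVEL3 = ipaddress.ip_network("10.3.0.0/24")
HISTORIAN, HISTORIAN_PORT = "10.3.0.5", 5450


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST", "FIN"}


def _in(ip: str, net) -> bool:
    return ipaddress.ip_address(ip) in net


def _outbound_ok(p: Packet) -> bool:
    """Business requirement: only Level 2 may open sessions, and only to the historian."""
    return _in(p.src, LEVEL2) and p.dst == HISTORIAN and p.dport == HISTORIAN_PORT


def stateless_acl(p: Packet) -> bool:
    """Classic router ACL. Return traffic from Level 3 is approximated by an
    'established' rule that matches any segment with ACK or RST set; the ACL
    keeps no memory of which sessions actually exist."""
    if _outbound_ok(p):
        return True
    if _in(p.src, LEVEL3) and _in(p.dst, LEVEL2) and p.flags & {"ACK", "RST"}:
        return True
    return False


class StatefulFilter:
    """Connection-tracking filter: Level 3 -> Level 2 passes only when it is
    the reverse of a session that Level 2 opened with a SYN."""

    def __init__(self):
        self.sessions = set()

    def allow(self, p: Packet) -> bool:
        if _outbound_ok(p):
            key = (p.src, p.sport, p.dst, p.dport)
            if "SYN" in p.flags and "ACK" not in p.flags:
                self.sessions.add(key)
            return key in self.sessions
        reverse = (p.dst, p.dport, p.src, p.sport)
        return reverse in self.sessions


def evaluate(packets):
    """Run the same packet sequence through both filters; return verdicts."""
    stateful = StatefulFilter()
    return [(label, stateless_acl(p), stateful.allow(p)) for label, p in packets]


F = frozenset
SAMPLE = [
    ("HMI opens historian session", Packet("10.2.0.20", 40000, HISTORIAN, HISTORIAN_PORT, F({"SYN"}))),
    ("historian SYN/ACK reply",     Packet(HISTORIAN, HISTORIAN_PORT, "10.2.0.20", 40000, F({"SYN", "ACK"}))),
    ("HMI data segment",            Packet("10.2.0.20", 40000, HISTORIAN, HISTORIAN_PORT, F({"ACK"}))),
    ("L3 host SYN to PLC",          Packet("10.3.0.66", 50000, "10.2.0.10", 502, F({"SYN"}))),
    ("L3 host crafted ACK to PLC",  Packet("10.3.0.66", 50000, "10.2.0.10", 502, F({"ACK"}))),
]

if __name__ == "__main__":
    for label, stateless, stateful in evaluate(SAMPLE):
        print(f"{label:30} stateless={'PASS' if stateless else 'DROP'} "
              f"stateful={'PASS' if stateful else 'DROP'}")
```

The legitimate historian session passes both filters in both directions, and a plain SYN from Level 3 toward the PLC is dropped by both. The difference is the last packet: an ACK-only segment with no session behind it (exactly what an Nmap ACK scan, `nmap -sA`, sends) is waved through by the stateless rule and lets the Level 3 host map Level 2, while the stateful filter drops it because Level 2 never opened that connection.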

Learning Objective - ICS Firewalls

  • Implement in-line firewall.
  • Implement data diode.
  • Management network (iLO, remote management, Lantronix).

Learning Objective - ICS Perimeter

  • Learn methods to map ICS data flows and communication paths.
  • Identify and architect networks that support ICS business requirements.
  • Learn methods to restrict/reduce ICS network access to support minimal operations.
  • Learn common use cases: Historian, Remote Access, and Telemetry.

Learning Objective - Historians

  • Identify the business requirements for Historian systems.
  • Observe Historian system compromise and modify the architecture and configuration to defend.
  • Goal: Students will learn the components of a Historian system. They will learn how to securely architect, configure, and operate a Historian system into an ICS environment.

Learning Objective - Remote Access and Jump Host/2FA

  • Identify the business requirements for remote access.
  • Observe a remote access compromise, then modify the system architecture, configure a jump host server, and implement 2FA access to mitigate it.
  • Goal: Students will learn how to securely architect, configure, and operate a jump host providing access into an ICS environment.

CPE/CMU Credits: 6

Topics
  • Understand connected process
  • Analyze case studies in ICS environments and secure plant design
  • Identify typical trusted communications flows (Time, File sharing, Remote Access, Historians, AD replication, Reverse Web Proxies, Patch servers)

Tim Conway, Jason Dely, Jeffrey Shearer
Fri Sep 20th, 2019
9:00 AM - 5:00 PM

Overview

Learning Objective - ICS System Monitoring and Logging

  • Establish logging and alerting of local process assets into the environment log aggregator.
  • Goal: Students will ensure logged events are tuned for "events of interest" and implement industry-leading tools to view and detect abnormal behavior.

Learning Objective - ICS Asset Management

  • Evaluate patching and change management strategies and solutions to ensure asset management and system integrity visibility.
  • Goal: Students will learn how to manage a complex set of ICS assets and develop the capability to detect and respond to security events occurring at the control system level.

Learning Objective - ICS Asset Validation

  • Evaluate approaches to ensure or restore the integrity of a system to a known good state.
  • Goal: Students will evaluate the pre-work necessary for an organization to have the ability to return a compromised system to a reliable operating state.
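The "pre-work" the objective above refers to is, at minimum, a trusted record of what known-good looks like, taken before anything goes wrong. The following is an added example for this page, not a course tool: it builds a SHA-256 manifest of the project files, signs the manifest with a key kept off the control network so a tampered file cannot be hidden by also editing the manifest, verifies a later snapshot against it, and turns the result into the actions a restore runbook needs. The file names and contents are made up so the example runs offline; in practice the bytes would come from the engineering workstation's project files or a program upload from the controller.

```python
"""Known-good baseline for PLC/HMI project files: build, sign, verify.

Added example for this page, not a course tool. The 'files' are in-memory
byte strings with made-up names so the example runs offline; in practice the
baseline would be taken from the engineering workstation's project files (or
a program upload from the controller) right after commissioning.
"""
import hashlib
import hmac
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Map each file name to its SHA-256 digest, in a canonical order."""
    return {name: sha256(data) for name, data in sorted(files.items())}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest. The key lives off the control
    network, so someone who alters a project file on the workstation cannot
    also quietly rewrite the manifest to match."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(manifest: dict, signature: str, key: bytes, files: dict) -> dict:
    """Compare the live files against the signed baseline.

    Returns which files changed, vanished, or appeared. A bad signature is
    reported and the file comparison is skipped, because a manifest of
    unknown origin cannot define 'known good'."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return {"manifest_trusted": False, "changed": [], "missing": [], "unexpected": []}
    changed = sorted(n for n in manifest if n in files and sha256(files[n]) != manifest[n])
    missing = sorted(n for n in manifest if n not in files)
    unexpected = sorted(n for n in files if n not in manifest)
    return {"manifest_trusted": True, "changed": changed, "missing": missing,
            "unexpected": unexpected}


def restore_plan(report: dict) -> list:
    """Turn a verification report into the actions a restore runbook needs."""
    if not report["manifest_trusted"]:
        return ["obtain a trusted baseline before touching the system"]
    plan = [f"re-download golden copy of {n}" for n in report["changed"] + report["missing"]]
    plan += [f"quarantine and investigate {n}" for n in report["unexpected"]]
    return plan or ["system matches known-good baseline"]


# Constructed baseline taken 'at commissioning' and a later live snapshot.
BASELINE_KEY = b"example-only-key-kept-offline"
GOLDEN_FILES = {
    "plc_program.bin": b"rung1: start_pb -> pump_run\nEND\n",
    "hmi_project.bin": b"screen=overview;tag=pump_run\n",
    "plc_firmware.bin": b"fw-ver-20.11\n",
}
MANIFEST = build_manifest(GOLDEN_FILES)
SIGNATURE = sign_manifest(MANIFEST, BASELINE_KEY)

LIVE_FILES = dict(GOLDEN_FILES)
LIVE_FILES["plc_program.bin"] = b"rung1: start_pb -> pump_run\nrung2: 1 -> valve_open\nEND\n"  # extra rung
LIVE_FILES["remote_tool.exe"] = b"MZ...\n"                                                   # nobody commissioned this
del LIVE_FILES["plc_firmware.bin"]                                                            # firmware image gone

if __name__ == "__main__":
    report = verify(MANIFEST, SIGNATURE, BASELINE_KEY, LIVE_FILES)
    for step in restore_plan(report):
        print(step)
```

Running it against the constructed snapshot yields three actions: re-download the golden PLC program (a rung was added), re-download the missing firmware image, and quarantine the unexpected executable. The point of signing is visible in the test: if the manifest entry for the PLC program is "corrected" to match the altered file, the signature no longer verifies and the report refuses to call anything known-good.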

CPE/CMU Credits: 6

Topics
  • Logging and traffic collection in an ICS environment
  • Monitoring and alerting in ICS networks
  • Monitoring and alerting in a serial network
  • System integrity verification

Tim Conway, Jason Dely, Jeffrey Shearer
Sat Sep 21st, 2019
9:00 AM - 5:00 PM

Overview

Learning Objective - Hands-on Environment Troubleshooting

Attack/Defend - ICS NetWars Style Challenge

  • Level 1: questions on local process
  • Level 2: questions on shared process
  • Level 3: questions on the head end process environment
  • Level 4: questions on environment manipulation

CPE/CMU Credits: 6

Topics
  • Pivoting and positioning in an ICS target environment
  • Operational traffic reverse engineering
  • Protocol-level manipulation
  • Firmware manipulation
  • Industrial wireless discovery and attack
  • Time synchronization manipulation
  • Data table and scaling modifications

Additional Information

!!IMPORTANT - BRING YOUR OWN SYSTEM CONFIGURED USING THESE DIRECTIONS!!

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

The ICS612 course consists of instruction and a significant number of hands-on exercises. The exercises are designed to allow students to put knowledge gained throughout the course into practice in an instructor-led environment. Students will have the opportunity to install, configure, and use the tools and techniques that they have learned.

NOTE: Do not bring a regular production laptop for this class! When installing software, there is always a chance of breaking something else on the system. Students should assume that all data could be lost.

NOTE: It is critical that students have administrator access to the operating system and the ability to disable all security software installed. Changes may need to be made to personal firewalls and other host-based software in order for the labs to work.

Laptop requirements include the following:

  • 64-bit processor with 64-bit operating system
  • VT or other 64-bit virtualization settings enabled in your BIOS to run 64-bit VMs
  • At least 8 GB of RAM
  • At least 50 GB of free hard-drive space
  • At least one USB port
  • Ability to update BIOS configuration settings to enable virtualization (VT) support
  • VMware Player 15 (or later), VMware Workstation 15 (or later), or VMware Fusion 11 (or later) installed BEFORE class
  • Access to an account with administrative permissions and the ability to disable all security software on your laptop such as Antivirus and/or firewalls if needed for the class
  • If you are using Linux for your host machine, you will need ExFAT drivers installed to read the class USB drive

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Who Should Attend

  • ICS410 Course Alumni - Students who have successfully completed ICS410: ICS/SCADA Security Essentials will have the base knowledge considered a prerequisite for this course.
  • Process Control Engineers
  • Systems or Safety System Engineers
  • Active Defenders in ICS
  • Anyone with significant control system experience interested in understanding processes and methods to secure the ICS environment

ICS612 is an advanced course that focuses on the engineering, implementation, and support of a secure control system environment. We recommend that students complete ICS410 or have a strong understanding of the topics covered in that course.

What You Will Receive

  • Student USB drive loaded with ICS lab data, device configurations, and PLC and HMI project files.
  • Multiple virtual machine images including RELICS, which is designed for asset identification and for performing security assessments on ICS systems.
  • A PLC and local HMI system for student labs. Students will use this equipment throughout the course and will keep them after the course is completed.
  • Local analog and digital devices for interacting with the PLC system.

ICS612: ICS CYBERSECURITY IN-DEPTH WILL PREPARE YOUR TEAM TO:

  • Gain hands-on experience with typical assets found within an industrial environment, including Programmable Logic Controller (PLC), Operator Interfaces (OI) for local control, Human Machine Interface (HMI) servers, Historian server, switches, routers, and firewall(s).
  • Gain an understanding of PLC execution through hands-on exercises.
  • Identify security methods that can be applied to real-time control and Input/Output systems.
  • Understand the pros and cons of various PLC and HMI architectures with recommendations for improving security postures of these real-time control systems.
  • Identify where critical assets exist within an industrial environment.
  • Understand the role and design of an Industrial Demilitarized Zone (IDMZ).
  • Gain hands-on experience with firewalls placed within the industrial zone to achieve cell-to-cell isolation and perimeter restrictions.
  • Dissect multiple industrial protocols to understand normal and abnormal traffic used in the operational control of assets.
  • Gain an understanding of the role of IT network services within ICS and identify security methods that can be applied.
  • Use the RELICS virtual machine for asset and traffic identification.
  • Troubleshoot configuration errors within an operational environment.
  • Understand adversary approaches in targeting and manipulating industrial control systems.

ICS612: ICS CYBERSECURITY IN-DEPTH

  • Introduction to the PLC Platform Application Tools
  • Introduction to Programming a PLC
  • Service Discovery on PLC
  • Introduction to the HMI Platform Application Tools
  • Understand HMI to PLC Communication
  • HMI Bypass Attack, Direct to PLC
  • Level 0-2 Defense Techniques
  • Introduction to Peer-to-Peer Communications
  • Introduction to SCADA Systems
  • OPC Communications
  • Network Architecture and Technology in ICS
  • ICS Firewalls
  • ICS Perimeter
  • Historian
  • Remote Access and Jump Host/2FA
  • Wireless and Telemetry Network Defense Techniques
  • ICS System monitoring and logging
  • ICS Asset Management
  • ICS Asset Validation
  • Attack/Defend - ICS NetWars-style Challenge

Author Statement

"During my 30+ years of working directly in the field of industrial automation, the biggest change I have seen is not with control fundamentals. Rather, the most disruptive change has been with connectivity technology. By connectivity technology I mean there has been a move away from proprietary physical and logical layers to a pervasive adoption of commercial off-the-shelf Ethernet technology. Ethernet adoption has changed the industrial control discipline. Industrial control engineers are forced to either learn networking and security principles or work with other professionals to achieve a reliable and secure infrastructure to support real-time control systems."

- Jeff Shearer

"I am very excited to be a part of the author team that has worked on and will be bringing this great course to the dedicated industrial control system community. This course has been designed to provide students with practitioner-focused, hands-on lab exercises that have been developed to reinforce the skills necessary for professionals working to defend critical operational environments. As these control system environments become increasingly cyber-enabled, interconnected, and targeted by adversaries, it is essential that the capabilities of the workforce continue to progress in order to ensure safe and reliable operations. The lab exercises, tools, control system components, exposure to leading ICS solutions, and development of expanded defender capabilities in this course will be immediately applicable for students."

- Tim Conway

"I am excited to bring my 20 years of working on and securing industrial control systems (ICS) across multiple industries to this course to help others accelerate the development of their knowledge and skills. Under what might seem like a simple category such as ICS, it is easy to overlook the complex variations around business requirements, technologies, and operations across various industry types and organizations. ICS supports the mission of the organization and we must secure these environments in alignment with what makes them unique. To do this, the selection of the right security technology and security processes requires an ability to discover and understand the 'glue' behind the entire technology stack and operational requirements that make these systems unique. The students will take a journey that teaches them how to pull back the curtain and truly understand how to engineer security specific to the environments they will face in their career."

- Jason Dely

"I am really excited to be on the team developing this course and to be able to share some of the things I have learned over my career. As the ICS industry continues to change and evolve, we, as security practitioners, need to understand the capabilities and risks of these ICS environments and be prepared to support and defend them. While many SANS courses focus on either defending or attacking the environment or responding to an attack, this course is designed to give the students the complete picture. Students will learn everything from programming a PLC to designing a more secure ICS environment to understanding how an attacker may try to circumvent the protections in place. This is truly a hands-on class that promises to have something for everyone."

- Chris Robinson