Why spend high prices to take courses from other organizations that fail to have instructors that have worked in the OT field designing, commissioning, maintaining and securing Industrial Control Systems? SCADAhacker offers on-line training developed by practitioners in both ICS system design/operation and cyber security design/implementation. SCADAhacker can save companies thousands of dollars over other proprietary courses that lack sophisticated infrastructure associated with today's on-line training methodologies. SCADAhacker blends leading edge ICS cyber security content coupled with an extensive textbook (not offered by any other program!) and an advanced learning management system designed to allow students the opportunity to reinforce learning objectives that may require extra attention. Sound interesting ... keep on reading.

As the recent lead SCADA Security Instructor for InfoSec Institute, and having been involved directly with industrial automation and control systems for more than 35 years, we have quickly realized that there is a shortfall in training to address how to secure industrial control systems like Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS). There are several very good courses currently available,however, when reviewing the syllabi of these courses, it becomes clear that they tend to focus too much on either (1) theoretical aspects of the problem, or (2) the hacking or red team side of ICS security. Knowing this, and not trying to duplicate what is currently available, we am pleased to launch SCADAhacker Online Unversity beginning with the highly successful "Fundamentals of ICS Cyber Security". This course originally offered under the title "Understanding, Assessing and Securing Industrial Control Systems" has evolved since its first launch in May 2012 to include various course offerings that span from basic and introductory to full-scope, comprehensive courses that teach in depth concepts of ICS as well as advanced securing techniques. Additional courses will be added to the curriculum in coming months.

The training program initially launched under the SCADAhacker name has been moved to the newly formed Industrial Control System Cyber Security Institute. Under this exciting new organization, the original course content covered here, is now included as part of a comprehensive ICS cyber security curriculum.

These courses are primarily targetted at end-users, asset owners, integrators and vendors who are faced with the challenge of securing systems.

This exciting new very advanced course supplies an environment to learn and apply offensive cyber operational (OCO) skills to a range of operational technology architectures. It introduces tactics, techniques, and procedures (TTP) to a range of real-world architectures, components, devices, and protocols that leverage both traditional software vulnerabilities and other more subtle, hard to find yet equally if not, more powerful human vulnerabilities that arise from typical system configuration and usage.

This course focuses primarily on lab exercises with presentation-based lectures used to introduce new concepts and review class progress at the completion of each exercise. Exercises will be conducted on a combination of student-hosted platforms (either directly or via local type 2 hypervisors) and the ICSCSI ICS Cyber Range elements accessed via the Learning Management System (LMS).

Introductory exercises will use simple, two-device one-network architectures, and will becoming increasing more advanced with three-zone and five-zone SCADA and DCS architectures that include both redundant and non-redundant server, workstation, network, and control platforms.

The course uses the basic concepts covered under an ethical hacking framework and expands upon this with decades of instructor experience in both conceptual and detailed design covering system procurement, configuration, testing, commissioning, and supporting large-scale integration industrial control systems. This experience provides students with a unique opportunity to understand the true nature of industrial automation and control, the integration of a “system of systems” more fully into a single cohesive architecture, and the contrast between perceived and actual exploitability.

No quizzes will be administered during this course. Student grading will be decided subjectively by the instructor based on student participation, understand of concepts, execution of procedures, and completion of target results. There is no certification that will be offered in the first release of this course. An accredited certification program that includes both written and practical components is expected based on initial student interest. Continuing Education Units (CEU) will be offered for this course. An optional practical exercise is available to get +20 CEUs by submitting a Security Test Report based on one of the scenarios covered in the course.

Learning Objectives

• Industrial Architectures, Systems & Communications
• ICS Reference Architecture
• Common Open Protocols
• Common Community Protocols
• Common Proprietary Protocols
• Sample Vendor Reference Architectures
• Reference Architecture Data Flow Analysis

• Ethical Hacking Methodologies & Tools
• Information Gathering
• Scanning, Enumeration and Fingerprinting
• Gaining Access
• Maintaining Access
• Covering Your Tracks

• Basic Exploitation
• Payload Development
• Payload Deployment
• Command and Control
• Elevation of Privilege
• Establish Persistence
• Gather Loot
• Lateral Movement
• Chained Exploits

• Discovering & Exploiting ICS Weaknesses
• Host-based Targets
• Device-based Targets
• Network-based Targets

• Pwning ICS Operations
• “Crash and Burn” vs “Conquer and Control”
• Detection Avoidance
• “Redundancy or Not”

• Attacking an Enterprise-Connected SCADA System
• System Architecture (Gray Box) – Multi-Zone No Redundancy
• Initial Infection
• Information Disclosure
• Enumeration
• Lateral Movement
• Hunt and Repeat
• Finding the Pot of Gold

• Attacking an Enterprise-Connected DCS System
• System Architecture (Black Box) – Multi-Zone + Redundancy
• Drop Point – Open Control Net (Easy)
• Drop Point – Supervisory Net (Moderate)
• Drop Point – Closed Control Net (Difficult)
• Drop Point – DMZ Net (Very Difficult)
• Drop Point – Office Net (Extremely Difficult)

• Debriefing
• Sharing Results
• Summarizing Findings & Results (Optional)

Student Computer Requirements

Students will have to supply their own laptop to take part in this course. It is recommended that this is NOT a production computer used in the day-to-day business environment of the student, but rather a computer that MUST provide the user with administrative authorization in order to make major system configuration changed, including (but not limited to): installing software, installing hypervisors, modifying system features (Windows), changing network configuration settings, changing BIOS/UEFI settings, and modifying system boot settings (may require disabling TPM). The instructor will also discuss the use of a multiple-boot configuration to host offensive and defensive tools without the potential for interaction between the platforms. More requirements are summarized below:

• Minimum Computer Requirements
• Administrative authorization to install applications, platform features, and configuration settings including local policy objects
• 4C Intel Core i5 64-bit (2.4GHz)
• 8GB RAM
• 240GB HDD
• Wireless NIC
• Mouse (preferred over Touchpad)
• 11" Monitor
• 1 USB2/USB3 Port

• Recommended Computer Requirements
• Administrative authorization to install applications, platform features, and configuration settings including local policy objects
• 4C Intel Core i7 64-bit (3.5GHz)
• 16GB RAM
• 500GB HDD
• Wireless NIC
• 100/1000BT RJ45 Wired NIC
• Mouse (preferred over Touchpad)
• 15" Monitor
• 2 USB2/USB3 Port

Prerequisites and Basic Skills Requirements

The material is “very advanced” in nature and to cover the vital material outlined above, limited time will be spent teaching basic and intermediate skills. The exercises have detailed descriptive and prescriptive text to complete the activities, but it is impossible for all exercises to address all potential scenarios typical in an advanced learning environment. It is recommended that students have as a minimum the following skills before considering this course. Skills should not be confused with certifications. Students should be able to perform in an operational environment and use skills covered in basic and intermediate security; industrial automation, control, and security fundamentals; and ethical hacking and offensive cyber operations.

• Working knowledge of the Windows operating system beginning at kernel version 5 including software installation via Store and installation media, navigating the file system, use of encrypted file systems, compression and archiving, modifying application execution authorization level, Command Prompt usage, generating and validating file integrity, PowerShell scripting, managing Roles and Features, manipulating network connections, establishing Virtual Private Networks, and the use of common productive tools.
• Working knowledge of the Linux operating system (mainly Debian-based distributions including Ubuntu and Kali) that encompasses software installation methods (dpkg, aptitude), use of encrypted file systems, compression and archiving, modifying execution authorization level, shell usage, generating and validating file integrity, manipulating network connection, establishing Virtual Private Networks, and the use of productivity tools.
• Familiarization with the Kali open-source, Debian-based Linux distributed used for penetration testing, security research, computer forensics, and reverse engineering.
• Basic understanding of industrial architectures and the protocols used to communicate between application servers, communication servers, human-machine interfaces, infrastructure servers (e.g., file services, directory services, web services, update services), system gateways, and controllers.
• Basic understanding of networking and network access control technologies including access, distribution and core switching, routing, transparent and routed firewalls, networking bridging, unidirectional communication, the OSI 7-layer model, and the TCP 3-way handshake.
• Exposure to and some use of passive network analysis, enumeration and characterization tools that include Grass Marlin, Network Miner, tshark, tcpdump, and Wireshark.
• Exposure to and some use of active network analysis, enumeration, and characterization tools like arp, arping, arp-scan, hping, nmap, and snmp.
• Exposure to and some use of active vulnerability scanning solutions like Tenable Nessus and Greenbone Vulnerability Manager (OpenVAS) including custom scripting via the Nessus Attack Scripting Language (NASL) and OpenVAS-NASL.
• Exposure to common exploitation frameworks like Metasploit.
• Working knowledge of Type-2 (minimum) such as Microsoft Hyper-V, Oracle VM VirtualBox, Parallels Desktop [not recommended], VMware Fusion [not recommended], and VMware Workstation Pro; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).
• Exposure to and some use of Type-1 (recommended) hypervisors such as Citrix Hypervisor (Xen Server), Microsoft Hyper-V, KVM, Oracle VM, and VMware ESXi; and the creation of virtual machines and virtual networks, virtual switching and routing, and backup and restoration capabilities (e.g., snapshots).

Student Material

A sample of the student supplemental material includes (actual list may be adjusted):

• Industrial Network Security, 2nd edition (Syngress)
• Hacking Exposed: Industrial Control Systems (McGraw Hill)
• Pentesting Industrial Control Processes (Packt)
• Purple Team Field Manual (Tim Bryant)
• ICS Purple Team Field Manual (ICSCSI)

Training Logistics

Training classes will currently be capped at eight (8) student maximum. Due to the advanced nature of the material covered, the smaller class size insures sufficient individual attention can be provided. ICSCSI will make training available at various locations globally based on client interest. All ICSCSI arranged venues will include coffee and non-alcoholic drinks through the day, plus lunch. Students will also be provided with public Internet access during the course. Student supplies their own transportation, lodging, meals, and incidental expenses and insurance.

Group Pricing

Discounts are available for groups of four (4) or more. Course can be offered either at ICSCSI designed venue or hosted locally at a private client-provided venue. Discounts for on-site training will be subject to transportation, lodging, meals, and incidental expenses and insurance (if applicable) for the instructor(s). Public, unfiltered Internet connectivity must be supplied for training at any client-provided venue. Contact ICSCSI for group discounts and on-site options. Click here for details on military and government discounts.

Course Registration

This course will only be offered in "live" in-person sessions due to the complexity of the lab environment used throughout the course. This course is highly interactive and depends on student participation and interaction with other students to ensure success. The live sessions will be delivered over a consecutive 5-day period 8-hours each day.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). Please contact ICSCSI if an alternate form of payment is required.

After registration and receipt of payment, students will receive an email with sign-on instructions to access the learning management system with early access to preliminary content including a Student Questionnaire that should be completed as soon as possible. All course material will be distributed the first day of class.

This course is focused entirely on securing or "blue teaming" the industrial control system (ICS) architecture, and will include technical deep dives, optional demonstrations, and other relevant content that will be used to reinforce the selection and implementation of security controls relating specifically to ICS. The initial online version of this course will NOT include any lab exercises. The lab component of the course has been offered in the latest update launched in 2021. Legacy enrollments can purchase this lab content separately if desired.

Many of those individuals responsible for auditing, installing, or operating industrial control systems are aware of the need for cyber security, yet are confused on exactly what to implement, and how to verify the resulting solution. This course provides a solid foundation in addressing these concepts.

Course syllabus:

• Welcome and Course Overview
  
• ICS Fundamentals (Part 1): Operation, Design and Vulnerabilities
  • Learn what is an Industrial Control System
  • Learn how to simply a complex ICS architecture in terms of resources
  • Understand why ICS "operational" security is different from traditional IT "information" security
  • Understand why ICS are more vulnerable to cyber threats than other IT assets
  • Understand the typical vulnerabilities that exist within ICS architectures
• ICS Fundamentals (Part 2): Networking and Industrial Protocols
  • Understand the OSI 7-Layer Model
  • Learn important Networking Terminology and Concepts
  • Understand common Protocols, Ports and Services
  • Understand the difference between Routers and Firewalls
  • Understand Network Data Analysis
  • Learn about Fieldbus Industrial Protocols
  • Learn about Backend Industrial Protocols
• Assessing and Managing Risk
  • Understand the meaning of risk and how it impacts operational security and integrity
  • Become aware of the threats and vulnerabiltiies that exist within ICS architectures
  • Initate a risk assessment process to identify, classify and rank cyber security risks to ICS
  • Use the results of the risk assessment to select appropriate controls to mitigate the residual risk
• Auditing and Assessing ICS (Part 1): Methodology and Characterization
  • Understand the differences between security auditing, assessing and testing
  • Review some leading methodologies and understand how to tailor them to your unique situation
  • Look at theoretical versus physical security assessments
  • Learn how to perform both passive and active analysis
• Auditing and Assessing ICS (Part 2): System Assessment and Classification
  • Learn additional passive analysis techniques
  • Understand vulnerability assessments
  • Use vulnerability scanners to identify and classify vulnerabilities
  • Use vulnerability scanners to audit configurations against custom and best practice standards
  • Learn now to develop customized testing tools
• Standards and Best Practices for Industrial Security
  • Understand governmental impact on standards and regulations around cyber security
  • Gain insight into the varous cyber security standards and best practices, and how they can be used "concurrently"
  • Understand the difference between "compliance" standards and "performance" standards
  • Familiarize yourself with "industry" specific standards relating to cyber security
• Selecting and Implementing Security Controls for ICS
  • Understand what is meant by a security control
  • Understand the correlation between security controls and risk management
  • Learn about the different classes of security controls
  • Learn about the importance of applying mulitple security controls to meet the desired level of risk reduction
  • Introduction to a variety of security controls catalogs
  • Develop strategy for deploying "reasonable" controls for immediate results to ICS architectures

In addition to informative video lessons, each section contains an extensive list of supplimental information with links to any technical material referenced during the lesson including web sites, technical papers, network captures, and product information. Numerous video demonstrations are also provided, with many supplemented by security vulnerability reports, presentations and papers. This is one of the only courses that includes a textbook - "Industrial Network Security, 2nd ed." providing a learning experience unlike any other. (TVRA Sample Report only provide during select Live/In-Person courses)

This online course also includes a certification preparation module to help students prepare and pass the Certified SCADA Security Architect (CSSA) examination offered through Information Assurance Certification Review Board (IACRB). Save THOUSANDS of dollars off other certification programs!!!

The material covered in this class is sufficient to successfully pass the Global Industrial Cyber Security Professional (GICSP) offered through GIAC.

Each student will receive a Certificate of Training once all modules have been successfully viewed, and the associated self-assessments completed. These Continuing Education Units (CEU) can be used against other professional certifications like CISSP, CEH, etc.

Within 30 days of registration and receipt of payment, students will receive the Course Manual, course textbook "Industrial Network Security, 2nd edition", and sign-on instructions to access the training material online.

Students will receive a local copy of the extensive SCADAhacker Reference Library and catalog of software for creating security testing environments on other computing platforms. Students will also have access to an online library containing supplemental information, addendums, and corrections to course material.

Physical ICS security equipment representing that actually available for deployment in the field will be included as part of the material covered. This will include not only ICS equipment, but also associated security components as well. Some of the technologies that will be covered in this course include:

• Software and devices using common industrial protocols such as Modbus/TCP, TSAP, Ethernet/IP and Common Industrial Protocol (CIP)
• Industrial Firewalls such as the Tofino Security Appliance, Innominate mGuard, Siemens Scalance X, and Ultra/3eTI
• Unidirectional Security Gateways and Data Diodes (Waterfall Security Solutions)
• Application Whitelisting such as Microsoft Software Restriction Policies and McAfee Application Control
• Security Event and Incident Management solutions such as AlienVault OSSIM, McAfee Enterprise Security Manager and Splunk
• Network Encryptors (Certes Networks CEP)
• Firewalls and Firewall Evaluation Tools (Cisco, Athena)
• Vulnerability and Compliance Scanners from Tenable Networks (Nessus)

This course includes a certification preparation module to help students prepare and pass the Certified SCADA Security Architect (CSSA) examination offered through Information Assurance Certification Review Board (IACRB) (certification fees not included in course registration fee). Save THOUSANDS of dollars off other certification programs!!!

The material covered in this class is sufficient to successfully pass the Global Industrial Cyber Security Professional (GICSP) offered through GIAC.

Each student will receive a Certificate of Training once all modules have been successfully viewed, and the associated self-assessments completed. These Continuing Education Units (CEU) can be used against other professional certifications like CISSP, CEH, etc.

All payments are processed through PayPal using the links below and support a range of payment methods including credit/debit cards (a PayPal account is not required). Please contact ICSCSI if an alternate form of payment is required. Group discounts and on-site options are available. Click here for details on military and government discounts.

Why wait - even with the price of the GICSP examination, this college-level course can save you thousands when compared to "similar" SANS ICS course offerings!  Click here to watch an overview of the training program and the how SCADAhacker has built a learning management system unlike any other online training program.

After registration and receipt of payment, students will you will receive an email with sign-on instructions to access the learning management system. For remote streaming and on-demand courses, course materials will be shipped and should arrive in 1-2 weeks.

WHAT PREVIOUS STUDENTS HAVE TO SAY ABOUT SCADAHACKER TRAINING:

"This is a training program that make sense of it all. And is worth every penny if you have a desire to succeed and make a difference in the industry. The concepts and instructor’s approach lay common sense fundamentals in an understandable way to ensure your success incorporating the concepts in any ICS security program. If you need to further proof, take a look at the SCADAhacker and ICSCSI websites or the presentation videos on the S4 site. Listen to Joel Langill present, then you will see that he is one of the best teachers and mentors out there. Having participated in the SCADAhacker training many years ago, I still find myself accessing the online videos simply to keep reinforcing the concepts. Why, because they work. "
Frank Garone
Cyber Security Program Manager - Transportation (USA)

"Joel has meticulously developed very high quality training materials that lay the foundation for a head start in ICS security. Targeting ICS users by focusing on realistic state-of-the-art security methods and techniques. This is indispensable training by one of the rare true experts of the ICS security field. Highly recommended!"
Xander van der Voort
van der Voort Cyber Security (The Netherlands)

"This training is not to be missed!"
Lori Hayes
Cyber Security Specialist - Thornton Tomasetti (USA)

"Coming from an IT background, finally I could find a venue that would walk me through A-Z of ICS security. This training should be made a mandatory requirement for IT security personnel in Oil & Gas!"
Fuad Al-Ansari
Takreer (Abu Dhabi)

"Joel really is on the forefront of ICS/DCS Security! Excellent class!"
Manufacturing Cyber Security Analyst - Pharmaceutical Industry (USA)

"The most rewarding and practical class I have taken on any subject. If ICS security impacts you, this course is a must."
Brock Perry
Spartan Controls Ltd. (Canada)

"Fantastic! Great content and perfect combination of hands-on and theory. I left the course feeling re-energized and well-equipped to address ICS security. If you have an opportunity to attend this class - do it. Joel rocks!"
Andy Fenoglio
Tenaska, Inc. (USA)

"The best way to find out about what you know you don't know about ICS."
Andy McNeil - CISSP, CISA - New Market Services Corp. (USA)

"Despite your skill or exposure level to ICS security, you will walk away with a new perspective."
ICS Vendor (USA)

"This training is an eye opener to any ICS user, but specifically to vendors that should be more serious about ICS security."
ICS Vendor (USA)