SCADA Security Essentials

SCADA Security Essentials provides a foundational set of standardized skills and knowledge for industrial cybersecurity professionals. The course is designed to ensure that the workforce involved in supporting and defending industrial control systems is trained to keep the operational environment safe, secure, and resilient against current and emerging cyber threats.

Course Key Learnings:

• An understanding of industrial control system components, purposes, deployments, significant drivers, and constraints.
• Hands-on lab learning experiences to control system attack surfaces, methods, and tools
• Control system approaches to system and network defense architectures and techniques
• Incident-response skills in a control system environment
• Governance models and resources for industrial cybersecurity professionals.

Course Content:

Module1: ICS Overview

Overview

Takeaway: Students will develop and reinforce a common language and understanding of Industrial Control System (ICS) cybersecurity as well as the important considerations that come with cyber-to-physical operations within these environments. Each student will receive a programmable logic controller (PLC) device to keep. The PLC contains physical inputs and outputs that will be programmed in class and mapped to an operator interface, or HMI, also created in class. This improved hardware-enabled approach provides the necessary cyber-to-physical knowledge that allows students to better understand important ICS operational drivers and constraints that require specific safety protection, communications needs, system management approaches, and cybersecurity implementations. Essential terms, architectures, methodologies, and devices are all covered to build a common language for students from a variety of different roles.

Topics

Day 1 ICS Overview

• Global Industrial Cybersecurity Professional (GICSP) Overview
• Overview of ICS
  • Processes & Roles
  • Industries
  • Exercise: Learning from Peers
• Purdue Levels 0 and 1
  • Controllers and Field Devices
  • Programming Controllers
  • Exercise: Programming a PLC
• Purdue Levels 2 and 3
  • HMIs, Historians, Alarm Servers
  • Specialized Applications and Master Servers
  • Control Rooms and Plants
  • SCADA
  • Exercise: Programming an HMI

• IT & ICS Differences

  • ICS Life Cycle Challenges
• Physical and Cyber Security

Module2: Architectures and Processes

Overview

Takeaway: If you know the adversary’s approaches to attacking an ICS environment, you will be better prepared to defend that environment. Numerous attack vectors exist within an ICS environment. Some are similar to traditional IT systems, while others are more specific to ICS. During Day 2, students will develop a better understanding of where these specific attack vectors exist and more defensible architectures for OT/ICS. Students will look at different technologies and communications used in Perdue Levels 0 and 1, the levels that are the most different from an IT network. Students will capture fieldbus traffic from the PLCs they programmed in day 1 and look at what other fieldbus protocols used in the industry.

Topics

Day 2: Field Devices and Controllers

• ICS Attack Surface
  • Threat Actors and Reasons for Attack
  • Attack Surface and Inputs
  • Vulnerabilities
  • Threat/Attack Models
  • Information Leakage
  • Exercise: Identifying External Attack Surfaces
• Secure ICS Network Architectures
  • ICS410 Reference Model
  • Larger ICS Sites
  • Remote Access
  • Regional SCADA
  • Exercise: Architecting a Secure ICS Site
• Purdue Level 0 and 1
  • Purdue Level 0 and 1 Attacks
  • Control Things Platform
  • Exercise: Passwords in EEPROM Dumps
  • Purdue Level 0 and 1 Technologies
  • Fieldbus Protocol Families
  • Exercise: Exploring Fieldbus Protocols
  • Purdue Level 0 and 1 Defenses
  • Safety Instrumented Systems (SIS)

Module3:  Communications and Protocols

Overview

Takeaway: Day 3 will take students through the communication protocols often found throughout control networks. Students will analyze network captures containing other control protocols that traverse Ethernet-only networks and TCP/IP networks, set up a simulated controller, and interact with it through a control protocol. Students will learn about different methods to segment and control the flow of traffic through the control network. Students will explore cryptographic concepts and how they can be applied to communications protocols and on devices that store sensitive data. Students will learn about the risks of using wireless communications in control networks, which wireless technologies are commonly used, and available defenses for each.

Topics

Day 3: Supervisory Systems

• Ethernet and TCP/IP
  • Ethernet Concepts
  • TCP/IP Concepts
  • Exercise: Network Capture Analysis
  • ICS Protocols over TCP/IP
  • Wireshark and ICS Protocols
  • Attacks on Networks
  • Exercise: Enumerating Modbus TCP
• Enforcement Zone Devices
  • Firewalls and NextGen Firewalls
  • Modern Data Diodes
  • NIDS/NIPS and Netflow
  • USB Scanning and Honeypots
• Understanding Basic Cryptography
  • Crypto Keys
  • Encryption, Hashing, and Signatures
  • Exercise: Manual Cryptography
• Wireless Technologies
  • Satellite and Cellular
  • Mesh Networks and Microwave
  • Bluetooth and Wi-Fi

• Wireless Attacks and Defenses

  • 3 Eternal Risks of Wireless
  • Sniffing, DoS, Masquerading, Rogue AP

Module4: Supervisory Systems

Overview

Takeaway: Students will learn essential ICS-related server and workstation operating system capabilities, implementation approaches, and system management practices. After a hand-on network forensics exercise where students follow an attacker from phishing campaign to HMI breach, students will look at HMI, historian, and user interface technologies used in the middle to upper levels of the control network, namely Perdue Levels 2 and 3, while performing attacks on HMI web technologies and interfaces susceptible to password brute force attacks. In the afternoon, Students will learn about how to create baselines and secure Windows-based workstation and servers.

Topics

: Workstations and Servers

• Supervisory Servers
  • Supervisory Attacks
  • Historians and Databases
  • Exercise: Bypassing Auth with SQL Injection
• User Interfaces
  • HMI and UI Attacks
  • Web-based Attacks
  • Password Defenses
  • Exercise: Password Fuzzing
• Defending Microsoft Windows
  • Windows Services
  • Windows Security Policies and GPOs
  • Host Firewalls
  • Exercise: Baselining with PowerShell
• Patching ICS Systems
  • Patch Decision Tree
  • Vendors, CERTS, and Security Bulletin

Module5:ICS Security Governance

Overview

Takeaway: Day 5 will further explore baselines and hardening, but his time on Linux-based workstations and servers. Students will examine concepts that benefit ICS systems such as system hardening, log management, monitoring, alerting, and audit approaches, then look at some of the more common applications and databases used in ICS environments across multiple industries. Finally, students will learn about the various models, methodologies, and industry-specific regulations that are used to govern what must be done to protect critical ICS systems. Key business processes that consider risk assessments, disaster recovery, business impact analysis, and contingency planning will be examined from the perspective of ICS environments.

Topics

ICS Security Governance

• Defending Unix and Linux
  • Differences with Windows
  • Daemons, SystemV, and SystemD
  • Lynis and Bastille
  • Exercise: Hardening Linux
• Endpoint Protection and SIEMS
  • Application Runtime and Execution Control
  • Configuration Integrity and Containers
  • Logs in Windows and Linux
  • Exercise: Windows Event Logs
• Building an ICS Cyber Security Program
  • Starting the Process
  • Frameworks: ISA/IEC 62443, ISO/IEC 27001, NIST CSF
  • Using the NIST CSF
• Creating ICS Cyber Security Policy
  • Policies, Standards, Guidance, and Procedures
  • Culture and Enforcement
  • Examples and Sources
  • Exercise: ICS Security Policy Review
• Measuring Cyber Security Risk
  • Risk Approaches and Calculations
  • DR and BC Planning
• Incident Response
  • Six Step Process
  • Table Top Exercises
• Final Thoughts and Next Steps

Module6:  Capstone CTF

Overview

Students will work through a capture-the-flag (CTF) game based on an incident response exercise. Students must use the knowledge they gained throughout the week to identify indicators of compromise (IoCs), determine actions that should be taken to limit the attacker’s ability to compromise additional assets and react to changes in the attacker’s tactics, techniques, and procedures (TTPs) as they progress deeper into the OT/ICS network. Students will leave with various resources for multiple industries and be well prepared to pursue the GICSP, the internationally accepted and industry-leading ICS-focused professional certification

Course Prerequisite

Course participants need to have a basic understanding of networking and system administration, TCP/IP, networking design/architecture, vulnerability assessment, and risk methodologies.

This course covers many of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are brand new to the field and have no background knowledge, Intro to Cyber Security would be the recommended starting point

Who Should Attend ?