Operational Technology

Learn the peculiarities of computers that interact with the physical environment.

Cyber threat actors have already proven they can turn off electricity to hundreds of thousands of homes from a remote location. In today’s environment, motors, pumps, switches, and valves are operated via special computing devices called industrial control systems. In our Operational Technology (OT) class, you will be immersed in cybersecurity topics focused on industrial control systems. The course consists of two days of content. Day one includes the DOE CyberStrike training, which is designed to highlight OT cybersecurity issues with exercises that target a programmable logic controller, human machine interface, and the underlying networking infrastructure connecting the hardware. On day two, the cyber exercises further target industrial control systems as well as physical protection systems.

What to expect

The OT course is a combination of lectures and hands-on cyber exercises with industrial control systems and physical protection systems. There will be a morning break, lunch break, and an afternoon break during each day.

Day 1

  • Perform OT-focused open source reconnaissance techniques
  • Connect to a human machine interface (HMI) and exploit a known vulnerability
  • Take unauthorized control of an HMI
  • Connect to and send unauthorized commands to a programmable logic controller (PLC)
  • Extract, open, and analyze a piece of firmware
  • Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control
  • Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch
  • Segment a single network on a managed switch into two virtual local area networks

Day 2

  • Explore the basic functionality of the Siemens TIA portal and how to connect to and operate a PLC process
  • Perform Windows Event Log auditing to determine how unexpected actions were carried out on the Engineering Workstation
  • Remove unauthorized services and modify the Windows Firewall
  • Fingerprint the normal network traffic for the Industrial Control System
  • Identify all connected systems, what protocols are in use, and then use that fingerprint to identify new and malicious traffic
  • Identify the vulnerable system components that lead to system compromise
  • Identify and remove persistent malware
  • Operate the ICS in a normal scenario to baseline how the system behaves, and then monitor the system while malicious activities are conducted
  • Perform remote debugging and analysis of a headless embedded PPS controller that has been compromised
  • Investigate new behavior of a surveillance station following a system update
  • Determine how the remote command and control instructions are sent to the surveillance station
  • Explore the functionality of a 2 factor access control system
  • Identify different behaviors as the system is remotely manipulated to change the normal operating behavior

Who should attend?

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • IT Staff responsible for operational technology or coordinating with OT/operations staff
  • Cybersecurity staff with some responsibility for OT systems
  • Operations staff who are responsible for OT/ICS/process systems
  • Managers responsible for coordinating incident response, training, or who have an interest in how OT cybersecurity could fit into your organizational construct

Is this the right class for me?

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.

Laptop Configuration

In-person events

  • We will provide enough equipment to allow small groups to work together to complete the exercises.
  • If you have a laptop with internet access and a Kali Linux OS and would like to bring it, please do.

Online events

What do I need to know?

Familiarity with IT cybersecurity topics will be helpful.

When should I arrive?

Please arrive before class begins. Class schedules should be available through the Cyber Fire website or information packet you received prior to attending. Laptop configuration help is offered at Cyber Fire Foundry on Sunday evening before the event. Please visit the registration desk before coming to class.

Time outside of class

We will take coffee and lunch breaks as described in the printed Foundry schedule. We will make sure the room is locked or under observation from staff during lunch, but we are not responsible for the safety of anything you leave in the room. Lunch is usually on your own unless otherwise listed on the schedule. Networking with peers is useful for the puzzle contest held after this course and making contacts outside your organization proves useful to many people after they return to work. Breaks during classes provide good opportunities to meet new people. Social events are usually held in the evenings once or twice during the week.

Course to take next

Host Forensics, Incident Coordination, or Malware Analysis