Course: Operational Technology

Learn the peculiarities of computers that interact with the physical environment.


Cyber threat actors have already proven they can turn off electricity to hundreds of thousands of homes from a remote location. In today’s environment, motors, pumps, switches, and valves are operated via special computing devices called industrial control systems. In our Operational Technology (OT) class, you will be immersed in cybersecurity topics focused on industrial control systems. The course consists of two days of content. Day one includes the DOE CyberStrike training, which is designed to highlight OT cybersecurity issues with exercises that target a programmable logic controller, human machine interface, and the underlying networking infrastructure connecting the hardware. On day two, the cyber exercises further target industrial control systems as well as physical protection systems.

What to expect

The OT course is a combination of lectures and hands-on cyber exercises with industrial control systems and physical protection systems. There will be a morning break, lunch break, and an afternoon break during each day.

Who should attend?

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • IT Staff responsible for operational technology or coordinating with OT/operations staff
  • Cybersecurity staff with some responsibility for OT systems
  • Operations staff who are responsible for OT/ICS/process systems
  • Managers responsible for coordinating incident response, training, or who have an interest in how OT cybersecurity could fit into your organizational construct

Is this the right class for me?

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.

Day 1

Topics Duration
  • Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries
  • Learn how to identify various OT equipment withing process operations
  • Understand OT network topology along with piping and instrument diagrams
  • Understand the consequences of an OT cyberattack
  • ICS Protocols overview
  • Industrial Architecture
180m
  • Learn how different field controllers (RTU, IED, PAC, PLC) are different than a typical PC
  • Learn the different ways these devices are programmed, including structured text, function block diagram, instruction lists, sequential function charts, C++, C#, etc, as well as other proprietary languages
  • PLC Programming Demonstration
  • Ladder logic demo to program compact logix 5370
  • OpenPLC and PLC Fiddle exercise to achieve the same outcome
  • Exercise to complete a series of different constructs available in LL (open contacts, close contacts, branch, latch, timers, counter etc)
180m

Day 2

Topics Duration
  • Learn how cyber attackers remotely shut down electric power infrastructures in 2015 and 2016
  • Perform OT-focused open-source reconnaissance techniques
  • Connect to a remotely operated human machine interface (HMI) and exploit a known vulnerability
90m
  • Take unauthorized control of an HMI
  • Connect to and send unauthorized commands to a programmable logic controller (PLC)
90m
  • Extract, open, and analyze a piece of firmware
  • Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control
90m
  • Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch
  • Segment a single network on a managed switch into two virtual local area networks
90m

Day 3

Topics Duration
  • Download and learn the latest version of the Cyber Security Evaluation Tool (CSET)
  • Learn the steps of a cybersecurity evaluation
  • Use the CSET tool to begin preparing an assessment
  • Begin a simple methodology and understand the standards associated with your type of infrastructure
  • Build a network diagram using the tool provided in CSET
  • Answer the standards and control questions and then output a report from CSET
120m
  • Guest Presentation – DHS Threat Hunting and Incident Response
  • Learn the basics of the OT cyber incident response process
60m
  • Conduct incident response exercises based on a notional OT compromise
  • Search pcaps to find a malicious executable
  • Trace the attacker through the compromise to discover specific activities
  • Decrypt ransomware used by the attacker
  • Discover which hosts operated breaker commands
  • Discover where the command and control traffic is originating
  • Find out which ICS protocols the attacker was scanning for
  • Find out if the attacker manipulated log files
180m

Laptop Configuration

In-person events

  • We will provide enough equipment to allow small groups to work together to complete the exercises.
  • If you have a laptop with internet access and a Kali Linux OS and would like to bring it, please do.

Online events

  • Instructions to be announced

What do I need to know?

Familiarity with IT cybersecurity topics will be helpful.

When should I arrive?

Please arrive before class begins. Class schedules should be available through the Cyber Fire website or information packet you received prior to attending.

Laptop configuration help is offered at Cyber Fire Foundry on Sunday evening before the event. Please visit the registration desk before coming to class.

Time outside of class

We will take coffee and lunch breaks as described in the printed Foundry schedule. We will make sure the room is locked or under observation from staff during lunch, but we are not responsible for the safety of anything you leave in the room. Lunch is usually on your own unless otherwise listed on the schedule.

Networking with peers is useful for the puzzle contest held after this course and making contacts outside your organization proves useful to many people after they return to work. Breaks during classes provide good opportunities to meet new people. Social events are usually held in the evenings once or twice during the week.

Course to take next

Host Forensics, Incident Coordination, or Malware Analysis.