Cyber threat actors have already proven they can turn off electricity to hundreds of thousands of homes from a remote location. In today’s environment, motors, pumps, switches, and valves are operated via special computing devices called industrial control systems. In our Operational Technology (OT) class, you will be immersed in cybersecurity topics focused on industrial control systems. The course consists of two days of content. Day one includes the DOE CyberStrike training, which is designed to highlight OT cybersecurity issues with exercises that target a programmable logic controller, human machine interface, and the underlying networking infrastructure connecting the hardware. On day two, the cyber exercises further target industrial control systems as well as physical protection systems.
What to expect
The OT course is a combination of lectures and hands-on cyber exercises with industrial control systems and physical protection systems. There will be a morning break, lunch break, and an afternoon break during each day.
- Perform OT-focused open source reconnaissance techniques
- Connect to a human machine interface (HMI) and exploit a known vulnerability
- Take unauthorized control of an HMI
- Connect to and send unauthorized commands to a programmable logic controller (PLC)
- Extract, open, and analyze a piece of firmware
- Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control
- Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch
- Segment a single network on a managed switch into two virtual local area networks
- Explore the basic functionality of the Siemens TIA portal and how to connect to and operate a PLC process
- Perform Windows Event Log auditing to determine how unexpected actions were carried out on the Engineering Workstation
- Remove unauthorized services and modify the Windows Firewall
- Fingerprint the normal network traffic for the Industrial Control System
- Identify all connected systems, what protocols are in use, and then use that fingerprint to identify new and malicious traffic
- Identify the vulnerable system components that lead to system compromise
- Identify and remove persistent malware
- Operate the ICS in a normal scenario to baseline how the system behaves, and then monitor the system while malicious activities are conducted
- Perform remote debugging and analysis of a headless embedded PPS controller that has been compromised
- Investigate new behavior of a surveillance station following a system update
- Determine how the remote command and control instructions are sent to the surveillance station
- Explore the functionality of a two-factor access control system
- Identify different behaviors as the system is remotely manipulated to change the normal operating behavior
Who should attend?
- Security operation center staff
- Incident responders
- Reverse engineers
- Software engineers
- IT Staff responsible for operational technology or coordinating with OT/operations staff
- Cybersecurity staff with some responsibility for OT systems
- Operations staff who are responsible for OT/ICS/process systems
- Managers who are responsible for coordinating incident response or training, or who have an interest in how OT cybersecurity could fit into their organizational construct
Is this the right class for me?
If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.
- We will provide enough equipment to allow small groups to work together to complete the exercises.
- If you have a laptop with internet access and a Kali Linux OS and would like to bring it, please do.