Cyber Fire Operational Technology

What to expect

The OT course is a combination of lectures and hands-on cyber exercises with industrial control systems and physical protection systems. There will be a morning break, lunch break, and an afternoon break during each day.

Technical Content

intermediate

Audience

Security operation center staff
Incident responders
Reverse engineers
Software engineers
IT Staff responsible for operational technology or coordinating with OT/operations staff
Cybersecurity staff with some responsibility for OT systems
Operations staff who are responsible for OT/ICS/process systems
Managers responsible for coordinating incident response, training, or who have an interest in how OT cybersecurity could fit into your organizational construct

Applicability

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.

Objectives

Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries.
Understand OT network topology along with piping and instrument diagrams.
Understand the consequences of an OT cyberattack.
Understand how field controllers (RTU, IED, PAC, PLC) are different than a typical PC.
Perform OT-focused open-source reconnaissance techniques.
Understand how attackers take unauthorized control of a poorly protected HMI.
Understand how to extract, open, and analyze a piece of firmware.
Search PCAPs to find a malicious executable.
Locate potentially compromised hosts.
Determine origination of command and control traffic.
Recognize log file manipulations.

Typical Agenda

Day 0
180m	Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various industries. Learn how to identify OT equipment within process operations. Understand OT network topology along with piping and instrument diagrams. Understand the consequences of an OT cyberattack. ICS Protocols overview. Industrial Architecture.
180m	Learn how field controllers (RTU, IED, PAC, PLC) are different than a typical PC. Learn the fundamentals of ladder logic. Ladder logic exercises to write simple constructs.
Day 1
90m	CyberStrike Lights Out - Learn how cyber attackers remotely shut down electric power infrastructures in 2015 and 2016. Perform OT-focused open-source reconnaissance techniques. Connect to a remotely-operated HMI and exploit a known vulnerability.
90m	Take unauthorized control of an HMI. Connect to and send unauthorized commands to a PLC.
90m	Extract, open, and analyze a piece of industrial firmware. Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control.
90m	Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch. Segment a single network on a managed switch into two virtual local area networks.
Day 2
360m	Conduct incident response exercises based on several notional OT compromises. Search PCAPs to find a malicious executable targeting ICS. Trace the attacker through the compromise to discover specific activities. Decrypt ransomware used by the attacker. Discover which hosts operated breaker commands. Discover where the command and control traffic is originating. Find out which ICS protocols the attacker was scanning for. Find out if the attacker manipulated log files.

Setup

In-person events

We will provide enough equipment to allow small groups to work together to complete the exercises.
If you have a laptop with internet access and a Kali Linux OS and would like to bring it, please do.
Be sure to bring a laptop with a web browser for the collaborative exercise, if you are coming to a Foundry event!

Online events

A Setup Guide will be provided in the participant portal.