Operational Technology 1

What to expect

The OT course combines lectures with hands-on exercises on industrial control systems, with an emphasis on cybersecurity risks. This is a three-day course that runs from 8:30a-5:00p. Each topic in the course includes lectures, puzzles, demos, labs, and lab review.
Technical Content: Beginner

Audience

  • Security and operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • IT Staff responsible for operational technology or coordinating with OT/operations staff
  • Cybersecurity staff with some responsibility for OT systems
  • Operations staff who are responsible for OT/ICS/process systems
  • Managers responsible for coordinating incident response or training, or who have an interest in how OT cybersecurity could fit into their organizational structure
  • Anyone interested in learning about cybersecurity for OT

Applicability

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics. If you are unfamiliar with cybersecurity, this course will introduce you to common cybersecurity considerations for OT systems.

Objectives

  • Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries.
  • Understand OT network topology along with piping and instrument diagrams.
  • Understand the consequences of an OT cyberattack.
  • Understand how field controllers (RTU, IED, PAC, PLC) differ from a typical PC.
  • Understand how HMIs and PLCs work together to form SCADA systems.
  • Perform OT-focused open-source reconnaissance techniques.
  • Understand how attackers take unauthorized control of a poorly protected HMI.
  • Understand how to extract, open, and analyze a piece of firmware.
  • Search PCAPs to find a malicious executable.
  • Locate potentially compromised hosts.
  • Determine origination of command and control traffic.
  • Recognize log file manipulations.

Typical Agenda

Day 0
60m
  • Cybersecurity Fundamentals, including the following:
    • Security Triad
    • Threat Actors
    • System Security Threats
    • Hardware Threats
    • Threat Mitigation
    • Cryptography
    • System Administration
    • Security Mindset
    • DFIR
90m
  • Introduction to Operational Technology, including the following:
    • Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various industries
    • Learn how to identify OT equipment within process operations
    • Understand OT network topology along with piping and instrument diagrams
    • Understand the consequences of an OT cyberattack
    • Industrial Architecture
90m
  • ICS Protocols overview, including the following:
    • Overview of common industrial protocols such as:
      • Modbus
      • DNP3
      • EtherNet/IP (CIP)
    • In-depth look at Modbus packet structure
90m
  • Learn the fundamentals of ladder logic
  • Ladder logic exercises to write simple constructs
  • Exercises to create ladder logic programs that interact with training system device
Day 1
120m
  • Introduction to OpenPLC runtime
  • Introduction to OpenPLC programming
  • Exercises creating ladder logic programs in OpenPLC
  • Exercises to create ladder logic programs that interact with training system device
60m
  • Introduction to HMIs via Node Red flow programming
  • Demonstration of Node Red flows to control training system device
  • Exercises creating Node Red flows to control training system device
  • Exercises exploring methods to optimize security of such systems
180m
  • Connecting Node Red to OpenPLC to simulate HMI to PLC SCADA interaction
  • Exercises to create flows in Node Red that send ICS protocol commands to OpenPLC runtime to control the training system device
Day 2
360m
  • Learning to leverage common tools to achieve the following:
    • Conduct incident response exercises based on several notional OT compromises.
    • Search PCAPs to find a malicious executable targeting ICS.
    • Trace the attacker through the compromise to discover specific activities.
    • Discover which hosts operated breaker commands.
    • Discover where the command and control traffic is originating.
    • Find out which ICS protocols the attacker was scanning for.
    • Find out if the attacker manipulated log files.

Setup

For this course, a laptop is required. Participants will need administrative access on that laptop in order to run a virtual machine provided by the course instructors. The laptop must be capable of running an Intel or AMD 64-bit virtual machine image.