Cyber Fire Operational Technology

What to expect

The OT course is a combination of lectures and hands-on exercises with industrial control systems emphasizing cybersecurity risks. This is a three-day course that runs from 8:30a-5:00p. Each topic in the course will include lectures, puzzles, labs, and lab review.

Technical Content

intermediate

Audience

Security operation center staff
Incident responders
Reverse engineers
Software engineers
IT Staff responsible for operational technology or coordinating with OT/operations staff
Cybersecurity staff with some responsibility for OT systems
Operations staff who are responsible for OT/ICS/process systems
Managers responsible for coordinating incident response, training, or who have an interest in how OT cybersecurity could fit into your organizational construct
Anyone interested in learning about OT

Applicability

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.

Objectives

Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries.
Understand OT network topology along with piping and instrument diagrams.
Understand the consequences of an OT cyberattack.
Understand how field controllers (RTU, IED, PAC, PLC) are different than a typical PC.
Perform OT-focused open-source reconnaissance techniques.
Understand how attackers take unauthorized control of a poorly protected HMI.
Understand how to extract, open, and analyze a piece of firmware.
Search PCAPs to find a malicious executable.
Locate potentially compromised hosts.
Determine origination of command and control traffic.
Recognize log file manipulations.

Typical Agenda

Day 0
180m	Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various industries. Learn how to identify OT equipment within process operations. Understand OT network topology along with piping and instrument diagrams. Understand the consequences of an OT cyberattack. ICS Protocols overview. Industrial Architecture.
180m	Learn how field controllers (RTU, IED, PAC, PLC) are different than a typical PC. Learn the fundamentals of ladder logic. Ladder logic exercises to write simple constructs.
Day 1
90m	CyberStrike Lights Out - Learn how cyber attackers remotely shut down electric power infrastructures in 2015 and 2016. Perform OT-focused open-source reconnaissance techniques. Connect to a remotely-operated HMI and exploit a known vulnerability.
90m	Take unauthorized control of an HMI. Connect to and send unauthorized commands to a PLC.
90m	Extract, open, and analyze a piece of industrial firmware. Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control.
90m	Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch. Segment a single network on a managed switch into two virtual local area networks.
Day 2
360m	Learning to leverage common tools to achieve the following. Conduct incident response exercises based on several notional OT compromises. Search PCAPs to find a malicious executable targeting ICS. Trace the attacker through the compromise to discover specific activities. Discover which hosts operated breaker commands. Discover where the command and control traffic is originating. Find out which ICS protocols the attacker was scanning for. Find out if the attacker manipulated log files.

Setup

For this course, a laptop is required. Participants will need to have administrative access on that laptop in order to run a virtual machine provided by the course instructors. The VM will require that the laptop be capable of running an Intel or AMD 64 bit virtual machine image.