Operational Technology 2

What to expect

This course uses a mix of lecture, guided analysis, and hands-on scenario-based labs. Participants will interpret industrial control traffic, identify malicious activity, and perform process-aware incident response. Days run from 8:30a–5:00p with scheduled breaks and review discussions.
Technical Content: Advanced

Audience

  • OT / ICS cybersecurity engineers and analysts
  • SOC analysts supporting industrial environments
  • Incident responders who may encounter OT systems
  • Controls engineers seeking security threat awareness
  • Security professionals preparing for ICS threat hunting or ICS-CERT style response roles

Applicability

This course is appropriate for those with baseline ICS/OT knowledge who want to expand into advanced protocol analysis and incident response. Prior exposure to networking or cybersecurity fundamentals is expected.

Objectives

  • Deeply understand core ICS/OT protocols including Modbus/TCP, EtherNet/IP, DNP3, Profinet, and others.
  • Interpret control logic and correlate logic behavior to real-world industrial processes.
  • Identify adversarial TTPs specific to the ICS kill chain and to real-world attacks (e.g., CRASHOVERRIDE, TRISIS).
  • Analyze ladder logic, function block diagrams, and structured text to detect unauthorized logic changes.
  • Perform packet analysis to extract control-state changes, register/coil writes, and setpoint modifications.
  • Conduct incident response operations in OT while maintaining process stability and safety.
  • Reconstruct adversary timeline across engineering workstations, HMIs, controllers, historians, and network layers.
  • Communicate operational impact and risk to both operations and security leadership.

Typical Agenda

Day 0
180m
  • ICS/OT attack chain and adversarial techniques.
  • Industrial protocol stack structure and operational workflow.
  • Deep-dive of Modbus/TCP packet structure and command interpretation.
  • Control-system timing: scan cycles, process state feedback, and deterministic behavior.
180m
  • Lab on protocol decoding of real process traffic (pump, valve, well control scenarios).
  • Build and apply Wireshark protocol filters.
  • Simulate unauthorized register writes and observe physical/HMI divergence.
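The Day 0 lab decodes Modbus/TCP and flags unauthorized register writes. The following is an added example, not course material from the original page: it parses the 7-byte MBAP header and the PDU of the four state-changing function codes (0x05, 0x06, 0x0F, 0x10), then audits a constructed capture against an allowlist of hosts permitted to write (here a single HMI, 10.0.10.5, an assumed address) and an assumed engineering range for one setpoint register (holding register 0x0010, 0..500). The frames, hosts, register map and limits are all constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Modbus function codes that change controller state. Reads (0x01-0x04) are
# deliberately left out: they do not alter coils or registers.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusWrite:
    src: str           # IP address of the Modbus client that sent the request
    unit_id: int       # MBAP unit identifier (slave address)
    function: int      # Modbus function code
    address: int       # starting coil/register address, zero-based as on the wire
    values: List[int]  # written values, one per coil/register


def parse_adu(payload: bytes) -> Tuple[int, int, bytes]:
    """Split a Modbus/TCP ADU into (unit_id, function_code, data).

    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1).
    The length field counts the unit id plus the PDU, so it is used to reject
    truncated or padded frames instead of trusting the TCP segment boundary.
    """
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    pdu = payload[7:]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length %d does not match %d PDU bytes" % (length, len(pdu)))
    return unit, pdu[0], pdu[1:]


def extract_write(src: str, payload: bytes) -> Optional[ModbusWrite]:
    """Return a ModbusWrite for write requests, None for reads and other functions."""
    unit, fc, data = parse_adu(payload)
    if fc not in WRITE_FUNCTIONS:
        return None
    if fc in (0x05, 0x06):
        addr, value = struct.unpack(">HH", data[:4])
        values = [value]
    else:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        body = data[5:5 + nbytes]
        if len(body) != nbytes:
            raise ValueError("byte count %d exceeds available data" % nbytes)
        if fc == 0x10:
            if nbytes != 2 * qty:
                raise ValueError("byte count does not match register quantity")
            values = list(struct.unpack(">%dH" % qty, body))
        else:  # 0x0F: coils are packed LSB-first within each byte
            bits = int.from_bytes(body, "little")
            values = [(bits >> i) & 1 for i in range(qty)]
    return ModbusWrite(src, unit, fc, addr, values)


def audit(frames: List[Tuple[str, bytes]], allowed_writers: Set[str],
          setpoint_limits: Dict[int, Tuple[int, int]]) -> List[dict]:
    """Flag writes from hosts outside the allowlist and register values outside
    their engineering limits. Coil writes are checked for source only."""
    alerts = []
    for src, adu in frames:
        w = extract_write(src, adu)
        if w is None:
            continue
        if src not in allowed_writers:
            alerts.append({"src": src, "fc": w.function, "address": w.address,
                           "reason": "write from non-allowlisted host"})
        if w.function in (0x06, 0x10):
            for offset, value in enumerate(w.values):
                reg = w.address + offset
                if reg in setpoint_limits:
                    low, high = setpoint_limits[reg]
                    if not low <= value <= high:
                        alerts.append({"src": src, "fc": w.function, "address": reg,
                                       "value": value,
                                       "reason": "setpoint outside engineering limits"})
    return alerts


# Constructed capture (not from the course): (client IP, raw Modbus/TCP ADU).
FRAMES = [
    ("10.0.10.5",  bytes.fromhex("000100000006010600100064")),            # HMI: FC06 reg 0x10 = 100
    ("10.0.10.5",  bytes.fromhex("00030000000601030000000A")),            # HMI: FC03 read, not a write
    ("10.0.10.99", bytes.fromhex("00020000000B0110001000020403E80000")),  # unknown host: FC16 regs 0x10,0x11 = 1000, 0
    ("10.0.10.99", bytes.fromhex("00040000000601050002FF00")),            # unknown host: FC05 coil 2 ON
    ("10.0.10.5",  bytes.fromhex("000500000008010F000000030105")),        # HMI: FC15 coils 0..2 = 1,0,1
]
ALLOWED_WRITERS = {"10.0.10.5"}            # assumed: only the HMI may write
SETPOINT_LIMITS = {0x0010: (0, 500)}       # assumed: pump setpoint register and its valid band

if __name__ == "__main__":
    for a in audit(FRAMES, ALLOWED_WRITERS, SETPOINT_LIMITS):
        print(a)
```

The same first-pass filter in Wireshark is `modbus.func_code in {5 6 15 16}`; the script adds what a display filter cannot, namely the allowlist and range check per register, which is the divergence the lab asks you to observe on the HMI.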
Day 1
120m
  • Deep-dive of EtherNet/IP and CIP services for controller memory and tag manipulation.
  • Review function block and structured text logic for malicious modifications.
  • Firmware integrity and unauthorized logic load detection.
120m
  • Lab on detecting and analyzing unauthorized controller logic upload.
  • Compare baseline vs modified logic state for hidden manipulation.
120m
  • ICS incident response considerations: containment that preserves safety.
  • Process safety systems, bypass risks, and failover behaviors.
  • Lab on executing containment and recovery steps with process continuity constraints.
Day 2
360m
  • Full ICS incident response scenario.
  • PCAP and host log review to trace adversary movement.
  • Identify register changes, setpoint tampering, and manipulated tag values.
  • Determine which devices issued unauthorized control actions.
  • Reconstruct chronological adversary timeline and operational impact.
  • Produce both executive and technical reporting outputs.

Setup

Participants must bring a laptop capable of running the provided virtual machine. Administrative rights are required. Setup assistance will be available before class start.