Operational Technology

What to expect

The OT course is a combination of lectures and hands-on cyber exercises with industrial control systems and physical protection systems. There will be a morning break, lunch break, and an afternoon break during each day.
Technical Content 🟦 intermediate

Audience

  • Security operation center staff
  • Incident responders
  • Reverse engineers
  • Software engineers
  • IT Staff responsible for operational technology or coordinating with OT/operations staff
  • Cybersecurity staff with some responsibility for OT systems
  • Operations staff who are responsible for OT/ICS/process systems
  • Managers responsible for coordinating incident response or training, or who have an interest in how OT cybersecurity could fit into their organizational structure

Applicability

If you are unfamiliar with operational technology, this course will provide you with a baseline knowledge of cybersecurity topics related to OT. If you are familiar with OT, this course will provide you with hands-on exercises that allow you to interact with key ICS devices in a way that will bolster your knowledge around related cybersecurity topics.

Objectives

  • Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries
  • Understand OT network topology along with piping and instrument diagrams
  • Understand the consequences of an OT cyberattack
  • Understand how field controllers (RTU, IED, PAC, PLC) differ from a typical PC
  • Perform OT-focused open-source reconnaissance techniques
  • Know how to take unauthorized control of a poorly protected HMI
  • Understand how to extract, open, and analyze a piece of firmware
  • Search pcaps to find a malicious executable
  • Locate potentially compromised hosts
  • Determine origination of command and control traffic
  • Recognize log file manipulations

Typical Agenda

Day 0
180m
  • Understand how Industrial Control Systems (ICS) and Operational Technology (OT) are implemented in various operational industries
  • Learn how to identify various OT equipment within process operations
  • Understand OT network topology along with piping and instrument diagrams
  • Understand the consequences of an OT cyberattack
  • ICS Protocols overview
  • Industrial Architecture
180m
  • Learn how field controllers (RTU, IED, PAC, PLC) differ from a typical PC
  • Learn the different ways these devices are programmed, including structured text, function block diagram, instruction list, sequential function chart, C++, C#, etc., as well as other proprietary languages
  • PLC Programming Demonstration
  • Ladder logic demo to program a CompactLogix 5370
  • OpenPLC and PLC Fiddle exercise to achieve the same outcome
  • Exercise to complete a series of different constructs available in ladder logic (open contacts, closed contacts, branches, latches, timers, counters, etc.)
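As an added example (not course material, and not OpenPLC or PLC Fiddle code), the Python model below runs the constructs named in the exercise through a PLC-style scan cycle, so that the seal-in branch, the latch and the timer/counter behaviour can be traced scan by scan before building the same rungs in ladder logic. The motor/alarm application, the 0.5 s scan time, the timer and counter presets and the input sequence are all assumptions made for illustration.

```python
"""Scan-cycle model of the ladder logic constructs used in the exercise (added example, not OpenPLC or PLC Fiddle code).

Each call to scan() is one PLC scan: inputs are read, rungs execute top to
bottom, outputs are written. Constructs modelled: XIC (examine if closed,
normally open contact), XIO (examine if open, normally closed contact), a
parallel branch (OR), OTE (output energize), OTL/OTU (latch/unlatch), TON
(on-delay timer) and CTU (up counter). The motor/alarm application is made up
for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Timer:
    """TON: accumulates while its rung is true, DN once ACC reaches PRE, resets when the rung goes false."""
    preset: float
    acc: float = 0.0
    dn: bool = False

    def ton(self, enable: bool, dt: float) -> bool:
        self.acc = min(self.acc + dt, self.preset) if enable else 0.0
        self.dn = enable and self.acc >= self.preset
        return self.dn


@dataclass
class Counter:
    """CTU: increments ACC on each rising edge of its rung, DN once ACC reaches PRE."""
    preset: int
    acc: int = 0
    dn: bool = False
    last: bool = False   # previous rung state, needed to detect the rising edge

    def ctu(self, cond: bool) -> bool:
        if cond and not self.last:
            self.acc += 1
        self.last = cond
        self.dn = self.acc >= self.preset
        return self.dn

    def reset(self) -> None:
        self.acc, self.dn = 0, False


@dataclass
class MotorController:
    """Start/stop seal-in circuit with an up-to-speed timer and a start counter that latches an alarm."""
    run_timer: Timer = field(default_factory=lambda: Timer(preset=1.0))
    start_counter: Counter = field(default_factory=lambda: Counter(preset=3))
    motor: bool = False   # OTE output: recomputed on every scan
    ready: bool = False
    alarm: bool = False   # OTL/OTU bit: keeps its state until explicitly unlatched

    def scan(self, start: bool, stop: bool, reset: bool, dt: float = 0.5) -> dict:
        # Rung 1: branch [XIC start | XIC motor] in series with XIO stop, OTE motor.
        # The XIC motor contact in the branch is the seal-in that holds the
        # motor on after the start button is released. 'stop' here is 1 when
        # pressed; a real panel wires the stop button normally closed and
        # programs it as XIC so that a broken wire stops the motor (fail-safe).
        self.motor = (start or self.motor) and not stop
        # Rung 2: XIC motor, TON run_timer. DN means the motor is up to speed.
        self.ready = self.run_timer.ton(self.motor, dt)
        # Rung 3: XIC motor, CTU start_counter (one count per motor start).
        too_many_starts = self.start_counter.ctu(self.motor)
        # Rung 4: XIC start_counter.DN, OTL alarm. Unlike OTE, the bit stays set
        # even when this rung goes false again.
        if too_many_starts:
            self.alarm = True
        # Rung 5: XIC reset, OTU alarm and reset the counter. Because rungs run
        # in order, a reset in the same scan as the latch wins.
        if reset:
            self.alarm = False
            self.start_counter.reset()
        return {"motor": self.motor, "ready": self.ready,
                "alarm": self.alarm, "starts": self.start_counter.acc}


def run_demo() -> list:
    """Run a constructed sequence of operator inputs (start, stop, reset) and return the per-scan outputs."""
    plc = MotorController()
    inputs = [(1, 0, 0), (0, 0, 0), (0, 0, 0), (0, 1, 0), (1, 0, 0),
              (0, 1, 0), (1, 0, 0), (0, 0, 0), (0, 0, 1)]
    return [plc.scan(bool(s), bool(p), bool(r)) for s, p, r in inputs]


if __name__ == "__main__":
    for n, out in enumerate(run_demo(), 1):
        print(f"scan {n}: {out}")
```

Two things worth noticing when running it: the motor stays on in scan 2 although the start input has dropped, because the seal-in contact in the branch now carries the rung, and the alarm bit set by OTL in scan 7 survives later scans until the OTU rung clears it, which is exactly the difference between a latch and an OTE output that a controller recomputes every scan.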
Day 1
90m
  • Learn how cyber attackers remotely shut down electric power infrastructure in 2015 and 2016
  • Perform OT-focused open-source reconnaissance techniques
  • Connect to a remotely operated human machine interface (HMI) and exploit a known vulnerability
90m
  • Take unauthorized control of an HMI
  • Connect to and send unauthorized commands to a programmable logic controller (PLC)
90m
  • Extract, open, and analyze a piece of firmware
  • Perform traffic capture of ICS communications data and extract operations-specific data bits to enable process control
90m
  • Manipulate HMI view and PLC functionality in a way that would make the two data streams appear to mismatch
  • Segment a single network on a managed switch into two virtual local area networks
Day 2
360m
  • Conduct incident response exercises based on a notional OT compromise
  • Search pcaps to find a malicious executable
  • Trace the attacker through the compromise to discover specific activities
  • Decrypt ransomware used by the attacker
  • Discover which hosts operated breaker commands
  • Discover where the command and control traffic is originating
  • Find out which ICS protocols the attacker was scanning for
  • Find out if the attacker manipulated log files
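The Day 1 traffic-capture and PLC-command exercises and the Day 2 pcap searches both come down to decoding the ICS protocol on the wire and telling reads from writes. The parser below is an added example, not course material; it assumes Modbus/TCP (TCP port 502), which the agenda does not name, and decodes only client-to-PLC requests, so the function code alone says whether a frame reads or writes process data. The four frames in CAPTURE are constructed for this example, not taken from a real device.

```python
"""Decode Modbus/TCP requests from captured frames and flag those that write to the process (added example).

Assumptions: the capture carries Modbus/TCP (TCP port 502) requests from a
client to a PLC; only client-to-server requests are decoded, so the function
code alone says whether a frame reads or writes coils/registers. The frames
in CAPTURE are constructed for this example, not taken from a real device.
"""
import struct
from dataclasses import dataclass, field
from typing import List

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int                      # first coil/register address, 0-based as on the wire
    values: List[int] = field(default_factory=list)   # values written; for reads, [quantity requested]

    @property
    def is_write(self) -> bool:
        return self.function in WRITE_FUNCTIONS

    def describe(self) -> str:
        name = WRITE_FUNCTIONS.get(self.function) or READ_FUNCTIONS.get(self.function, "?")
        return f"tid={self.transaction_id} unit={self.unit_id} {name} addr={self.address} values={self.values}"


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse one request ADU: 7-byte MBAP header (transaction id, protocol id, length, unit id) then the PDU."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, proto, length, uid = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    pdu = frame[7:]
    fc = pdu[0]
    if fc in READ_FUNCTIONS or fc in (5, 6):
        if len(pdu) != 5:
            raise ValueError(f"function {fc} needs a 4-byte data field")
        addr, value = struct.unpack(">HH", pdu[1:5])
        if fc == 5:                       # coil: 0xFF00 = ON, 0x0000 = OFF, anything else is illegal
            if value not in (0xFF00, 0x0000):
                raise ValueError(f"invalid coil value {value:#06x}")
            value = 1 if value == 0xFF00 else 0
        return ModbusRequest(tid, uid, fc, addr, [value])
    if fc in (15, 16):
        if len(pdu) < 6:
            raise ValueError(f"function {fc} header truncated")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        payload = pdu[6:]
        if len(payload) != byte_count:
            raise ValueError("byte count does not match payload length")
        if fc == 16:
            if byte_count != 2 * qty:
                raise ValueError("register count and byte count disagree")
            values = list(struct.unpack(f">{qty}H", payload))
        else:
            if byte_count != (qty + 7) // 8:
                raise ValueError("coil count and byte count disagree")
            # coils are packed LSB first: bit 0 of the first byte is the first coil
            values = [(payload[i // 8] >> (i % 8)) & 1 for i in range(qty)]
        return ModbusRequest(tid, uid, fc, addr, values)
    raise ValueError(f"unsupported function code {fc}")


def find_writes(frames: List[bytes]) -> List[ModbusRequest]:
    """Return the requests that change process state; malformed frames are skipped rather than aborting the search."""
    writes = []
    for frame in frames:
        try:
            req = parse_request(frame)
        except ValueError:
            continue
        if req.is_write:
            writes.append(req)
    return writes


# Constructed capture: four requests from one client to unit 1 (hex, spaces for readability).
CAPTURE = [
    bytes.fromhex("0001 0000 0006 01 03 0000 000A"),                 # read 10 holding registers from 0
    bytes.fromhex("0002 0000 0006 01 05 0010 FF00"),                 # write single coil 16 -> ON
    bytes.fromhex("0003 0000 000B 01 10 0064 0002 04 03E8 0000"),    # write registers 100-101 <- 1000, 0
    bytes.fromhex("0004 0000 0008 01 0F 0000 0008 01 A5"),           # write 8 coils from 0, pattern 0xA5
]

if __name__ == "__main__":
    for req in find_writes(CAPTURE):
        print(req.describe())
```

Run against a real pcap, the same parser is applied to the TCP payload of every segment to port 502, and the coil and register values it returns are the operations-specific data bits the Day 1 exercise asks for. The security point is that classic Modbus/TCP carries no authentication: any host that can reach port 502 can issue the write requests above, which is why the Day 2 questions of which host sent breaker commands and which protocols were scanned for are answered from the capture rather than from the controller.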

Setup

In-person events

  • We will provide enough equipment to allow small groups to work together to complete the exercises.
  • If you have a laptop with internet access and a Kali Linux OS and would like to bring it, please do.
  • Be sure to bring a laptop with a web browser for the collaborative exercise, if you are coming to a Foundry event!

Online events

A Setup Guide will be provided in the participant portal.