Industrial Control System Security 101 and 201

This 4-hour session is designed to arm incident response teams and security researchers with the skills needed to monitor, analyze and respond to attacks against the unique networks that form the backbone of the world's critical infrastructure. Recent attacks on critical infrastructure have demonstrated the real and present danger to ICS networks, so it is more important than ever to hone these skills and reduce the blind spots that exist for security teams. As an increasingly active threat landscape unfolds, it is of paramount importance to understand the inner workings of these networks, their unique protocols, and the methods adversaries employ to disrupt them, including the use of legitimate commands against ICS network components.

The workshop is composed of two 2-hour sessions: ICS Fundamentals 101 and ICS Advanced 201. Together they step both the novice and the intermediate-skilled participant through the risks and mitigations of critical infrastructure and control system security.

Participants will use open source and trial editions of RexDraw, PeakHMI, NRL Core, Kali Linux, Python and Raspberry Pis.

The instructors will also perform demonstrations using real industrial devices. Participants will learn ICS fundamentals and the value of technical, operational and physical security controls within ICS environments.

ICS 101 will guide participants through the elements of ICS technical components (hardware, software, logic and protocols) by reverse engineering a bottling facility and a traffic light. Participants will learn about physical I/O, functional logic, industrial protocols and user interface design using the philosophy of build, break and secure: reverse a pre-built HMI user interface, OPC tag server and functional logic; break them using industrial protocol overrides, MitM modifications and logic manipulation; and secure them using social, communication, application/OS, firmware and hardware controls.

ICS 201 will teach students how to understand the content of network packet captures across a wide variety of proprietary ICS protocols. Building on this understanding, we will explore in depth the attacks and defenses demonstrated in ICS 101 to show the value of active defense.

Participants will learn how to use Wireshark to perform deep packet analysis on multiple PCAPs ranging from simple to complex. Students will be taught the fundamental skills needed to perform blind protocol analysis on proprietary ICS protocols, and will learn how to create custom rules that match specific addresses within the packets as well as ICS vendor-specific commands. This analysis gives insight into the attacks performed, the elements manipulated and the tools available to actively defend the environment. Participants will gain an in-depth understanding of industrial protocols and their complexity, along with a detailed explanation of what happens "behind the scenes" in ICS operations. On leaving this workshop, participants will be able to capture and analyze industrial communication flows originating from different network segments using open source tooling (e.g. Snort, Wireshark), and to identify potentially anomalous network traffic.
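The kind of "custom rule for a specific address and command" described above, written out as a small added example. This is not workshop material and not code from the instructors; it assumes Modbus/TCP as a stand-in for the industrial protocols the course covers (the page does not name a specific protocol), and the three frames it decodes are constructed by hand, not captured from a real device. The point it illustrates is that a write function code to a sensitive address is a perfectly legitimate command on the wire, so a rule has to key on function, unit ID and address rather than on anything that looks malformed.

```python
"""Added example: decode Modbus/TCP requests and flag writes to watched addresses.

Assumption: Modbus/TCP is used as a stand-in for the course's industrial
protocols. The frames in SAMPLE_FRAMES are constructed for this example.
"""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Function codes that change process state versus those that only read it.
# An adversary "using legitimate commands" will typically issue the former.
WRITE_FUNCTIONS = {5: "write_single_coil", 6: "write_single_register",
                   15: "write_multiple_coils", 16: "write_multiple_registers"}
READ_FUNCTIONS = {1: "read_coils", 2: "read_discrete_inputs",
                  3: "read_holding_registers", 4: "read_input_registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]  # start address for read/write functions
    count: Optional[int]    # quantity for multi-item functions
    value: Optional[int]    # payload value for single-item writes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(payload) < 8:
        raise ValueError("payload too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # MBAP length counts everything after the length field itself.
    if length != len(payload) - 6:
        raise ValueError("MBAP length field disagrees with payload length")
    function = payload[7]
    data = payload[8:]
    address = count = value = None
    if function in READ_FUNCTIONS or function in (15, 16):
        address, count = struct.unpack(">HH", data[:4])
    elif function in (5, 6):
        address, value = struct.unpack(">HH", data[:4])
    return ModbusRequest(tid, unit, function, address, count, value)


@dataclass(frozen=True)
class Rule:
    """A detection rule keyed on unit ID, function codes and an address range."""
    name: str
    unit_id: Optional[int]            # None matches any unit
    functions: FrozenSet[int]
    address_range: Tuple[int, int]    # inclusive (low, high)


def match_rules(req: ModbusRequest, rules: List[Rule]) -> List[str]:
    """Return the names of rules whose unit/function/address criteria the request meets."""
    hits = []
    for rule in rules:
        if rule.unit_id is not None and rule.unit_id != req.unit_id:
            continue
        if req.function not in rule.functions or req.address is None:
            continue
        # Multi-item functions touch [address, address + count - 1]; check overlap.
        last = req.address + (req.count - 1 if req.count else 0)
        low, high = rule.address_range
        if last < low or req.address > high:
            continue
        hits.append(rule.name)
    return hits


# Hypothetical rules: coils 16..31 drive a valve bank, registers 100..103 hold setpoints.
RULES = [
    Rule("coil_override_valve_bank", 1, frozenset({5, 15}), (16, 31)),
    Rule("setpoint_register_tamper", None, frozenset({6, 16}), (100, 103)),
]

# Constructed frames (tid, proto=0, length, unit, fc, data):
SAMPLE_FRAMES = [
    bytes.fromhex("000100000006010300000 00a".replace(" ", "")),  # read 10 holding regs @0
    bytes.fromhex("000200000006010500 14ff00".replace(" ", "")),  # write coil 20 ON
    bytes.fromhex("00030000000b0110006400020400010002"),          # write regs 100..101
]


def scan(frames: List[bytes], rules: List[Rule]) -> List[Tuple[int, str, List[str]]]:
    """Decode each frame and report (transaction id, function name, matched rules)."""
    report = []
    for frame in frames:
        req = parse_modbus_tcp(frame)
        name = WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function, "other")
        report.append((req.transaction_id, name, match_rules(req, rules)))
    return report


if __name__ == "__main__":
    for tid, fname, hits in scan(SAMPLE_FRAMES, RULES):
        print(f"tid={tid} {fname:24s} alerts={hits or '-'}")
```

In a real deployment the same criteria would be expressed as Snort or Wireshark display-filter rules over the captured flows; the Python form just makes the decision logic visible. Note that the read request produces no alert even though it is also unauthenticated traffic: the rule set deliberately distinguishes commands that change state from commands that only observe it.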

Prerequisites: Experience with Linux and Windows operating system administration. Experience with TCP/IP networking. Experience with Kali Linux.

Materials: A laptop with at least one USB port, 40GB of unused hard disk space, at minimum an Intel i3 processor, and the most recent VMware Player or equivalent VMware product. Local administrator rights on the laptop and the ability to turn off anti-virus software.