CSCOE Certification
This course provides you with a thorough understanding of Industrial Control System (ICS) and Supervisory Control and Data Acquisition (SCADA) devices and their inner workings. You will learn how to execute cyber missions in which a SCADA environment is part of the greater cyberspace operational environment. By performing incident response on SCADA devices, you will learn in-depth concepts about SCADA devices.
What Students Will Learn
- How to execute cyberspace operations within a SCADA environment
- Concepts of SCADA devices
- How SCADA devices work and function
- Security concepts and challenges specific to SCADA devices
- Vulnerability assessments within SCADA environments
- Incident response within a SCADA environment
- Penetration tests on Industrial Control systems
- Vulnerabilities in web applications used in industrial control systems
- Hardware, network, user interface, and server-side vulnerabilities
- Incident response on industrial control systems
- Unique differences between ICS incident response and traditional
Who Should Attend
- Anyone involved with designing, monitoring, or operating SCADA networks
- Security personnel whose job involves assessing, deploying, or securing control system components, communications, and operations
- Managers who need to build deeper technical skills
- NERC CIP, DHS CFATS, and other Auditors
- Penetration Testers
- Programmers
- Process Engineers and Field Technicians
- Network and System Administrators Supporting Control Systems
- Operations and Plant Management Personnel
- Control System Hardware, Software and Integrator Vendor Personnel
- Computer Emergency Response Teams
Prerequisites
- Familiarity with basic network topology such as switching, routing, and IP addressing
- Recommended course book: Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS
Follow-On Courses: N/A
Time Frame: 5 Days
Certification: CSFI-CSCOE
Course Outline
- Pentesting SCADA Network Protocols
  - ICS Systems Overview
  - Controllers, Embedded Systems and Protocols
  - PLCs, DCS, Hybrid Controllers, PC-Control
  - SCADA and ICS Protocols
  - Working with Modbus, OPC, and HMIs
  - Different Levels of Network Communication Penetration Testing
  - Serial Communications (RS-485, RS-232, Modbus RTU)
- Pentesting SCADA Field and Floor Devices
  - Tests performed against SCADA networks
  - External Penetration Testing
  - Internal Penetration Testing
  - Vulnerability Assessments
  - Wireless Audits
  - SCADA Vulnerability Assessment Methodology
  - SCADA Protocols
  - PLC, RTU, DCS, and Embedded Controllers
  - SCADA Exploitation
  - Analysis of embedded electronics in SCADA field and floor devices
  - Discussion of device disassembly
- Pentesting SCADA Field and Floor Devices Continued and Intro to SCADA Incident Response
  - Introduction to SCADA Incident Response
  - SCADA Incident Response Overview
  - SCADA Incident Response In-Depth
  - Analyzing Data Obtained from Data Dumping and Bus Snooping
  - End-to-End Analysis and Reporting
- SCADA Active Defense Methodologies
  - Introduction to SCADA Active Defense
  - Network Segmentation
General Lab and Training Information
CSFI offers unique SCADA training and certification with hands-on labs. The quality of our instructors and course materials is amongst the best in the world. This training can be offered either on-location or virtually (our virtual webinar platform is GoToTraining).
The labs require a computer with the most recent version of VMware and a free USB port. Setup is performed in Lab 1.
The lab kits are shipped to and retained by the participant. The exam is open book and is combined with an active defense challenge. The distance version is a modified version of the live event. Students must complete all hands-on labs to become certified.
Each participant will receive 30 days of access after the event.
Note: Students must purchase our SCADA KIT (Cost per SCADA KIT: $400.00) before starting training.
Train how to execute cyberspace operations within a SCADA environment.
The training cannot be deployed without the SCADA KIT. ICS training demands superb know-how, unique hardware and software, and strong hands-on lab experience. The ICS/SCADA training market is growing very fast, but there are very few training providers that can actually deliver this form of training.
The educational platform engages the participant in understanding, enumerating, penetrating and mitigating the engineering workstation, HMI, OPC, Historian, PLC/PAC/IED/R(M)TU/DCS and protocol communications. The educational platform is encompassed by three primary components:
- Virtualized operating system providing cyber offensive and defensive capabilities for ICS and IT environments.
- Leveraging the Raspberry Pi with PiFace Digital to represent a variety of control system devices (e.g. PLCs, PACs, MTU/RTU, DCS, physical security).
- Low voltage, kinetic I/O supporting models such as a traffic light, water treatment facility, bottling plant and assembly line.
SCADA Labs Outline
- Introduction to SamuraiSTFU (Security Testing Framework for Utilities)
  - Setting up the virtual machine
  - Walkthrough of the tools and functionality
  - Introduction to the student hardware kits
- Pentesting RF Communications Between Master Servers and Field Devices
  - Hands-on network traffic extraction
  - Traffic transmission and exploitation
- Pentesting TCP/IP Based SCADA Protocols
  - Protocol capture and analysis
  - Modbus, DNP3, IEC 61850, ICCP, ZigBee, C37.118, and C12.22
- Dealing with unknown protocols
  - Hands-on entropy analysis of network payloads
  - Reverse engineering unknown protocols
  - Hands-on SCADA protocol fuzzing
- Pentesting Technician Interfaces on SCADA Field and Floor Devices
  - Functional analysis of field technician interfaces
  - Hands-on exercise capturing USB communications to tech interfaces
  - Hands-on exercise analyzing captured USB communications
  - Impersonating endpoints in field tech interface communications
  - Exploiting vulnerabilities found during analysis
- Analyzing Field and Floor Device Firmware
  - Obtaining field and floor device firmware
  - Hands-on exercise disassembling firmware
  - Hands-on exercise analyzing disassembled firmware
  - Exploiting firmware flaws
- Overview of Pentesting Field and Floor Device Embedded Circuits
  - Local attack through physically exposed devices
  - Expanding physical attacks to remote attacks
- Dumping Data at Rest on Embedded Circuits
  - Using the Bus Pirate and other similar tools
- Bus Snooping on Embedded Circuits
  - Overview of bus snooping
  - Hands-on exercise snooping buses
- Capture the Flag Event
  - Pits two teams against each other
  - One group is the active defender
  - One group is the active attacker
- Training Kit Orientation and Setup
- Introduction to Programmable Logic Controllers, Ladder Logic, Function Block, Communications and OLE for Process Control (OPC) / Human Machine Interface (HMI) Programming
- ICS Device Vulnerability Assessments
- Analyze Known Categories of ICS Vulnerabilities
- Traffic Light Control System Analysis
- ICS Device Exploit Analysis and Control
- Applied ICS Device Security Analysis
- Communications Exploit Analysis and Control
- Protocol Spoofing and Fuzzing
- Industrial Wireless Analysis (e.g., 802.11, Wireless HART)
- OPC/HMI Devices Vulnerability Assessment, Exploit Analysis and Control
- Analyze Vendor-Specific Control Systems (e.g., Rockwell and Siemens)