Securing ICS Course at Lambeau Field

Wednesday, September 25, 2013 @ 06:09 PM gHale

Learning how to put the deep freeze on attackers trying to hack into an industrial control system takes on new meaning as a new course focused on “blue teaming” an industrial control system (ICS) is taking place at historic Lambeau Field in Green Bay, WI, October 7-11.

“Understanding and Securing Industrial Control Systems” is a new course offered by security provider SCADAhacker, focused on securing or “blue teaming” the industrial control system (ICS) architecture. The setting is a VIP suite overlooking the football field used by the 13-time world champion Green Bay Packers.

The course will include hands-on labs as well as extensive demonstrations to reinforce the selection and implementation of security controls relating specifically to ICS. Many of the individuals responsible for auditing, installing, or operating industrial control systems are aware of the need for cyber security, yet are confused about exactly what to implement and how to verify the resulting solution. This course provides a solid foundation on how to address those concepts.


The course agenda:
• Understanding the Unique Threat Landscape of Industrial Control Systems
o What is an Industrial Control System
o Simplifying the ICS Architecture
o Why is ICS Security different from traditional IT Security
o Why ICS are more vulnerable to cyber threats than other IT assets

• Understanding Current Standards and Best Practices from a Security and Compliance Point of View
o ISA-99, IEC-62443, ISO-27000, NERC-CIP R3-R5, CFATS, NIST 800-53/800-82, SANS, CPNI

• Understanding Risk in terms of Threats, Vulnerabilities, and Consequences
o Threats to the ICS and Operational Integrity
o Typical ICS Vulnerabilities
o Consequences of an ICS Attack
o Risk Identification and Classification

• Understanding and Identifying ICS Vulnerabilities

• Selecting and Implementing Security Controls
o Administrative Security Controls
o Technical Security Controls
o Network Considerations
o Compensating Controls
o Allocating Security Controls to ICS Architecture Resources

• Auditing and Assessing ICS Security
o Security Audits
o Security Assessments (“Theoretical” versus “Physical”)
o Vulnerability Assessments, which include Nessus Home Feed versus Professional Feed, Nessus SCADA Plugins, Compliance Audit Files for Nessus (including Bandolier), and Creating Custom Audit Files for Nessus

• A Hands-On Look at Key New Emerging Technologies
o Industrial Firewalls with Stateful Deep Packet Inspection (DPI) of ICS Protocols
o Personal/Portable Firewalls / VPNs
o Unidirectional Security Appliances (aka Data Diodes)
o Layer 2 Encryption Technologies
o Intrusion Detection and Prevention Systems (IDS/IPS)
o Security Incident and Event Monitoring (SIEM)
o Application Whitelisting / Host-based Intrusion Prevention System (HIPS)

• Case Studies
o Using Chained Exploits to Gain Access to Trusted Internal Networks and Attack an ICS from the “Inside-Out”
o Implementing a Network Behavior-based Intrusion Detection System for Industrial Control Systems
o Network Segmentation and IP Addressing
o Network Architectures and Active Directory Considerations
o Network Communications and ICS Protocols
o A detailed look at Stuxnet – how it infects and spreads, and what could be done to stop similar attacks (actual live Stuxnet worm will be used for this study)
o Working with Firewalls: Analysis, Testing and Validation
o Using Vulnerability Scanners (Nessus Home/Pro Feeds, OpenVAS)
o Assessing the Current Security Posture of an ICS Architecture
o Improving the Security Posture of a Vulnerable ICS Architecture

All students will receive their own modified Chromebook laptop computer to use during the course. This environment has been preloaded with a variety of security related applications that will be used during the course, as well as the extensive SCADAhacker Reference Library and catalog of software for creating security testing environments on other computing platforms. Students will also receive a library of virtual machines that can be used to reinforce the hands-on portion of the course, and help in developing a local security testing lab.

There will be labs that utilize physical ICS equipment, providing a realistic picture of what is out there in the field. This will include not only ICS equipment, but also associated security components. Some of the technologies covered in this advanced course include:
• Industrial Protocols such as Modbus/TCP, TSAP, Ethernet/IP and Common Industry Protocol (CIP)
• Industrial Firewalls such as Tofino Security Appliance, mGuard, Zenwall and others
• Unidirectional Security Gateways and Data Diodes (Waterfall Security Solutions)
• Application Whitelisting such as Microsoft Software Restriction Policies and McAfee Application Control
• Security Event and Incident Management solutions such as McAfee Enterprise Security Manager and AlienVault OSSIM
• Network Encryptors (Certes Networks CEP)
• Firewalls and Firewall Evaluation Tools (Cisco, pfSense, Vyatta, Athena, Firewalker, FWBuilder)
• Vulnerability Scanners from Tenable Networks (Nessus)

Due to the material presented, the course size will be limited to a maximum of 12 students. Each course will begin at 8:00am on Monday morning and conclude by 2:00pm Friday afternoon. The fee for the course is $3,850. A deposit of $500 is required in advance, with the balance due on the first day of training. Registration is fully refundable (less any processing fees levied by the credit card company) up to 7 days prior to the start of the course. Cancellations made within 7 days of the course start will be handled on a case-by-case basis. No refunds will be granted after the start of the course.

The course dates for the remainder of 2013 have been finalized and are:

October 7 – 11, Lambeau Field – Green Bay, WI
November 11 – 15 (The Hague, Netherlands)
November 18 – 22 (The Hague, Netherlands)
