2-DAY TRAINING 2 – Advanced ICS Hacking




CAPACITY: 15 pax




Industrial control systems (ICS) are often a sitting target for cybercriminals. The majority of these systems monitor complex industrial processes and critical infrastructures that deliver power, water, transport, manufacturing and other essential services.

There are many vulnerabilities in ICS systems that could expose an installation to attacks. Downtime or infiltration of an ICS network could result in massive outages, hundreds of thousands of impacted users and even national disaster. Penetration testing of ICS systems is a very specific field that requires in-depth knowledge and access to the relevant hardware.

This training is going to help you to understand ICS systems, analyze their weaknesses, attack them and design strategies to protect them. It is aimed at security professionals who want to understand ICS systems, improve their skills or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques.

We will focus on methodologies for hacking commercial hardware devices such as PLCs as well as simulators, and we will also provide an excellent opportunity for participants to have hands-on experience in penetration testing of these devices and systems. The ICS setup will simulate the ICS infrastructure with real-time PLCs and SCADA applications. We will cover the most common ICS protocols (Modbus, S7, DNP3, OPC, Profinet), analyze packet captures and learn how to use these protocols to talk to PLCs. You will learn how to program a PLC, to better understand how to exploit them. You will also learn how to bypass airgaps and how to defend airgapped systems, and also the techniques and tactics that adversaries use to compromise ICS systems.

Throughout the course, we will use a virtual machine created by us specifically for ICS penetration tests; it contains all the tools necessary for ICS hacking. The course is structured for beginner to intermediate level attendees, and no previous experience in ICS, reversing or hardware is required.

Key Learning Objectives

This course is a perfect fit for professionals who want to understand ICS systems, improve their skills or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques. It's an excellent opportunity for participants to acquire hands-on experience in penetration testing ICS devices and systems.

Who Should Attend

  • Penetration Testers / Red Team Members who want to pentest ICS systems or bypass the airgap
  • Government officials from offensive or defensive units
  • SCADA and PLC programmers
  • IT and OT security professionals seeking to increase their knowledge of ICS hacking and security
  • Anyone interested in ICS security

Prerequisite Knowledge

  • Basic knowledge of Linux
  • Basic knowledge of networking and pentesting

Hardware / Software Requirements

  • Laptop with at least 40GB free space
  • 8 GB minimum RAM
  • Virtualization Software such as VMWare or Virtualbox
  • Admin/root access on the laptop

Students Receive

  • Slides/lectures of the training
  • VM with test environment, exercises and all the tools used in class
  • 1 month of support from the trainer to complete the exercises presented

Agenda – Day 1: Overview of ICS, Protocols & Hacking

ICS Basics

  • Introduction to ICS
  • Vocabulary
  • The CIM model
  • Classic architectures
  • History of ICS
  • Overview of ISA99/IEC62443, NIST 800-82 and ANSSI guidance
  • IT vs OT
  • ICS systems exposed on the Internet

ICS Components

  • ICS Architecture, Components and Roles
    • RTU
    • HMI
    • DCS
    • Sensors
    • PLC
    • SCADA
    • Historian

Programming PLCs

  • PLC Wiring
    • PLC Inputs
    • PLC Outputs
  • PLC Programming Languages
  • How PLC Programs are executed
  • PLC Programming in Ladder Logic
    • Ladder Logic fundamentals and Principles
    • PLC Simulation Software
  • Programming PLC hands-on exercises

ICS Protocols

  • Modbus
    • Introduction and protocol overview
    • Reconnaissance
    • Sniffing and Eavesdropping
    • Baseline Response Replay
    • Modbus Flooding
    • Modifying PLC values
    • Rogue Interloper
    • Hands-on practice
  • S7
    • Introduction and protocol overview
    • Reconnaissance
    • Sniffing and Eavesdropping
    • Uploading and downloading PLC programs
    • Start and Stop PLC CPU
    • Hands-on practice
  • DNP3
    • Introduction and protocol overview
    • Reconnaissance
    • Length Overflow Attack
    • Reset Function Attack
    • Rogue Interloper
    • Hands-on practice
  • Profinet
    • Introduction and protocol overview
    • Reconnaissance
    • Sniffing and Eavesdropping
    • Replay Attacks
    • Packet Forging Attacks
    • Hands-on practice
  • OPC
    • Introduction and protocol overview
    • Reconnaissance
    • OPC Attacks
    • Hands-on practice

Agenda – Day 2: Bypassing the Airgap, Pentesting & Attacks

Bypassing the Air Gap

  • What is an Airgap?
  • Airgap Problems
  • Is there really an airgap?
  • Airgap, Firewall or Data Diode?
  • Airgap Attacks and Examples
  • Inbound / Outbound channels
    • Thermal channels
    • Electromagnetic channels
    • Acoustic channels
    • Optical channels
    • Electric channel
    • Magnetic channels
  • Defending the Airgap

Common ICS Vulnerabilities

  • Weak Network Segmentation and Segregation
  • Exposure to the Internet or insecure networks
  • Insecure protocols used
  • Use of outdated software and lack of maintenance
  • Default credentials and insecure configurations
  • Lack of security awareness
  • Weak USB and personal device use policies
  • Other vulnerabilities

Discussion of real attacks

  • ICS-CERT Alerts
  • ATT&CK for ICS
    • Adversary tactics and techniques
    • ICS related incidents and attacks

Pentesting ICS systems

  • Pentesting ICS Basics
  • Warnings and Precautions
    • Pentesting ICS Real Incidents
    • Pentesting ICS Best Practices
  • Pentesting ICS Tools
  • Pentesting ICS Theory
    • Architecture Review
    • Information gathering
    • Vulnerability Scanning
    • Exploitation
    • Protocols Testing

Hands-on Pentesting ICS practice

  • PLC Scanning and Reconnaissance
  • Network capture analysis & replaying packets
  • Attacking ICS protocols
  • Fuzzing ICS protocols
  • Attacking PLC standard interfaces and features
  • Attacking HMI
  • Attacking Windows ICS components

Securing ICS Systems

  • ICS Security Policy
  • ICS Risk Management
  • ICS Security Awareness and Training Program
  • Network Segmentation and Segregation
    • Assess and limit the connections with insecure networks
  • USB and personal devices use policies and restrictions
  • ICS systems hardening and adequate configuration
  • Apply ‘defence in depth’ principle to protect ICS devices
  • Security supervision and other measures

ICS System Case Study

  • Case study to apply all the knowledge acquired through the training.



Location: Training Rooms
Date: July 20, 2020
Time: 9:00 am - 6:00 pm
Trainers: Yamila Levalle, Sarka Pekarova