Industrial Control Systems Security Practitioner

Our industry-leading experts deliver this training to provide individuals with the practitioner-level skills required to monitor and investigate security events within an ICS/OT environment: to detect and analyse cyber security threats, to implement technical and non-technical measures that mitigate them, and to ensure ICS/OT operations are able to continue by applying incident response procedures.

System

This training can be delivered at our clients’ premises for group bookings only.

Certification

PGI Cyber Academy – Completion Certificate

Aim

By the end of this training, you will be able to demonstrate an understanding of an Active Defense approach, of ICS-specific attacks, and of how these attacks inform mitigation strategies. You will also develop an understanding of the strategies and fundamental techniques of the core ICS-focused subjects: network security monitoring, digital forensics, incident response and threat intelligence.

Audience

Practitioner-level ICS/OT cyber security professionals who wish to understand how to manage all aspects of industrial control systems security effectively. Example roles might include:

  • ICS incident response team leads and members
  • ICS and operations technology security practitioners
  • IT security professionals
  • Security Operations Centre (SOC) team leads and analysts
  • ICS red team and penetration testers
  • IT/cyber security practitioners with responsibilities for industrial control systems or operational technology

Learning outcomes
  • Determine cyber security vulnerabilities across a range of industry standard technologies.
  • Be aware of human-computer interaction and the principles of usable design, as they relate to cyber security.
  • Recognise security event correlation tools.
  • Discuss multi-level security systems and cross domain solutions applicable to IT and ICS/OT environments.
  • Understand supervisory control and data acquisition system components.
  • Gain knowledge of the ICS threat landscape, and threats and vulnerabilities in ICS systems and environments.
  • Demonstrate an understanding of intrusion detection methodologies and techniques for detecting ICS intrusions.
  • Protect a network against malware.
  • Effectively prepare and present briefings in a clear and concise manner.
  • Conduct cyber security reviews of systems.
  • Identify a network anomaly.
  • Conduct information searches.
  • Identify a network’s characteristics when viewed through the eyes of an attacker.
  • Identify and analyse physical, functional, or behavioural relationships to develop an understanding of attackers and their objectives.
  • Recognise denial and deception techniques when used by attackers or cybercriminals.
  • Monitor a threat or vulnerability situation and environmental factors.
  • Determine network hardware devices and functions in IT and ICS/OT environments.
  • Translate operational requirements into protection needs in IT and ICS/OT environments.
  • Assess the cyber security controls of ICS environments.

Prerequisites

Ideally, delegates will have an IT or ICS background or fundamental cyber security experience, and will have trained as an Industrial Control Systems Security Analyst so that they are comfortable with ICS terminology and systems such as SCADA, DCS, PLCs, and RTUs. An understanding of risk and mitigation approaches in OT environments is also useful.

Knowledge of:

  • Best practices for incident response and incident management.
  • Industry standard systems diagnostic tools and fault identification techniques.
  • National cyber security regulations and requirements relevant to the organisation.
  • Industry standard security models and their effective application.
  • Demilitarised zones.
  • Industry standard security models.
  • Best practice incident response methods, roles, and responsibilities.
  • Industry standard continuous monitoring technologies and tools.
  • An organisation’s local and wide area network connections and the risks they pose to its cyber security.
  • Cyber threat intelligence gathering principles, policies and procedures including legal authority and restrictions.
  • An organisation’s policies and standard operating procedures relating to cyber security.
  • Identification and reporting processes.
  • Global social dynamics of the different cyber threat types.
  • Network technologies in IT and ICS/OT environments.
  • System protection planning measures for IT and ICS/OT environments.
  • Integrating the organisation’s goals and objectives into the system architecture in IT and ICS/OT environments.
  • ICS operating environments and functions.
  • ICS network architectures and communication protocols.
  • ICS devices and industrial programming languages.
  • Intrusion detection methodologies and techniques for detecting ICS intrusions.
  • ICS security methodologies and technologies.

Skills in:

  • Applying core cyber security principles.
  • Effectively recognising and categorising types of vulnerabilities and associated attacks.
  • System, network and OS hardening techniques.
  • Using feedback to improve cyber security processes, products and services.
  • Collecting data from a variety of cyber security resources.
  • Using multiple search engines and tools in conducting open-source searches.
  • Protecting an ICS/OT environment against cyber threats.

Syllabus

This training can be tailored to an industry or to a defined audience, and can be delivered over various durations. Example topics typically include:

Module 1 – Threat Intelligence

  • Where do you start? – Active Defence Introduction including case study
  • Incident Management
  • Threat Intelligence (building on the introduction for the ICSSA)
  • Using the ICS Kill Chain
  • Closing the door – reducing the Threat
  • What do you do with it? Using Threat Intelligence

Module 2 – Asset Identification and Security Monitoring

  • Case Study – BlackEnergy
  • Asset Visibility
  • Threat Detection
  • NSM – Collecting data
  • NSM – Detecting the good and bad
  • NSM – Analysing what you find

Module 3 – Incident Management

  • Case Study – TRISIS
  • ICS Incident Response
  • Evidence and Forensics
  • Obtaining Forensics from Memory

Module 4 – Analysis

  • Case Study – Crashoverride
  • Analysing the Evidence
  • Analysing malware
  • Developing effective YARA rules

Module 5 – ICS Scenarios

  • Exercises

Exam Preparation