
ICS Security “Module ONE”2 ICS Security “Module ONE” Welcome to the long announced seminar...

Date post: 27-Jul-2020
ICS Security “Module ONE”

Welcome to the long-announced seminar series „Security for ICS Systems“. We start with a five-day basic training - ICS Security Module ONE. Module ONE is the seminar on which all further courses are based. It provides basic knowledge for understanding industrial control systems - from secure design and architecture to topics such as incident response or governance.

The course is aimed
• at advanced IT specialists who want to enter new territory and are looking for a detailed introduction to ICS
• at engineers who are fit in the ICS world and want to know more about cyber risks and security
• at the governance specialist who is trying to establish a new policy framework for the OT world
• or simply at the project manager of an industry 4.0 project, who despairs of the complexity of the ICS world.

As you can see, the target group can be expanded at will.

„Module ONE“ is a 5 day classroom seminar. But it is also an online course - find 6h of additional video material, documentation and quizzes to support the learning process. We add weekly webinars for the next 8 weeks after the course - with no additional costs. The participants will also have full access for 6 months to our Basic and Advanced video trainings.

The webinars will add different ICS topics from different trainers. At the end of each webinar, we have a FAQ session to answer questions. So we can guarantee that the student has the necessary support even after the classroom has finished. The seminar finishes with an online test, whereby 80% of the 50 questions must be answered correctly. After successful completion the participant receives a certificate.


What you will learn

We start with an explanation of the specifics of an ICS environment on the first day. This explanation is not limited to trivial definitions, but takes a much more technical approach. Students will develop and deepen a common understanding of the cybersecurity of industrial control systems (ICS) and the important considerations associated with cyber-to-physical operations (CPS) in these environments.

The participants will learn about PLCs and ladder logic and how complex controls are constructed. They will recognize the differences between the classic Office IT and an ICS environment. Topics will be e.g. safety, communication and serial protocols. The students will understand why cybersecurity for automation is not the same as for office IT. The course explains all essential terms, architectures, methods and devices in the different technical sections and layers in order to achieve an understanding of the used technologies also for the career changer.

The attack surface (Day 4) of an ICS System is different from an Office environment. This includes not only the different, often very simple protocols of the lower layers, but also the very different consequences of a successful attack - from high physical damage to personal injury.

There are many attack vectors within an ICS environment. Some are similar to traditional IT systems, while others are more specific to ICS. Knowing them will help to protect against potential attacks. The students will look at the different technologies and communication tools used at levels 0 and 1, the levels that are most different from an IT network. They will be introduced to network analysis techniques. During the course, examples of the analysis of different network data samples will be presented or worked on by the students.


The third day is about workstations and operating systems. We will show important functions of the different operating systems for servers and workstations as well as implementation approaches and system administration procedures. Students will learn how to monitor and protect these hosts from attacks and work with both Windows and Linux-based virtual machines and containers. They will examine concepts that are beneficial for ICS systems, e.g. approaches to system hardening, protocol management, warning and monitoring.

The fourth day introduces the middle layers of the control networks. The student will learn various methods for segmenting and controlling the flow of traffic through the control network. They will deal with cryptographic concepts and their application to communication protocols and devices on which confidential data is stored. They learn about the risks of using wireless communication in control networks, which wireless technologies are used frequently, and the possibilities for attacks or countermeasures.

The participants will be working intensively on layers 2 and 3, which have turned out to be the prime targets of many attacks. We will discuss typical attacks and the best methods of defense. The focus is on HMI systems and historians and their upstream communication.

Day 5 is about standards and frameworks. We will introduce the different (main) security programs and will take a more detailed look at IEC 62443, including roles and responsibilities. Another focus will be the draft of a security policy for ICS systems. The second part of the day will deal with the topics „ICS Risk Management“ and Incident Response - including some real life scenarios.


Course Overview

Day 1: ICS - What makes the difference

Overview of ICS
• Processes & Roles
• Industries
• Critical Infrastructures

IEC 62443 and friends
• Introduction to standards
• Role of standards

Network Security Models
• Purdue and IEC 62443

Network Levels 0 and 1
• Controllers and Field Devices
• Programming Controllers or how to understand Ladder Logic
• PLC Examples

Network Levels 2 and 3
• HMIs, Historians, Alarm Servers
• the engineering workstation
• Specialized Applications and Master Servers

DCS and SCADA
• realtime monitoring challenges
• network performance, delays and overheads
• Protocol Issues

ICT & ICS Differences
• ICS Life Cycle Challenges
• Industrial Standards
• a more philosophical view…

Physical and Cyber Security
• safety risks - yesterday and today
• Hybrid Risks

Secure ICS Network Architectures
• IEC 62443 best practice
• Zones and Conduits
• Security Levels

Exercise: Architecting a Secure DCS

Day 2: Security of Field Devices and Controllers

ICS Attack Surface
• Threat Actors and Reasons for Attack
• Attack Surface and Inputs
• Vulnerabilities
• Threat/Attack Models

Level 0 and 1
• Level 0 and 1 Attack scenarios
• Monitoring Level 0/1
• Know your devices - Inventories and Asset management
• Open source tools
• Level 0 and 1 Technologies
• Level 0 and 1 Communications
• Serial Protocol Families - from RS-232 to Profibus
• about realtime processing
• Exercise: Exploring Protocols
• Level 0 and 1 Protection strategies
• Exercise: Binary protocol analysis

Ethernet and TCP/IP
• Ethernet Concepts
• TCP/IP Concepts
• Ethernet vs Industrial Ethernet
• Understanding the TCP/IP Protocol
• Exercise: Network Capture Analysis
• ICS Protocols over TCP/IP
• Wireshark, Snort and friends on ICS Protocols
• Attacks on Networks
• Using nmap for discovering modbus

Day 3: Workstations and Servers in an ICS Environment

OS: Microsoft Windows
• From XP to Windows 10
• Windows Services
• Active Directory and the ICS world
• Kerberos - does it help?
• Windows Security Policies and GPOs
• Windows legacy systems - best practice

OS: Unix and Linux
• Windows / Unix / Linux - where is the difference, pros and cons
• Linux distributions
• Open source in a production environment
• Single Sign on ideas and LDAP
• System Hardening / AppArmor / SELinux and other concepts

Embedded Systems
• Introduction

Patching ICS Systems
• Patch or not-to-patch…
• Patching of legacy systems…
• Tools and Strategies
• Information: Vendors, CERTs, and Security Bulletins

Endpoint Security
• Antivirus, pros and cons
• Whitelisting (and grey and black)
• Sandboxing and Containers
• Limits of Container
• Testbeds and Honeypots
• Example: Configuring White Listing

Event Logging and Analysis
• Windows Event Logs and Audit Policies
• Linux and Syslog
• Syslog Server for Windows and Linux
• SIEM
• SIEM and the network - not the best friends
• Modern Examples (Metronom, Zeek, Elasticsearch)

Remote Access Attacks
• Not limited to layer 2 and 3
• Hardware based attacks
• Software based attacks

Day 4: SCADA Systems

Horizontal and Vertical attack path
• attacking ICS Systems - a methodology
• the risk of upstream/downstream attacks
• protecting the different layers

Enforcement Zone Devices
• Micro segmentation
• about software defined perimeters
• TCP/IP Layer 3 vs Layer 2 protection
• ACLs and smart networks
• Firewalls, Industrial Firewalls and NextGen Firewalls
• Data Diodes and Unidirectional Gateways

Level 2 and 3 Attack Scenarios
• Historians and Databases
• Exercise: SQL Injection
• Physical based attacks (USB)
• smart USB attacks are not lame…
• HMI and UI Attacks
• Web-based Attacks
• Password Risks

Understanding Basic Cryptography
• Symmetric and Asymmetric Encryption
• Hashing and HMACs
• Digital Signatures
• Private and Public Keys
• Encryption at rest vs encryption in transit
• end-to-end encryption
• pros and cons of encryption for ICS

Wireless Technologies
• Satellite and Cellular
• Mesh Networks and Microwave
• Bluetooth and Wi-Fi
• ZigBee and others
• IoT Devices…
• Wireless Attacks and Defences
• Encryption
• Risks of Wireless Networks
• IoT/IIoT attacks
• Sniffing, Jamming, Masquerading, Rogue AP

Exercise: WiFi Attack Scenario

Exercise: after an attack - forensics and lessons learned

Day 5: ICS Security Governance

Building an ICS CyberSecurity Program
• Starting the Process
• About ISMS - general approach
• Frameworks: ISA/IEC 62443, ISO/IEC 27001, NIST CSF

IEC 62443 - Overview
• Concepts and Threat/Risk Assessment
• Development Assurance
• Integration Assurance
• Operational Assurance
• Technical Standards
• Organizational Standards
• Creating ICS Cyber Security Policy

Policies, Standards, Guidelines, and Procedures
• Governance in ICS
• Security Organisation - Examples and Models
• Examples of an ICS Policy Framework

Measuring Cyber Security Risk
• ICS Risk Assessment Frameworks - from
• Assessment Strategy - some thoughts
• From State to Gap Analysis
• Threat Profiling
• Risk Analysis

Incident Response
• ICS Cert Structure and best practice
• ICS Cert Integration Model with ICS Cert
• ICS Cert (US) best practice

Exercise: Incident Response Tabletop Exercise

Final Thoughts and Next Steps

Lessons Learned
• next things to do
• about certification

Prerequisites

To fully succeed in this course, attendees should:

* Have a general knowledge of computer and operating system fundamentals

* Have a general knowledge of Industrial Control Systems

* Have a general knowledge of Network Technologies

Skills Gained

Upon completion of this course, students will be able to:

* Understand risks and weak points of modern ICS Systems

* Implement organizational security measures on ICS/SCADA Networks

* Implement technical security measures on ICS/SCADA Networks

* Know the basic standards on ICS Systems

* Help to implement a SCADA / ICS Security Policy.

Contact us at: [email protected]

(C) 2020 all rights reserved

GNSEC Singapore Pte Ltd
10 Anson Road #27-08; International Plaza Singapore 079903

www.gnsec.com
