This course aims to raise awareness of Industrial Control System (ICS) cyber security risks, to provide knowledge of attacks and defensive measures, and to give participants hands-on experience of cyber security within the ICS domain. Participants can take this awareness, knowledge and hands-on experience back to their own organization and use it to improve its security level.

The following sections provide a brief description of each classroom session.

1. Introduction

  • Introduction of the participants and the training;
  • Overview of security risks to industrial control systems based on real world examples;
  • Overview of strategies to prevent and detect cyber-attacks.

2. Network scanning (hands-on)

  • Detecting computers and services on a network with the Zenmap scanner (the graphical front end to Nmap);
  • Challenges in scanning industrial networks, where active probing can disturb fragile legacy devices;
  • Analyzing network traffic with Wireshark to find computers in a network and understanding the communication between them.
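As an added example that is not part of the course material: because active scans can upset fragile industrial devices, a capture analysed afterwards is often the safer way to find hosts and understand who talks to whom. The script below builds a host inventory and conversation map from lines in the tab-separated form produced by `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e _ws.col.Protocol`; the sample lines, the addresses and the list of approved clients are constructed for the example.

```python
"""Passive network inventory from a Wireshark/tshark field export.

Added example (not part of the ENCS course material). Reads lines in the
tab-separated form produced by
    tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport -e _ws.col.Protocol
and builds a host inventory and a conversation map without sending a
single packet to the industrial network.
"""
from collections import defaultdict

# Constructed sample export: hosts, ports and protocols are invented.
SAMPLE_EXPORT = """\
192.168.10.5\t192.168.10.20\t502\tModbus/TCP
192.168.10.20\t192.168.10.5\t49152\tModbus/TCP
192.168.10.5\t192.168.10.21\t502\tModbus/TCP
192.168.10.7\t192.168.10.20\t502\tModbus/TCP
192.168.10.9\t192.168.10.5\t3389\tTCP
192.168.10.5\t192.168.10.30\t20000\tDNP3
"""

# Well-known ICS service ports, used to label what a host is probably doing.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 102: "S7comm/ISO-TSAP", 44818: "EtherNet/IP"}


def parse_export(text):
    """Yield (src, dst, dstport, protocol) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # non-TCP packets have an empty port column
        src, dst, port, proto = parts
        yield src, dst, int(port), proto


def build_inventory(text):
    """Return {host: {"roles": set, "talks_to": set}} derived from traffic."""
    inv = defaultdict(lambda: {"roles": set(), "talks_to": set()})
    for src, dst, port, proto in parse_export(text):
        inv[src]["talks_to"].add(dst)
        inv[dst]["talks_to"].add(src)
        if port in ICS_PORTS:
            # Whoever receives on an ICS port is a server (PLC/RTU side);
            # whoever sends to it is a client (HMI/SCADA/engineering side).
            inv[dst]["roles"].add(f"{ICS_PORTS[port]} server")
            inv[src]["roles"].add(f"{ICS_PORTS[port]} client")
    return dict(inv)


def unexpected_clients(inventory, known_clients):
    """Hosts acting as ICS clients that are not on the approved list."""
    return sorted(
        host for host, info in inventory.items()
        if any(r.endswith("client") for r in info["roles"]) and host not in known_clients
    )


if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_EXPORT)
    for host in sorted(inventory):
        print(host, sorted(inventory[host]["roles"]), "->", sorted(inventory[host]["talks_to"]))
    # In this constructed network only the SCADA server (.5) should poll the PLCs.
    print("unexpected ICS clients:", unexpected_clients(inventory, {"192.168.10.5"}))
```

The interesting output is not the host list itself but the last line: a host polling PLCs that nobody put on the approved list is exactly what a passive inventory is meant to surface.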

3. Trends in Attacks

  • The motivation of different threat actors, from script kiddies to nation states;
  • How to design systems that are unattractive targets for attackers;
  • Analysis of recent advanced cyber-attacks.

4. Hacking demonstration and intro

  • Step-by-step demonstration of how hackers can attack industrial control systems;
  • Steps hackers take in attacking systems;
  • Tools and methods used by hackers.

5. Web attacks and password cracking (hands-on)

  • Phishing attacks;
  • Attacks against websites such as cross-site scripting (XSS) and SQL injection;
  • Cracking passwords using John the Ripper.
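An added example, not code from the course, for the second and third bullets: a login check built by string formatting next to the same check with bound parameters, and a dictionary attack on the stored hashes of the kind John the Ripper automates. The accounts, passwords and wordlist are constructed, and the unsalted SHA-256 storage is deliberately weak to make the point.

```python
"""SQL injection and offline password cracking, side by side.

Added example, not part of the course material. The user table, the
passwords and the wordlist are constructed; the password hashing scheme
(unsalted SHA-256) is deliberately the kind of weak scheme a cracker such
as John the Ripper tears through, and is not a recommendation.
"""
import hashlib
import sqlite3


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """In-memory SQLite database with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw_sha256 TEXT)")
    for name, pw in [("operator", "Winter2019!"), ("engineer", "correct horse")]:
        db.execute("INSERT INTO users VALUES (?, ?)", (name, sha256_hex(pw)))
    return db


def login_vulnerable(db, name, password):
    """Query built by string formatting: the username is executed as SQL."""
    query = (f"SELECT name FROM users WHERE name = '{name}' "
             f"AND pw_sha256 = '{sha256_hex(password)}'")
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(db, name, password):
    """Same check with bound parameters: input is data, never SQL."""
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND pw_sha256 = ?",
        (name, sha256_hex(password)),
    ).fetchone()
    return row[0] if row else None


def crack(db, wordlist):
    """Dictionary attack on the stored hashes, the way a cracker does it:
    hash each candidate once and compare it against every stored digest."""
    stored = {digest: name for name, digest in db.execute("SELECT name, pw_sha256 FROM users")}
    found = {}
    for candidate in wordlist:
        digest = sha256_hex(candidate)
        if digest in stored:
            found[stored[digest]] = candidate
    return found


# Constructed mini wordlist; real attacks use millions of entries plus mangling rules.
WORDLIST = ["password", "Winter2019!", "admin", "correct horse", "letmein"]

if __name__ == "__main__":
    db = make_db()
    payload = "operator' --"  # closes the string and comments out the password check
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))
    print("fixed:     ", login_fixed(db, payload, "wrong"))
    print("cracked:   ", crack(db, WORDLIST))
```

The payload turns the vulnerable query into `... WHERE name = 'operator' --' AND pw_sha256 = '...'`, so the password comparison is never evaluated; the parameterized version treats the same string as a username that does not exist. The cracking loop shows why a fast unsalted hash is no protection once the table leaks: a salted, slow password hash makes every candidate cost far more and removes the one-hash-per-candidate shortcut.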

6. Secure Architectures

  • Concepts of secure architectures, such as segmentation, in networks and devices;
  • Examples of good architectures for smart metering, electric vehicles, and substation automation;
  • Using security requirements to procure secure components.
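To make the segmentation concept concrete, here is an added example (not course material) that audits a firewall rule set against a zone and conduit model: each address range belongs to a zone, only listed zone pairs may talk directly, and any allow rule that crosses an unlisted pair or uses a wildcard address is reported. The zone ranges, the conduit policy and the rules are constructed for the example.

```python
"""Segmentation audit: check firewall rules against a zone/conduit model.

Added example, not from the course. The zone ranges, the permitted
conduits and the rules are constructed; the zone names follow the
common plant layering (enterprise, DMZ, control).
"""
import ipaddress

# Constructed zone model: which address ranges belong to which zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.1.0.0/24"),
    "control": ipaddress.ip_network("192.168.10.0/24"),
}

# Constructed conduit policy: the only zone pairs allowed to talk directly.
# Enterprise hosts reach plant data through the DMZ and never touch the
# control zone themselves.
ALLOWED_CONDUITS = {
    ("enterprise", "dmz"),
    ("dmz", "control"),
    ("control", "dmz"),
}

# Constructed rule set, evaluated top-down, first match wins.
RULES = [
    {"id": 1, "action": "allow", "src": "10.0.5.0/24", "dst": "10.1.0.10/32", "dport": 443},
    {"id": 2, "action": "allow", "src": "10.1.0.10/32", "dst": "192.168.10.20/32", "dport": 502},
    {"id": 3, "action": "allow", "src": "10.0.0.0/16", "dst": "192.168.10.0/24", "dport": 502},
    {"id": 4, "action": "allow", "src": "0.0.0.0/0", "dst": "192.168.10.0/24", "dport": 22},
    {"id": 5, "action": "deny", "src": "10.0.0.0/16", "dst": "192.168.10.0/24", "dport": None},
]


def zone_of(cidr):
    """Return the zone containing cidr, 'any' for 0.0.0.0/0, or None if unknown."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen == 0:
        return "any"
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return None


def audit(rules):
    """Return (rule id, reason) for every allow rule that breaks the zone policy."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue  # denies cannot violate the conduit policy
        src, dst = zone_of(rule["src"]), zone_of(rule["dst"])
        if src == "any" or dst == "any":
            findings.append((rule["id"], f"wildcard address ({src}->{dst})"))
        elif src is None or dst is None:
            findings.append((rule["id"], "address outside the zone model"))
        elif (src, dst) not in ALLOWED_CONDUITS:
            findings.append((rule["id"], f"conduit {src}->{dst} not permitted"))
    return findings


if __name__ == "__main__":
    for rule_id, reason in audit(RULES):
        print(f"rule {rule_id}: {reason}")
```

Rule 3 is the classic mistake: a whole enterprise range allowed straight to the PLC port, which also makes the deny in rule 5 irrelevant for that traffic because the allow matches first. Rule 4 is worse, since an SSH path into the control zone from anywhere bypasses the zoning entirely.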

7. More on ICS

  • Different types of industrial control systems (e.g. distributed control systems and SCADA systems);
  • Components in industrial control systems (such as RTUs and PLCs) and their functions;
  • Vulnerabilities commonly found in industrial control systems;
  • Industrial protocols and their security.
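As an added example for the last bullet (not course code): a decoder for Modbus/TCP requests, assembled from the public framing of the protocol. The three frames are constructed by hand. What the decoder makes visible is that the MBAP header and PDU carry a transaction id, a unit id and a function code, and nothing that identifies or authenticates the sender, so whether a write is allowed has to be decided outside the protocol; the `authorize` function is a constructed illustration of doing that with an allow-list of source addresses.

```python
"""Decode Modbus/TCP requests and show what the protocol does not protect.

Added example, not course code. The frames below are constructed by hand
from the public Modbus/TCP framing: a 7-byte MBAP header (transaction id,
protocol id = 0, remaining length, unit id) followed by the PDU
(function code + data).
"""
import struct

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

# Constructed request frames (hex), as a client would send them to TCP/502.
FRAMES = {
    "read_10_regs": bytes.fromhex("0001 0000 0006 01 03 0000 000A"),
    "write_reg_16": bytes.fromhex("0002 0000 0006 01 06 0010 1234"),
    "force_coil_5": bytes.fromhex("0003 0000 0006 01 05 0005 FF00"),
}


def decode_request(frame):
    """Parse one Modbus/TCP request; raises ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc, pdu = frame[7], frame[8:]
    req = {
        "transaction": tid,
        "unit": unit,
        "function": fc,
        "name": READ_FUNCTIONS.get(fc) or WRITE_FUNCTIONS.get(fc) or f"function {fc}",
        "is_write": fc in WRITE_FUNCTIONS,
    }
    if fc in (1, 2, 3, 4, 5, 6):
        if len(pdu) < 4:
            raise ValueError("truncated PDU")
        addr, val = struct.unpack(">HH", pdu[:4])
        req["address"] = addr
        req["quantity" if fc <= 4 else "value"] = val
    elif fc in (15, 16):
        if len(pdu) < 5:
            raise ValueError("truncated PDU")
        addr, qty, nbytes = struct.unpack(">HHB", pdu[:5])
        req.update(address=addr, quantity=qty, data=pdu[5:5 + nbytes])
    return req


def authorize(frame, src_ip, write_allowed_from):
    """Network-layer authorization the protocol itself cannot provide.

    Returns (decoded_request, allowed). Reads are accepted from any host
    here; writes only from the allow-listed source addresses. The rule
    is a constructed policy for the example, not a Modbus feature.
    """
    req = decode_request(frame)
    allowed = (not req["is_write"]) or src_ip in write_allowed_from
    return req, allowed


if __name__ == "__main__":
    for label, frame in FRAMES.items():
        req, ok = authorize(frame, "10.0.7.33", {"192.168.10.5"})
        print(label, req, "allowed" if ok else "BLOCKED")
```

Note that the decoder accepts any unit id and any register address without complaint: the protocol gives a device no way to tell a legitimate engineering workstation from any other host that can open a TCP connection to port 502, which is why segmentation and allow-listing in front of the device carry the whole burden.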

8. Hacking hands-on 2: Metasploit and post-exploitation

  • Exploiting vulnerabilities with Metasploit and Armitage;
  • Steps attackers take once they have access to a system, such as creating a persistent backdoor, escalating privileges, and extracting sensitive information.

9. Incident response

  • Steps in responding to a possible cyber incident;
  • Analyzing what really happened during an incident;
  • Containing attacks and recovering from them.

10. Intrusion detection (hands-on)

  • Dealing with large numbers of alerts from intrusion detection systems;
  • Distinguishing between real attacks and false alarms;
  • Finding the source of an attack.
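An added example, not part of the course, that does the triage the three bullets describe on a handful of alerts: identical alerts are grouped by source and signature so that hundreds of lines collapse into a few items, asset knowledge (the approved scanner and its maintenance window, the engineering hosts allowed to write to PLCs) separates expected noise from real attacks, and a write from a host that scanned the network just before is escalated. The alert lines loosely follow a one-alert-per-line fast.log style but are constructed, as are the addresses and the asset facts.

```python
"""Triage of IDS alerts using asset knowledge.

Added example, not part of the course. The alert lines and the asset
facts are constructed; the line layout loosely follows a fast.log-style
one-line-per-alert format, not any specific IDS's exact grammar.
"""
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample alerts (signature ids are in the local-rules range).
SAMPLE_ALERTS = """\
03/12/2019-02:10:03.000001  [**] [1:1000001:1] LOCAL SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.0.50:40122 -> 192.168.10.20:22
03/12/2019-02:10:04.000002  [**] [1:1000001:1] LOCAL SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.1.0.50:40123 -> 192.168.10.21:22
03/12/2019-09:15:40.000003  [**] [1:1000002:1] LOCAL ICS Modbus write request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.10.5:49200 -> 192.168.10.20:502
03/12/2019-14:02:11.000004  [**] [1:1000001:1] LOCAL SCAN TCP port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.7.33:51000 -> 192.168.10.20:502
03/12/2019-14:03:58.000005  [**] [1:1000002:1] LOCAL ICS Modbus write request [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.7.33:51010 -> 192.168.10.20:502
"""

# Constructed asset knowledge for the example network.
SCHEDULED_SCANNER = ("10.1.0.50", range(2, 3))  # approved scanner, allowed 02:00-02:59
ENGINEERING_HOSTS = {"192.168.10.5"}             # the only hosts allowed to write to PLCs
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def parse_alerts(text):
    """Parse alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alert = m.groupdict()
            alert["hour"] = int(alert["ts"].split("-")[1][:2])
            alerts.append(alert)
    return alerts


def triage(text):
    """Group alerts by (source, signature) and assign a severity and reason."""
    alerts = parse_alerts(text)
    scanned_from = {a["src"] for a in alerts if "SCAN" in a["msg"]}
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["src"], a["sid"])].append(a)

    verdicts = []
    for (src, sid), items in groups.items():
        msg = items[0]["msg"]
        if "SCAN" in msg:
            scanner, hours = SCHEDULED_SCANNER
            if src == scanner and all(a["hour"] in hours for a in items):
                sev, why = "info", "scheduled vulnerability scan inside its window"
            else:
                sev, why = "medium", "scan from a host that is not the approved scanner"
        elif "Modbus write" in msg:
            if src in ENGINEERING_HOSTS:
                sev, why = "low", "write from an engineering host; confirm against the change record"
            else:
                sev, why = "critical", "write from a host not authorized to write to PLCs"
                if src in scanned_from:
                    why += ", preceded by a scan from the same source"
        else:
            sev, why = "high", "no triage rule; needs manual review"
        verdicts.append({
            "src": src, "sid": sid, "msg": msg, "count": len(items),
            "targets": sorted({a["dst"] for a in items}),
            "severity": sev, "reason": why,
        })
    verdicts.sort(key=lambda v: (SEVERITY_RANK[v["severity"]], -v["count"]))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_ALERTS):
        print(f"{v['severity']:8} x{v['count']} {v['src']} -> {v['targets']}: {v['msg']} ({v['reason']})")
```

The same signature fires for the approved scanner and for the unknown host; only the asset knowledge tells them apart. Keeping that knowledge (who may scan, when, who may write to which PLCs) current is what makes the alert stream manageable, and the "preceded by a scan" correlation is the first step toward finding where an attack came from.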

11. Strategy session

  • Explanation of the rules of the Red Team – Blue Team exercise;
  • Participants are split into teams and learn their objectives;
  • Each team starts discussing its strategy for the exercise day;
  • Teams are shown the facilities they will use during the exercise;
  • Both teams get instruction on using their systems;
  • Further discussion of the exercise strategies, including tasks for different members.

12. Red team - Blue team exercise

The Blue Team runs a simulated company. They have the following tasks:

  • Improve the security of the IT and industrial networks:
    • Make the network architecture more secure by improving firewall rules;
    • Harden systems by closing unnecessary services;
  • Detect attacks on the networks:
    • Provide clear evidence that incidents are caused by malicious attackers;
    • Find the source of the attack and remove it;
  • Keep the normal operations of the company running through the day.

The Red Team plays a group of hackers. Their tasks are:

  • Enter the Blue Team’s networks and establish permanent access;
  • Extract confidential information from the systems;
  • Gain access to the critical industrial control systems and disrupt them.

Both teams earn points based on how well they perform their tasks. At the end of the day the team with the most points wins. During the exercise, participants can practice the skills they learned during the first two days. They can choose different roles based on what they want to learn.

13. Exercise debriefing and Lessons Learned

  • The leader of each team presents a timeline of what they did during the exercise;
  • Participants in different roles are asked to share their experiences;
  • ENCS exercise moderators point out what each team did well and what they could have done better;
  • The participants formulate lessons learned from the training and how to apply them to their own work.