Build, Break, Secure Industrial Control Systems (ICS)

Discover the world of Industrial Control Systems with an attack mindset! In this 3-day training, we will follow a hands-on approach, growing from a very simple local process to a realistic ICS environment with 3 words in mind:

• Build: how does it work?
• Break: what are the weaknesses and how to exploit it?
• Secure: what can we do to fix it?

You will perform a lot of lab sessions, including: programming a PLC in ladder logic, analyzing network captures of ICS protocols, perform Modbus/S7/OPC-UA requests, using Metasploit to compromise a Windows host and gather sensitive information from an Active Directory, and much more!

The last day is dedicated to the Capture-the-Flag, in which you will apply the newly acquired techniques to compromise a corporate network, pivot to the ICS network and take control of the process to capture a flag with a robotic arm.

Moreover, the training doesn’t stop on the third day! With the WhiskICS virtual training kit, you’ll be able to redo all the exercises after the training and continue experimenting with ICS security on your own.

The outline of the 3-day training is the following:

DAY 1

• Introduction to Industrial Control Systems

  • A brief history of ICS
  • Vocabulary
  • The CIM model
  • Classic architectures
  • ICS components (PLCs, HMI, SCADA, DCS, sensors, RTUs, Historian, etc) and their roles
  • OT vs IT
  • Common ICS vulnerabilities

• Automation basics & programming PLC

  • Introduction to automation (PID loop…)
  • Basic steps of programming a PLC
  • LAB: programming several examples using soMachineBasic from Schneider and deploying it to the PLC simulator

• ICS protocols

  • General presentation of ICS protocols (fieldbus, supervision, data exchange)
  • LAB: exercises on analysis of network packet capture (modbus/tcp, S7, OPC-UA)
  • LAB: Exchange data with the PLC simulator using modbus clients, S7 as well as OPC-UA client

• Hacking the process

  • Short discussion on the difficulties of hacking a real process and presentation of research work on the topic (“easy button for cyber-physical ICS attacks” by Reid Wightman, “Rocking the pocket book: hacking chem plants” by Marina Krotofil and Jason Larsen)
  • Introduction to MITRE ATT&CK and focus on the last steps of the attack (Inhibit Response Function, Impair Process Control, and the possible outcomes)

• Focus on PLC security

  • Presentation of PLCs internal architecture
  • Discussion about OS and middleware (codesys)
  • Presentation of vulnerabilities on standard interfaces (web, ftp, snmp…)
  • LAB: Identify & exploit exposed interfaces on the PLC simulator
  • Presentation of Modbus 90 function used by Schneider PLCs
  • LAB: Use of specific exploits against Schneider simulators

DAY 2

• Process supervision: SCADA and DCS

  • General presentation on supervision systems (SCADA & DCS)
  • LAB: Programming a SCADA software (Schneider IGSS) to interact with the PLC simulator

• Linking to corporate environments: Windows & Active Directory security

  • Presentation of Windows & AD
  • LAB: using nmap/Nessus in ICS environment
  • LAB: Exploiting a Windows vulnerability with Metasploit
  • LAB: Gathering credentials and pivoting to other systems
  • LAB: Gathering information from Active Directory (users, computers…)

• An introduction to safety

  • Presentation of layers of safety, including SIS, physical safety…
  • Presentation of safety analysis methods and link to cybersecurity (SPR: Security PHA review)
  • LAB: Performing a SPR on a simplified HAZOP analysis of the distillation process

• Industry 4.0 & IIoT

  • Industry 4.0 genesis & use cases
  • Industry 4.0 & IIot communications protocols (LoRa, Sigfox, MQTT…)
  • LAB: Analysis of a MQTT network capture
  • LAB: Using a MQTT client to connect to a broker

• ICS cybersecurity general approach

  • Overview on ICS cybersecurity standards
  • Large focus on IEC62443 (cybersecurity lifecycle, zones & conduits, security levels..)
  • Main topics to consider (governance, hardening...) and open discussions on the difficulties and how to overcome it

DAY 3

• All day Capture the Flag

The whole last day is dedicated to applying the pentesting skills to a custom-designed ICS setup, composed of a corporate Active Directory with several servers and workstations, an ICS network composed of servers, HMIs and PLCs from several vendors. This setup controls a model train and some robot arms that need to be used to capture a flag on the train!