Industrial Control Systems (ICS) security is a very niche discipline within cybersecurity. Not surprisingly, that means there aren't many ways to learn about the subject when you come from a traditional IT background. Luckily for the rest of us, the Cybersecurity and Infrastructure Security Agency (CISA) has put together an excellent trove of ICS security training and resources. I recently completed the ICS Cybersecurity 301V course offered by CISA and wanted to write a brief summary of the course.
Why Learn ICS Security?
You may have been one of the dozens of people who saw 2015's Blackhat, which features a scene where a hacker uploads some malware that subsequently causes an explosion at a nuclear facility. For everyone else, here's the scene:
OT is all around us and makes a lot of modern life possible: power stations, manufacturing facilities, and wastewater treatment plants, just to name a few examples. Makes sense that we'd want to keep those secure, right?
The ICS security field has typically been overlooked, mainly because these systems were air-gapped or had limited external connectivity, and therefore a smaller attack surface. The increasing convergence of operational technology (OT) and IT networks has negated this strategy, however. Insecure implementations by both operators and vendors are making ICS a bigger target for attackers. According to Fortinet's annual report on the state of OT and cybersecurity, the number of organizations that experienced at least 1 OT intrusion is up 19% from 2019.
While the number of opportunities for obtaining a dedicated ICS security position is pretty slim compared to traditional IT security positions, there is a growing need for experts who understand how to apply modern cybersecurity concepts to OT. This is especially true as we start to see successful attacks with actual human impact.
CISA has put together a great introductory course to ICS cybersecurity in the ICS 301V course. This course used to be a 5-day event that took place in Idaho Falls, Idaho; however, it was redesigned and split into two components: a completely online virtual training (301V) and a hands-on training lab (301L). A full description of the ICS 301V course can be found here: https://us-cert.cisa.gov/ics/Training-Available-Through-ICS-CERT#virtual
CISA estimates that it takes about 11-12 hours to complete the entire 301V course, and I would agree with that number. You are given about 2 full weeks to complete the course (my window started on a Monday and ended the following week's Friday), which should be enough time, but it's always good to plan ahead.
301V is delivered through CISA's Virtual Learning Portal. Each session of the course is broken down into several pre-recorded videos. The videos were well produced, and the instructors did a good job of presenting the material. My only complaint with the portal is that all other content in the catalog is locked until your 301V timeframe ends.
At the end of each session, you are required to pass a short quiz as a recap of what was taught. You cannot skip forward to a new session, but you can go back and review the videos you already watched in case you missed something.
At the end of the course, you must take an exam and pass with a score of 80% or higher in order to obtain the certificate of completion and Continuing Education Units.
The course covers the following topics:
- Session 1: Overview of Industrial Control Systems including an attack demonstration
- Session 2: Network Discovery and Mapping
- Session 3: Network Defense, Detection, and Analysis
- Session 4: The Exploitation Process
- Session 5: Network Attacks and Exploits
Coming from a traditional IT background, I felt that the first session was the most useful. This session went over common OT terms, typical ICS devices, and some of the commonly used protocols. The following sessions discuss core cybersecurity topics like vulnerability management, risk, and detection methods. These were less useful for me, though they do cover everything within the context of OT.
The later sessions start to look at OT from an attacker/red team perspective, and they do show off a few example exploits that can be found in Metasploit, which was pretty cool. If you register for the 301L lab, you'll actually be able to put this knowledge to the test in a simulated environment.
Overall I thought the 301V course was a good introduction to cybersecurity concepts within the context of OT. Those already familiar with general security concepts and penetration testing methodology may not find much new information in the later sessions, however.
If you're interested in taking this course, you'll need to watch for the registration link in the training calendar found here: https://us-cert.cisa.gov/ics/Calendar
If you're interested in learning more about securing ICS/OT, I highly recommend checking out the training available from CISA. Best part: it's all free!