Industrial Control Systems Security Specialist (ICSSS)

By the end of this training, you will have learnt to consolidate, develop, and apply your operational, business and ICS/OT security specific knowledge to secure and mitigate risks to automation and control system technologies at an advanced level.

Senior practitioner-level ICS/OT cyber security professionals who wish to understand how to manage all aspects of industrial control systems security effectively. Example roles might include:

• ICS/OT SOC analysts
• ICS/OT cyber security risk or compliance officers
• ICS/OT incident response practitioners
• ICS/OT cyber security architects
• Senior IT/Cyber security practitioners with responsibilities with industrial control systems or operational technology

• Implement test procedures, principles, and methodologies relevant to developing and integrating cyber security capability.
• Determine network traffic analysis tools, methodologies, and processes.
• Understand remote access technology processes, tools and capabilities and their implications for cyber security.
• Design identification and reporting processes.
• Consider statutes, laws, regulations, and policies governing the collection of information using cyber security techniques.
• Explain concepts, terminology, and operations of communications media.
• Discuss network technologies in IT and ICS/OT environments.
• Provide best practice cyber security risk management methodologies for the IT and ICS/ OT domains.
• Develop system protection planning measures for IT and ICS/OT environments.
• Review an organisation’s architectural concepts and patterns in IT and ICS/OT environments.
• Evaluate supervisory control and data acquisition system components.
• Design ICS network architectures and communication protocols.
• Analyse the ICS threat landscape.
• Identify, capture, contain and report malware.
• Secure network communications.
• Recognise and interpret malicious network activity in traffic.
• Analyse tools, techniques and procedures used by adversaries remotely to exploit and establish persistence on a target.
• Access databases where required documentation is maintained.
• Design multi-level and cross domain security solutions applicable to IT and ICS/ OT environments.
• Translate operational requirements into protection needs in an IT and ICS/OT environments.
• Protect an ICS/OT environment against cyber threats.

Ideally, either GICSP training and/or qualification or GRID training and/or qualification, with five or more years practical experience in an ICS security practitioner role.

Knowledge of:

• Any national cyber security regulations and requirements relevant to their organisation.
• Human-computer interaction and the principles of usable design, as they relate to cyber security.
• An organisation’s policies and standard operating procedures relating to cyber security.
• Security event correlation tools.
• Multi-level security systems and cross domain solutions applicable to IT and ICS/OT environments.
• Integrating the organisation’s goals and objectives into the system architecture in IT and ICS/OT environments.
• Demilitarized zones in IT and ICS/OT environments.
• ICS operating environments and functions.
• ICS devices and industrial programming languages.
• Threats and vulnerabilities in ICS systems and environments.
• Intrusion detection methodologies and techniques for detecting ICS intrusions.
• ICS security methodologies and technologies.

Skills in:

• Applying host and network access controls.
• Protecting a network against malware.
• Performing cyber security related impact and risk assessments.
• Utilizing feedback to improve cyber security processes, products, and services.
• Applying cyber security and privacy principles to organisational requirements.
• Conducting cyber security reviews of systems.
• Conducting information searches.
• Identifying a network’s characteristics when viewed through the eyes of an attacker.
• Assessing the cyber security controls of ICS/OT environments.

This training can be tailored to an industry or for a defined audience, with various durations. Example topics typically include:

Module 1 – Understanding the Flow

• Course introduction and Lab setup
• Level 0 and 1 – Devices and communications
• Understand the attack surface of a level 1 device (including process weaknesses)
• Passive and Active discovery
• Exercise – NMAP discovery
• System architecture and data flow
• HMIs and EWS
• HMI to PLC relationships
• PLC to HMI communications (including operational functions)

Module 2 – SCADA and Protocols

• SCADA components and communications paths
• Understanding peer to peer
• Peer to peer communications
• OPC and other protocols
• OPC and Beyond

Module 3 – Design and Devices

• Network architecture and design
• Levels 2 and 3 communications (including trusted communication flows)
• Perimeter prevention and detection
• Data diode or firewall?
• Databases
• Databases exploration
• Using VPNs

Module 4 – Monitoring what you have

• System Monitoring
• Logging and alerting
• Asset Management and Validation using tools
• Managing and validating assets

Module 5 – Bringing it all together

• ICS Attack and Defend including troubleshooting
• Understand and exercise on local processes and environment
• Vendor security models and industrial DMZs
• Pivoting and positioning in an ICS target environment
• Operational traffic reverse engineering
• Protocol-level manipulation
• Firmware manipulation
• Industrial wireless discovery and attack
• Time synchronization manipulation
• Data table and scaling modifications

Exam Preparation