A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity
*Last Updated Jan 2023*
I commonly get asked by folks what approach they should take to get started in industrial control system (ICS) or Operational Technology (OT) cybersecurity. Sometimes these individuals have backgrounds in control systems, sometimes they have backgrounds in security, and sometimes they are completely new to both. I have written this blog to document my thoughts on some good resources out there to pass along to people who are interested. Do not attempt to do everything at once, but it’s a good collection to refer back to when you want to polish up skills or learn a new industry. There are also many skills that may not immediately be relevant to your job, but I believe these topics all work together (ranging from analysis of threats to understanding the physical process of a gas turbine). Rest assured, no matter how ill-prepared you might feel getting started, realize that by having the passion to ask the question and start down the path you are already steps ahead of most. We need passionate people in the industry; everything else can be taught.
General Thoughts:
IT and OT/ICS cybersecurity can be very different. There are definitely transferable skills between the two fields, though. Oftentimes folks look at ICS cybersecurity and think it’s different because there are legacy systems, different network protocols, and purpose-built systems like programmable logic controllers (PLCs). While those are all true, in reality the biggest difference is the mission function of the systems. There are unique purposes for the systems, unique impacts of failure, unique risks, and unique threats – so applying the same cybersecurity practices meant for a different environment, with different impacts, against different risks and threats is counterintuitive. A broad generalization that helps explain this is that in IT cybersecurity there is a large focus on the system and the data. We put a lot of protection and focus on the system (patching, EDR, passwords, application whitelisting, etc.) because if an adversary gets on a system, escalates privileges, etc., it’s a bad day. We also put a lot of focus in IT cybersecurity on data (encryption in transit, encryption at rest, data loss prevention, etc.), especially given the need to protect data, people’s personal information, credit cards and financial transactions, etc. But in ICS cybersecurity it’s more about systems of systems and physics. Sure, we care about some data and some systems. But in reality it’s more about an adversary’s ability to take System 1 and manipulate System 2 to cause a physical manifestation in System 3. As an example, an adversary that knows how to gain access to an Engineering Workstation and reprogram the logic on a PLC to cause an over-pressurization event in a pipeline is going to be very dangerous whether they use vulnerabilities, exploits, and malware to do it or just native functionality and expertise.
And physics is what determines what is technically possible or not possible on those systems in the first place, with a large focus on ensuring the safety and reliability of people, the environment, and the operations.
I would advise any new person starting in the field to spend time really focusing on the “mission” first, i.e., what is it that the plant or site is trying to accomplish? What are they in business or production for? Then apply the cybersecurity that makes sense against the risks that actually impact the mission. Coming at the problem with what “right security” looks like before understanding the business and the mission purpose will lead you astray quickly. But if you understand the point of what the operations folks are trying to accomplish, it’ll allow you to be a valuable partner.
Optional Pre-Reqs
It’s always good to pick up a few skills regarding the fundamentals of computers, networks, and systems in general. I would recommend trying to pick up a scripting language as well; even if you don’t find yourself scripting a lot, understanding how scripting works will add a lot of value to your skill set.
- Learn Python the Hard Way
- Learn Python the Hard Way is a great free online resource to teach you, step-by-step, the Python scripting language. There are a lot of different opinions about different scripting languages. In truth, most of them have value in different situations, so I’ll leave it to you to pick your own language (and I won’t tell you that you’re wrong for not learning Python, even though you are). Another good programming resource is Code Academy.
- MIT Introduction to Computer Programming
- MIT’s open courseware is a treasure for the community. It shocks me how many people do not take advantage of free college classes from top universities. This is the Introduction to Computer Science and Programming course. It should be taken at a slow pace, but it’ll give you a lot of fundamental skills.
- MIT Introduction to Electrical Engineering and Computer Science
- Another MIT open course, but this time focused on electrical engineering. This is a skill that will help you understand numerous types of control systems better as well as give you a better grasp of how computers work.
- Microsoft Virtual Academy
- Microsoft Virtual Academy can be found at various locations on YouTube. I have linked to the first one; I would recommend browsing through the topic list for everything from fundamentals of networking, to fundamentals of computers, to how the Internet works.
Intro to Control Systems
Control systems run the world around us. Escalators, elevators, types of medical equipment, steering in our cars, and building automation systems are types of control systems you interact with daily. Industrial control systems (ICS) are industrial versions of control systems found in locations such as oil drilling, gas pipelines, power grids, water utilities, petrochemical facilities, and more. This section will go over some useful resources and videos to learn more about industrial control systems and ultimately “the mission” of some of the sites. If you know how a wastewater treatment facility process works, as an example, you’re then better able to understand the instrumentation and automation around it and the cybersecurity that would be relevant to that site.
Intro to Computer and Network Security
There are a lot of resources in the form of papers below (especially the SANS Reading Room), which are all great. However, you really need to get hands-on, so many of the resources are focused on tools and data sets. Try to read up as much as possible and then dive deeply into hands-on learning.
- The Sliding Scale of Cyber Security
- I wrote this paper specifically to address the nebulous nature of “cyber security.” When people say they specialize in cyber security, what exactly does that mean? I put forth that there are 5 categories of investment that can be made. The prioritization for value towards security should be towards the left-hand side of the scale. It is ok to invest in multiple categories at once, but understand the true return on investment you’re getting versus the cost.
- VMware
- You’ll want to be able to set up virtual machines (VMs) to get hands-on with files and various security tools. VMware is a great choice, as is VirtualBox. VMware has a free version you’ll want to use (Player). Don’t worry about getting Workstation or Player Pro until later when you are more experienced and want to save snapshots (copies of your VM to revert back to). Below you’ll find a sample video on VMs; feel free to Google around for a better understanding.
- How to Set Up a Virtual Machine
- Security Onion
- You’re going to want to get hands-on with the files presented in this guide; Security Onion is an amazing collection of free tools to do just that, with a focus on network security monitoring and traffic analysis.
- SANS’ SIFT
- If you’re super cool you’ll want to get into forensics at some point; the SIFT VM from SANS is a collection of the tools you’ll need to get started.
- REMnux
- Before you try out reverse engineering malware (REM) you’ll want to have a safe working environment to do so. This is not a beginner topic, but at some point you’ll likely want to examine malware, and Lenny’s REMnux VM is the safe place to do that.
- Malware Traffic Analysis
- Brad’s blog on malware traffic analysis is one of the best resources in the community. It combines sample files with his walkthroughs of what they are and how to deal with them. You can learn a lot this way very quickly.
- Open Security Training
- This website is dedicated to open (free) security training. There are a number of qualified professionals who have dedicated time to teach everything from the basics of security to advanced reverse engineering concepts. You could spend quite a while on this website’s courses, and all of them would make you more capable in this field. There are often full virtual machines (VMs), slides, and videos for the courses.
- Sample PCAPs from NETRESEC
- These packet capture samples are invaluable to learning how our systems interact on the network. Take a tool like Wireshark and analyze these files to get familiar with them and the practice (Wireshark will continually be your friend in any field you specialize in).
- DEFCON Capture the Flag Files
- DEFCON has made available their files (and oftentimes walkthroughs) for their capture the flag contests. These range from beginner to advanced concepts in offensive security practices such as red teaming. Learning how to break into systems and how they fail is great for defense. It’s not required, but it can be helpful.
- Iron Geek
- This is an invaluable collection of videos from conferences around the community. If you’re looking for a specific topic, it’s a good idea to search these conference videos. Feel like you missed out on the last decade of security? Don’t worry, most of it is captured here.
- SANS Reading Room
- The SANS Institute is the largest and most trusted source of cyber security training. Their Reading Room is a free collection of papers written by students and instructors covering almost every topic in security.
- Honeynet Project
- Consider this a capstone exercise. Read up on honeypots and learn to deploy a honeypot such as Conpot. The idea is that to run a honeypot correctly you’ll have to learn about safeguarding your own infrastructure, setting up proxies and secure tunnels, managing cloud-based infrastructure such as an EC2 server, performing traffic analysis on activity in the honeypot, malware analysis on discovered capabilities, and eventually incident response and digital forensics on the data collected to explore the impact to the system. Working up to this point and then running a successful honeypot for any decent length of time really helps develop and test out a wide range of skills in the Architecture, Passive Defense, Active Defense, and (potentially in the form of Threat Intel) Intelligence categories of the Sliding Scale of Cyber Security.
Intro to Control System Cyber Security
Cybersecurity is not a new topic, but in ICS it is mostly unexplored. The hardest part for most folks is learning who to listen to and what resources to read. There are a lot of “experts” out there who will quickly lead you astray; look at people’s resumes to see if they had the opportunity to do what they are speaking to you about. Just because they don’t have the experience doesn’t mean they are necessarily wrong, but it’s an easy check. As an example, if someone calls themselves a “SCADA Security Guru” or something like a “thought leader” but they’ve only ever been a Chief Marketing Officer of an IT company, that should be a red flag. It is important to be very critical of information in this space but to continually push forward to try to make the community better. Below are some trusted resources to help you on your journey.
Recommended ICS Cybersecurity Books
Recommended Professional Training
You in no way need certifications or professional training to become great in this field. However, sometimes both can help, whether for job opportunities, getting a raise, or polishing up some skills you’ve developed. I highly encourage you to learn as much as you can before getting into a professional class (the more you know going in, the more you’ll take away), and I encourage you to try to find an employer to pay your way (they aren’t cheap). If your employer doesn’t have a training policy, it’s a good time to try and find a new employer. Here are the professional classes I like for ICS cyber security training (I’m biased because I teach at SANS, but I teach there because I believe in what they provide).
- Department of Homeland Security and Department of Energy Training
- The ICS-CERT and Idaho National Labs provide a variety of online and in-person training. One of the most well-known is the ICS 301 class, which is a 5-day introduction to ICS hosted in Idaho Falls, Idaho. It is a free course and highly recommended.
- SANS ICS 410 – ICS/SCADA Essentials
- This class is designed to be a bridge course: if you are an ICS person who wants to learn security, or a security person who wants to learn ICS, this course offers the bridge between those two career fields and gives you an introduction to ICS cyber security. Over the years this course has become a staple for people entering our community.
- SANS ICS 515 – ICS/SCADA Active Defense and Incident Response
- This is the class I authored at SANS, teaching folks about targeted threats (such as state adversaries or well-funded crime groups) that impact ICS, how to hunt them in your environment, and how to respond to incidents. More than just focusing on the threats, though, this class helps you understand the risks our community faces and how to develop strategies against them, with hands-on, practitioner-focused labs and training.
- SANS ICS 612 – ICS Cybersecurity In Depth
- An absolute gem of a class that teaches a ton across foundational ICS security, architecture, passive defense, and related topics. I say foundational not because it’s entry level but because it should be required for anyone joining the field. It’s a hands-on class with a full control system setup and is most students’ best opportunity to get hands-on with real industrial equipment and processes.
- Assessing and Exploiting Control Systems
- Justin Searle is the author of SANS ICS410, and he also made Assessing and Exploiting Control Systems. This course is an introduction to vulnerability and penetration testing of these systems, with a focus on everything from PLCs to RF. A lot of the focus tends to be on smart grid and electric, but there are elements for everyone. The same class is also hosted at SANS from time to time, but it is significantly cheaper to find it at BlackHat if you can grab a spot. The class moves around, so the link above is for an old class; Google the name and where it’s being hosted to find it.
- Dragos 5 Day Training
- Dragos hosts a five-day training that covers an introduction to ICS, assessing ICS, threat hunting, and security monitoring. Uniquely, it provides access to industrial ranges and is hosted in Houston, Texas; Hanover, Maryland; Dubai, UAE; and Melbourne, Australia. The industrial ranges and physical equipment make for an exciting educational experience. However, the class is only open to those in the asset owner and operator community (e.g. working at an energy, manufacturing, auto, etc. company) such as Dragos customers and partners. Most of the other training in the market tries to avoid vendor tools and practices in order to be vendor-neutral. I love this and engage this way even in my own SANS class. However, the reality is that in your day-to-day work you’re going to be working with vendor tools and will want to learn from their best practices too. This is a unique opportunity to train with those operating on the front lines of the community and understand their specific approaches.
Recommended Conferences
No matter how much time you spend reading or practicing, eventually you need to become part of the community. Contributions in the form of research, writing, and tools are always appreciated. Contributions in the form of conference presentations are especially helpful, as they introduce you to other interested folks. The ICS cybersecurity community is an important one on many levels. It’s one of the best communities out there, with hard-working and passionate people who care about making the world a safer place. Below are what I consider the big 5. These conferences are the ones that cover general ICS cyber security (not a specific industry such as API for oil and gas or GridSecCon for the electric sector), although those are valuable as well.
- SANS ICS Security Summit
- For over fifteen years the SANS ICS Security Summit has been a leading conference for bringing together researchers, industry professionals, and government audiences. The page above links to the various SANS ICS events, but look for the one that says “ICS Security Summit” each year. It is usually held at Disney World in Orlando, Florida. Its strong suit is the educational and training aspects, not only because of the classes but also because of the strong industry focus.
- DigitalBond’s S4
- The S4 conference is a powerhouse of leading ICS security research. Dale puts on a fantastic conference every year (now with a European and a Japanese venue as well) that brings together some of the most cutting-edge research and ideas. S4 in the US is often held in January in Florida.
- The ICS Cyber Security Conference (WeissCon)
- Affectionately known as WeissCon after its founder Joe Weiss, the conference is now owned and operated by SecurityWeek and usually runs in October at different locations each year in the US (Georgia is usually a central location for the conference, though). The conference brings together a portion of the community not often found at the other events and has strong buy-in from the government community as well as the vendor community.
- The ICS Joint Working Group (ICSJWG)
- The ICSJWG is a free conference held twice a year by the Department of Homeland Security. I often encourage people to go to the ICSJWG conference first as a type of intro into the community; then go to the SANS ICS Security Summit for more of a view into the asset owner community and to get training; then go to S4 for the latest research; then go to WeissCon to see the portions of the community and vendor audience not represented elsewhere; and finally go to CS3Sthlm to get an international view. It is perfectly ok to go to all five of the big conferences in a year (I do), but if you need a general path, that is the one I would follow initially.
- CS3Sthlm
- CS3Sthlm used to be known as 4SICS and is held every year in Stockholm, Sweden. It is one of the leading ICS security conferences in the world (I consider it one of the “big five”), and it is in my opinion the best ICS security conference in Europe. The founders, Erik and Robert, are some of the friendliest people in the ICS community and have a wealth of experience from decades defending infrastructure to share with folks.
- Dragos Industrial Security Conference (DISC)
- DISC is the Dragos annual conference; however, it is unique in that it is entirely dedicated to research and insights into ICS cyber threats and responding to them. The conference is 100% free and open to those in the industrial asset owner and operator community. It happens every year on November 5th in Maryland, USA.
This is just a small collection of the many fantastic resources out there. Always fight to be part of the community and interact – that is where the real value in learning is. Never wait for someone to show you, though; even the “experts” are usually only expert in a few things. It is up to you to teach yourself and involve yourself. We as a community are waiting with open arms.