Duration: 4 Days
This course provides you with a thorough understanding of supervisory control and data acquisition (SCADA) devices and their inner workings. You will learn how to execute cyber missions where a SCADA environment is part of the greater cyberspace operational environment. By performing incident response on SCADA devices, you will learn in-depth concepts about how those devices operate.
Certification: CSFI-CSCOE
What You Will Learn
- Concepts of SCADA devices
- How SCADA devices work and function
- Security concepts and challenges specific to SCADA devices
- Vulnerability assessments within SCADA environments
- Incident response within a SCADA environment
- Penetration tests on industrial control systems
- Vulnerabilities in web applications used in industrial control systems
- Hardware, network, user interface, and server-side vulnerabilities
- Incident response on industrial control systems
- Unique differences between ICS incident response and traditional
Audience
Anyone involved with designing, monitoring, or operating SCADA networks
Prerequisites
- Familiarity with basic network topology such as switching, routing, and IP addressing
- Recommended course book: Cybersecurity for Industrial Control Systems: SCADA, DCS, PLC, HMI, and SIS
Course Outline
1. Pentesting SCADA Network Protocols
- ICS Systems Overview
- Controllers, Embedded Systems and Protocols
- PLCs, DCS, Hybrid Controllers, PC-Control
- SCADA and ICS Protocols
- Working with Modbus, OPC, and HMIs
- Different levels of network communication penetration testing
  - Testing of network mediums vs network protocols
  - Where security defenses should be placed and tested
- Serial communications
  - RS-485 and RS-232
  - Modbus RTU
2. Pentesting SCADA Field and Floor Devices
- Tests performed against SCADA networks
- External Penetration Testing
- Internal Penetration Testing
- Vulnerability Assessments
- Wireless Audits
- SCADA Vulnerability Assessment Methodology
  - Physical Security
  - Network Infrastructure (Switches, Routers, and Firewalls)
  - Assets in the SCADA DMZ
  - Control Room Servers, Workstations, and Applications
- SCADA Protocols
- PLC, RTU, DCS, and Embedded Controllers
- SCADA Exploitation
  - Discuss SCADA exploitation
  - Discuss methods for exploitation
  - Perform exploitation of SCADA devices/embedded controllers
- Analysis of embedded electronics in SCADA field and floor devices
  - Discussion of device disassembly
3. Pentesting SCADA Field and Floor Devices Continued and Intro to SCADA Incident Response
- Introduction to SCADA Incident Response
  - Prepare
  - Identify
  - Contain
  - Eradicate
  - Respond
  - Lessons Learned
- SCADA Incident Response Overview
  - Challenges seen
  - Reasoning
  - Actions
- SCADA Incident Response In-Depth
  - How to perform SCADA Incident Response
  - Lessons learned phase
- Analyzing data obtained from data dumping and bus snooping
  - Hands-on exercise doing string analysis of datasets
  - Hands-on exercise doing entropy analysis of datasets
  - Hands-on exercise doing systematic key searches through datasets
  - Hands-on exercise doing file carving from datasets
- End-to-end analysis and reporting
  - Strategies for end-to-end analysis after targeted pentesting
  - Strategies for reporting and remediation recommendations
4. SCADA Active Defense Methodologies
- Introduction to SCADA Active Defense
  - Concepts
  - What to be concerned about
- SCADA Secure Architecture
  - DMZ
  - Bastion Hosts
  - ACLs
  - Network Segmentation
- Network Segmentation
- Remote Access
- IDS/AV Considerations
- Bastion hosts/firewalls
Course Labs
Lab 1: Introduction to SamuraiSTFU (Security Testing Framework for Utilities)
- Setting up the virtual machine
- Walk through the tools and functionality
- Introduction to the student hardware kits
Lab 2: Pentesting RF communications between master servers and field devices
- Hands-on network traffic extraction
- Traffic transmission and exploitation
Lab 3: Pentesting TCP/IP based SCADA protocols
- Protocol capture and analysis
- Modbus, DNP3, IEC 61850, ICCP, ZigBee, C37.118, and C12.22
- Dealing with unknown protocols
- Hands-on entropy analysis of network payloads
- Reverse engineering unknown protocols
- Hands-on SCADA protocol fuzzing
Lab 4: Pentesting technician interfaces on SCADA field and floor devices
- Functional analysis of field technician interfaces
- Hands-on exercise capturing USB communications to tech interfaces
- Hands-on exercise analyzing captured USB communications
- Impersonating endpoints in field tech interface communications
- Exploiting vulnerabilities found during analysis
Lab 5: Analyzing field and floor device firmware
- Obtaining field and floor device firmware
- Hands-on exercise disassembling firmware
- Hands-on exercise analyzing disassembled firmware
- Exploiting firmware flaws
Lab 6: Overview of pentesting field and floor device embedded circuits
- Local attack through physically exposed devices
- Expanding physical attacks to remote attacks
Lab 7: Dumping data at rest on embedded circuits
- Using the Bus Pirate and other similar tools
Lab 8: Bus Snooping on embedded circuits
- Overview of bus snooping
- Hands-on exercise snooping buses
Lab 9: Capture the Flag Event
- Pits two teams against each other
- One group is active defender
- One group is active attacker