Thursday, April 3, 2014

A Month-Long View of Industrial Controls Security Training

For the past four weeks I have been immersed in Industrial Controls Systems (ICS ) security training.  My journey began on March 12th where I spent five days in the SANS ICS training in Orlando followed by about 15 hours of web-based ICS training from ICS-CERT then two days in Burbank, California attending the ISA training on the ANSI/ISA-62443 Standards.  (By the way, the 62443 standard used to be called the ISA99 standard.)

What I'd like to do is offer a view of these different training options to give you a sense of why some professionals will need this training and how the ICS-CERT training can be especially helpful for managers and supervisors overseeing work on ICS.  Also, I'll let you know about free training that does not require travel or substantial resources.

Why am I Taking These Classes?

Right now my employer -- Securicon -- is focusing on industrial control security and the SANS certification program -- GICSP - discussed later -- may be a key cert to have in the company for future work at some select global energy/oil/gas companies.  Secondly, one vendor we work with has asked us to complete the ISA training on the ISA-62443 standards.  Therefore, I'm the designated player for the company and have been sent to these courses - not that I'm complaining!  I love this stuff and I'm up for another security certification in this domain.

SANS ICS410 ICS/SCADA Security Essentials (~$4,395 + $599 for GICSP test)

This course is offered in a classroom (and now as an online option) by SANS.  I was privileged to be in a class in Orlando with about 57 other students from literally around the globe.  The instructor was Mr. Justin Searle who is by far one of the best IT security instructors I have ever experienced as either a student or co-instructor.

The course runs for five consecutive days with class beginning at 9 AM and ending at 5 PM with breaks and a lunch in between.  The days were broken down into the following:

  • Day 1 - Industrial Control Systems (ICS) Overview
  • Day 2 - ICS Attack Surface
  • Day 3 - Defending ICS Servers and Workstations
  • Day 4 - Defending ICS Networks and Devices
  • Day 5 - ICS Governance and Resources 
Each day some hands-on exercises were included.  

At the end of the training you receive a certificate of completion; however, the true goal for myself and many others is to pass the Global Industrial Controls Security Professional (GICSP) certification from SANS.

The GICSP certification involves a separate test which requires the student pass with a minimum passing score of 69%.  I hope to take this test before the end of April.

For more details on the GICSP and the class please go to these links:  GICSP, ICS410, SANS ICS Security.

ISA - Using the ANSI/ISA-62443 Standards to Secure Your Control System (~$1,510)

I just finished this course on April 2nd in Burbank, CA.  The class is a two-day event and this recent course was taught by Mr. John Cusimano -- again, another very good and knowledgeable instructor.  The class size was very conducive to open dialogue with the instructor and other students.

The focus of these two days was on the following key topics:

Day 1:
  • Introduction to Control Systems Security and ISA/IEC62443 Standards
  • Terminology, Concepts, Models and Metrics
  • Networking Basics (Do you know your OSI Model??)
  • Network Security Basics
Day 2:
  • Creating an ICS Security Management Program
  • Designing/Validating Secure Systems
  • Developing Secure Products and Systems
And like the SANS Course, some hands-on exercises were included using tools such as Wireshark and the command line (e.g., Netstat -a).

Upon completion of this test you are eligible to take a proctored test called the ISA99 Exam.  Passing this test will give you the ISA99 certificate from ISA that demonstrates your knowledge and capabilities with the ISA standards used to secure industrial control systems.

For more information you can go the ISA Cybersecurity site.

I hope to take this test before the end of April.

ICS-CERT Online Training -- Excellent Resource! (Free)

Finally, for my "spare time" between the SANS and ISA training I've been working on two courses offered at no charge by the US Department of Homeland Security ICS-CERT organization.

The two courses are both web-based and only require that you register with the Training Portal.

The first class I took was 100W - Operational Security (OPSEC) for Control Systems.  This is a one-hour on-line class that is focused on ways to protect your industrial control systems by being cautious about releasing network information outside the company or to those who don't have a need to know.  The course also addresses phishing attacks, etc.  You get a certificate "...suitable for framing..." at the end of the course.

The second course -- which I highly recommend to executives, managers, supervisors and engineers interested in learning more about ICS security -- was 210W - Cybersecurity for Industrial Control Systems.  This course was excellent and took about 15-20 hours to complete.  

There are 10 separate modules that are listed below:
  • Differences in Deployments of ICS
  • Influence of Common IT Components on ICS
  • Common ICS Components
  • Cybersecurity within IT and ICS Domains
  • Cybersecurity Risk
  • Current Trends (Threats)
  • Current Trends (Vulnerabilities)
  • Determining the Impacts of a Cybersecurity Incident
  • Attack Methodologies in IT and ICS
  • Mapping IT Defense-in-Depth Security Solutions for ICS (longest but best module!)
Again, this training does not require any money but only requires your time to take the modules (which you can stagger over time).


ICS security continues to get focus from the industry and government.  That is why SANS, ISA and ICS-CERT are continuing to bring in training modules for a broad range of players from journeymen electricians to utility executives.  Take advantage of the training -- at least the free classes -- so you better understand how to best defend your Industrial Control systems.