Every twelve weeks, Dragos hosts “Assessing, Hunting and Monitoring Industrial Control System Networks,” a five-day course at its Hanover, Maryland headquarters covering an introduction to ICS and security best practices, industrial environment assessment, ICS threat hunting, and industrial network monitoring.
It’s a hands-on course that includes a personal programmable logic controller (PLC) that is yours for the duration of the class and that you’re encouraged to break. A week may seem like a short time, but the instructors from the Threat Operations Team pack a lot into those five days.
The course breaks down into four modules. The first is an overview of ICS environments. The second covers architecture reviews and vulnerability assessments, with a hands-on activity exploiting the PLC. The third dives deep into threat hunting and collection management using tools like ELK, Wireshark, Snort, and Bro. The fourth is a comprehensive project in which participants work through a scenario modeled on the 2016 Ukrainian electric grid attack, operating as Security Operations Center analysts and leveraging the skills and resources discussed throughout the week, including the Dragos Platform.
The class is designed for IT and OT security professionals, especially those who aren’t already familiar with ICS. Indeed, the course hammers home the idea that IT and OT environments are different, and security teams and analysts should work together to defend against ICS threats.
But I am not either of those things. I am also not “technical” in the way most people view the word, like someone who writes code or hacks hardware in my day job. I went into the class in May concerned I would fall behind quickly and not be able to complete all the assignments using tools and software I was unfamiliar with.
Some things were really easy for me, like programming a PLC using basic ladder logic via engineering workstation software. Other tasks, like analyzing the operational impact of a Red Team activity and executing a threat hunt, were more challenging. For some exercises, instructors provided a virtual machine and raw files, including packet captures and historian data, as if you were analyzing a live environment, and each module contained a number of exercises—including investigating an IT network intrusion and its impact on the OT environment—using the tools and skills gleaned in the class. Though I came in unfamiliar with some of the tools, I was able to grasp a foundation of ICS assessment and threat hunting through the collaborative lab projects.
And, spoiler alert: no one knew everything.
That’s one of the biggest lessons the ICS security community—and InfoSec in general—should take to heart. No one knows everything, and we’re all constantly learning. Current security solutions still focus largely on the enterprise network, leaving gaps in the ICS environment. And we’ve all heard the statistics on the cybersecurity skills gap, a gap that new talent will have to fill.
The ICS community is small, and the number of “experts” is even smaller. As industrial cybersecurity becomes an increasingly prioritized and publicized space, a lot more people will be learning new skills and collaborating across teams to effectively secure operational networks.
A five-day advanced course doesn’t make you an expert, but it does help you understand some of the challenges and opportunities that IT and OT security teams face, as well as effective tools and strategies for securing critical infrastructure and defending against potential attacks. Armed with new skills and anecdotes from real-world scenarios, you can better defend your own networks—and hopefully teach your colleagues something new, too.