By Ben Miller, Daniel Michaud-Soucy

Educating the community is one of Dragos’ core missions. As such, we offer a 5-day training class on Industrial Control Systems (ICS) security. The material spans 100-600 level content and caters to a variety of students–some with Operational Technology (OT) backgrounds looking to learn more about the security of their industrial processes and some with Information Technology (IT) backgrounds looking to familiarize themselves with ICS.

Embedding yourself in a new field of study for 5 consecutive days is demanding but very rewarding. Students (as well as instructors) often come out of the training class with high motivation and a thirst for more. Recently, one of our students suggested putting together a reading list for those who wish to further their learning. Thanks, Marcus, for the suggestion. Without further ado, here is a list of resources (books, papers, and videos) curated by our instructors and organized by class module.

Format: #paper, #book, #video, #repo, #blog
Topics: #history, #101, #process, #architecture, #plc, #programming, #hardware, #pid, #tools
Spectrum: #redteam, #blueteam, #hacking
Industry Vertical: #oilandgas, #manufacturing, #wastewater, #electricpower

Module 1: Intro to Industrial Systems and Networks

An Abbreviated History of Automation & Industrial Controls Systems and Cybersecurity by Hayden, Assante and Conway
#paper, #history, #101
This paper provides an overview of the evolution of automation and control systems. It helps frame the “How did we get here?” question and why the security of control systems and industrial processes is the way it is.

Industrial Network Security by Knapp and Langill
#book, #101
This book provides a great overview of the topics covered in our training class, plus an additional layer of governance, risk management, and compliance (GRC). Definitely a breadth-first approach.

Secure Architecture for Industrial Control Systems by Obregon
#paper, #101, #architecture
This paper gives more background on properly segmenting ICS networks. It starts with the Purdue Reference Model and expands with practical implementations of key concepts like remote access.

Learning RSLogix 5000 Programming by Scott
#book, #plc, #programming
PLC programming in the Rockwell Automation world. A deeper look at controllers, ladder logic, sequential function charts, as well as the software required to program these devices.

Technician’s Guide to Programmable Controllers by Borden and Cox
#book, #plc, #programming, #hardware
An in-depth look at all things PLC: theory, hardware, instructions, programming, installation, startup, and troubleshooting.

Piping and Instrumentation Diagram Development by Toghraei
#book, #pid, #process
This book is a comprehensive resource for all things P&ID. Understand how to develop these diagrams and learn about real-life problem sets.

Crude Oil Distillation Process
#video, #oilandgas, #process
This 17-minute video overviews the petroleum refining process.

Electric Transmission and Generation: How the Grid Works
#video, #electricpower, #process
This 56-minute video overviews electric power transmission and generation.

Wastewater Treatment
#video, #wastewater, #process
This 6-minute video walks through the process of wastewater treatment.

Steel Ball Manufacturing
#video, #manufacturing, #process
This 11-minute video is a good example of a manufacturing process driven by tons of automation and process control.

Electric Power System Basics: For the Nonelectrical Professional
#book, #electricpower

Module 2: Assessing Industrial Environments

The Industrial Control System Cyber Kill Chain
#paper, #redteam, #blueteam
The ICS Kill Chain helps organize the various phases an adversary must go through to achieve impact on an operational process. This is a helpful tool, not only for scoping offensive engagements, but also seeing the defender’s perspective. Each phase of the kill chain is an opportunity for the blue team to catch the bad guys.

Hacking Exposed: Industrial Control Systems by Bodungen, Singer, Shbeeb, Hilt and Wilhoit
#book, #redteam, #hacking
For those looking for more on the red-team side of things, this book covers a handful of additional topics not covered in class. Read further about strategizing your offensive assessment, as well as hacking protocols and devices.

Cyber Security Assessments of ICS: A Good Practice Guide by DHS CPNI
#paper, #redteam
A good overview of best practices for assessing ICS, and a different lens on a few of the topics covered in Module 2.

Common Vulnerability Scoring System v3.0 by FIRST
#paper
The CVSS framework provides a structured way of communicating prioritized risk to stakeholders. Frameworks are usually far from perfect, but this provides a good starting point for organizing vulnerabilities found during penetration tests and assessments.

Embedded Device Vulnerability Analysis by Oliver and O’Meara
#paper, #redteam
This paper provides a repeatable, macro-level methodology for assessing the security of embedded devices using an open-source tool called TROMMEL and other tools.

Note: Use the tools found in the following repositories at your own risk, and only in non-production environments.

ICS Security Tools, Tips, and Trade by Yardley and Friends
#repo, #tools, #redteam
This repository contains a ton of tools, packet captures, scripts and guides for a variety of ICS security-related subjects. One of those must-have bookmarks.

icsmaster by w3h
#repo, #tools, #redteam
The other solid repository on ICS-related things like dorks, default passwords, Metasploit modules, etc.

Counter Hack Reloaded by Ed Skoudis and Tom Liston
#book, #redteam
Having trouble understanding the various types of attacks that threaten computer systems? Want a simple explanation of how attacks actually function and the risk they pose to computer networks? Skoudis’ book provides an easy-to-understand description of fundamental exploitation and attack techniques and methodologies, and of the methods blue teams use to defend against them.

Module 3: Tools, Strategies, and Techniques for Successful Hunting in ICS

The Cuckoo’s Egg by Stoll
#book, #history
Any security book list needs Stoll’s book on it. Every defender should have read it at least once.

Tao of Network Security Monitoring by Bejtlich
#book, #101, #blueteam
We talk through the different data types available for intrusion analysis early on in Module 3. These data types and the approach are largely distilled from Richard’s original book on Network Security Monitoring.

Thinking, Fast and Slow by Kahneman
#book
Cognitive biases, if unrecognized for what they are, can lead to poor decisions, and knowing is half the battle. Kahneman’s book explains the science of thinking and breaks down the cognitive biases.

Science, Strategy and War by Osinga
#book, #history
There is not a single mention of “OODA loops” in our 5-day class, but if you’ve heard of them and are looking for a definitive guide to them, this is probably the best recommendation we can give.

Double Loop Learning in Organizations by Argyris
#paper
We talk about hunting and how it can influence how a security organization can learn. We use this original article/research from the 1970s to illustrate the concept.

A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 by Healey
#book, #history
We give a lot of stories/historical use cases throughout the course. If learning from history interests you, then Jason’s book should be required reading.

Generating Hypotheses for Successful Threat Hunting by Lee, Bianco
#paper, #blueteam
We talk quite a bit on hypothesis generation as a cornerstone to hunting and cite Rob and Dave’s whitepaper during that discussion.

Hunting with Rigor: Quantifying the Breadth, Depth and Threat Intelligence Coverage of a Threat Hunt in Industrial Control System Environments by Gunter
#paper, #blueteam
Dan (one of the Dragos hunters here) distilled down many concepts in a SANS whitepaper earlier this year. We don’t directly reference his whitepaper yet in the course, but there’s a direct lineage of ideas between our course material and Dan’s whitepaper. If you’re looking for an expansion of our hunt concepts in the class, this paper should be high on your list.

Project MIMICS by Lee, Miller
#blog, #blueteam
We reference the MIMICS research that Dragos performed back in 2017 as a form of hunting using external tools and explain some of those findings. This white paper overviews that research.

Aurora Generator Test
#video
We talk about the Aurora test as a domain-specific hypothesis (see the Generating Hypotheses for Successful Threat Hunting whitepaper above) in the class. This is the original video of that test from Idaho National Lab.

Module 4: ICS Monitoring and Security Operations

The Diamond Model of Intrusion Analysis by Caltagirone, Pendergast, and Betz
#paper, #blueteam
We talk about and reference the activity groups that the Dragos intel team tracks throughout the class. These activity groups aren’t arbitrary; they are defined using the methodology laid out in the original Diamond Model whitepaper.

Insights into Building an Industrial Control System Security Operations Center, Dragos
#paper, #blueteam
Dragos wrote a whitepaper on forming an ICS-SOC after several discussions and engagements. We reference this when talking about setting up security operations centers.

Guidelines for Planning an Integrated Security Operations Center, EPRI
#paper, #blueteam
EPRI members also have access to guidance on integrated SOCs. This isn’t publicly available, unfortunately; however, nearly every class will have at least one student who cites this whitepaper.

Industrial Control Threat Intelligence by Caltagirone
#paper, #blueteam
Sergio wrote a primer on how intelligence programs tailored to industrial operations can influence better decision making. We talk about this when reviewing intelligence products.

The Four Types of Threat Detection by Caltagirone and Lee
#paper, #blueteam
In Module 4, we use the Dragos Platform quite a bit. This whitepaper offers insight into the platform’s approach to threat detection.

The Checklist Manifesto by Gawande
#book
When we talk about how playbooks work within the Dragos Platform, I often refer back to this book and the lessons learned within it. If you are curious about writing your own playbooks, I recommend this book.

The Industrial Control System Cyber Kill Chain by Assante, Lee
#paper, #blueteam
We talk through intrusions quite a bit in the class. We use the ICS Kill Chain as a model to help describe those intrusions.

Windows Registry Forensics: Advanced Digital Forensic Analysis of the Windows Registry (2nd Edition) by Harlan Carvey
#book
The importance of Windows registry artifacts for understanding what has happened on a computer is mentioned several times in Modules 3 and 4. Carvey’s book provides a great reference for which registry entries might be of interest in security investigations, and how to interpret their values. (This is a great supplement to his RegRipper tool, which we discuss in the course.)

Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software by Michael Sikorski, Andrew Honig
#book
Still have more technical questions about malware after our high-level overview of system infection and command and control throughout the course? ‘Practical Malware Analysis’ provides a comprehensive, self-paced course in how malware functions and hides, including the fundamentals of reverse engineering it.

Windows Internals, Part 1 by Mark Russinovich, Alex Ionescu, and David Solomon
#book, #architecture
ICS systems often rely on old or obscure Windows operating system configurations for critical functions, so a detailed reference on how Windows works is a fantastic resource. Mark Russinovich is a foremost expert in the nuts and bolts of Windows and has been releasing Windows Internals reference books for years. This is a wonderful book to have handy if you run into a process or system file you don’t quite understand.