ICS SE SO MA THE

To get your free vendor- AUTO MATI O N

sponsored whitepaper, visit
sans.org/tools.php
C U R I T Y L U T I O N S P E VE NTS
1700
René-Antoine Ferchault de Réamur proposed
1900
H I S TO RY
ideas for automatic devices to EARLY 1700s
provide feedback for the purposes of control
1ST INDUSTRIAL REVOLUTION
Seeing Through the Fog of Complexity – James Watt’s steam governor provided
proportional control of the throttle
1788 Mechanical
How a foundational tool like NexDefense’s SOPHIA can ensure
Production
ICS/SCADA systems stay reliable, predictable, and secure
Use of relays and control cabinets in remote Powered by
nexdefense.com rooms to turn things on/off by use of
switches and monitor recorders
1900s Steam
OF

Next-generation Security
Machine tools were automated
with Numerical Control (NC) using
punched paper tape
1950s 1900 ICS
for SCADA and ICS First use of distributed control
throughout a large industrial plant 1959 1970
paloaltonetworks.com
2ND INDUSTRIAL REVOLUTION Detailed History of ICS
Application Security
Modicon 084 the first programmable Mass Production
• Directory Integration Monitoring Products: controller implemented. (Modicon stood for 1969 Powered by whitepaper available at
MOdular DIgital CONtroller.)
• App Armor • Process Monitoring Electricity ics.sans.org/resources
Design Considerations for • SE Linux • Event Monitoring
Securing Industrial Automation and
• chroot() • Network Communications Monitoring Allen-Bradley designed and named the
Control System Networks Bulletin 1774 PLC and coined the term 1971
rockwellautomation.com • MS EMET • Control System Management “Programmable Logic Controller”
• Health Monitoring Modbus introduced I CS SE CU RITY
to allow PLCs to talk with one another 1973
E VEN TS
Remote I/O introduced 1976 1970 Uncorroborated report of a Trojan program
1982
2000
inserted into SCADA system software that caused
an explosion along the Trans-Siberian pipeline
PLCs are linked to PCs 1986

Strategies for Industrial Device Testing Fieldbus protocols to include 3RD INDUSTRIAL REVOLUTION
securicon.com ControlNet, DeviceNet, Profibus, Automation of
and Fieldbus Foundation.
1990s Production by A former consultant accessed
Quickly followed by Ethernet and TCP/IP Electronics the control system of the plant and
connectivity for PLCs MAR 2000 released up to one million litres of sewage into
the surrounding waterways
Open Technology Movement
Host Defense ICS Vendors begin migration from 2000 Media reports about GAZPROM cyber
Expendible ICS Networks APR 2000
Device Testing: Products: proprietary networks, software, and & BEYOND incident impacting operational systems
waterfallsecurity.com hardware platforms to open architectures
• Device Fuzzing • Traditional AV
• Performance Testing • Host IDS
• Pen Testing • Application Whitelisting First PAC is introduced 2001 Plant computers infected by Slammer
worm. The worm entered the plant network
• Vulnerability Scanning • File Config Management JAN 2003 via a contractor’s infected computer connected
Yokogawa’s Comprehensive via telephone dial-up directly to the plant
Lifecycle Approach to network, thus bypassing the firewall
Process Control System Cyber-Security
yokogawa.com
First controllers with
embedded web server 2003 2001 The Blaster worm infected the
communication system of a U.S. railway company
2004
AUG 2003 – the dispatching and signaling systems were
affected and passenger and freight traffic systems
were disrupted
TRENDS DCS system found infected with Nachi
DEC 2003 (AKA Welchia) virus on 8 APCs

SOLUTIONS
SCADA workstations
2005

ICS C
shipped to utility with infections

TRAINING Intro to the U R R I C U L U M AUG 2005

Zotob worm infects 13 U.S. auto plants

ICS Curriculum
causing shutdowns and delays

A D V A N C E D Breach into Pennsylvania water plant

I C S NOV 2006 installation of spyware on plant’s
Hosted by: computer systems
C O U R S E S
Los Angeles traffic system cyber
AUG 2007
This course is for individuals who interact intrusion by insiders (labor strike)
with or who could impact Industrial HOSTED
This course is for individuals
Controls System environments. The roles Assessing and with responsibility for
Commuter tram collision by glancing
blow and derailment due to unauthorized
Industrial Control performed by personnel specific to this field Exploiting Control performing pentesting and switching in the city of Lodz, Poland
can roughly be divided into four domains: Systems vulnerability discovery within JAN 2008
Systems (ICS) Revelation by U.S. government official
A term used
IT (includes OT support)
IT Security (includes OT security)
ICS environments.
NERC CIP Standards become enforceable JUL 2008 2005 that cyber attacks have resulted in
power outages in multiple regions
to describe the outside the United States
personnel, hardware,
Engineering
Corporate, industry,
Hosted by: 2010 Conficker Worm gets into ICS
and software and professional standards
FEB 2009 along with 12 million general computers.
HOSTED
T R A D I T I O N A L It infected power generation plants in the U.S.
components that
read inputs and
Securing the Human (STH) C O U R S E Critical Infrastructure
This hands-on course is
for individuals with the Off-shore oil platform

control outputs in a Security Awareness Products T R E N D and Control System responsibility of securing 2009
hacks impact leak detection systems.
Unauthorized access and control of off shore
Cybersecurity control systems and control platform leak detection and monitoring system
manner that bridges system components.
STH End User SEC301 ICS410
the Cyber and SEP 2009
Utility smart meters are compromised
These modules cover the broadest Intro to Information ICS/SCADA in scale resulting in lost revenue
Physical worlds. set of users and a wide range of DHS ICS-CERT is created NOV 2009
Security Security Essentials
Virus infection of OPC servers at
cybersecurity awareness topics. GIAC: GISF GIAC: GICSP This course is for individuals with DEC 2009 Petro-chemical plant in South Africa
responsibility for generating and
ICS515 using ICS threat indicators in an Stuxnet worm discovered.
STH Utility ICS Active Defense effort to actively modify defense 2010 Stuxnet is a computer worm that was discovered
This course is for individuals new to and Response systems against new threats, respond in June 2010 but evidence suggests variations
These modules focus on cybersecurity information technology that need to to intrusions and perform triage to may have dated back to 2005 and was designed

P O S T E R awareness and NERC CIP to target ICS and impact a specific process
understand the basics of information prevent future intrusions.
training program needs for utilities. assurance, computer networking,
2011
cryptography, and risk evaluation. SEP 2011 Duqu malware discovered
DEC 2011 APT attacks on gas pipeline sector
STH Engineer
These modules focus on individuals SANS’ Advanced PR E S E NT 2012 Houston water system compromise

who support, engineer, or interact with This GIAC certification is being leveraged across Cybersecurity Courses: Automation of
MAY 2012 Flame malware discovered
industries to ensure a minimum set of knowledge and Cyber Defense: SEC501 • SEC502 • SEC503 • SEC511 Telvent intrusion,
control system cyber assets. Cyber-physical SEP 2012

ics.sans.org
capabilities that IT, engineers, and security professionals Forensics: FOR408 • FOR508 • FOR610 company warns ICS customers (ICS supplier)
should know if they are in a role that could impact First ePAC is introduced 2013
Systems and
the cybersecurity of an ICS environment. Hands-on Exercise: SEC562 (CyberCity) the Internet Havex Trojan is discovered in ICS-focused
JUN 2014 water-holing attacks – observed capability to locate
of Things OPC servers and attempts to exfiltrate collected data
© 2000-2017 SANS™ Institute ICS-PSTR_32nd EDITION_0617_v1
 TRANSPORTATION O I L
Rail
Switching
Shipping
Terminal operations
Warehouse Distribution
Inventory tracking
NATURAL G A S
Gas flow metering Condensate tank levels
Sensor monitoring Crane control Conveyor systems Flow control and pressure Liquefaction control systems
Signal monitoring Cargo management Automated product delivery management Vaporization control systems
Traction systems systems Automated storage and retrieval systems Alert and alarm systems Boiloff control systems
Safety systems Aviation Automated guided-vehicle systems Monitor temperature levels Well head control
Air traffic control Highway/Road Pipeline pressure monitor Field compression Upstream systems: Midstream systems:
systems Traffic control systems Odorant management systems Ballast control systems Process control systems
Bridge monitoring systems Drilling control systems monitoring and controlling
Gas compressor control temperature, flow, pressure,
Traffic monitoring systems
weight, and viscosity
Power generation control
Safety-instrumented systems
Water treatment systems
Concrete batch control systems Downstream systems:
Storage, pretreatment, distillation,

ELECTRIC
Helicopter fueling systems
and dispatch control systems
Safety-instrumented systems
Safety-instrumented systems

Transmission
Switching
Circuit breaker control
Protective relaying
Distribution automation logic
components
Generation
CHEMICAL
Turbine control systems
Boiler control systems
Acoustic monitoring systems
Heat rate systems
Coal handling systems
Emission monitoring systems
Water chemistry systems
Vibration control systems
AGC systems

Batch process control and continuous process control systems

Monitoring and control of process temperature, pressure, flow rate,

HEALTHC ARE
liquid level, gas level, and chemical makeup
Chemical reactor control
Mixing systems
Distillation column control
Patient vital sign monitoring systems Evironmental monitoring of gas, liquid, and solid discharge
MRI monitoring systems Safety-instrumented systems
Infusion systems
Implanted medical devices
Nurse monitoring stations
Operating room environmental
control systems

Learn why ICS security Light manufacturing Heavy manufacturing

should be on your career map Etching control – Chemical Robotic arm assembly

WATER
Mechanical Planarization (CMP) Weld controllers
Lithography control Sealing and dispensing systems

ics.sans.org
Processing temperature Quality test systems
Monitoring source water Process pressure Production line control systems
Treatment process control Cooling and heating rates Press control systems
Pressure control Hydraulic press controls
Flow control Flat metal line feeder control
Wastewater collection system monitoring CNC systems
Pump station monitor and control
Valve pump and mixing monitor and control

MANUFACTURING
CONTROL CENTER
Switch gear management
Lighting control
HVAC control systems
O P E R AT I O N S Control Centers
Energy management systems

OTHER SECTORS
Fire suppression systems Communications front end
Physical access control and Inter-control center
monitoring systems communication systems
Facility management systems Operator alarm systems Amusement Parks Mining Food and Beverage

BUILDING MGT
Contingency analysis
State estimation
Automatic generation
Amusement park ride Dust management systems Packaging systems
control Ventilation performance Food safety systems
Theme element systems Batch mixing process systems
activation

SYSYEMS
Machine long travel Clean and sterilizing in-place
Air quality systems Safety systems monitoring systems systems
Water treatment systems Conveyor alignment detection Ingredient, work in progress, and
Boiler control systems
Visit SANS’ CyberCity: sans.org/netwars/cybercity Ground water level monitor finished goods tracking systems