ADVANCED ICS HACKING
Industrial control systems (ICS) are often a sitting target for cybercriminals. The majority of these systems monitor complex industrial processes and critical infrastructures that deliver power, water, transport, manufacturing and other essential services.
There are many vulnerabilities in ICS systems that could expose an installation to attacks. Downtime or infiltration of an ICS network could result in massive outages, hundreds of thousands of impacted users and even national disaster. Penetration testing on ICS systems is a very specific field that requires in-depth knowledge and hardware availability.
This training is going to help you to understand ICS systems, analyze their weaknesses, attack them and design strategies to protect them. It is aimed at security professionals who want to understand ICS systems, improve their skills or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced hacking techniques.
We will focus on methodologies for hacking commercial hardware devices such as PLCs as well as simulators, and we will also give participants hands-on experience in penetration testing of these devices and systems. The ICS setup will simulate an ICS infrastructure with real-time PLCs and SCADA applications. We will cover the most common ICS protocols (Modbus, S7, DNP3, OPC, Profinet), analyze packet captures and learn how to use these protocols to talk to PLCs. You will learn how to program a PLC, to better understand how to exploit
Throughout the course, we will use a virtual machine that we created specifically for ICS penetration tests; it contains all the tools needed for ICS hacking. The course is structured for beginner to intermediate level attendees, and no previous experience in ICS, reversing or hardware is required.
Day 01: Overview of ICS, Protocols & Hacking
1.1 Introduction to ICS
1.3 The CIM model
1.4 Classic architectures
1.5 History of ICS
1.6 Briefing of ISA99/IEC62443, NIST 800-82, ANSSI
1.7 IT vs OT
1.8 ICS systems exposed on Internet
2.1 ICS Architecture, Components and Roles
3.1 PLC Wiring
3.2 PLC Programming in ladder
3.3 Programming PLC hands-on
4.1.a. Introduction and protocol overview
4.1.c. Sniffing and Eavesdropping
4.1.d. Baseline Response Replay
4.1.e. Modbus Flooding
4.1.f. Modifying PLC values
4.1.g. Rogue Interloper
4.1.h. Hands-on practice
4.2.a. Introduction and protocol overview
4.2.c. Sniffing and Eavesdropping
4.2.d. Uploading and downloading PLC programs
4.2.e. Start and Stop PLC CPU
4.2.f. Hands-on practice
4.3.a. Introduction and protocol overview
4.3.c. Length Overflow Attack
4.3.d. Reset Function Attack
4.3.e. Rogue Interloper
4.3.f. Hands-on practice
4.4.a. Introduction and protocol overview
4.4.c. Sniffing and Eavesdropping
4.4.d. Replay Attacks
4.4.e. Packet Forging Attacks
4.4.f. Hands-on practice
4.5.a. Introduction and protocol overview
4.5.e. OPC Attacks
4.5.d. Hands-on practice
Day 02: Bypassing the Airgap, Pentesting & Attacks
Bypassing the Air Gap
5.1 Tools and techniques
Common ICS Vulnerabilities
6.1 Lack of network segmentation
6.2 Lack of hardening
6.3 ICS protocols insecurity
6.4 Other vulnerabilities
Discussion of real attacks
Pentesting ICS systems
8.1 Pentesting Tools
8.2 Pentesting ICS Theory
8.3 Warnings and precautions
Hands-on Pentesting ICS practice
9.1 PLC Scanning and Reconnaissance
9.2 Network capture analysis & replaying packets
9.3 Attacking ICS protocols
9.4 Fuzzing ICS protocols
9.5 Attacking PLC standard interfaces and features
9.6 Attacking HMI
9.7 Attacking Windows ICS components
9.7.a. Find credentials on Windows systems
9.7.b. Exploiting to gain admin privileges
Securing ICS Systems
10.1 System hardening
10.2 Network segmentation
10.3 Security supervision and other measures
ICS System Case Study
Why people should attend this course:
This course is a perfect fit for professionals who want to understand ICS systems, improve their skills
or specialize in ICS security, and will take them from the fundamentals of ICS security to advanced
hacking techniques. It’s an excellent opportunity for participants to acquire hands-on experience in
penetration testing ICS devices and systems.
3 takeaways that students will learn:
• Deep understanding of ICS components and protocols
• Real-life penetration testing experience against key ICS components and protocols
• Strategies and methods to secure ICS systems
Lecture vs hands-on:
The time will be split 40% lecture vs 60% hands-on. The focus of the course
will be on the hands-on laboratories; the theory lessons explain the concepts
needed for the practical exercises.
• PLC Programming: 30 minutes.
• Modbus: ~ 30 minutes.
• DNP3: ~ 30 minutes.
• S7: ~ 30 minutes.
• OPC: ~ 30 minutes.
• Profinet: 30 minutes.
• PLC Scanning: ~ 30 minutes.
• Network Capture and Replay: ~ 30 minutes.
• Attacking ICS Protocols: ~ 1 hour.
• Fuzzing ICS Protocols: ~ 1 hour.
• Attacking PLC: ~ 1 hour.
• Attacking HMI: ~ 1 hour.
• Attacking Windows ICS Components: ~ 30 minutes.
• ICS System Case study: ~ 1 hour.
Keywords: ICS Hacking, Industrial Control Systems, Industrial Network Protocols, SCADA, PLC,
Modbus, DNP3, OPC, S7, Profinet
Who should take this course:
• Penetration Testers / Red Team Members who want to pentest ICS systems or bypass the
• Government officials from offensive or defensive units
• SCADA and PLC programmers
• IT and OT security professionals seeking to increase their knowledge of ICS hacking and
• Anyone interested in ICS security
• Basic knowledge of Linux
• Basic knowledge of networking and pentesting
What students should bring:
• Laptop with at least 40GB free space
• 8 GB minimum RAM
• Virtualization software such as VMware or VirtualBox
• Admin/Root access on their laptop
What students will be provided with:
• Slides/lectures of the training
• VM with test environment, exercises and all the tools used in class
Max capacity: 40
Absolutely max capacity: 45
• Trainer 1: @ylevalle
• Company: @DreamlabGlobal
Yamila Vanesa Levalle is an Information Systems Engineer, Security Researcher and Offensive
Security Professional with more than 15 years of experience in the InfoSec field and expertise in
ICS security.
Yamila currently works as Security Researcher and Consultant at Dreamlab Technologies, where she
conducts research, publishes investigations on several information security topics and
shares her skills by giving training courses. She is a speaker at international security conferences and has
presented her research at major events such as BlackHat Arsenal Las Vegas, PHDays Moscow, Northsec Montreal, AusCERT Australia, OWASP Latam Tour, and others.