Back in ~2004 I started teaching a 3-day course on SCADA Security for Infosec Institute. Back then the term ICS didn’t exist, and the INL/DHS courses were the only other options. I left the class after about 18 months with the realization training is hard work and not something I enjoyed. The class was passed to and greatly improved by a number of instructors, and it still exists.
A lot has changed in the ICSsec training options in 10 years. Now the market is full of high-quality choices and may even be reaching a point of too many courses, with a shakeout coming. Here is an incomplete list and some of my impressions based on talking with students and instructors that might help you pick a course.
The Originals and Classics
Red Tiger Security
Jonathan Pollet and the team at Red Tiger were the first to produce what I would call an ICS hacking course. They cover what an ICS is and defending an ICS, but they excel at how to assess and attack an ICS. Their labs have grown over the years in size and complexity (and resilience to students; rampant crashing is a problem when you put together an ICS lab).
They traditionally sell out the class in conjunction with Black Hat and SANS events, and the classes are also available directly from Red Tiger. The main course is 5 days, but they also offer an abbreviated 2-day course.
All will benefit from this course, but it is the class to go to if you want to learn how to identify vulnerabilities in ICS systems, components and protocols and go into it with some technical security skills.
Joel Langill, aka the SCADAHacker, took over the Infosec Institute course for a couple of years before branching out to create his own course. He came from the ICS world where he worked decades for large oil companies and large vendors (his Honeywell knowledge is top notch).
Joel offers a one-week and two-week course as well as an occasional shorter course taught in conjunction with a conference. He recently moved to Europe and is offering courses there as well as in the US.
@digitalbond twitter followers probably know that Joel and I disagree quite often on the seriousness of insecure by design and what the ICS community needs to prioritize. I would classify Joel as Mr. Compensating Control. Compensating controls are very important, and students receive practical information on how ICS are deployed and operate, and how to secure them with what is available from vendors today.
Joel defines his training as focused on defense. I would recommend this class to someone in Operations who does not understand IT or security as well as someone in IT who wants to understand ICS and the ICS culture.
INL / DHS
DHS and other government agencies funded the development, and continue to fund the operation, of a variety of INL taught ICSsec courses. The biggest advantage these courses have is the price … they are free.
They have a one day beginner and intermediate course that is typically taught around a conference. These courses are being taught less often and either need to be updated or retired.
INL’s flagship training option is the week-long Red/Blue Training Course in Idaho Falls, formally known as ICS Cybersecurity 301. Attendees rave about this course, particularly the 10-hour Red Team / Blue Team exercise that takes place on a lab system that cost more than $1 million. The Blue Team (defense) is much larger and students are assigned to roles such as Operator, Engineer, IT, CIO, etc. The only negative I hear about this course is the location.
I recommend the Red/Blue training for anyone in an asset owner or vendor organization that needs to understand why ICSsec is important and difficult. It is even better if you can send multiple people from your organization so they have a common experience.
Note: by law the National Labs are not allowed to compete with private industry. They clearly are competing in training, but this has been going on for years now and is unlikely to change.
Big New Training Options
SANS / GIAC GICSP
For years SANS has offered ICSsec courses from Red Tiger, CYBATI, UtiliSec and others around their SANS SCADA Security Summit. The market must have appeared large enough for SANS (don’t let the non-profit status fool you; they are hard-nosed business types) as they brought Michael Assante in as the Project Lead for ICS, developed ICS410: ICS/SCADA Security Essentials, and created a corresponding certification (GICSP: Global ICS Security Professional).
SANS has huge mindshare in the IT Security market, so it is almost assured that a large number of IT Security professionals will attend this course and get the certification. They may be IT Security professionals who want to get into ICSsec or people in the IT Group of a large company that has an ICS.
How many ICS engineers will choose this course is an open question. SANS does not have as positive a reputation with the Operations organizations. The course and cert have been panned on lists such as SCADASEC, but this is only anecdotal evidence. The course and cert were created by a talented and experienced group of ICS security types. I’m sure the course content is strong and will improve over time. Justin Searle, Paul Henry and Eric Cole are some of the instructors.
I feel safe in recommending the course in general, but I’m not sure what specific profile will benefit most from it. If you take the course, you might as well get the certification. Just don’t expect the certification to get much respect beyond the fact you took a 5-day course, at least from me.
The fact that SANS and ISA are stepping up their ICS security training is evidence the market is there. Where SANS has mindshare within IT Security, ISA has mindshare with engineers and operations in manufacturing and other vertical sectors.
The ISA99 standards committee continues to publish ICS (or IACS in their terminology) security standards, and they are offering a set of courses around these standards and general ICSsec information.
- Industrial Automation Cybersecurity: Principles and Applications (4.5 days)
- Industrial Networking and Security (5 days)
- Introduction to Industrial Automation Security and the ANSI/ISA-62443 Standards (1 day)
- Using the ANSI/ISA99 (IEC 62443) Standards to Secure Your Industrial Control System (2 days)
The last course will include a certification if you pass the test.
Obviously ISA is best positioned to teach the standards they develop. They also have a lot of talented ICSsec professionals that work on the ISA99 standards and teach these courses. The content and instructors are likely to be strong.
In comparison to SANS, ISA marketing is weak, and training is just one of many things they do. Also, the courses don’t make sense. Do I take the 4.5 day IACS: Principles and Applications or the 5 day Industrial Networking and Security? The one-day or two-day course on IEC 62443?
I know Bryan Singer teaches some of these classes, and he certainly knows the material and is an enthusiastic teacher. If ISA is well recognized in your sector then these courses are recommended, particularly the two focused on the IEC standards.
Cimation is about to launch a set of four ICSsec courses taught by Clint Bodungen, formerly of CIDG. Cimation has been actively hiring ICSsec talent the last two years for a variety of service offerings.
Too early to recommend, but more evidence that companies believe in the ICSsec training market.
Please do not take offense if you are in this section or not on the list. The main point of this article is there are a lot of quality ICSsec training options available.
- Justin Searle of UtiliSec (although he may be moving more to SANS training)
- Matthew Luallen of CYBATI
- Tom Parker of FusionX
- Don Weber of InGuardians