Security for SCADA/ICS

BlackBeret Member Posts: 683 ■■■■■□□□□□
Is anyone familiar with resources for SCADA/ICS pentesting? I know SANS has a few courses for it, but at this time I'm paying out of pocket and that's not happening. I'm looking to learn all of it really, basics, security, pentesting, securing. At the moment I only work with your standard enterprise networks, but I see SCADA as something a little more valuable and I'd love to specialize in it.

Comments

  • NetworkNewb Member Posts: 3,298 ■■■■■■■■■□
    Have you looked into the Work Study option for SANS courses? It includes the training course + exam for only $900. Not bad when considering how much training courses cost. Without the work-study it would cost over 6k for the course+exam.

    https://www.sans.org/work-study/
  • BlackBeret Member Posts: 683 ■■■■■□□□□□
    If I were to do SANS that would be my option, but it also involves taking a week off of work, traveling, hotel, etc. which would add a lot to that cost. I wish you could do work study on-demand, "Thank you for calling the SANS on-demand support line, how can I help you?".
  • the_Grinch Member Posts: 4,165 ■■■■■■■■■■
  • realPSI Member Posts: 51 ■■□□□□□□□□
    I will give you my opinion based off my experience in the DCS/SCADA/ICS field.

    Scadahacker and digitalbond are both excellent sites for resources dealing with scada security. In addition, there are many links and recommendations on both sites. Also, there is a free class given by DHS in Idaho. I have not been, but if possible and I cannot get my company to pay for it I will finance the trip on my own.

    Scadahacker has a link to free online training for ICS. It is a 15 hour course. I think it is very basic, but it does give an intro and tries to convey that availability is everything with ICS.

    Your certs look good. The CISSP is equivalent to the GICSP for most job postings I see. GICSP is slowly creeping into a lot of security job postings.

    I would get MCSA 2012 with 74-409 as the elective. Pick up CCNA. My reasoning for this is most control systems are built around a server and Cisco network equipment. The trend in DCS and ICS is moving towards virtualization for the AV, IDS, and IPS servers/machines.

    I have not worked in an enterprise environment so I do not know the daily tasks of enterprise, but scada/ics is more of a compliance routine. Patches and AV updates as required and as allowed by the production environment. Availability is job 1!

    If you really want to get into SCADA/ICS/DCS Admin and security then I strongly suggest getting a Bachelors. It seems like a Bachelors with experience trumps all certs. Most job postings and places want experience on the scada system or DCS. A mistake in the control system is more likely to cause production loss or equipment damage versus a mistake in the IT side. You have to think more as a technician than an IT person.

    Working on DCS/SCADA will make you a JOAT. I do DB, Admin, security, networking, A+, engineering, web, firewall, and a lot of control logic interpretation and design. I think you have the strong background and basis for the IT side. I would consider trying to gain skills in the instrument and controls, engineering, and electrical side of ICS/SCADA/DCS.

    Ask if you have more questions, I know I jumped around and probably could have done a better job of organizing my reply.

    Keep in mind this is just my opinion. Others might have different experiences.
  • BlackBeret Member Posts: 683 ■■■■■□□□□□
    Thank you for all of the information, I'll be bookmarking this post. SCADAhacker looks like a great resource and I'll find the free course you mentioned. The bachelor's will be done in May then on to the Master's. Linux+ and MCSA are about to become company requirements so I'll get those paid for, and CCNA is something I was planning to do on my own so it looks like I'm already heading the right way. I've always tried to avoid cert collecting, but the knowledge collection is great.
  • jamthat Member Posts: 304 ■■■□□□□□□□
    BlackBeret wrote: »
    Thank you for all of the information, I'll be bookmarking this post. SCADAhacker looks like a great resource and I'll find the free course you mentioned. The bachelor's will be done in May then on to the Master's. Linux+ and MCSA are about to become company requirements so I'll get those paid for, and CCNA is something I was planning to do on my own so it looks like I'm already heading the right way. I've always tried to avoid cert collecting, but the knowledge collection is great.

    We (the US) are extremely short-staffed in this area. If I could go back and do it all over again, this is the field I would choose. That said, the people I've met who work in the security side of this field (primarily through ICS-CERT in Idaho Falls and various DOE labs) have deep expert-level engineering (mechanical, electrical, whatever) and computer science knowledge. I doubt I could keep up lol. Kudos to realPSI.

    If you're willing to move around to get in this field, keep an eye out for openings at basically any DOE labs. You won't regret it!
  • realPSI Member Posts: 51 ■■□□□□□□□□
    My background is Navy Nuclear Power, industrial electrician with PLC, VFD, and motor control system experience. I am not a degreed engineer, but I wish I was. A BS in EE, ME, CE from a named school with ABET is the gold standard in the utility industry. This degree trumps everything because most of the people I speak with don't really understand or recognize certifications. You have to have the buy-in, which is an engineering degree. The good thing is I am slowly seeing BSIT, BSCS, or MIS degrees getting listed as an acceptable substitution. It is about time because my job is more IT than engineering. Last week I was learning MSSQL so I could shrink a control system database, investigating why S2003 had duplicate PCs listed in AD and in the wrong place (discovered by updating the AV software to the latest rev). Today I was investigating ladder logic and the feasibility of programming logic changes before unit startup and configuring points for a Modbus TCP link between control systems.

    Security and network configs are almost a set it and forget it. Very little is ever changed unless there is a failure. Availability is job 1!

    I have an AS in Computer Network Engineering and about 10 college credit certificates in almost every area of IT. This training has really helped tie the control system architecture and the IT system together. I get it now in a very big picture kind of way.

    My plans are to complete my Advanced Certificate in Cybersecurity and Digital Forensics, obtain CCNA S, MCSA 2012 with Virtualization, and GICSP. These certs with a BSIT or BSEET will cover every technology I have seen with control systems, securing them, and what I see on most scada security job postings. The BS and GICSP being the most important part of the plan.

    Look at Emerson Ovation, Delta-V, and ABB products. Those are the big ones. Also OSI PI is finding its way into almost all industries.
    If you can get any classes in EET, PLCs, or industrial controls it would be a huge help in getting a foot in the door. Understanding the control system has priority over IT.
  • theant Registered Users Posts: 2 ■□□□□□□□□□
  • cshkuru Member Posts: 246 ■■■■□□□□□□
    I recently passed the GICSP after attending ICS 410. Everything available in the class is available free online, except for the instructor. The big difference is that the instructor is crucial for guiding the discussion and understanding of the material UNLESS you are a very motivated self-learner.

    If you can't afford SANS (and who really can on their own dime?) DHS has a free course as mentioned before https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT so does Udacity https://www.udacity.com/course/cyber-physical-systems-security--ud279 (unfortunately I didn't know about that one until after I took the test).

    Eric Knapp's book (mentioned above) was a good resource, so was Hacking Exposed - Industrial Control Systems https://www.amazon.com/Hacking-Exposed-Industrial-Control-Systems/dp/1259589714

    ICS-CERT has their CSET tool which is a great resource. It has a very extensive resource library associated with it, including SP800-82 Industrial Control System Security, the CIP standards, some Smart Grid stuff etc. https://cset.inl.gov/SitePages/Home.aspx

    I mentioned SP800-82; the NESCOR Guide to Pen Testing for Electric Utilities is also available for download free and since it was written by the guy who wrote the course... (Justin Searle) http://smartgrid.epri.com/doc/NESCORGuidetoPenetrationTestingforElectricUtilities-v3-Final.pdf

    Finally, the main tool used in the course is SamuraiSTFU and that is available for download free also.

    I know this revived an old thread but since this is a growing area I thought it was worth it. I am getting ready to work on my GRID cert next so as I go along I will try and post resources there too.
  • TechGromit Member Posts: 2,156 ■■■■■■■■■□
    cshkuru wrote: »
    I recently passed the GICSP after attending ICS 410. Everything available in the class is available free online, except for the instructor. The big difference is that the instructor is crucial for guiding the discussion and understanding of the material UNLESS you are a very motivated self learner.

    Red Tiger Security taught the SANS classes under contract until 2009, after that, SANS terminated the arrangement with Red Tiger and designed their own course to get 100% of the training dollars. My company hired Red Tiger Security to give us training, but it's only a 4 day course, SANS is 5 days. I'm considering buying a practice exam and see how I do, it may be worth challenging since so much material is available online, unlike a lot of other GIAC certs.
    Still searching for the corner in a round room.
  • cshkuru Member Posts: 246 ■■■■□□□□□□
    I definitely think it is doable. I obviously can't go into detail without violating my NDA but know your Purdue model back and forth; it is foundational and cuts across a lot of the domains they are testing. Out of the materials I carried in, that was really the only thing I consulted.