ICS456: SANS Nashville 2021

What You Will Learn

The five-day ICS456: Essentials for NERC Critical Infrastructure Protection empowers students with knowledge of the what and the how of the version 5/6/7 standards. The course addresses the roles of the Federal Energy Regulatory Commission (FERC), the North American Electric Reliability Corporation (NERC), and the Regional Entities; provides multiple approaches for identifying and categorizing BES Cyber Systems; and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6/7 requirements with a balanced practitioner approach to both cybersecurity benefits and regulatory compliance.

This course goes far beyond other NERC Critical Infrastructure Protection (CIP) courses that only teach what the standards are by providing information that will help you develop and maintain a defensible compliance program and achieve a better understanding of the technical aspects of the standards. Our 25 hands-on labs utilize three provided virtual machines that enable students to learn skills ranging from securing workstations to performing digital forensics and lock picking. Our students consistently tell us that these labs reinforce the learning and prepare them to do their jobs better.

You Will Learn:
  • BES Cyber System identification and strategies for lowering their impact rating
  • Nuances of NERC defined terms and CIP standards applicability and how subtle changes in definitions can have a big impact on your program
  • The significance of properly determining Cyber System impact ratings and strategies for minimizing compliance exposure
  • Strategic implementation approaches for supporting technologies
  • How to manage recurring tasks and strategies for CIP program maintenance
  • Effective implementations for cyber and physical access controls
  • How to break down the complexity of NERC CIP in order to communicate with your leadership
  • What to expect in your next CIP audit, how to prepare supporting evidence, and how to avoid common pitfalls
  • How to understand the most recent Standards Development Team (SDT) efforts and how they may impact your current CIP program
You Will Be Able To
  • Understand the cybersecurity objectives of the NERC CIP standards
  • Understand the NERC regulatory framework, its source of authority, and the process for developing CIP standards, as well as their relationship to the other BES reliability standards
  • Speak fluent NERC CIP and understand how seemingly similar terms can have significantly different meanings and impacts on your compliance program
  • Break down the complexity to more easily identify and categorize BES Cyber Assets and Systems
  • Develop better security management controls by understanding what makes for effective cybersecurity policies and procedures
  • Understand physical and logical controls and monitoring requirements
  • Make sense of the CIP-007 system management requirements and their relationship to CIP-010 configuration management requirements, and understand the multiple timelines for assessment and remediation of vulnerabilities
  • Determine what makes for a sustainable personnel training and risk assessment program
  • Develop strategies to protect and recover BES Cyber System information
  • Know the keys to developing and maintaining evidence that demonstrates compliance and be prepared to be an active member of the audit support team
  • Sharpen your CIP Ninja!
Hands-On Training

Day 1
  • Virtual Machine Setup - Windows, Kali Linux, and Security Onion VMs will be used throughout the five-day course
  • Checkpoint exercise - Ensure familiarity with the NERC website for locating standards, and cover entity registrations, the Functional Model, and a Glossary of Terms
  • Protocol Primer - Use Wireshark to analyze packet captures
  • Analysis of Facility Environments - Walk through assets owned by a fictitious company to determine in-scope assets and approaches to generation segmentation
  • CSET Facility Assessment - Utilize the ICS-CERT's Cybersecurity Evaluation Tool (CSET) to perform a self-assessment on a model network compared to industry standards, including NERC CIP
  • Kaspersky Industrial Protection Simulation (KIPS) - Electric sector "make your own adventure" simulation that challenges students to secure and ensure ongoing operations of a fictional combined-cycle gas turbine power plant
Day 2
  • Wireshark Analysis and Network Visualization - Utilize Wireshark to analyze real packet captures from an ICS environment and introduce the Dragos Security CyberLens tool, which can be used to passively discover ICS assets and visualize their network placement and communications
  • Firewall Rule Development and Analysis - Utilize the Common Open Research Emulator (CORE) to emulate a live network and to understand the effect of firewall rules on the network communications
  • ICS Signatures and Alerting - Use the Sguil (pronounced sgweel) network security monitoring tool to create event-driven IDS alerts when replaying pcap packet captures from an ICS environment
  • Breach of Physical Controls - Learn the basics of lock picking with your very own clear padlock and pick tool set
  • Physical Security Review and Response Exercise - Analyze physical security camera images and perimeter access logs to identify potential security and compliance problems
Day 3
  • Windows System Assessment - Utilize a number of tools including Windows Baseline Security Analyzer, NetStat, and Windows Firewall Configurator to analyze the security posture of a provided Windows VM
  • Validating Findings and Demonstrating Impact - Utilize the provided Kali Linux VM and favorite red-team tools such as Cain & Abel, remote desktop, and the Metasploit Framework to gain unauthorized access to the Windows VM, demonstrating the risks of insecure configuration
  • System Hardening - Learn from the red team's actions and use a number of native Windows tools to harden the Windows VM and prevent future exploitation
  • System Log Management - Use Splunk Enterprise to analyze a Windows event log to identify events of interest
  • Basic Change Management from the Command Line - Utilize hashing techniques and Tripwire to identify system file and configuration changes
  • Vulnerability Assessment Tool Capability - Gain familiarity with Nmap, SNMP, and the OpenVAS vulnerability scanning framework
Day 4
  • Information Leakage Awareness - Walk through creating a Shodan account and using it to discover all sorts of interesting Internet-connected devices
  • Steganography Lab - Use the S-Tools application to conceal and identify data hidden in plain sight in order to understand the risk of data exfiltration in your environment
  • Yara Introduction - Learn the basics of Yara, the "Pattern Matching Swiss Knife for Malware," utilizing indicators of compromise (IOCs) to detect malware in memory images
  • Incident Response TTX - Walk through a tabletop exercise that you can take back to your organization for play with your larger team to test incident response capability and security policy/plan effectiveness
  • Forensic Data Preservation - Use FireEye's free Redline tool to learn how to collect and analyze forensic data and the FTK Imager tool to create a system image for data preservation
Day 5
  • Auditor Tools - NERC CIP auditors use NP-View to analyze their environment, and you should too! In this lab you'll analyze firewall configurations for an example electric entity to determine and visualize network communications
  • PowerShell - Learn the basics and get an appreciation for the power of PowerShell for task automation and configuration management
  • Auditor / Defender - Whether you play the role of auditor or audited entity, this exercise will challenge your NERC CIP knowledge and ability to present material to tell a compelling story of compliance
What You Will Receive
  • Electronic download package containing useful and otherwise hard-to-find NERC, regional entity, and various CIPC reference documents; SANS posters and brochures; and multiple documents created by SANS to help structure and guide your compliance program
  • Three virtual machines (a Windows 10, a Kali Linux, and a Security Onion Linux VM) which will be utilized during course labs to demonstrate and highlight security controls consistent with NERC CIP requirements
  • MP3 files of the course author/instructor to help recall course content and examples
  • A clear acrylic padlock and lockpicking tools
  • Incident response and security exercises designed for students to continue to utilize in their organizations
  • Ongoing access to course authors and instructors via a private NERC CIP-focused community forum group