Assessing and Exploiting Control Systems & IIoT

Provided by

Enquire about this course


This is not your traditional SCADA, ICS, IIoT security course! How many courses send you home with lifetime access to course updates and a $500 kit including your own PLC and a set of hardware RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, synchrophasors, and even IoT.

This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and the ControlThings Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (modbus, DNP3, IEC 60870-5-104), proprietary RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to control system devices that can be tested using these techniques. The course exercises will be performed on a mixture of real world and simulated devices to give attendees the most realistic experience possible in a portable classroom setting.

Advances in modern control systems, including initiatives such as the Smart Grid and Industry 4.0, have brought great benefits for asset owners/operators and customers alike, however these benefits have often come at a cost from a security perspective. With increased functionality and additional inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to minimize vulnerabilities before attackers can exploit critical infrastructures that exist in all countries around the world. Ultimately, this is the goal of this course, to help you know how, when, and where this can be done safely in your control systems.

Course Length and Content:

This course is broken into individual modules, with each being offered individually or combined into course lengths from 1-5 days in length. Here is a list of the current modules and their approximate length, which can be slightly increased or decreased depending on conference or client needs.

Assessing and Exploiting Control System Architectures - 0.5 Days
Assessing and Exploiting Control Network Captures - 1.0 Days
Assessing and Exploiting Production Control Networks - 0.5 Days
Assessing and Exploiting Controller Logic - 0.5 Days
Assessing and Exploiting Control Protocols - 0.5 Days
Assessing and Exploiting Proprietary Serial Protocols - 0.5 Days
Assessing and Exploiting Proprietary RF Protocols - 1.0 Days
Assessing and Exploiting Embedded Memory - 0.5 Days
Assessing and Exploiting Embedded Firmware - 0.5 Days


This course is designed for intermediate level security professionals, be they engineers, technicians, analysts, managers, or penetration testers. Basic penetration testing experience is desirable, but not required. It is assumed that attendees will have no knowledge of ICS, Smart Grid, SCADA, or critical infrastructure.

Recommended Reading before the Course:

For those with little or no ICS experience, these Wikipedia articles provide a brief introduction to the concepts and history of control systems that will be helpful to know for class.
  • (Large YouTube Playlist of Basic ICS Concepts)
NIST 800-82 is a great introduction to industrial control systems, the security issues surrounding them, and basic cyber defenses
Since this course will be getting very deep into the technical weeds of communications, it would be helpful to have a basic understanding of the following encoding methods: ASCII, Unicode, UTF-8, UTF-16, and UTF-32
Learning Outcomes
  • Attendees will be able to explain the steps and methodology used in performing penetration tests on Industrial Control Systems and Industrial Internet of Things.
  • Attendees will be able to use the free and open source tools in ControlThings Platform to discover and identify vulnerabilities in web applications.
  • Attendees will be able to exploit several hardware, network, serial, user interface, RF, and server-side vulnerabilities.
Resources Provided on the Course:

The following items (or rough equivalents depending on availability) are provided to each attendee to use in class and keep after course completion:
  • Velocio Ace 1600 PLC (Programmable Logic Controller)
  • vBuilder software to program the PLC to keep (non-expiring)
  • vFactory software to program an HMI for the PLC (non-expiring)
  • RTL-SDR (Software Defined Radio)
  • Great Scott Gadgets Yardstick sub-GHz Radio
  • Great Scott Gadgets GreatFET
  • Breadboard with SPI and I2C EEPROMs
  • TivaC Launchpad (ARM m4) for Firmware exercises
  • Latest version of the ControlThings Platform on USB
  • PDF version of the course slide deck
  • Lifetime access to future updates to the course modules presented in class, restricted to the individual that attended the course
Course Outline

Assessing and Exploiting Control System Architectures
  • Examples when to use
  • Overview of methodology
  • Different security assessment types and their respective benefits and risks
    • Passive vs active assessments
    • Manual vs automated
    • Reasons why architecture reviews should always be performed first
  • Basic control system concepts, systems, and devices
  • Control system architectures
  • PLCs, RTUs, and IEDs
  • Understanding RTOS
  • Industrial and non-Industrial
  • What is IIoT and how it differs from IoT
  • Field devices, buses, and loops
  • Plant neworks
  • SCADA networks
  • Purdue model and IEC 62443
  • DCS vs SCADA
Assessing and Exploiting Control Network Captures
  • Examples when to use
  • Overview of methodology
  • Traffic Capture
    • Hardware and software to use
    • Suggested configurations
  • Endpoint and Flow Analysis
  • Common TCP/IP based ICS protocols
  • Exercise: Using Wireshark for endpoint and flow analysis
  • Exercise: Using GrassMarlin
  • Deepdive into Modbus TCP
  • Exercise: Analysing Modbus TCP captures
  • Exercise: Using zeek with Modbus TCP
  • Exercise: Using strings on control protocols
  • Overview of ProfiNet, EnternetIP/CIP, OPC, DNP3, IEC 104, IEC 61850, ICCP
  • Exercise: Finding unknown protocols with Wireshark
  • Exercise: Entropy analysis of network payloads
  • Exercise: Using GrassMarlin on unknown protocols
  • Known Protocol Analysis
  • Unknown Protocol Analysis
  • Gap Analysis with Security Architecture Review
Assessing and Exploiting Production Control Networks
  • Examples when to use
  • Overview of methodology
  • DNS interrogation
    • When DNS is and when it is not available
    • Using but not abusing DNS
  • Port Scanning
  • How and why control systems break on port scans
  • Nmap options to avoid
  • General Nmap recommendations
  • Recommended Nmap scans from low to high risk
  • Safe and unsafe fingerprinting technologies
  • Alternatives to traditional fingerprinting
  • Common IT protocols that are generally safe to enumerate on control systems
  • Avoiding automatic enumerating of web interfaces on control systems
  • Dangers of enumeration control protocols in production
  • Plugins and configuration that break control systems
  • Recommended settings for Nessus
  • Using audits
  • Again, the dangers of automated tools on web apps and services
  • Technology Fingerprinting
  • Protocol Enumeration
  • Vulnerability Scanning
  • Vulnerability validation
  • Exploitation
  • Post Exploitation / Cleanup
Assessing and Exploiting Controller Logic
  • Examples when to use
  • Overview of methodology
  • Understanding controller logic
    • Exercise: Understanding tags
    • Exercise: Understanding ladder logic
    • Exercise: Understanding sequential function charts
  • Velocio PLCs vs other PLCs
  • Exercise: Programming a PLC
  • Exercise: Debugging a PLC
  • Exercise: Leveraging the HMI for proof of concept attacks
  • Testing business logic flaws
Assessing and Exploiting Control Protocols
  • Examples when to use
  • Overview of methodology
  • Traffic Capture
    • Communication mediums vs communication protocols
    • Serial communications like RS-232, TIA-422, and TIA-485
    • Fieldbus Protocols and Protocol Families
    • Understanding USB and serial interfaces on Windows
    • Methods to capture serial traffic in Windows and Linux
    • Exercise: Capturing serial traffic
    • Exercise: Manual decode of Modbus RTU
    • Understanding the common 1-off address issue of ICS protocols
    • Exercise: Using Wireshark to decode Modbus RTU
  • Protocol Enumeration
  • The severe lack of availability of ICS protocol tools
  • Repurposing an engineer's troubleshooting tools
  • Exercise: Using Python to interact with Modbus RTU on our PLC
  • Exercise: Enumeration with ctmodbus on our PLC
  • Understanding data types and 2's complement
  • Reasons to avoid fuzzing protocols on embedded devices
  • Exercise: Writing protocol fuzzers with boofuzz
  • Exercise: Fuzzing Modbus TCP on our PLC
  • Exercise: Manual fuzzing with ctmodbus
  • Protocol Fuzzing
  • Protocol Exploitation
Assessing and Exploiting Proprietary Serial Protocols
  • Examples when to use
  • Overview of methodology
  • Functional analysis
    • Using ICS vendor maintenance software and hardware
    • Exercise


Start date Location / delivery
15 Aug 2022 QA London International House Centre E1W, 1st Floor, International House, E1W 1UN Book now
01132207150 01132207150

Related article

QA's practice director of Cyber Security, Richard Beck, rounds up the latest cyber security news.